[TALK30] Trusted Graph for explainable detection of cyberattacks – Pierre PARREND (EPITA / iCube, Unistra)
On Wed, April 19th, 2023, 2pm CET, Pierre PARREND (Laboratoire de Recherche de l’EPITA / Laboratoire ICube – Unistra), will talk about “Trusted Graph for explainable detection of cyberattacks“. You are cordially invited to come or join the free live stream on youtube and LinkedIn! Please share the link https://talk.cybercni.fr/30 with your interested friends!
Trailer: https://youtu.be/eiRdUH8yMHk
LinkedIN Event: https://www.linkedin.com/events/7052340159396139008/
Facebook Event: https://www.facebook.com/events/1698222957276297/
Youtube: https://www.youtube.com/watch?v=Ud1SieWVq10?list=PLdftPKA9mTfaDJxqwexil2mPhUFIA9ITd
Stream redirect (for every edition): https://TALK.cyberCNI.fr/stream
Newsletter with invitations: Subscription on https://TALK.cyberCNI.fr
Help us spreading the news
The best talks are those with an interested diverse audience! Therefore, please use the following media to spread the news in your networks:
Thank you!
Abstract
Machine Learning (ML) is now a key asset in security operations for the classification of malware or malicious web sites through combinations of network, system or software properties, anomaly detection by identification of deviating behaviours. Challenges for efficient and scalable use remain wide open, as the issue of training future professionals in a domain that requires high level of proficiency both in system and network technologies and in machine learning models and theory. Nonetheless, the technologies are sufficiently mature to be pervasive in security devices like supervision (Splunk), EDR/XDR (Thetris, DarkTrace) or SOAR (), as well as in security teams focusing in SOC or forensics.
However, while ML is a powerful tool for analyzing dominant behaviours and deviations thereof, it falls short in detecting weak signals, complex attacks like APTs, and more generally taking the relationships between messages, machines or network into account. Specific models have emerged to address these issues, which need to radically switch the analysis approach: the individual packets are no longer significant, their sequence is. Individual machines are not working stand alone, their interactions build the capability – and the threats – to the network. Security analysis therefore needs to leave the now common Euclidian, multi-dimensional ML models to face the complex interactions of machines and communications, nodes and their binding vertices, that is to say: the non-Euclidian domain of graph analytics.
In this talk, we present how the combination of attack graphs, graph theoretical metrics and graph learning enhance the well-mastered ML models for detection of attacks and address two critical phases for attack detection and mitigation: supervision and forensics. The graphs can take several forms: interaction graphs, considering IP or IP+Mac addresses as node definition, or scenario graphs, focusing on short-range time-windows to isolate related sessions. We illustrate their versatile capability through a wide range of cyberattacks from broadscale ransomware, scanning or denial of service attacks, to targeted attacks like spoofing, up to complex advanced persistence threat (APT) multi-step attacks.
The non-aggregative characteristics of graph models supports extended properties for explainability of attacks throughout the analytics lifecycle: data, model, output and interface. These approaches are evaluated both for information system network traces and for cyberphysical systems in industrial and medical environments.
Pierre PARREND
Pierre Parrend is HDR Professor at EPITA and head of Security & Systems team ar LRE – Laboratoire de Recherche de l’EPITA. As a member of the ICube laboratory of the University of Strasbourg, he leads a joint project between the CSTB team (Complex Systems and Translational Bio-Informatics) of ICube and the EPITA Research Laboratory (LRE) on the use of graphs for explainable detection of cyberattacks. He is particularly interested in attack detection in medical and industrial sensor systems, in particular in the context of the ANR Correau project – Resilience through the design and security of water networks – of which ICube is a partner, and of the ANR THIA-ArtIC on connected medical objects. Pierre is also responsible for the Security & System Team, and deputy director, of the LRE. In this context, he coordinates the contribution of EPITA’s regional sites in Strasbourg, Rennes, Lyon and Toulouse to the school’s partner research laboratories. Pierre was responsible for the BICS (Biostatistics, Informatics, and Complex Systems) research platform at the ICube laboratory, and responsible for the teaching department in computer science and mathematics at ECAM Strasbourg-Europe between 2012 and 2021. He is graduated with a Habilitation to Direct Research from the University of Strasbourg (2017) and a PhD in Computer Science from INSA Lyon (2008).
About Laboratoire de Recherche de l’EPITA / Laboratoire ICube – Unistra
EPITA is a private engineering school located in France, specialized in computer science and information technology. It was founded in 1984. EPITA offers a five-year program leading to the “Ingénieur EPITA” degree recognized by the Commission des Titres d’Ingénieurs. The school provides a curriculum focused on Computer Science and Computer Engineering
that covers various fields such as computer programming, artificial intelligence, cybersecurity, software engineering, and more.
The LRE, Laboratoire de Recherche de l’EPITA, is the research lab of EPITA. It entails five teams: Security and Systems, Artificial Intelligence, Image, Automata, and Digital Methods for Humanities, as well as three transversal axes: robotics, software performance, and machine learning applications.
Talk.cybercni.fr
The Cyber CNI Lecture Series is a free monthly event that typically takes place on the last Wednesday of the month from 2pm to 3h30pm CET.
The event consists of a 45-minute expert presentation followed by a 45-minute discussion.
The Cyber CNI Speaker series aims to raise awareness and understanding of cyber security issues among all audiences. It aims to enable an ongoing dialogue between experts from industry and academia and the general public (citizens, families, small and large businesses, public organizations, etc.). All of us are concerned.
The events are broadcast live on Youtube (https://talk.cybercni.fr/) and LinkedIn, allowing worldwide remote participation – including a tool to participate in the discussion.
You can add the event calendar via ICS, webcal, HTML.
How the digital transformation is changing our lives
The COVID-19 pandemic has shown all of us the benefits of information technology. It allows us to work at a distance, to live at a distance, and most importantly, to keep in touch at a distance – with younger and older people, those closest to us, and even make new contacts.
Our society relies more and more on information and operational technologies. Examples include water, energy, heat and cooling supply, communications, healthcare, production and processing of goods, transportation, national security, banking, research and education, and food production.
What all these areas have in common is that they make intensive use of networked distributed computer systems. These systems can be attacked in many ways. This is no longer just a problem for computer “pros” because computer systems are essential to all of us. The effects of “cyber-attacks” range from power outages to the collapse of the health care or banking sectors.
Program and registration: https://talk.cybercni.fr/
Leave a Reply
Want to join the discussion?Feel free to contribute!