The complexity of today's systems and the data they produce has made it harder to ensure their security: analysts face data overload, must store and handle massive volumes of data, and still need to analyze it efficiently. Using graphs and knowledge graphs to analyze and interpret this data is a promising strategy that has gained growing attention in recent years, and it is becoming increasingly common to employ graph databases and graph mining and learning algorithms for processing massive and complex data.
Graphs offer the advantage of capturing complex and heterogeneous systems and activities. Moreover, the visualization of graph-based data is straightforward and comprehensible for human analysts, which makes it very powerful in practice. For example, botnet activity manifests as a plethora of individual observables, and these particular observations must be correlated into a big picture; a graph that represents the events, observations, and the relations between them achieves exactly that. Attack graphs are popular tools for representing cyber attacks, calculating their impact, and even projecting them to predict the next step of an adversary.
This workshop aims to bring together people from industry and academia, including researchers, developers, and practitioners from a variety of fields working on graphs and knowledge graphs, network management, data science, and cybersecurity. The workshop will allow attendees to share and discuss their latest findings from both theoretical and practical perspectives, specifically in terms of graph-based security data representation, analysis, processing, and visualization. Attendees may benefit from sharing experience on graph-based data analysis regardless of the specific application. Moreover, researchers and practitioners will have an opportunity to familiarize themselves with recent advances in graph analysis, mining, and learning, and with other approaches that could be used in their work. The workshop aims to highlight the latest research and experience in graph-based approaches to cybersecurity. It also seeks papers describing new datasets with real attack scenarios, graph modeling tools evaluated on existing and proposed datasets, and systematization of knowledge (SoK) papers.
Keynote:
Theory and Practice of Cybersecurity Knowledge Graphs and Further Steps
The keynote surveys the growing adoption of knowledge graphs in cybersecurity and explores their potential in cybersecurity research and practice. By structuring and interlinking vast amounts of cybersecurity data, knowledge graphs offer increasing capabilities for incident response and cyber situational awareness. They enable a holistic view of the protected cyber infrastructures and threat landscapes, facilitating advanced analytics, automated reasoning, vulnerability management, and attack mitigation. We expect cybersecurity knowledge graphs to assist incident handlers in day-to-day cybersecurity operations as well as in strategic network security management. We may see emerging tools for decision support based on knowledge graphs that leverage continuous data collection. A knowledge graph filled with the right data at the right time can significantly reduce the workload of incident handlers. We may even see rapid changes in incident handling tools and workflows that leverage knowledge graphs, especially when combined with the emerging technologies of generative AI and large language models, which will facilitate interaction with the knowledge bases or generate reports on security situations. However, implementing cybersecurity knowledge graphs is challenging. Ensuring the quality of the underlying data is a serious concern for researchers and practitioners: only accurate, complete, and up-to-date data can ensure the reliability of the knowledge graph and lead to good insights and decisions. Additionally, the dynamic nature of cyber threats necessitates continuous data updates and rigorous validation processes.
About the speaker:
RNDr. Martin Husák, Ph.D. is a researcher at the Institute of Computer Science at Masaryk University and a member of the university's security team (CSIRT-MU). He was also a visiting researcher at The University of Texas at San Antonio, USA, and Florida Atlantic University, USA. His research interests are related to cyber situational awareness and incident response, with a special focus on incident triage and the application of graph-based data analytics and recommender systems. He led the development of the CRUSOE toolset, which aims to support cyber situational awareness in computer networks by collecting and aggregating data on hosts and using that data for decision support in incident handling. He is now enhancing the CRUSOE toolset in follow-up research projects and exploring its capability as a knowledge graph of a computer network.