GRASEC

5th International Workshop on Graph-based Approaches for CyberSecurity
  • Date
    Aug 01, 2024
  • Location
    SR05
  • Duration
    08:45 — 12:15

Workshop Chairs

  • Martin Husak
  • Mohamed-Lamine Messai
  • Hamida Seba

Accepted Papers

NORIA UI: Efficient Incident Management on Large-Scale ICT Systems Represented as Knowledge Graphs
Lionel Tailhardat (Orange, France), Yoan Chabot (Orange, France), Antoine Py (Orange, France), Perrine Guillemette (Orange, France)
Full Paper
Incident management in telecom and computer networks requires correlating and interpreting heterogeneous technical information sources. While knowledge graphs have proven flexible for data integration and logical reasoning, their use in network and cybersecurity monitoring systems (NMS/SIEM) is not yet widespread. In this work, we explore the integration of knowledge graphs to facilitate the diagnosis of complex situations from the perspective of NetOps/SecOps experts who use NMS/SIEMs. Through expert interviews, we identify expectations in terms of ergonomics and decision support functions, and propose a Web-based client-server software architecture using an RDF knowledge graph that describes network systems and their dynamics. Based on a UI/UX evaluation and feedback from a user panel, we demonstrate the need to go beyond simple data retrieval from the knowledge graph. We also highlight the importance of synergistic reasoning and interactive analysis of multi-layered systems. Overall, our work provides a foundation for future designs of knowledge-graph-based NMS/SIEM decision support systems with hybrid logical/probabilistic reasoning.
Workshop GRASEC
A Model-based Approach for Assessing the Security of Cyber-Physical Systems
Hugo Teixeira De Castro (Télécom Sud Paris, France), Ahmed Hussain (KTH Royal Institute of Technology, Sweden), Gregory Blanc (Institut Mines-Télécom, Télécom SudParis, Institut Polytechnique de Paris, France), Jamal El Hachem (Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Bretagne Sud (UBS), France), Dominique Blouin (Telecom Paris, France), Jean Leneutre (Telecom Paris, France), Panos Papadimitratos (KTH Royal Institute of Technology, Sweden)
Full Paper
Cyber-Physical Systems (CPSs) complexity, automation, and interconnection have been continuously increasing to support new opportunities and functionalities in numerous life-impacting applications, such as e-health, Internet of Things (IoT) devices, or Industrial Control Systems (ICSs). These characteristics introduce new critical security challenges to both industrial practitioners and academics. This work investigates how Model-Based System Engineering (MBSE) and attack graph approaches could be leveraged to model and analyze secure CPS solutions for identifying high-impact attacks at the architecture phase of the secure system development life cycle. To achieve this objective, we propose a new framework that comprises (1) a modeling paradigm for secure CPS representation, easily usable by system architects with limited cybersecurity expertise, (2) an attack-graph-based solution for CPS automatic quantitative security analysis, based on the MulVAL security tool formalisms, (3) a model-based code generator tool - a set of Model-To-Text (MTT) transformation rules to bridge the gap between the CPS specific extensions of SysML and MulVAL. We illustrated the ability of our proposed framework to model, analyze, and identify attacks in CPSs through an autonomous ventilation system example. The results confirm that the framework can accurately represent CPS and their vulnerabilities. Attack scenarios, including a Denial of Service (DoS) attack targeting an industrial communication protocol, were identified and displayed as attack graphs. Furthermore, success probabilities were computed to assess the level of risk quantitatively. In future work, we intend to extend the approach to connect it to dynamic security databases and address challenges such as automatic countermeasure selection.
FedHE-Graph: Federated Learning with Hybrid Encryption on Graph Neural Networks for Advanced Persistent Threat Detection
Atmane Ayoub Mansour Bahar (École Nationale Supérieure d’Informatique, Alger, Algérie, Algeria), Kamel Soaïd Ferrahi (École Nationale Supérieure d’Informatique, Alger, Algérie, Algeria), Mohamed-Lamine Messai (Université Lumière Lyon 2, France), Hamida Seba (University Lyon 1, France), Karima Amrouche (École Nationale Supérieure d’Informatique, Alger, Algérie, Algeria)
Full Paper
Intrusion Detection Systems (IDS) play a crucial role in safeguarding systems and networks from different types of attacks. However, IDSes face significant hurdles in detecting Advanced Persistent Threats (APTs), which are sophisticated cyber-attacks characterized by their stealth, duration, and advanced techniques. Recent research has explored the effectiveness of Graph Neural Networks (GNNs) in APT detection, leveraging their ability to analyse intricate relationships within graph data. However, existing approaches often rely on local models, limiting their adaptability to evolving APT tactics and raising privacy concerns. In response to these challenges, this paper proposes integrating Federated Learning (FL) into the architectures of GNN-based Intrusion Detection Systems. Federated Learning is a distributed learning paradigm that enables collaborative model training without centralizing sensitive data. By leveraging FL, hosts can contribute to a collective knowledge base while preserving the confidentiality of their local datasets. This approach not only mitigates hardware strain and addresses privacy concerns, but also enhances model robustness by capturing diverse insights from multiple sources. Moreover, our solution includes an enhanced encryption system of the clients’ weights to safely send them to the server through the system’s network. This solution prevents man-in-the-middle (MitM) attacks from intercepting the weights and reconstructing clients’ data using reverse engineering. We evaluate our approach on several datasets, demonstrating promising results in reducing false-positive rates compared to state-of-the-art Provenance-based IDSes (PIDS).
Advancing ESSecA: a step forward in Automated Penetration Testing
Massimiliano Rak (University of Campania, Luigi Vanvitelli, Italy), Felice Moretta (University of Campania "Luigi Vanvitelli", Italy), Daniele Granata (Università della Campania "Luigi Vanvitelli", Italy)
Full Paper
The growing importance of Information Technology (IT) services is accompanied by a surge in security challenges. While traditional security tests focus on single applications, today's interconnected systems require a broader evaluation. Vulnerability Assessment and Penetration Testing (VAPT) is a method to tackle this, aiming to assess whole systems thoroughly. However, performing VAPT manually is time-consuming and costly. Therefore, there's a strong need for automating these processes. In response to these challenges, a novel methodology named ESSecA was built upon existing literature to guide the penetration testers during the assessment of a system based on threat intelligence mechanisms. This paper presents enhancements to the ESSecA methodology, including a formal Penetration Test Plan (PTP) model, a taxonomy for Penetration Test phases, and an innovative pattern match system integrated with a Tool Catalogue knowledge base used to improve the Expert System. These developments culminated in an algorithm facilitating the automatic generation of Penetration Test Plans, thus advancing the automation of security assessment processes.
Comparing Hyperbolic Graph Embedding models on Anomaly Detection for Cybersecurity
Mohamed Yacine Touahria Miliani (École Nationale Supérieure d’Informatique, Algeria), Souhail Abdelmouaiz Sadat (École Nationale Supérieure d’Informatique, Algeria), Hamida Seba (University Lyon1, France), Mohammed Haddad (Université Claude Bernard Lyon-1, France)
Full Paper
Graph-based anomaly detection has emerged as a powerful tool in cybersecurity for identifying malicious activities within computer systems and networks. While existing approaches often rely on embedding graphs in Euclidean space, recent studies have suggested that hyperbolic space provides a more suitable geometry for capturing the inherent hierarchical and complex relationships present in graph data. In this paper, we explore the efficacy of hyperbolic graph embedding for anomaly detection in the context of cybersecurity. We conduct a comparison of six state-of-the-art hyperbolic graph embedding methods, evaluating their performance on a well-known intrusion detection dataset. Our analysis reveals the strengths and limitations of each method, demonstrating the potential of hyperbolic graph embedding for enhancing security.

Topics of interest include, but are not limited to:

  • Knowledge graphs and ontologies of cyberspaces and digital twins
  • Attack graphs modeling and application, graph-based threat assessment
  • Graph-based models for network modeling and cyber situational awareness
  • Graph-based approaches to network traffic analysis and forensics
  • Intrusion, anomaly, and botnet activity detection using graph data
  • Graph-based anomaly detection for network security and management
  • Graph application in access controls, security policies
  • Graph-based malware detection
  • Autoencoders and representation learning for graphs and knowledge graphs
  • Graph embedding techniques for network security and management problems
  • Graph databases and graph-based tools for security data analysis
  • Visualization and analysis of dynamic large-scale graphs and graph streams
  • Novel applications of static/dynamic and large graphs in network security and management

Workshop Chairs

Martin Husak | Masaryk University, Czech Republic
Mohamed-Lamine Messai | University Lyon 2, France
Hamida Seba | University Claude Bernard Lyon 1, France

Program Committee

Imre Lendák | ELT University, Hungary
Joseph Khoury | Louisiana State University, USA
Lionel Tailhardat | Orange, France
Milan Čermák | Masaryk University, Czech Republic
Mohamed Haddad | University Lyon 1, France
Noriaki Kamiyama | Ritsumeikan University, Japan
Pavol Sokol | Pavol Jozef Šafárik University in Košice, Slovakia
Pierre Parrend | EPITA/University of Strasbourg, France
Belal Alsinglawi | Western Sydney University, Australia & Zayed University, UAE

Submission

Important Dates

Extended Submission Deadline | May 19, 2024
Author Notification | May 29, 2024
Proceedings Version | Jun 18, 2024
Conference | Jul 30 — Aug 02, 2024
Join us at ARES 2024 in Vienna, Austria