For security analysts, a picture may be worth more than a thousand words
By Dmitriy Komashinskiy and Andrew Patel (WithSecure) In SAPPAN, we have developed several models for detecting anomalous events on endpoints. For example, we have built a model for identifying anomalous process launch events and a model for identifying anomalous “module load” operations. In order to increase the reliability of detections reported by the models and to…
Modeling Host Behavior in Computer Network
By Tomas Jirsik (Institute of Computer Science, Masaryk University) Analysis of host behavior is essential for modern network management and security. A robust behavior profile enables network managers to detect anomalies with high accuracy, predict host behavior, or group hosts into clusters for better management. This blog introduces basic…
Analytic provenance for security operation centres
Robert Rapp (University of Stuttgart) An important part of incident response is still an analytical process to understand the cause of an incident and select response actions. Visualisations in security operation centres (SOCs) can therefore improve analysts' alert triage, using visual analytics to handle the large number of alerts they face each day. Such an analysis…
Challenges in Visualization for AI
By Franziska Becker (University of Stuttgart, Institute for Visualization and Interactive Systems) Artificial intelligence (AI) is one of the buzzwords that has defined many conversations in the last 5-10 years. Especially with regard to technology, “Can we use AI to improve our product?” is not an uncommon question. With these conversations come issues concerning interpretability and…
Datasets Quality Assessment For Machine Learning
By Dominik Soukup (CESNET) Have you ever heard about machine learning (ML)? Probably yes; ML is a popular technique for network traffic classification and incident detection. However, have you ever heard about evaluating the quality of datasets (QoD)? QoD is becoming more important with the deployment of ML in production, and the SAPPAN project contributes to this topic.…
Detecting suspicious *.ch-domains using deep neural networks
By Mischa Obrecht (Dreamlab Technologies AG Switzerland) The SAPPAN consortium has been researching several different use cases for new detection methods, such as the classification of phishing websites or algorithmically generated domains (AGDs). Both topics were tackled using deep neural network classifiers, achieving good accuracy on training and validation data mostly based on the English…
Sharing of incident response playbooks
By Martin Žádník (CESNET) As an incident handler, have you wondered whether the way you deal with a cybersecurity incident can be improved, how others deal with the same issues, or whether the handling can be automated? If yes, you are not alone. There is a whole community working on a standard to express incident…