International Workshop on Graph-based network Security (GraSec) in conjunction with IEEE/IFIP Network Operations and Management Symposium NOMS 2022 https://noms2022.ieee-noms.org/
Most existing security monitoring solutions cannot cope with unknown and complex attacks because new threats, botnet propagation techniques and command-and-control mechanisms keep appearing. Recently, botnet detection systems that leverage communication graph analysis using machine learning have gained attention as a way to overcome these limitations. Graph-based modeling and mining approaches have been proposed and provide interesting results.
Graph-based modeling offers the advantage of understanding complex attacks and determining the root cause of an attack. However, existing graph mining tools for anomaly detection over streaming events are not adapted to cyber-security problems, even though the corresponding data continuously arrives in the form of complex graphs.
The workshop brings together people from industry and academia, including researchers, developers, and practitioners from a variety of fields working on graphs and their applications to network security, cybersecurity in general, and blockchain. It also allows attendees to share and discuss their latest findings, from both theoretical and practical perspectives, on techniques and methods for graph modeling, mining, learning, and visualization. The main goal of GraSec is to present research results and experience reports on graph applications in network security and cybersecurity, as well as the related defensive and offensive tools.
Accepted regular papers will have a 30-minute oral presentation (including 10-minute Q&A) at the assigned time slot. Accepted short papers will have a 20-minute oral presentation (including 5-minute Q&A).
Papers accepted for GraSec will be included in the IFIP/IEEE NOMS conference proceedings. IFIP and IEEE reserve the right to remove any paper from the IFIP database and IEEE Xplore if the paper is not presented at the workshop.
- Identification of Attack Paths Using Kill Chain and Attack Graphs. Lukas Sadlek (Masaryk University), Pavel Celeda (Masaryk University), Daniel Tovarnak (Masaryk University)
- ObservableDB: An Inverted Index for Graph-Based Traversal of Cyber Threat Intelligence. Daniel Tovarnak (Masaryk University), Michal Cech (Masaryk University), Dusan Tichý (Masaryk University), Vojtech Dohnal (Masaryk University)
- GNN-Based Malicious Network Entities Identification In Large-Scale Network Data. Stepan Dvorak (Cisco Systems), Pavel Prochazka (Cisco Systems), Lukas Bajer (Cisco Systems)
- Cyber threat response using reinforcement learning in graph-based attack simulations. Jakob Nyberg (KTH – Royal Institute of Technology), Pontus Johnson (KTH – Royal Institute of Technology)
- Milan Cermak
- Bio: Milan Cermak received a Ph.D. degree from the Faculty of Informatics of Masaryk University in 2020 and works as a cybersecurity researcher at the university's Computer Security Incident Response Team (CSIRT-MU). His main research interests include the development of advanced methods for forensic analysis of network traffic using modern approaches and technologies such as stream- or graph-based analysis frameworks. In addition to detecting attacks and anomalies in network traffic, he is also interested in various other cybersecurity areas, including web penetration testing and criminal investigation. He also teaches courses focused on network traffic analysis and forensics, both at the university and as part of commercial training.
- Title: Incident Investigation: From Packets to Graph-Based Analysis.
- Description: Analysis of network traffic allows us to explore events in the monitored network (even retrospectively). It benefits from the fact that it is almost impossible to maliciously alter the captured data (as opposed to system logs, for example). Therefore, it is a reliable source that suitably complements cyber incident investigation. The analysis of network traffic is currently performed with tools such as Wireshark or Arkime, which allow manual data browsing, filtering, and aggregation and provide interactive visualizations, but do not account for the fact that the human brain perceives the data as associations, that is, as graphs. This interactive keynote will show you how network traffic is typically analyzed today and how the analysis can be adapted to human thinking by using a graph database. In the introductory part, you will see what a typical network attack looks like, how it can be analyzed using Wireshark, and what the advantages and disadvantages of today's analysis techniques are. We will then show you how to transform network data into a format suitable for a graph database while preserving the natural perception of network traffic. In the final part of the keynote, we will introduce the Granef toolkit (https://granef.csirt.muni.cz/) and use it to analyze the given data. Through simple tutorial exercises, participants will have the opportunity to explore graph-based analysis on their own and gain new insights into network traffic data.
- Requirements: Python 3, Docker (https://www.docker.com/), and Wireshark (https://www.wireshark.org/).
CALL FOR PAPERS
Call for papers: PDF version
TOPICS OF INTEREST
- Graph-based intrusion detection and botnet activity detection,
- Graph-based anomaly detection for network security and management,
- Attack graphs modeling and application, graph-based threat assessment,
- Graph-based models for network modeling and cyber situational awareness,
- Graph-based approaches to network traffic analysis and forensics,
- Graph application in access controls, security policies,
- Autoencoders and representation learning for graphs,
- Graph embedding techniques for network security and management problems,
- Graph databases and graph-based tools for big data analysis,
- Parallel algorithms for dynamic and big graph analysis on HPC (CPU-GPU) systems,
- Graph sampling and summarizing techniques,
- Visualization of dynamic and large-scale graphs,
- Novel applications of static/dynamic and large graphs in network security and management.
Paper submissions must present original, unpublished research, development, or experiences. Each submission must be written in English and accompanied by a 50- to 200-word abstract that clearly outlines the scope and contributions of the paper. Self-plagiarized papers will be rejected without further review. Authors should submit their papers via JEMS: https://jems.sbc.org.br/
There is a length limitation of 6 pages (including title, abstract, all figures, tables, and references) for regular papers, and 4 pages for short papers describing work in progress. Submissions must be in IEEE 2-column style.