
    Artificial Intelligence
    WP5 (M1-M32)

    Coordinator: French Alternative Energies and Atomic Energy Commission (CEA)

    Participants – VIC, VMU, IMT.

    The goal of WP5 is twofold:

    • to test state-of-the-art artificial intelligence and machine learning (AI/ML) detection methods on raw data,
    • to investigate AI/ML methods to exploit incoming incident information from different sources, which may be local data sources or separate SOCs.

    For both main goals special attention will be dedicated to how to share information efficiently. Threats detected on raw data need to be communicated using the IDMEFv2 format, and incoming threat information from other sources / locations is also expected to use the IDMEFv2 format.

    The following tasks are set:

    • Task 5.1 AI Threat Detection in Raw Data is about the detection of threats from raw data, i.e. both raw data from logs and raw data from hardware signals of embedded systems, summarized network data and/or social engineering channels. The aim is to test current tools and state-of-the-art AI/ML techniques on structured data represented as an attributed heterogeneous graph. Several steps are to be considered:

    1) identification and collection of relevant raw hardware data from embedded systems (HPC, syscalls, etc.);

    2) structuring of raw data using existing tools to obtain table-like structured data;

    3) construction of relevant graphs;

    4) AI/ML models on graph and heterogeneous data to assess link or node threat level. Several data sources (e.g. process, system, network) may be initially processed separately.

    • Task 5.2 Integration of the IDMEFv2 format is focused on information sharing. The questions it addresses are:

    1) How to convert a detected threat from 5.1 to an IDMEFv2 message describing the threat, possibly including additional information generated by AI/ML. Several messages may also be used if multiple stages are involved;

    2) How to use incoming IDMEFv2 messages to identify possibly related events in a separate data source or at another SOC. A preliminary step will be to use the IDMEFv2 message to identify the threat and the related events in the original data source (log, message, channel) from the SOC emitting the IDMEFv2 alert. An underlying goal of the task is to provide feedback regarding what data to include in the IDMEFv2 format to get the most out of the AI/ML tools, while making sure that the shared data respect ethics and do not cause unintended harm. This implies being responsible about respecting the privacy of users and not disclosing sensitive information.

    • Task 5.3 Multiple source AI threat Detect is about generating alerts or improving alert descriptions by using IDMEFv2 messages as input. The questions it addresses are a) how to leverage external information to improve the detection of a local threat; b) how to combine related threat information from multiple sources to create higher level consolidated alerts or improve threat intelligence. Here a collection of IDMEFv2 messages may be seen as higher level log data on which AI/ML may be used to generate higher level alerts. Importantly, IDMEFv2 messages may come from separate entities (e.g. independent networks, SOCs or countries) that cannot easily share information beyond the IDMEFv2 messages.

    • Task 5.4 AI Tools Transfer and Tuning focuses on transferring the work done in WP5 to the simulator and pilots in WP7 and WP8, using tools developed in WP4. It will also include tuning of the proposed AI/ML models using data generated by the simulations / pilots.
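    As an added illustration of the two directions described in Task 5.2 (this is not code from the project), the Python below wraps a detection produced by a Task 5.1 scorer into an IDMEFv2-style message, and then shows how a SOC receiving such a message can pull related events out of its own log. The IDMEFv2 key names follow the author's reading of the IDMEFv2 draft and are an assumption to be checked against the current schema; the detection shape, analyzer name and all log rows are constructed sample values.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed output of a Task 5.1 scorer (assumed shape): an IP node flagged for
# repeated failed SSH logins against a local host, with the attributes used to score it.
DETECTION = {
    "src_ip": "203.0.113.7", "target_ip": "192.0.2.10", "port": 22,
    "users_tried": ["alice", "root", "bob"], "score": 0.93, "category": "Attempt.Login",
}

# Constructed auth-log rows as another SOC might hold them (step 2 of Task 5.2).
PEER_SOC_AUTH = [
    {"ts": "2024-05-01T10:02:11Z", "src": "203.0.113.7", "dst": "198.51.100.3", "ok": False},
    {"ts": "2024-05-01T10:05:40Z", "src": "198.51.100.20", "dst": "198.51.100.3", "ok": True},
    {"ts": "2024-05-01T10:09:03Z", "src": "203.0.113.7", "dst": "198.51.100.4", "ok": False},
]

def to_idmefv2(det, analyzer_name="wp5-graph-scorer"):
    """Wrap a detection in an IDMEFv2-style message (key names are an assumption drawn
    from the IDMEFv2 draft; check them against the current schema). Local detail that
    a peer does not need, such as the user names tried, is deliberately left out so
    the shared message carries only what is needed to correlate."""
    return {
        "Version": "2.0.3",
        "ID": str(uuid.uuid4()),
        "CreateTime": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "Category": [det["category"]],
        "Severity": "High" if det["score"] >= 0.9 else "Medium",
        "Confidence": det["score"],
        "Analyzer": {"Name": analyzer_name, "Category": ["HIDS"], "Data": ["Log"],
                     "Method": ["Statistical"]},
        "Source": [{"IP": det["src_ip"]}],
        "Target": [{"IP": det["target_ip"], "Port": [det["port"]]}],
    }

def find_related(msg, local_rows):
    """Step 2 of Task 5.2: given a received message, return the local rows that share a
    Source IP with it, so the receiving SOC can check whether the same actor touched it."""
    shared_ips = {s["IP"] for s in msg.get("Source", []) if "IP" in s}
    return [r for r in local_rows if r["src"] in shared_ips]

if __name__ == "__main__":
    msg = to_idmefv2(DETECTION)
    print(json.dumps(msg, indent=2))
    for row in find_related(msg, PEER_SOC_AUTH):
        print("peer SOC related event:", row)
```

    Run stand-alone, it prints the message and the two peer-SOC rows that match its Source IP; the feedback loop the task describes (what to put in the message) is visible here as the choice of which detection attributes survive into the shared form.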

    Deliverables:

      • 1 Report on AI tools for multi-level threat detection – M32