CasK

CasK: Multi-agent behavioural endpoint models for the detection of cyberattacks across the kill chain (NVISO)

Context

Cyber-attacks are becoming more sophisticated and complex.

This project aims to improve current endpoint monitoring using artificial intelligence. Significant innovations are proposed from both research and business perspectives.

From the research perspective, the project first moves from flat event-based models to hierarchical multi-agent models. Second, syntactic analysis of log files is enhanced with knowledge of the IT infrastructure to obtain behavioral information. Finally, artificial life techniques are used to model behavior and dynamics (e.g., to integrate the malware life cycle and the kill chain). It is these abstract behavioral views that are then used to separate “normal” from “malicious” information using machine learning.

From a business perspective, this technological innovation will allow us to move from

– rigid, expensive, and difficult-to-maintain rule-based systems to

– flexible, scalable systems that learn the baseline behavior of each new context in which they are deployed (or independently of that context).

Partners

NVISO is a consulting firm focused exclusively on information, information technology and cybersecurity. NVISO has a clear industry focus and a strong track record in the financial, public and technology sectors.

Main Topic

Many anomaly detection techniques analyze network traffic [Bhuyan14]. The main objective of this project is instead to generate a high-level behavioral view of the state of the client’s computing environment from endpoint logs. Once this high-level view is obtained, we plan to provide several further views to machine learning algorithms in order to identify atypical or aberrant behaviors that a human analyst could not feasibly review.

Objectives

The objectives of the project are to

* decrease the number of events an analyst has to investigate;
* decrease the number of false-positive events to consider;
* increase detection of true positive events;
* decrease the time needed to pinpoint a malicious event.


Project Info

Start: 01/04/2019

End: 31/09/2022

Funding: Innoviris

Involved Members: Kristof Van Moffaert, Leticia Arco García, Johan Loeckx