2025-06-19 –, Classroom 3 workshops
This workshop offers a hands-on presentation of two open-source tools from the CyFORT project, bridging the gap between state-of-the-art academic research and real-world SOC/CSIRT operations: IDPS-ESCAPE, a SOAR platform with an AI-driven anomaly detection toolbox (ADBox), and SATRAP, a platform for computer-aided analysis of Cyber Threat Intelligence (CTI) assisted by logic-based automated reasoning.
Participants will learn how to integrate an open-source SIEM (Wazuh) with ADBox and its Multivariate Time-Series Anomaly Detection via Graph Attention Networks (MTAD-GAT) algorithm, as well as how to configure anomaly detectors by training new ML models and using them on SIEM-level ingested data to respond to adversarial attacks, and automate response workflows. They will also gain hands-on experience setting up a CTI knowledge base and streamlining CTI analysis investigations using the CTI Analysis Toolbox of SATRAP.
Duration: 2 hours
Level: Intermediate (familiarity with concepts in basic machine learning, SIEM/IDPS and CTI recommended)
Workshop outline
- Introduction to IDPS-ESCAPE
- Overview of the IDPS-ESCAPE architecture: ADBox, Wazuh integration, and anomaly detection pipelines
- Use cases: user and entity behavior analytics (UEBA), and false-positive reduction
- Demonstration: Deploying ADBox for Multivariate Anomaly Detection
- Configure ADBox to ingest Wazuh alerts and resource metrics
- Train a custom MTAD-GAT model and monitor to detect suspicious behavior (UEBA)
- Visualize anomalies in Wazuh Dashboards and automate Wazuh alert enrichment
- Introduction to SATRAP
- Overview of SATRAP and its application in cyber threat intelligence, plus an explanation of logic-based automated reasoning and its benefits
- Hands-On Lab: CTI analysis with SATRAP
- Setting up SATRAP in a controlled environment
- Creating and populating a CTI knowledge base
- Developing a playbook in the form of a Jupyter Notebook to demonstrate how we can benefit from the automated reasoning functions of the SATRAP Python CTI Analysis Toolbox in a step-by-step CTI investigation
- Integration and best practices
- Strategies for integrating IDPS-ESCAPE and SATRAP with existing security systems
- Best practices for maintaining and updating these tools
- Q&A session to address participant queries and challenges
Target Audience
- SOC analysts and CTI teams seeking to enhance detection, investigation and mitigation capabilities
- Security engineers interested in SOAR automation and open-source tooling
- Researchers exploring practical applications of anomaly detection and automated reasoning
- Curious learners
Requirements
- A basic understanding of cybersecurity concepts and familiarity with security tools
- Laptop with Docker installed
- Basic Python and GNU/Linux experience (no advanced ML expertise required)
Abstractions Lab provides solutions aimed at ensuring the trustworthiness and security of digital systems by advancing the state-of-the-art and applying novel results from computer science and mathematics for the design, development, and analysis of conceptual solutions as well as concrete tools for secure software and cyber physical systems.
Our philosophy is rooted in the belief that correct and secure systems are built on a solid mathematical foundation, with cryptography and formal methods forming its main pillars. This allows systems with well-specified security goals, to be designed, analyzed, and proven secure under all modelled circumstances in well-defined scenarios.
We are a small team of computer scientists, mathematicians and software engineers passionate about computer science and mathematics, and their application to information security. We specialize in classical/(post-)quantum cryptography, applied logic, software security, artificial intelligence and cyber-physical system security.
- IDPS-ESCAPE presenter: Arash
- SATRAP presenter: Itzel
