BSidesLuxembourg 2025

Fortifying Cyber Defenses: A hands-on workshop with IDPS-ESCAPE and SATRAP
2025-06-19, Classroom 3 workshops

This workshop offers a hands-on presentation of two open-source tools from the CyFORT project, bridging the gap between state-of-the-art academic research and real-world SOC/CSIRT operations: IDPS-ESCAPE, a SOAR platform with an AI-driven anomaly detection toolbox (ADBox), and SATRAP, a platform for computer-aided analysis of Cyber Threat Intelligence (CTI) assisted by logic-based automated reasoning.

Participants will learn how to integrate an open-source SIEM (Wazuh) with ADBox and its Multivariate Time-Series Anomaly Detection via Graph Attention Networks (MTAD-GAT) algorithm, how to configure anomaly detectors by training new ML models and applying them to SIEM-ingested data to respond to adversarial attacks, and how to automate response workflows. They will also gain hands-on experience setting up a CTI knowledge base and streamlining CTI analysis investigations using the CTI Analysis Toolbox of SATRAP.

Duration: 2 hours
Level: Intermediate (familiarity with concepts in basic machine learning, SIEM/IDPS and CTI recommended)

Workshop outline

I. Introduction to IDPS-ESCAPE

  • Presentation of the IDPS-ESCAPE architecture and its building blocks: open-source SOAR, ADBox, Wazuh-Suricata integration, and anomaly detection training and prediction pipelines
  • Use cases: user and entity behavior analytics (UEBA), automated response/prevention based on detected anomalies
  • Demonstration: Deploying ADBox for Multivariate Anomaly Detection
  1. Configure ADBox to ingest Wazuh alerts and resource metrics
  2. Train a custom MTAD-GAT model and a monitor to detect suspicious behavior (UEBA)
  3. Visualize anomalies in Wazuh Dashboards
  4. Overview of IDPS-ESCAPE integrations: Wazuh, Suricata, MISP, OpenCTI, OpenBAS
  5. Overview of implemented UEBA and AD scenarios, along with implemented active responses

II. Introduction to SATRAP

  • Overview of SATRAP and its application in cyber threat intelligence, plus an explanation of logic-based automated reasoning and its benefits
  • Hands-On Lab: CTI analysis with SATRAP
  1. Setting up SATRAP in a controlled environment
  2. Creating and populating a CTI knowledge base
  3. Developing a playbook as a Jupyter Notebook that walks through a step-by-step CTI investigation using the automated reasoning functions of the SATRAP Python CTI Analysis Toolbox

III. Integration and best practices

  • Strategies for integrating IDPS-ESCAPE and SATRAP with existing security systems
  • Best practices for maintaining and updating these tools
  • Q&A session to address participant queries and challenges

Target Audience

  • SOC analysts and CTI teams seeking to enhance detection, investigation and mitigation capabilities
  • Security engineers interested in SOAR systems and open-source tools
  • Researchers exploring practical applications of anomaly detection and automated reasoning
  • Curious learners

Requirements

  • A basic understanding of cybersecurity concepts and familiarity with security tools
  • Laptop with Docker and preferably VS Code installed
  • Basic Python and GNU/Linux experience (no advanced ML expertise required)

Arash, CTO at itrust Abstractions Lab, is a research scientist and programmer specializing in quantum-safe cryptography, information theory and mathematical software, with 12 years of experience in academic research in theoretical computer science and mathematics and 20 years of experience in programming and software engineering. He has worked and published in (post-)quantum/classical cryptography, information theory, discrete mathematics, provable (information) security, mathematical optimization, mathematical software, evolutionary computation, bioinformatics, semantic search and systems programming. He holds a PhD in Computer Science, specialized in quantum-safe cryptography and information theory.

Abstractions Lab provides solutions for the trustworthiness and security of digital systems. We apply and advance state-of-the-art results in computer science and mathematics to design, develop, and analyze conceptual solutions and concrete tools for secure software and cyber-physical systems. We are driven by the belief that cryptography and formal methods form the mathematical foundation for building correct and secure systems.

Arash will be presenting IDPS-ESCAPE at this workshop.

Itzel is a computer scientist and software engineer who enjoys research on computational logic, cryptography, and their intersection. She embraces the challenges of exploring and innovating in these fields for the design and development of information security solutions in diverse domains.