Security BSides Las Vegas 2025

Root Cause and Attack Flows: Interpretable ML for Alert & Log Correlation
2025-08-06, Siena

In cybersecurity, analysts routinely drown in noisy, fragmented alerts—making it difficult to uncover coordinated, multi-stage attacks. This talk introduces an innovative approach to contextualizing alerts and extracting hidden attack chains using fully explainable, open-source machine learning—no black boxes or complex large-language models involved. Attendees will explore how clustering algorithms, temporal knowledge graphs, and Markovian sequencing methods can systematically map security alerts, logs, and telemetry to MITRE ATT&CK Techniques, clearly revealing attacker tactics and objectives. The session will include practical demonstrations using the speaker’s open-source tool, Attack Flow Detector, available on GitHub. Participants do not need deep data science expertise; basic familiarity with MITRE ATT&CK and standard SOC processes will help maximize learning outcomes. After attending, participants will understand how to implement transparent ML-based correlation workflows, reduce false positives, accelerate response times, and detect stealthy, multi-step attack flows.


This talk introduces an open-source approach to alert correlation and attack flow reconstruction using interpretable machine learning—not LLMs or black-box AI. Designed for SOC analysts and defenders, the presentation walks through how to map logs and alerts to MITRE ATT&CK techniques, cluster them into meaningful stages, and chain those stages into full attack narratives. The goal is to expose coordinated attacks that hide within fragmented telemetry, false positives, and lone incidents.

Attendees will learn how to apply context-driven techniques—like density-based clustering, temporal graph modeling, and simple NLP classifiers—to turn noisy data into actionable insight. We’ll demonstrate how the Attack Flow Detector tool performs this work in real-world-style environments, outputting root cause analysis and ticket-ready reports. The talk emphasizes transparency, explainability, and practicality—giving hackers and blue teamers a framework to trace attacker movement through data they already have, without needing search-heavy SIEMs or opaque AI platforms.
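As an added illustration, not the Attack Flow Detector's own code, the Python below sketches the two later pipeline steps described above on constructed alerts that are assumed to already carry an ATT&CK technique id (the mapping step is taken as done): a time-gap clustering that groups each host's alerts into stages, and a first-order Markov transition table whose counts stay inspectable, from which the most likely technique chain is read off.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, host, ATT&CK technique id).
# Two hosts show the same phishing-to-credential-dumping sequence; one
# host has a lone scan alert that should not be chained to anything.
ALERTS = [
    ("2025-08-06T10:00:00", "host-a", "T1566"),  # Phishing
    ("2025-08-06T10:02:00", "host-a", "T1204"),  # User Execution
    ("2025-08-06T10:05:00", "host-a", "T1059"),  # Command and Scripting Interpreter
    ("2025-08-06T10:09:00", "host-a", "T1003"),  # OS Credential Dumping
    ("2025-08-06T10:40:00", "host-b", "T1046"),  # Network Service Discovery (isolated)
    ("2025-08-06T14:00:00", "host-c", "T1566"),
    ("2025-08-06T14:03:00", "host-c", "T1204"),
    ("2025-08-06T14:07:00", "host-c", "T1059"),
    ("2025-08-06T14:12:00", "host-c", "T1003"),
]

def cluster_by_time(alerts, gap=timedelta(minutes=15)):
    """Group each host's alerts into stages: a new cluster starts whenever the
    gap to the previous alert on that host exceeds `gap` (1-D density clustering)."""
    per_host = defaultdict(list)
    for ts, host, tech in sorted(alerts):
        per_host[host].append((datetime.fromisoformat(ts), tech))
    clusters = []
    for host, events in per_host.items():
        current = [events[0]]
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] > gap:
                clusters.append((host, current))
                current = []
            current.append(cur)
        clusters.append((host, current))
    return clusters

def transition_model(clusters):
    """First-order Markov transition probabilities between consecutive techniques
    inside a cluster; every probability derives from a visible count."""
    counts = defaultdict(Counter)
    for _, events in clusters:
        techs = [t for _, t in events]
        for a, b in zip(techs, techs[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}

def most_likely_flow(model, start, max_len=6):
    """Follow the highest-probability transition from `start` until none remains."""
    flow = [start]
    while flow[-1] in model and len(flow) < max_len:
        nxt = max(model[flow[-1]], key=model[flow[-1]].get)
        if nxt in flow:  # stop on a cycle
            break
        flow.append(nxt)
    return flow
```

Run on the constructed data, `most_likely_flow(transition_model(cluster_by_time(ALERTS)), "T1566")` yields the chain T1566, T1204, T1059, T1003, while the lone T1046 alert stays a single-element flow.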

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.