The Swiss AI Lab IDSIA is conducting exploratory research on SWITCH-CERT security monitoring data. Sandra Mitrović (IDSIA) and Jakob Dhondt (SWITCH-CERT) talk about their collaboration in this SWITCH Innovation Lab.
Sandra Mitrović: With machine learning we're able to go a step forward and to model a possible future. It fascinates me to discover non-obvious things and maybe predict aspects of future events. For example, for my PhD I modelled customer behaviour, predicting which customers will terminate their contracts, based on their customer experience.
SM: There is undeniably a lot of potential to use these methods on security data, as recent research has shown. Obviously, it depends on the data sets you use, but it's also about asking the right questions. That's why collaborations like this one with SWITCH-CERT are so important. We as AI researchers know how to handle data, how to train and make models, but we don't necessarily know which findings would be useful for the domain we're modelling for.
Jakob Dhondt: We handle an enormous amount of different types of security data in our team every day. We have access to data that spans from local incidents in our NREN SWITCHlan and the .ch registry to global data that we receive from our international network of CERT partners.
The purpose of this SWITCH Innovation Lab is to explore the possibilities and methods that could be deployed to use our data in new ways. That is why we're collaborating with AI experts to actually look at the data from their perspective.
SM: To be honest, I don't understand all of the data, as I'm not a security expert, but yes, there seem to be many hidden possibilities. Even the data of the Security Reports we're now working on is 7 million event logs. From the perspective of AI or ML that's exciting. The bigger and more varied the data, the better the model.
JD: We looked at different data sets and discussed their potential with IDSIA. Together we decided to use the Security Report data sets as they were most suitable in terms of size and the use-cases we had in mind.
JD: We are particularly interested in predictive use cases. For example, it would be beneficial to recognise certain patterns before a host gets compromised. These patterns could then be checked against all the hosts of our customers. Thereby we could ideally predict and prevent an attack in an automated way.
So far, we don't have this actionable result. But the collaboration with IDSIA is very rewarding for us in terms of evaluating the wealth and potential of our data from a machine learning perspective.
SM: Our collaboration has been a fast and smooth process. We started analysing the data and at this stage we usually have a lot of questions regarding the actual meaning of the data. We had many interesting discussions with Jakob and the CERT team, looking at patterns and results of what we are modelling.
JD: In order to get an actionable result, the problem or use case you want to solve needs to be as small and precise as possible. I think we've learned a lot about how to collaborate in this area, which is very valuable. And although we don't have a product or service that we will now develop, there might be a use case which we will want to explore further with IDSIA in the future.