
Project: Threat detection and hunting

Mathias Ekstedt

PhD student, 5 years, starting 2025

This project is largely the opposite of automated penetration testing. Fundamentally it is a project on the topic of intrusion detection, but unlike much research in the area, which studies the fundamental question of what can be observed and distinguished as an attack in large data sets (of network traffic, host logs, etc.), this project aims at making use of a broader range of state-of-the-art threat detection signals and logs collected over larger networks and system environments, and at looking for emerging system-wide patterns beyond what is currently done.

Here the challenge centres on which data to investigate further in order to improve certainty in the intrusion assessment, given some previously observed set of signals. The scenario is that more data exists than can actually be taken into account in the assessment (in time, or for other reasons), so that careful data retrieval strategies are needed for rational assessments.

By using attack graphs, hypotheses over attack vectors can be formed from a limited set of intrusion signals. The work will follow a similar approach to that of Kim and Dán [KD22], but it will build on the Meta Attack Language (MAL) [JLE18]. By running attack simulations in the “MAL simulator” (see project description below) it is also possible to synthetically generate attacks for learning patterns in the intrusion signals. In order to realize this data generation, two key extensions of the simulation formalism are needed: the explicit introduction of the defender's observational capability with respect to the attacker, and a mechanism for defining how signals and logs are generated from legitimate user behavior in the system.

Thus, this project will both extend and refine existing attack simulation infrastructure as well as develop new intrusion detection capabilities, for instance using machine learning. In addition to the use case of detecting ongoing attacks, we also want to explore how this solution can support threat hunting activities by guiding the search for additional intrusion evidence based on currently observed signals and probable behavior according to the attack graph.
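The following is an added illustration of the retrieval-strategy idea described above (hypotheses over attack paths formed from a few observed signals, then a ranking of which not-yet-retrieved log sources are worth fetching next); it is example code written for this page, not the MAL simulator or any code from the project. The attack graph, the detection signals, their true/false positive rates (the defender's observational capability) and the observed alerts are all constructed toy values. The hypothesis space is {no attack} plus each simple path through the graph; the ranking criterion is expected entropy reduction per unit retrieval cost, which is one common way to operationalize "which data to look at next", not the project's chosen method.

```python
"""Toy attack-graph-guided data retrieval for threat hunting (illustrative only).

Everything here is constructed for the example: the attack graph, the
detection signals with their true/false positive rates, and the observed
alerts. It is not the MAL simulator, nor code from the project described.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed attack graph: parent step -> child steps it enables (OR semantics:
# any one compromised parent is enough to reach the child).
ATTACK_GRAPH = {
    "phish": ["hostAccess"],
    "hostAccess": ["privEsc", "lateral"],
    "privEsc": ["credDump"],
    "credDump": ["lateral"],
    "lateral": ["serverAccess"],
    "serverAccess": ["exfil"],
    "exfil": [],
}
ENTRY, TARGET = "phish", "exfil"


@dataclass(frozen=True)
class Signal:
    """A log/detection source as the defender can observe it (constructed values)."""
    name: str
    step: str           # attack step this signal is evidence for
    tpr: float          # P(signal fires | step compromised)
    fpr: float          # P(signal fires | step not compromised)
    cost: float = 1.0   # relative retrieval cost (time, analyst effort)


SIGNALS = [
    Signal("email_gw_alert", "phish", 0.6, 0.05),
    Signal("edr_new_process", "hostAccess", 0.7, 0.10),
    Signal("edr_privesc", "privEsc", 0.5, 0.02),
    Signal("lsass_access", "credDump", 0.8, 0.01),
    Signal("netflow_anomaly", "lateral", 0.4, 0.10),
    Signal("server_auth_log", "serverAccess", 0.7, 0.05),
    Signal("egress_volume", "exfil", 0.6, 0.05),
]


def attack_paths(graph, entry, target):
    """Enumerate simple paths from entry to target; each path is one attack hypothesis."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(frozenset(path))
            continue
        for child in graph[node]:
            if child not in path:
                stack.append((child, path + [child]))
    return paths


def likelihood(signal, fired, hypothesis):
    """P(observed signal state | hypothesis), using tpr if the step is on the path else fpr."""
    p_fire = signal.tpr if signal.step in hypothesis else signal.fpr
    return p_fire if fired else 1.0 - p_fire


def posterior(hypotheses, evidence, signals, prior_attack):
    """Bayesian update over {no attack} plus attack paths, given retrieved signals."""
    by_name = {s.name: s for s in signals}
    n_attack = sum(1 for h in hypotheses if h)
    weights = {}
    for h in hypotheses:
        w = (1.0 - prior_attack) if not h else prior_attack / n_attack
        for name, fired in evidence.items():
            w *= likelihood(by_name[name], fired, h)
        weights[h] = w
    total = sum(weights.values())
    return {h: w / total for h, w in weights.items()}


def entropy_bits(dist):
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def rank_next_retrievals(evidence, signals=SIGNALS, graph=ATTACK_GRAPH, prior_attack=0.1):
    """Return (posterior over hypotheses, unretrieved signals ranked by info gain per cost)."""
    hypotheses = [frozenset()] + attack_paths(graph, ENTRY, TARGET)
    post = posterior(hypotheses, evidence, signals, prior_attack)
    h_now = entropy_bits(post)
    ranked = []
    for s in signals:
        if s.name in evidence:          # already retrieved, nothing more to learn
            continue
        expected = 0.0
        for fired in (True, False):     # average over what the signal might show
            p_outcome = sum(post[h] * likelihood(s, fired, h) for h in hypotheses)
            if p_outcome > 0:
                new_post = posterior(hypotheses, {**evidence, s.name: fired}, signals, prior_attack)
                expected += p_outcome * entropy_bits(new_post)
        ranked.append((s.name, (h_now - expected) / s.cost))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return post, ranked


if __name__ == "__main__":
    # Constructed scenario: a mail-gateway alert and an EDR process alert have been seen.
    observed = {"email_gw_alert": True, "edr_new_process": True}
    post, ranked = rank_next_retrievals(observed)
    for h, p in post.items():
        print(f"{sorted(h) or 'no attack'}: {p:.3f}")
    for name, gain in ranked:
        print(f"retrieve next? {name:16s} expected gain {gain:.3f} bits/cost")
```

With the two observed alerts, the two attack paths (via lateral movement directly, or via privilege escalation and credential dumping first) are equally likely and the no-attack hypothesis has become improbable; the ranking therefore favours the LSASS access log, the one source that separates the two paths, over the lateral-movement and egress sources that both paths would trigger. Replacing the hand-written graph with paths exported from a MAL-based simulation, and the tpr/fpr pairs with rates measured from simulated legitimate and attacker behaviour, is the point where such a strategy would connect to the infrastructure the project describes.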

As an add-on to the analysis, attribution could also be supported by matching and filtering detection signals to expected behavioral patterns of different threat actors.