Exploring Security Monitoring Data

The Swiss AI Lab IDSIA is conducting exploratory research on SWITCH-CERT security monitoring data. Sandra Mitrović, IDSIA and Jakob Dhondt, SWITCH-CERT talk about their collaboration in this SWITCH Innovation Lab.

Published on 07.10.2020

SWITCH: Sandra, what fascinates you about artificial intelligence (AI) and machine learning (ML)?

Sandra Mitrović: With machine learning we're able to go a step forward and to model a possible future. It fascinates me to discover non-obvious things and maybe predict aspects of future events. For example, for my PhD I modelled customer behaviour, predicting which customers will terminate their contracts, based on their customer experience.

Where do you see the potential of ML and AI with security data?

SM: There is undeniably a lot of potential to use these methods on security data as recent research has shown. Obviously, it depends on the data sets you use, but it's also about asking the right questions. That's why collaborations like this one with SWITCH-CERT are so important. We as AI researchers know how to handle data, how to train and make models but we don't necessarily know which findings would be useful for the domain we're modelling for.

Jakob, why did SWITCH-CERT approach IDSIA?

Jakob Dhondt: We handle an enormous amount of different types of security data in our team every day. We have access to data that spans from local incidents in our NREN SWITCHlan and the .ch registry to global data that we receive from our international network of CERT partners.

The purpose of this SWITCH Innovation Lab is to explore the possibilities and methods that could be deployed to use our data in new ways. That is why we're collaborating with AI experts to actually look at the data from their perspective.

Sandra, what’s your perspective on the potential of the data available to SWITCH-CERT?

SM: To be honest I don't understand all of the data, as I'm not a security expert, but yes, there seem to be many hidden possibilities. Even the data of the Security Reports we're now working on is 7 million event logs. From the perspective of AI or ML that's exciting. The bigger and more varied the data, the better the model.

SWITCH: How did you set out at the beginning of this lab?

JD: We looked at different data sets and discussed their potential with IDSIA. Together we decided to use the Security Report data sets as they were most suitable in terms of size and the use-cases we had in mind.

Which use cases did you want to explore further?

JD: We are particularly interested in predictive use cases. For example, it would be beneficial to recognise certain patterns before a host gets compromised. These patterns could then be checked against all the hosts of our customers. Thereby we could ideally predict and prevent an attack in an automated way.

So far, we don't have this actionable result. But the collaboration with IDSIA is very rewarding for us in terms of evaluating the wealth and potential of our data from a machine learning perspective.

How do you collaborate in your daily work?

SM: Our collaboration has been a fast and smooth process. We started analysing the data and at this stage we usually have a lot of questions regarding the actual meaning of the data. We had many interesting discussions with Jakob and the CERT team, looking at patterns and results of what we are modelling.

What are the biggest learnings for this lab so far?

JD: In order to get an actionable result, the problem or use case you want to solve needs to be as small and precise as possible. I think we've learned a lot about how to collaborate in this area, which is very valuable. And although we don't have a product or service that we will now develop, there might be a use case which we will want to explore further with IDSIA in the future.

SWITCH Innovation Labs

A new platform for collaboration with partners from the higher education community, with the aim of expanding the foundation's innovation base.

Sandra Mitrović

Sandra Mitrović is a postdoctoral researcher at IDSIA (Dalle Molle Institute for Artificial Intelligence). She has a background in Applied Mathematics and Computer Science and holds a Master's in Data Mining and Knowledge Management from Université Pierre et Marie Curie and a PhD from KU Leuven. Her research interests encompass natural language processing, representation learning, (social) network analysis and machine learning in general.

Jakob Dhondt

After gaining a master's degree in computer science at KU Leuven, Jakob Dhondt joined SWITCH in 2017. As part of SWITCH-CERT he is working as a security expert focussing on DNS.