Triple tap at CNS'25

7 July 2025, by Mathias Fischer

Photo: https://cns2025.ieee-cns.org/

Triple tap at the IEEE Conference on Communications and Network Security (CNS 2025)! We congratulate Anum, Liliana and Kevin for their listed works accepted to the conference:

• "Tagging Alerts to Adversaries: ML-Enabled Classification Using MITRE ATT&CK Framework"
• "Real-Time Detection of Multi-Stage Attacks using Kill Chain State Machines"
• "Enhancing Privacy through Unlinkable Data Sharing with User-in-the-Loop Access Control"

We look forward to presenting our findings at the conference in Avignon, France (September 8-11, 2025) and seek an exchange with international researchers.

Abstract – Tagging Alerts to Adversaries: ML-Enabled Classification Using MITRE ATT&CK Framework:

An intrusion detection system (IDS) in an enterprise network plays an important role in identifying and alerting suspicious activity. The triggered alerts are generated along with false alarms where a legitimate activity is mistakenly classified as malicious and results in alerts fatigue. Too many alerts that are not integrated and lack related context and correlation can burden security analytics and make prioritization of threats more challenging. For security operations centers (SOCs) in an enterprise, it can result in critical alerts being overlooked or undetected, which can lead to dire attacks not being identified on time. Therefore, an automated tagging of alerts for prioritization of high-risk events is important. To overcome this challenge, we use machine learning (ML) to enrich the alerts of IDS with the real-world adversary information of the MITRE ATT&CK framework. In particular, we leverage the knowledge of the MITRE ATT&CK matrix for enterprise and apply multi-layer perceptron (MLP) and transformer-based learning in a novel way to uncover the possible correlation of alerts to known adversarial behaviors (or tactics). We evaluate our models over the recent security logs of the real enterprise network and demonstrate an accuracy of up to 95% with our automated alert classification. Extensive experiments are performed with publicly available datasets as well to demonstrate the performance of the transformer model and verify its effectiveness against different IDS setups.

Abstract – Real-Time Detection of Multi-Stage Attacks using Kill Chain State Machines:

Cyber threats present an ongoing challenge for organisations worldwide. Attackers range from cyber criminals to state-funded groups that have a specialised skill set to execute complex attacks and present an Advanced Persistent Threat(APT). Therefore, organisations use security monitoring as a second line of defence to detect attacks based on signatures that raise alarms when an Indicator of Compromise (IoC) is observed. However, current Intrusion Detection Systems (IDS) generate many false positives, leading to alert fatigue. The raised alerts also do not show the whole attack as they need to be dissected individually. Our work presents a simplified approach that enables efficient and real-time construction of attacks by correlating alerts. Tests with different network datasets suggest that our prioritisation mechanisms can reduce the number of false-positive alerts by 99%. Our performance evaluation indicates that we can detect multi-stage attacks in real time with a low memory footprint and short execution time.

Abstract – Enhancing Privacy through Unlinkable Data Sharing with User-in-the-Loop Access Control:

In our information-driven society, the volume of data generated by individuals has grown significantly. Protecting the privacy of individuals is becoming more challenging, as this data can reveal detailed insights into personal preferences and behavior. To address this challenge, we introduce a user-centric, privacy-preserving data-sharing solution that leverages a central data storage service, hereafter referred to as the data intermediary. By integrating local differential privacy with user-in-the-loop access control, our system enables data providers to securely and unlinkably store their data at the intermediary. Data consumers can localize and request data via the intermediary. The data providers are included in access decisions without disclosing their identity nor by enabling the linking of their data. We evaluated our approach using theoretical analysis and simulations. Our findings indicate that our system achieves ε-privacy and safeguards data providers against external and internal attackers, malicious data consumers, and an honest-but-curious intermediary. Moreover, our method reduces the message overhead for data discovery in our system by more than half compared to existing approaches.