Telecom SudParis is a public graduate school of engineering, recognized at the highest level in the domain of digital technology. The quality of its courses is founded on the scientific excellence of its faculty and on teaching techniques that emphasize project management, innovation and intercultural understanding. Telecom SudParis is part of the Institut Mines-Telecom, the number one group of engineering schools in France, under the supervision of the Minister for Industry. Telecom SudParis, together with Ecole Polytechnique, ENSTA Paris, ENSAE Paris and Telecom Paris, is a co-founder of the Institut Polytechnique de Paris, an institute of science and technology with an international vocation.
Its assets include: a personalized course, varied opportunities, the no.3 incubator in France, an ICT research center, an international campus shared with Institut Mines-Telecom Business School and over 60 student societies and clubs.
Behavioural approaches based on machine learning generate many false positives. When deep learning methods are used, false positives are especially difficult to explain, because a deep model is often treated as a black box that is hard to interpret. However, many tools are available to correlate the influence of the learning features on the detection results. These tools make it possible to explain a posteriori a model that is otherwise difficult or impossible to interpret.
Early detection of certain events that lead to intrusions will allow operators to predict the emergence of attacks and to prevent or mitigate them more quickly. The ability to correlate and aggregate a large number of heterogeneous events at different levels (features, causality, temporality) will also allow operators to focus their attention on the most important or relevant events, making processing more efficient and able to scale up.
In this project, we aim to assist a human operator in decision making and incident response. Our visualisation approaches will allow 1) characterising anomalies to process them more accurately/efficiently or even anticipate them, by knowing the events or parameters that generated them; 2) aggregating and correlating anomalies in order to reduce the workload, by knowing the temporal or causal links; 3) explaining detection errors by a posteriori analysis of the samples.
There are many tools for visualising model features; the best known allow correlations to be computed, making it possible to reduce the number of features but also to evaluate their influence (principal component analysis, linear discriminant analysis, the t-SNE algorithm). Combining these different approaches (statistical and visual) should make it possible to better understand behavioural approaches in deep learning and to exploit them in cases where the intrusions are more discreet.
More recent approaches such as SHAP will make it possible to determine the elements of an alert or an anomaly that gave rise to its (mis)classification. Attention mechanisms can also be used to highlight certain causal, correlational or influential relationships.
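As an added illustration of the two goals above (characterising an anomaly by the features that generated it, and aggregating related anomalies to reduce the operator's workload), the block below is example code written for this page; it is not the project's own model or data. It stands in a simple z-score detector for the deep learning model, because its anomaly score is a sum of per-feature terms and so each term is an exact attribution, the same additive property that SHAP values provide for an arbitrary model. The feature names, the baseline of "normal" activity and the threshold are all constructed for the example.

```python
"""Added example (not from the original posting): a posteriori explanation
of anomaly alerts from a simple statistical detector, plus aggregation of
alerts that share a time window and a dominant feature.
All feature names, baseline rows and thresholds are constructed here."""
import math

# Constructed per-host feature names (hypothetical, not the project's).
FEATURES = ["bytes_out", "conn_count", "failed_logins", "dns_queries"]

# Constructed baseline of "normal" activity, one row per minute.
NORMAL = [
    [1200, 15, 0, 30], [1100, 14, 1, 28], [1300, 16, 0, 33],
    [1250, 15, 0, 31], [1150, 13, 1, 29], [1280, 17, 0, 32],
    [1220, 15, 0, 30], [1190, 14, 0, 31],
]


def fit_baseline(rows):
    """Per-feature mean and standard deviation of the normal data."""
    n = len(rows)
    means = [sum(r[i] for r in rows) / n for i in range(len(FEATURES))]
    stds = []
    for i, m in enumerate(means):
        var = sum((r[i] - m) ** 2 for r in rows) / n
        stds.append(math.sqrt(var) or 1.0)  # guard a constant feature
    return means, stds


def contributions(sample, means, stds):
    """Squared z-score per feature: the additive pieces of the anomaly
    score. Because the score is a plain sum, each piece is an exact
    attribution of how much that feature pushed the sample towards an
    alert (the role SHAP values play for a non-additive deep model)."""
    return {f: ((sample[i] - means[i]) / stds[i]) ** 2
            for i, f in enumerate(FEATURES)}


def explain(sample, means, stds, threshold=16.0):
    """Return (is_alert, score, features ranked by contribution).
    The threshold of 16 (one feature at 4 sigma) is a constructed choice."""
    contrib = contributions(sample, means, stds)
    score = sum(contrib.values())
    ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
    return score >= threshold, score, ranked


def aggregate_alerts(alerts, window=300):
    """Group (timestamp, top_feature) alerts: an alert joins the first
    group with the same dominant feature whose first alert is within
    `window` seconds, otherwise it opens a new group. This is the
    temporal/causal aggregation that lets an operator triage one group
    instead of every individual alert."""
    groups = []
    for ts, top_feature in sorted(alerts):
        for g in groups:
            if g["feature"] == top_feature and ts - g["start"] <= window:
                g["timestamps"].append(ts)
                break
        else:
            groups.append({"feature": top_feature, "start": ts,
                           "timestamps": [ts]})
    return groups


if __name__ == "__main__":
    means, stds = fit_baseline(NORMAL)
    # Constructed observation: a burst of failed logins at an otherwise
    # normal traffic level.
    is_alert, score, ranked = explain([1210, 15, 40, 30], means, stds)
    print("alert:", is_alert, "score: %.1f" % score)
    for feature, share in ranked:
        print("  %-14s %10.1f" % (feature, share))
    alerts = [(0, "failed_logins"), (120, "failed_logins"),
              (200, "bytes_out"), (1000, "failed_logins")]
    for g in aggregate_alerts(alerts):
        print(g["feature"], g["timestamps"])
```

The ranked list answers the operator's first question about an alert (which feature, by how much), and the group list answers the second (which alerts belong together). With a real deep learning detector the `contributions` function would be replaced by SHAP values or attention weights, and the rest of the workflow stays the same.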
The results of this project will provide an explainable framework for behavioural detectors based on deep learning in order to augment the different learning phases (from data collection, to the validation of a model representative of normal data, to the representation of data as robust features and the training of the detection model).
Essential skills, knowledge and experience