A safer digital society through security monitoring and detection
Technology, data, AI and data-driven solutions are becoming increasingly important to the functioning of our society. Unfortunately, this also brings risks, as cyberattacks are becoming increasingly sophisticated. Security Monitoring and Detection, which involves analysing network traffic and data to identify suspicious patterns, offers companies opportunities to enhance their cybersecurity.
Algorithms Against Blind Spots
With the help of advanced algorithms and software prototypes, TNO helps organizations detect attackers who are already operating inside their internal networks. This reduces the blind spots of security teams and so limits the damage an attacker can do. The solution is particularly valuable for banks, companies with intranets, data centres, hosting providers, cloud providers, and security firms.
How does Security Monitoring & Detection work?
Think of protecting your house from burglars and fire. Against burglary, good locks and an alarm seem to be the answer. But what if an intruder copies your key and learns your alarm code without being noticed, and can therefore enter at any time? Every preventive measure is then bypassed, and only a detective control, such as a camera, will reveal the intrusion.
The same holds for digital systems: because of their complexity and the volume of data they handle, preventive measures alone cannot guarantee security. Security Monitoring & Detection addresses this by developing algorithms that recognise suspicious patterns in network traffic and logs, such as a host making regular, repeated connections to the same outside address, a pattern that can indicate malware reporting to a command-and-control server. The goal is to detect an attack quickly and limit its impact; how well that works depends on the quality of the algorithms.
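The "frequent connections" pattern mentioned above is commonly called beaconing. The following detector, an added example and not TNO's code, runs over a constructed connection log in an assumed format of "ISO timestamp, source IP, destination IP, destination port", one line per connection. It groups connections per (source, destination, port), computes the inter-arrival times, and reports triples whose gaps have a low coefficient of variation (standard deviation divided by mean): a timer-driven check-in stays regular even with a few seconds of jitter, whereas human browsing does not. The thresholds `MIN_CONNECTIONS` and `MAX_CV` are assumed tuning values.

```python
"""Beaconing detector run over a constructed connection log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 8   # below this the interval statistics are not meaningful (assumption)
MAX_CV = 0.15         # threshold on stdev/mean of the gaps; an assumed tuning value


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def beacon_candidates(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return {(src, dst, port): (count, mean_gap_seconds, cv)} for regular flows."""
    stamps = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        stamps[(src, dst, port)].append(ts)

    found = {}
    for key, times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:            # everything in the same second: not a timer pattern
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found[key] = (len(times), round(mu, 1), round(cv, 3))
    return found


# Constructed sample log: a ~60 s beacon with a few seconds of jitter,
# an irregular browsing session, and a pair with too few connections.
_BASE = datetime(2024, 3, 1, 8, 0, 0)
_BEACON_OFFSETS = [0, 61, 119, 182, 240, 299, 362, 418, 480, 541]
_BROWSING_OFFSETS = [0, 5, 125, 132, 532, 547, 607, 1507, 1510, 1540]
_SHORT_OFFSETS = [0, 30, 60]


def _lines(offsets, src, dst, port):
    return [f"{(_BASE + timedelta(seconds=o)).isoformat()} {src} {dst} {port}"
            for o in offsets]


SAMPLE_LOG = (
    ["# constructed connection log"]
    + _lines(_BEACON_OFFSETS, "10.0.0.5", "203.0.113.7", 443)
    + _lines(_BROWSING_OFFSETS, "10.0.0.8", "198.51.100.20", 443)
    + _lines(_SHORT_OFFSETS, "10.0.0.9", "203.0.113.7", 443)
)

if __name__ == "__main__":
    for (src, dst, port), (n, mu, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}: {n} connections every ~{mu}s (cv={cv})")
```

On the sample log only the 10.0.0.5 to 203.0.113.7 flow is reported. Regularity on its own is a weak signal: legitimate software updaters and monitoring agents also beacon, and malware can add large random sleeps to push the coefficient of variation above the threshold, so in practice this feature is combined with others, such as how rare the destination is across the organization and how long the flow has persisted.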
What is Security Monitoring and Detection needed for?
Research and innovation in Security Monitoring & Detection (SM&D) is therefore essential for organizations to:
- Limit the damage from attacks, including zero-day attacks that no preventive control recognises.
- Create secure and defendable IT and Operational Technology (OT) infrastructures.
- Deploy the human effort in security operations centres (SOCs) efficiently.
- Leverage Artificial Intelligence (AI) to defend against (AI-powered) cyberattacks.
What does TNO do in this field?
With our research, we push the boundaries of current technology and explore new frontiers in security monitoring and detection. We ensure that our research has practical applications by working closely with our partners.
We have experience with synthetic as well as operational data, which lets us develop solutions that work in practice and genuinely help companies. The tools we develop automate more and more of the detection work. We also examine an organization's internal network, not only attacks coming from outside.
Our focus:
We develop high-quality, actionable anomaly detectors with as few false positives as possible. This is a precondition for early, automated response, which limits both the damage and the analyst effort during an attack. Our methods include combining multiple data sources, keeping human experts in the loop, and applying new techniques such as causal AI and graph networks. To gain experience and to test our detectors in a safe environment, we have built an internal, fully automated and customizable IT cyber range at TNO.
We design and implement methods to detect attacks on critical infrastructure. This is essential for the safety of modern Dutch society, which depends increasingly on operational technology (transport, energy, water, industry, and so on).
We specialize in protecting AI models and detecting misuse of AI. As AI becomes part of software, new vulnerabilities arise that also need security monitoring: poisoned training data can corrupt a model, and adversarially altered inputs can evade AI-driven detectors. We also work on identifying AI-driven attacks, including advanced threats such as deepfake phone calls, to protect our digital society against the evolving risks of AI.
In practice: use cases
In this project we aim to find the true causes behind an application-layer (L7) DDoS attack. The method first detects anomalies that may indicate an L7 DDoS attack which has bypassed the existing defences, and then uses causal AI to explain which factors actually produced those anomalies, so that the root cause rather than only the symptom is understood.
Every day, organizations receive notifications of malicious IP addresses via cyber threat intelligence (CTI) feeds. When an IP address appears on such a feed, the obvious question is for how long it had already been under the attacker's control. We introduce a data-driven approach that gives deeper insight into the characteristics of IP addresses used for command-and-control (C2) traffic. Our method, implemented in a tool, identifies ownership changes of IP addresses, and applying it has shown that some malware C2 infrastructure is probably under the attacker's control long before it is discovered and listed on popular blocklists.
In collaboration with a major Dutch organization, we are developing an explainable AI model that can detect long-running, hard-to-trace multi-stage attacks. Such attacks require considerable skill, time and patience, and are designed to stay unnoticed. Consider, for example, the time and expertise invested in the XZ Utils backdoor, where a pseudonymous contributor spent years earning maintainer trust before inserting a backdoor into XZ Utils, a compression library used across Linux distributions, which would have allowed arbitrary code execution on affected systems.
By correlating network events over time, we can identify patterns and anomalies that indicate the individual steps of a multi-stage attack path, so that responders know exactly which hosts and which steps need to be countered.
Every week we hear about fraud, disinformation and synthetic content that increasingly affect people's lives. We are developing a real-time, fusion-model detector for synthetic or manipulated voices. Its aim is to identify deepfake voices, voice-phishing attacks and phone scams, and to warn the listener that the voice is not genuine.
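As an added example of the time-based correlation described above (not TNO's model), the code below assumes a constructed event stream of (timestamp, host, stage) tuples, where "stage" is a label that upstream detectors are assumed to have assigned, and an assumed expected stage order. For each host it finds the longest chain of events whose stages occur in that order with at most `MAX_GAP` between consecutive stages, and reports hosts whose chain covers at least `MIN_STAGES` stages. A single noisy detector firing repeatedly, or events in the wrong order, never form a chain, which is what keeps the output actionable.

```python
"""Correlating per-host events over time into multi-stage attack paths (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stage order; a real deployment maps its detector alerts onto such labels.
STAGES = ("scan", "credential_use", "lateral_movement", "exfiltration")
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

MAX_GAP = timedelta(days=14)   # longest dwell accepted between two consecutive stages (assumption)
MIN_STAGES = 3                 # chains shorter than this are not reported (assumption)


def attack_paths(events, max_gap=MAX_GAP, min_stages=MIN_STAGES):
    """Return {host: [(timestamp, stage), ...]} for hosts with a qualifying chain."""
    per_host = defaultdict(list)
    for ts, host, stage in events:
        per_host[host].append((ts, STAGE_INDEX[stage]))

    paths = {}
    for host, evs in per_host.items():
        evs.sort()
        # best[i]: indices of the longest in-order chain that ends at event i
        best = [[i] for i in range(len(evs))]
        for i, (ti, si) in enumerate(evs):
            for j in range(i):
                tj, sj = evs[j]
                if sj < si and ti - tj <= max_gap and len(best[j]) + 1 > len(best[i]):
                    best[i] = best[j] + [i]
        chain = max(best, key=len, default=[])
        if len(chain) >= min_stages:
            paths[host] = [(evs[k][0], STAGES[evs[k][1]]) for k in chain]
    return paths


def _day(n):
    return datetime(2024, 5, 1) + timedelta(days=n)


# Constructed events: one slow, complete intrusion on ws-017, plus noise elsewhere.
SAMPLE_EVENTS = [
    (_day(1), "ws-017", "scan"),
    (_day(2), "ws-017", "credential_use"),
    (_day(3), "ws-017", "lateral_movement"),
    (_day(5), "ws-017", "scan"),              # a repeated scan does not break the chain
    (_day(9), "ws-017", "exfiltration"),
    (_day(1), "ws-042", "exfiltration"),      # large upload before any scan: wrong order
    (_day(2), "ws-042", "scan"),
    (_day(1), "srv-db", "scan"),              # one noisy detector firing repeatedly
    (_day(2), "srv-db", "scan"),
    (_day(3), "srv-db", "scan"),
    (_day(1), "ws-099", "scan"),
    (_day(30), "ws-099", "credential_use"),   # 29 days apart: outside MAX_GAP
]

if __name__ == "__main__":
    for host, chain in attack_paths(SAMPLE_EVENTS).items():
        steps = " -> ".join(f"{stage}@{ts:%Y-%m-%d}" for ts, stage in chain)
        print(f"{host}: {steps}")
```

On the sample data only ws-017 is reported, with the four stages in order over eight days. The chain search is quadratic in the number of events per host, which is fine for alert-level events but not for raw flows; in practice the stage labels come from detectors such as the beaconing check above, and the gap and length thresholds are tuned against known benign sequences (patching, backups) to keep false positives low.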
Our partners
We collaborate with public and private organizations to develop the newest techniques related to Security Monitoring & Detection. We work in multi-stakeholder research projects as well as in international research programs. We also run several projects within the PCSI partnership, such as Finding API, AIwareness and Early warning system insider attacks.