Final event
08-11-2022
We were proud to be part of Cyber Security Week Luxembourg and look back on a fantastic event. A big thank you to our participants, speakers and partners!

Future needs of next generation SOCs and CSIRTs
08-11-2022
Most SOCs and CSIRTs have a good set of capabilities. But present-day SOC and CSIRT capabilities simply do not suffice to deal with the persistence and sophistication of professional threat actors, also considering the increasing complexity of ICT infrastructures and shortage of skilled staff. Therefore we need to increase the speed and effectiveness of detection of and response to ongoing attacks, and the scope, effectiveness and efficiency of proactive analysis of threats to the ICT infrastructure to enhance its cyber resilience.
Read our latest blog post on the future needs of SOCs and CSIRTs, written by Reinder Wolthuis and Frank Fransen.
Automating the hunt for new DGAs and other malicious domains
05-10-2022
Read our latest blog post on the hunt for new DGAs, written by Piotr Kijewski, CEO at The Shadowserver Foundation.
“The work in SOCCRATES has helped achieve real-world impact through the detection of new threats and large scale victim notification alerts to the Internet defender community.”
Piotr Kijewski
Deep dive session on the SOCCRATES platform at the ONE Conference 2022
03-10-2022
We are proud to be part of the ONE Conference 2022. Join the deep dive session on 18 October in The Hague.
In this session, we will present our experiences of designing, implementing and evaluating the SOCCRATES security automation platform for SOC/CSIRTs. First the vision, use cases, KPIs and the components of the platform will be introduced. Next we will present the experiences of designing and implementing the SOCCRATES Platform, and elaborate on the results of the evaluation at three pilot sites. Finally, we will conclude with lessons learned and next steps.
In this deep dive session, a detailed overview of the SOCCRATES platform will be presented accompanied by a step-by-step demonstration of how the SOCCRATES Platform provides situational and option awareness for SOC analysts and CSIRT teams during ongoing attacks. In addition, a detailed demonstration will be given on how the platform assesses the discovery of new vulnerable assets in an ICT infrastructure and how it can prepare recommendations to mitigate business risk.
Open access paper
15-09-2022
Wojciech Wideł, Preetam Mukherjee, and Mathias Ekstedt from our partner KTH published in IEEE Access about their work in the SOCCRATES project.
Mathias Ekstedt: ‘This paper covers the underlying algorithm that was developed for automatically suggesting courses of actions to the SOC operator. It analyzes the structure of attack graphs generated from models of the monitored ICT infrastructure and fits defense actions into a specified available budget.’

Blog post: From Anomalies to Actions
23-08-2022
Agron Bajraktari, Francesca Soro, David Allison and Paul Smith from our partner AIT wrote a blog post about their work in the SOCCRATES project: ‘From Anomalies to Actions: Reasoning About the Root Cause of Anomalies to Determine Actionable Insights for Cyber-Attack Mitigation’.
SOCCRATES final event: ‘Innovation for Next Generation SOCs’
05-07-2022
Defending against cyber-attacks has become a challenging task for most organisations. How can we innovate SOCs and CSIRTs and enhance them to be ready for current and future threats?
The SOCCRATES research project aims to take control of the growing cyberthreats by developing and implementing a security automation and decision support platform. At the SOCCRATES final event, you will get an insight into the world of security automation. We will demonstrate the SOCCRATES platform, share project learnings and explore future developments. Hands-on demos will provide you with insights into how SOCCRATES innovations improve the effectiveness of the cybersecurity workforce.
Programme highlights
• Keynote speech by Christine Bejerasco, CTO WithSecure: ‘Threat Landscape & A New Security Mindset’
• SOCCRATES vision & results
• Use case demos: SOCCRATES use cases and infrastructure, infrastructure modelling, the SOCCRATES platform
• Pilot learnings
• SOCCRATES results in commercial and Open Source products
• Presentation of the SOCCRATES vision paper
We will conclude the presentations with an informal networking reception.
‘Threat Landscape & A New Security Mindset’, keynote speech by Christine Bejerasco
From taking a peek at the most effective cyber threats and their evolution, to prioritizing areas to protect in a world of increasing technology sprawl, Bejerasco will show that threat actors adapt swiftly to changes in technologies and human behavior. Bejerasco also shares a method for prioritization based on the desired outcomes of the organization.
Vision Paper
The SOCCRATES Vision Paper provides a vision and concrete next steps on innovative security automation and answers questions such as ‘Why should we invest in automated security and how do you start?’, ‘What does the Next Generation SOC look like?’ and ‘How can we integrate automation into our way of working?’. After the event you will receive a copy of the SOCCRATES vision paper.
Practical information
Wednesday, 19 October 2022
13:30 – 17:30
Luxexpo The Box
10, Circuit de la Foire Internationale
L-1347 Luxembourg-Kirchberg
Registration
Your registration is free of charge, but mandatory.
Cybersecurity Week Luxembourg
The SOCCRATES final event is organised in collaboration with the Cybersecurity Week Luxembourg (CSWL) (18-20 October 2022). If you want to register for the programme of the CSWL, you can do so separately via the event website. On this page you only register for the SOCCRATES final event.
Download SOCCRATES Vision Paper
16-05-2022
Organisations face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing and there is a shortage of qualified cybersecurity experts. To deal with these challenges, many organisations have increased their efforts in security monitoring and incident response and established (internal) SOCs and CSIRTs (or outsourced these tasks to a MSSP). But even with these increased defence efforts, the levels of cyberthreat exposure cannot be sufficiently reduced.
Continuous innovation and investment in automation is needed in SOCs and CSIRTs to stay ahead of the threats. The SOCCRATES Vision Paper provides a vision and concrete next steps on innovative security automation and answers questions such as ‘Why should we invest in automated security and how do you start?’, ‘What does the Next Generation SOC look like?’ and ‘How can we integrate automation into our way of working?’.
To receive a printed copy of the SOCCRATES vision paper, please send an email including your email address and postal address to: info@soccrates.eu.
SOCCRATES final event
In autumn 2022 there will be the SOCCRATES final event, where we will demonstrate the SOCCRATES platform, share project learnings and explore future developments. You are cordially invited! Stay tuned to our website for details.
PvIB Article of the Year 2021 Award!
04-05-2022
Our article in (the Dutch) IB Magazine about SOCCRATES has won the PvIB Article of the Year 2021 Award!
‘SOCCRATES-Security automation in SOC & CSIRT environments’
4th International Workshop on Next Generation Security Operations Centers (NG-SOC 2022)
02-05-2022
We are proud to announce the 4th International Workshop on Next Generation Security Operations Centers (NG-SOC 2022) to be held in conjunction with the 17th International Conference on Availability, Reliability and Security (ARES). This workshop is jointly organized by SOCCRATES, SAPPAN and CyberSEAS Project.
Promising solutions
The aim of this workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. Through cooperation among European projects, the workshop intends to provide a more comprehensive overview of the promising research-based solutions that enable timely response to emerging threats and support different aspects of the security analysis and recovery process.
2nd Joint Workshop – Dynamic Countering of Cyber-attacks | Achievements and Standardisation
26-01-2022
Following the success of the first edition of the workshop back in 2021, SOCCRATES announces its participation in the 2nd Joint Workshop – Dynamic countering of cyber-attacks, which will take place virtually between 9:00 and 16:00 CET on the 8th of February 2022.
Organised by the CyberSANE project, and this time supported by the FIWARE Foundation, the workshop aims at gathering the projects from the SU-ICT-01-2018 H2020 call, whose main topic is Dynamic countering of cyber-attacks, to share the main progress of the project, create synergies and set a common ground for standardisation activities. Moreover, experts representing each project will discuss the different approaches to the common problem of attack detection and situational awareness in different environments.
Attending this event
More information about the agenda and speakers can be found on the registration page. Attending this event is free of charge, however, registration is required.
The participating projects are: SOCCRATES, C4IIoT, CARAMEL, GUARD, SAPPAN and SIMARGL.

SOCCRATES
SOCCRATES aims to develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs) of individual organisations and offered by Managed Security Service Providers (MSSP). They will significantly improve their capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks by using this platform. The platform contains innovative solutions for automated infrastructure modelling, improved attack detection, Cyber Threat Intelligence utilization, AI and machine learning based threat trend prediction, and automation using Attack Defence Graphs (ADG) and business impact modelling to aid human analysis and decision making on the best course of action, enabling the execution of defensive actions at machine-speed.
CyberSANE
CyberSANE enhances the security and resilience of Critical Information Infrastructures (CIIs) by providing a dynamic collaborative, warning and response system supporting and guiding security officers and operators to recognise, identify, dynamically analyse, forecast, treat and respond to advanced persistent threats (APTs) and handle their daily cyber incidents using structured and unstructured data such as logs, network traffic, or data coming from social networks. CyberSANE introduces a holistic and privacy-aware approach in handling security incidents, addressing the complexity of these nets consisting of cyber assets hosted in cross-border, heterogeneous CIIs from the Energy, Maritime Transportation and Healthcare sectors. The CyberSANE System is an innovative, knowledge-based, collaborative security and response dynamic system, capable of implementing all phases of the Cyber incident handling life cycle for increasing the agility of the security professionals and encouraging continuous learning.
C4IIoT
C4IIoT will design, build and demonstrate a novel and unified Cybersecurity 4.0 framework that implements an innovative IoT architecture paradigm to provide an end-to-end holistic and disruptive security-enabling solution for minimizing the attack surfaces in Industrial IoT systems. C4IIoT bridges cyber assurance and protection, machine (deep) learning (ML/DL), edge/cloud computing, blockchain and Big Data technologies to provide a viable scheme for enabling security and accountability, preserving privacy, enabling reliability and assuring trustworthiness within evolving IIoT applications and processes (e.g. automotive). C4IIoT novel cybersecurity mechanisms are carefully orchestrated across all infrastructure elements involved within an IIoT system (e.g., IIoT devices, field gateways, cloud resources) and are based upon analysis of various data flows (e.g., IIoT device data, encrypted network flows).
CARAMEL
CARAMEL is a project that aims to introduce an innovative anti-hacking intrusion detection/prevention system for the European automotive industry. Their goal is to proactively address modern vehicle cybersecurity challenges applying advanced Artificial Intelligence (AI) and Machine Learning (ML) techniques and also to continuously seek methods to mitigate associated safety risks. In order to address cybersecurity considerations for the autonomous and connected vehicles that are already here, well-established methodologies coming from the ICT sector will be adopted, making it possible to assess vulnerabilities and potential cyberattack impacts. Although past initiatives and cybersecurity projects related to the automotive industry have arrived at security assurance frameworks for networked vehicles, several newly introduced technological dimensions like 5G, autopilots, and smart charging of Electric Vehicles (EVs) introduce cybersecurity gaps, not addressed satisfactorily yet. Considering the entire supply chain of automotive operations, CARAMEL targets to reach commercial anti-hacking IDS/IPS products for the European automotive cybersecurity and to demonstrate their value through extensive attack and penetration scenarios.
GUARD
GUARD is a cybersecurity framework to Guarantee Reliability and trust for Digital service chains. They aim to design a holistic framework for advanced end-to-end assurance and protection of business service chains. GUARD also aims to improve the detection of attacks and identification of new threats as well as develop fine-grained, programmable and low-overhead monitoring, inspection and enforcement systems. Further to improving awareness and reactions to incidents, GUARD aims to elaborate new business models for commercial exploitation after the project lifetime.
SAPPAN
SAPPAN aims to develop a platform for sharing and automation to enable privacy preserving and efficient response and recovery utilizing advanced data analysis and machine learning. They will provide a cyber threat intelligence system that decreases the effort required by a security analyst to find optimal responses to and ways to recover from an attack. This will be enabled within a single organization as well as across organisations through novel models for privacy-preserving data processing and sharing. SAPPAN will also enable a European level perspective on advanced cyber security threats detection, response, and recovery making four key contributions that go beyond existing approaches: (1) privacy-preserving aggregation and data analytics including advanced client-side abstractions; (2) federated threat detection based on sharing of anonymised data and sharing of trained machine learning models; (3) standardisation of knowledge in the context of incident response and recovery to enable reuse and sharing; (4) visual, interactive support for Security Operation Center operators. SAPPAN aims to provide solutions for public international institutions and multinational companies who want to enrich their Situational Awareness by sharing cyber security intelligence as well as solutions for small and midsize companies enabling them to outsource intrusion detection.
SIMARGL
SIMARGL is a project co-funded by the European Commission under the Horizon 2020 programme, to combat the pressing problem of malware. It aims to tackle the new challenges in the cybersecurity field, including information hiding methods, network anomalies, stegomalware, ransomware and mobile malware. SIMARGL will offer an integrated and validated toolkit improving European cybersecurity. The cutting-edge of the proposed solution stems from the development of a more general approach, one that has the ability to counteract the new, complex malware. SIMARGL will use breakthrough methods and algorithms to analyze the data from networks, such as: concept drift detectors, advanced signal processing and transformations, lifelong learning intelligent systems (LLIS) approach, hybrid classifiers, and deep learning, just to mention some techniques.
SOCCRATES presentation ONE conference now online!
11-10-2021
Martin Eian from mnemonic gave a presentation at the ONE conference, which took place on Tuesday 28 and Wednesday 29 September 2021 in the Netherlands. The presentation with the title SOCCRATES Project – Automating Threat Intelligence and Adversary Emulation is now online and can be viewed here.

Second series of SOCCRATES webinars
28-09-2021
SOCCRATES will organise the second series of webinars that will run until June of 2022 and address results achieved at the (Mnemonic, Vattenfall and Shadowserver) pilot sites. SOCCRATES webinars are free of charge but subject to registration. An overview of the planned webinars can be found here.
The second series of SOCCRATES webinars starts with a theme session (28 September 2021, 15.30-17.00 CET) on Detecting DGA related threats in collaboration with the EU research project SAPPAN. More information on this webinar can be found here.
Best paper award at IEEE CSR 2021 conference!
13-07-2021
The paper “Mapping cyber threat intelligence to probabilistic attack graphs” by A. Gylling, M. Ekstedt, Z. Afzal, and P. Eliasson, partly financed by SOCCRATES, received the best research paper award at the 2021 IEEE International Conference on Cyber Security and Resilience (IEEE CSR), July 26th – 28th.

Agenda of the NG-SOC 2021 workshop, August 17th is now available
12-07-2021
The agenda for the jointly organized NG-SOC 2021 workshop, to be held in conjunction with the 16th International Conference on Availability, Reliability and Security (https://www.ares-conference.eu/conference-2021/detailed-program/) is now available: https://www.ares-conference.eu/workshops-eu-symposium/ng-soc-2021/
To attend the workshop, a registration for the ARES conference in the amount of 60€ + 20% VAT (Regular Attendee) is required. Registration can be done here: https://www.ares-conference.eu/registration-all-digital-conference/
SOCCRATES submissions accepted for annual FIRST conference
26-04-2021
We’ve made two SOCCRATES submissions to the 33rd Annual FIRST Conference: “Crossing Uncertain Times,” to be held virtually on June 7-9, 2021.
And they were both accepted!
* Martin Eian (mnemonic) will present the topic: ‘Adversary Emulation – Generating MITRE ATT&CK Technique Sequences’, which will be a prerecorded session
* Erik Ringdahl (foreseeti) and Frank Fransen (TNO) will present the topic: ‘Attack Defense Graph Analysis for Supporting SOC and CSIRT Operations’, which will be a Live Presentation on Wednesday June 9th, 2021.
This acceptance by the prestigious FIRST annual conference is a great appreciation for the work we do in SOCCRATES!
Deadline extended for Workshop on Next Generation Security Operations Centers (NG-SOC 2021)
22-04-2021
The deadline for submissions for the NG SOC workshop, jointly organized by SAPPAN and SOCCRATES in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021 – http://www.ares-conference.eu) has been extended to May 14th!
The important dates are:
– Submission Deadline May 14th, 2021
– Author Notification May 31, 2021
– Proceedings Version June 13, 2021
– ARES EU Symposium August 17, 2021
– Conference August 17 – August 20, 2021
The call for papers can also be found here: ARES Conference » NG-SOC 2021 (ares-conference.eu). The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found at https://www.ares-conference.eu/conference/submission/.
Positive SOCCRATES mid term review
16-04-2021
SOCCRATES is already halfway through its project lifetime, so we had our mid-term review on Wednesday April 14th. We prepared for a day of presentations and demos and had very good questions from and discussions with our EU Project Officer (PO) and the three expert reviewers. They also provided us with some very useful suggestions. We received their first feedback at the end of the day (formal feedback report will follow). Although there were some attention points, overall feedback was that our PO and the reviewers were very happy with the progress we’ve made in the project. In particular the newly developed Adversary Emulation Plan tool, presented by Martin Eian (mnemonic), was considered to be really cool. It will be shared as Open Source soon. Our PO also requested us to share our vision on future SOC/CSIRT developments as early as possible, so this can serve as input on upcoming SOC/CSIRT initiatives at EU level. Of course we will gladly fulfill this honorable request.
3rd International Workshop on Next Generation Security Operations Centers (NG-SOC 2021)
15-03-2021
Two H2020 projects: SOCCRATES (https://www.soccrates.eu/) and SAPPAN (https://sappan-project.eu/) jointly organize the NG-SOC 2021 workshop, to be held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021 – http://www.ares-conference.eu)
August 17 – August 20, 2021, Vienna, Austria

Important Dates
– Submission Deadline April 30, 2021
– Author Notification May 31, 2021
– Proceedings Version June 13, 2021
– ARES EU Symposium August 17, 2021
– Conference August 17 – August 20, 2021
Submission Guidelines
The call for papers can also be found here: ARES Conference » NG-SOC 2021 (ares-conference.eu). The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found at https://www.ares-conference.eu/conference/submission/.
Workshop Description
Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by the introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.
The aim of this workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. Through cooperation among H2020 European projects, the workshop intends to provide a more comprehensive overview of the promising research-based solutions that enable timely response to emerging threats and support different aspects of the security analysis and recovery process.
Topics of interest include, but are not limited to:
• Collaborative Incident Response and Recovery
• Machine Learning for Security and Privacy
• Intrusion Detection
• Network Security
• Standardization and Sharing of Cybersecurity Knowledge
• Endpoint Security
• Privacy Aspects of Sharing in Cybersecurity
• Cyber Threat Intelligence Utilization
• Situation Awareness and Decision Support Tools for SOC
• Novel Visualization Tools and Approaches for SOC
• Security of Machine Learning
• Attacks against Deep Learning (e.g. Adversarial Examples)
• Malware Identification and Analysis
• Vulnerability Discovery
• Digital Forensics and Attack Attribution
• Natural Language Processing (NLP) for Security
• Threat Trend Modelling and Prediction
• Attack and Defence Modelling
• Host Behaviour Profiling
• User Behaviour Analytics (UBA)
• Advanced Persistent Threat Detection and Analysis
• Security Event Fusion, Correlation and Severity Analysis
Workshop Chairs
Irina Chiscop, TNO, Netherlands
Tomas Jirsik, Masaryk University, Brno, Czech Republic
Avikarsha Mandal, Fraunhofer FIT, Aachen, Germany
Ewa Piatkowska, AIT Austrian Institute of Technology, Austria
Program Committee
Ville Alkkiomäki, F-Secure, Finland
Manos Athanatos, FORTH-ICS, Greece
Mathias Ekstedt, KTH, Sweden
Muriel Figueredo Franco, University of Zurich UZH, Switzerland
Frank Fransen, TNO, The Netherlands
Leandros Maglaras, De Montfort University, Leicester, UK
Preetam Mukherjee, KTH, Sweden
Dimitrios Serpanos, Industrial Systems Institute, Greece
Edward Staddon, INRIA, France
Daniel Tovarnak, Masaryk University, Czech Republic
Ruben Trapero, ATOS, Spain
Petr Velan, Masaryk University, Czech Republic
Daniel Weber, LRZ, Germany
Markus Wurzenberger, AIT Austrian Institute of Technology, Austria
Martin Zadnik, CESNET, Czech Republic
Joint Standardisation Workshop of Dynamic countering of cyber-attacks projects
12-01-2021
On January 22nd 2021 all projects that are funded in the H2020 call SU-ICT-01-2018 will have a joint workshop to exchange knowledge and to develop plans for collaborative standardisation and dissemination activities. We intend to utilise intra-project synergies to increase the overall impact of the projects and consequently increase the resilience of the EU community against cyber-attacks.

SOCCRATES PRESENTED AT ERICSSON BY SHADOWSERVER
03-11-2020
At the Ericsson Internal Network Security Seminar on September 22nd 2020, The Shadowserver Foundation was invited to give a presentation. The presentation was titled “Large Scale Internet Garbage Collection and sharing”.
Abstract:
The Shadowserver Foundation has been collecting network threat information on a big-data scale for many years with a mission to make the Internet a more secure environment for all. The collected data is shared with 112+ National CSIRTs and 5900+ network owners worldwide via the Shadowserver free daily remediation feeds and used to support various law enforcement investigations. Data collection and management on such a scale is a big challenge – the talk will give an overview of how Shadowserver operates, what data it collects and what threat information can be inferred from it, how the information is being shared and how Shadowserver has supported various malware botnet takedowns and disruptions.
D4.2 Threat Identification and Threat Trend Prediction – Initial Prototype
15-09-2020
This deliverable provides an overview of the initial threat identification and trend prediction toolset prototyping carried out as part of Task 4.2 in WP4: Threat Identification and Threat Trend Prediction. A set of Dockerized tools utilizing ML and string similarity algorithms has been developed for the purpose of identifying and classifying DGA-based domains in large domain datasets derived from The Shadowserver Foundation’s malware sandbox.
SOC Automation 101: Let’s Make the SOC Great (-er) Again!
17-07-2020
Wednesday August 26, 2020 4:00 PM – 5:10 PM CEST
SOCCRATES and the SECO institute jointly organize a webinar on August 26th (4 PM-5.10 PM CEST) about SOC automation. During this webinar we’ll evaluate automation as one of the solutions to overcoming major challenges that Security Operations Centers face today. We’ll evaluate time consuming tasks that could be automated to increase the efficiency of a SOC and help the Security Analyst to evolve from a fire-fighter to a more proactive response expert.
Rob van Os (SOC Manager at de Volksbank and member of the SOCCRATES stakeholder group) explains why and how a SOC should embrace automation to deal with ‘alert overkill’; manage security tools that generate a lot of data; increase SOC efficiency and outputs; and make the Security Analyst job ‘Great Again’. Erik Ringdahl and Frank Fransen from SOCCRATES deliver a short presentation and a demo of the Attack Defence Graph Analyser, that automatically and continuously generates models of IT architectures in a SOC to perform automated attack simulations and threat modelling, predict how attacks might propagate and suggest mitigations.
Participation is free upon timely registration:
https://register.gotowebinar.com/register/6946483974829535502
SOCCRATES and SAPPAN organise International Workshop on NG SOC in conjunction with ARES, August 25, 2020
07-07-2020
Overview
Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.
The aim of the NG-SOC 2020 workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. The workshop will draw on expertise from two EU-funded H2020 projects: SAPPAN (https://sappan-project.eu/) and SOCCRATES (https://www.soccrates.eu/). Selected members of the projects’ consortia will present their research activities. The workshop will include a panel session to foster discussion on the major operational challenges that enterprises and SOC operators face and provide insights into promising research-based solutions.
Project abstract
The workshop is jointly organized by two H2020 projects that are funded by the European Commission:
SOCCRATES project (https://www.soccrates.eu/) will develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs), that will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The SOCCRATES Platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and enable the execution of defensive actions at machine-speed. The SOCCRATES Platform aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the SOC. The outcomes of the project will contribute to a more secure cyberspace and strengthen competitiveness in the EU digital single market.
SAPPAN project (https://sappan-project.eu/) aims to enable efficient protection of modern ICT infrastructures via advanced data acquisition, threat analysis, and privacy-aware sharing and distribution of threat intelligence aimed to dynamically support human operators in response and recovery actions. The SAPPAN project will develop a collaborative, federated, and scalable attack detection to support response activities and allow for timely responses to newly emerging threats supporting different privacy-levels. We plan to identify a standard for the interoperable and machine-readable description of incident response reports and recovery solutions. The risk assessment, privacy, and security will be addressed in the standard design. Results of both attack detection and recovery and response processes will be shared on a global level to achieve an advanced response and recovery via knowledge sharing and federated learning. We develop a mechanism for sharing information on threat intelligence, which implements a combination of encryption and anonymization to achieve GDPR compliance. Novel visualization techniques will be developed to assist security and IT personnel and provide an enhanced content of context of the response and recovery, and improved visual presentation of the process.
Topics of interest include, but are not limited to:
- Security Operation Center (SOC)
- Anomaly Detection
- Network Intrusion Detection Systems
- Domain Generation Algorithms
- Cyber Threat Intelligence Utilization
- Privacy-aware Threat Intelligence Sharing
- Business Impact Modelling
- Attack Analysis with Attack Defence Graphs (ADGs)
- Visual Presentation to Support Response and Recovery Actions
Workshop Agenda (Tuesday, 25th of August 2020 | 9:00 – 17:45)
Time | Talk | Speaker(s) | Duration [min]
--- | --- | --- | ---
Session 1 (Ewa Piatkowska) | | | 90
09:00 – 09:05 | Welcome | Ewa Piatkowska | 5
09:05 – 09:25 | The SOCCRATES Project: Overview and Objectives | Frank Fransen (TNO) | 20
09:25 – 09:45 | The SAPPAN Project: Overview and Objectives | Avikarsha Mandal (Fraunhofer FIT) | 20
09:45 – 10:30 | Keynote: Semi-Automated Cyber Threat Intelligence (ACT) | Martin Eian (Mnemonic) | 45
10:30 – 11:00 | Coffee break | | 30
Session 2 (Tomas Jirsik) | | | 100
11:00 – 11:20 | Monitoring Malicious Infrastructures to Produce Threat Intelligence | Piotr Kijewski (Shadowserver) | 20
11:20 – 11:40 | Pipeline development for Automatically Generated Domain detection | Irina Chiscop (TNO) | 20
11:40 – 12:00 | Leveraging Machine Learning for DGA Detection | Arthur Drichel (RWTH Aachen University) | 20
12:00 – 12:20 | Knowledge Management and Anonymization Techniques in Cyber-Threat Intelligence | Lasse Nitz, Mehdi Akbari Gurabi (Fraunhofer FIT) | 20
12:20 – 12:40 | Reputation Management Techniques for IP addresses, domains, and mail | Mischa Obrecht (DreamLab) | 20
12:40 – 13:45 | Lunch break | | 65
Session 3 (Avikarsha Mandal) | | | 80
13:45 – 14:05 | Host and Application Behaviour Modelling | Tomas Jirsik (Masaryk University) and Sebastian Schaefer (RWTH Aachen University) | 20
14:05 – 14:25 | L-ADS: Live Anomaly Detection System | Alejandro Garcia Bedoya (ATOS) | 20
14:25 – 14:45 | Adversarial Examples against Intrusion Detection Systems | Ewa Piatkowska (AIT) | 20
14:45 – 15:05 | Fast and Scalable Cybersecurity Data Processing | Josef Niedermeier, Gabriela Aumayr (HPE) | 20
15:05 – 15:30 | Coffee break | | 25
Session 4 (Irina Chiscop) | | | 80
15:30 – 15:50 | Attack Analysis with Attack Defence Graphs | Erik Ringdahl (Foreseeti) | 20
15:50 – 16:10 | Attack Graph-based Courses of Action for Defense | Wojciech Widel (KTH) | 20
16:10 – 16:30 | Visual Analytics for Cyber Security Data | Christoph Müller and Franziska Becker (University of Stuttgart) | 20
16:30 – 16:50 | Endpoint Protection | Paolo Palumbo (F-Secure) | 20
16:50 – 17:05 | Coffee break | | 15
Panel Session | | | 45
17:05 – 17:35 | Discussion on Future Challenges for SOC | Speakers: Pavel Kacha (CESNET), Sarka Pekarova (DreamLab), Paul Smith (AIT); panel chair: Tomas Jirsik (Masaryk University) | 30
17:35 – 17:45 | Wrap up | Ewa Piatkowska (AIT) | 10
Workshop Website
Venue and Registration
The NG-SOC 2020 workshop is organised in conjunction with the ARES 2020 conference, which this year will be held all-digital. Registration for the workshop is required and costs 40€ (Regular Attendee) or 20€ (Student attendee). The registration fee includes the entrance to all ARES & CD-MAKE conference and workshop sessions. If you want to attend, please register at https://www.ares-conference.eu/registration-all-digital-conference.
First SOCCRATES video released
28-05-2020
We are very proud to release the first SOCCRATES video. It introduces the project and its goals and shows the underlying concepts in a way that is easy to understand.
SOCCRATES featured on Openaccessgovernment.org
25-03-2020
‘The Horizon 2020 project SOCCRATES brings together some of the best expertise in the field to develop, implement and evaluate an automated security platform to defend against complex cyber-attacks, more of which is explained here by Reinder Wolthuis from TNO.’
See the article on https://www.openaccessgovernment.org/soccrates-complex-cyber-attacks/84079/
Frank Fransen presents SOCCRATES on the market day cyber security at TNO
13-03-2020
TNO organized a market day cyber security on March 12th 2020 at the Hague Security Delta in The Hague. For this event, people from the cyber security industry and end users of cyber security solutions were invited. Maarten Tossings, member of the board of TNO, opened the day, on which results of recent TNO cyber security projects were highlighted with presentations, demos and posters. Frank Fransen, technical coordinator of SOCCRATES, presented the SOCCRATES project, its vision and first results. SOCCRATES was very well received by the visitors of the event. For more information on cybersecurity at TNO, visit the TNO cybersecurity page.


SOCCRATES presented on Symposium on Power System Cyber Security at TU Delft March 11th 2020
10-03-2020
Frank Fransen, technical coordinator of SOCCRATES, will present SOCCRATES at the Symposium on Power System Cyber Security at TU Delft on March 11th 2020. In the program, Frank will replace Dr. Anurag K Srivastava, who is unable to attend. For more information, see: https://www.tudelft.nl/powerweb-institute/newsevents/symposium-power-system-cyber-security/
SOCCRATES second meeting in Helsinki
25-02-2020
On January 21st and 22nd, SOCCRATES had its second consortium meeting, hosted by F-Secure. It was a very fruitful meeting, in which besides the overall progress discussion, each Work Package had their own meeting. Good progress was made on several relevant subjects. In particular we had good discussions on the infrastructure modelling module, which resulted in a shared view.
We also had a joint session with the SAPPAN project (funded in the same call as SOCCRATES, H2020 SU-ICT-01-2018), in which F-Secure also participates. We agreed to jointly organize a workshop, look into forming a liaison between the projects and investigate potential synergies and areas of cooperation between the projects.
SOCCRATES delivers first results
10-12-2019
On December 1st 2019, the first batch of SOCCRATES results was delivered on time. One of the results is the external website, which is now fully functional and online. Some of the deliverables are internal. These include cooperation tools for project members, an information platform for the stakeholder group and advisory board, and a project handbook. But there are also two important external deliverables that can be found under the results page of the website:
- D2.1 – SOCCRATES use cases definition & pilot sites requirements
- D8.2 – SOCCRATES dissemination plan
We are very happy that we are now up to speed and are very satisfied with these first deliverables. We look forward to the interesting activities and deliverables that will follow in the coming years.
SOCCRATES has started
22-11-2019
In 2018, the SOCCRATES consortium submitted a proposal to work on security automation in H2020. This proposal was awarded in December 2018 and, after preparations had been completed, SOCCRATES started on September 1st, 2019. SOCCRATES had its kick-off meeting in The Hague on September 2nd and 3rd, where all partners assembled and the activities were started. The ‘vibe’ was already very good and all partners look forward to cooperating in this exciting venture, which will last three years until August 31st, 2022.

ARES conference Canterbury 2019
31-10-2019
International Workshop on Next Generation Security Operations Centers (NG-SOC 2019)
in conjunction with 14th International Conference on Availability, Reliability and Security (ARES 2019)
August 26 – August 29, 2019, University of Kent, Canterbury, UK
Overview
The first SOCCRATES project workshop was organized within the ARES EU Project Symposium held in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES 2019). It took place on Monday, 26th of August 2019 at the University of Kent, Canterbury, UK.
The workshop introduced the newly-awarded SOCCRATES project which aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the Security Operation Centres (SOCs). SOCCRATES will develop and implement a new security platform for SOC, which will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks.
The goal of this workshop was to create a forum for researchers and practitioners to discuss the challenges associated with the operation of SOCs and to focus on research contributions that can be applied to address these challenges. Selected members of the SOCCRATES consortium presented their past and proposed project activities. The workshop concluded with an open discussion on the major operational challenges that enterprises and SOC operators face and insights into promising research-based solutions.

Workshop Programme
The following presentations were given at the workshop:
- The SOCCRATES Project: Motivation and Aims, Reinder Wolthuis (TNO)
- ACT: Cyber Threat Intelligence Platform, Siri Bromander (Mnemonic)
- Threat modelling and attack simulations with MAL and securiCAD, Per Eliasson (Foreseeti)
- Automated Response based on SecuriCAD recommendations, Frank Fransen (TNO)
- Anomaly Detection (DNS Ninja & ABC tool), Irina Chiscop (TNO)
- Adversarial Machine Learning, Ewa Piatkowska (AIT)
We concluded with an open discussion about future challenges for SOCs, moderated by Frank Fransen (TNO).