Security Logs to ATT&CK Insights
Abstract
Real-time cyber defense often depends on interpreting large volumes of IDS logs that describe what happened but not what it means. Inspired by recent work on using large language models to map Suricata logs to MITRE ATT&CK techniques and behavioral phases, this demo presents a simplified pipeline: alerts → inferred actions → ATT&CK technique tags, with a lightweight “noise” and “loot” scoring layer for teaching and discussion.
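The pipeline described above, as an added illustration that is not the demo's own code: constructed Suricata eve.json alert records are mapped to inferred actions and ATT&CK technique tags through an assumed keyword table, and each source is given a noise score (alert volume) and a loot score (sensitivity of the assets it touched). The signature strings, asset values and the signature-to-technique mapping are all assumptions for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed Suricata eve.json records (not from the original page); one non-alert
# "flow" event is included to show that only alerts enter the pipeline.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.50","dest_port":80,"alert":{"signature":"ET WEB_SERVER Possible SQL Injection Attempt"}}',
    '{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","dest_port":22,"alert":{"signature":"ET POLICY SSH Brute Force Attempt"}}',
]

# Assumed signature-keyword -> (inferred action, ATT&CK technique) table. The page names
# no concrete mapping; the technique ids are real ATT&CK ids chosen for this example.
SIGNATURE_RULES = [
    ("ssh scan", "service discovery", "T1046"),         # Network Service Discovery
    ("brute force", "credential guessing", "T1110"),    # Brute Force
    ("sql injection", "web app exploitation", "T1190"), # Exploit Public-Facing Application
]

# Assumed asset values for the "loot" score: how sensitive the targeted host is.
ASSET_VALUE = {"10.0.0.20": 1, "10.0.0.50": 3}  # 10.0.0.50 holds the customer database

def infer_action(alert):
    """Map one alert record to an inferred action and an ATT&CK technique tag."""
    sig = alert["alert"]["signature"].lower()
    for needle, action, technique in SIGNATURE_RULES:
        if needle in sig:
            return {"src": alert["src_ip"], "dst": alert["dest_ip"], "action": action, "technique": technique}
    return {"src": alert["src_ip"], "dst": alert["dest_ip"], "action": "unknown", "technique": None}

def run_pipeline(eve_lines):
    """alerts -> inferred actions -> technique tags, plus per-source noise/loot scores."""
    records = [json.loads(line) for line in eve_lines]
    inferred = [infer_action(r) for r in records if r.get("event_type") == "alert"]
    noise = Counter(i["src"] for i in inferred)  # noise: alert volume per source
    loot, techniques = {}, defaultdict(set)
    for i in inferred:
        # loot: the most sensitive asset this source has touched so far
        loot[i["src"]] = max(loot.get(i["src"], 0), ASSET_VALUE.get(i["dst"], 0))
        if i["technique"]:
            techniques[i["src"]].add(i["technique"])
    return {src: {"noise": noise[src], "loot": loot[src],
                  "techniques": sorted(techniques[src])} for src in noise}

if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_EVE_LINES), indent=2))
```

A real deployment would replace the keyword table with the model-based mapping the abstract refers to; the scoring layer stays the same.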
What you will do
In this interactive demo, you'll step into the role of an attacker on a simulated network, selecting manipulation strategies and crafting adversarial inputs. As you experiment with different attack techniques, watch as our detection system analyzes your inputs, revealing how it identifies anomalies and flags suspicious behavior. You'll see detection scores, uncertainty metrics, and visual explanations of what triggered each alert. It's a hands-on way to understand how adversarial attacks work and how our defenses catch them in action.