Azqa Nadeem

02.370, Building Echo, EEMCS,

Delft University of Technology,

The Netherlands

I am a Ph.D. candidate and Lecturer in the Cyber Analytics Lab (Cyber Security group) at Delft University of Technology, advised by Dr. Sicco Verwer and Dr. George Smaragdakis.

My research focus is on Explainable Machine Learning for Cyber Security. I truly believe that machine learning can provide more insights than just prediction probabilities. To this aim, I develop explainable sequential machine learning pipelines that extract actionable intelligence from large volumes of cyber data with the aim of assisting security analysts in their daily operations. These pipelines create human in the loop settings for AI-assisted humans.

Next to research, I spend 40% of my time developing and teaching Cyber Security lectures to BSc. (Computer Science and Engineering) students at TU Delft. The teaching material can be found under Cyber Security Lecture Series.

Outside of work, I love landscape photography and traveling. I enjoy discussions about human psychology, devious behavior, cats, imposter syndrome, and… well… cats.

Recent news

02-2023	Our SoK paper on XAI for cybersecurity has been accepted at EuroS&P!
02-2023	Serving as mentoring co-chair for the EuroS&P 2023.
01-2023	Giving a talk about alert-driven attack graphs at the Digital Security group, Radboud University.
12-2022	Giving a talk about alert-driven attack graphs at Prof. Stoelinga’s group, University of Twente.
11-2022	Panelist for a webinar on MSc. scholarship opportunities in NL organized by the Pakistani embassy.

Selected publications

EuroS&P

SoK: Explainable Machine Learning for Computer Security Applications

Nadeem, Azqa, Vos, Daniel, Cao, Clinton, Pajola, Luca, Dieck, Simon, Baumgartner, Robert, and Verwer, Sicco

In IEEE European Symposium on Security and Privacy (Euro S&P), 2023

Abstract PDF

Explainable Artificial Intelligence (XAI) is a promising solution to improve the transparency of machine learning (ML) pipelines. We systematize the increasingly growing (but fragmented) microcosm of studies that develop and utilize XAI methods for defensive and offensive cybersecurity tasks. We identify 3 cybersecurity stakeholders, i.e., model users, designers, and adversaries, that utilize XAI for 5 different objectives within an ML pipeline, namely 1) XAI-enabled decision support, 2) applied XAI for security tasks, 3) model verification via XAI, 4) explanation verification & robustness, and 5) offensive use of explanations. We further classify the literature w.r.t. the targeted security domain. Our analysis of the literature indicates that many of the XAI applications are designed with little understanding of how they might be integrated into analyst workflows -- user studies for explanation evaluation are conducted in only 14% of the cases. The literature also rarely disentangles the role of the various stakeholders. Particularly, the role of the model designer is minimized within the security literature. To this end, we present an illustrative use case accentuating the role of model designers. We demonstrate cases where XAI can help in model verification and cases where it may lead to erroneous conclusions instead. The systematization and use case enable us to challenge several assumptions and present open problems that can help shape the future of XAI within cybersecurity.
ECML

SECLEDS: Sequence Clustering in Evolving Data Streams via Multiple Medoids
and Medoid Voting

Nadeem, Azqa, and Verwer, Sicco

In Proceedings of the European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases (ECML/PKDD), 2022

Abstract PDF Code Slides

Sequence clustering in a streaming environment is challenging because it is computationally expensive, and the sequences may evolve over time. K-medoids or Partitioning Around Medoids (PAM) is commonly used to cluster sequences since it supports alignment-based distances, and the k-centers being actual data items helps with cluster interpretability. However, offline k-medoids has no support for concept drift, while also being prohibitively expensive for clustering data streams. We therefore propose SECLEDS, a streaming variant of the k-medoids algorithm with constant memory footprint. SECLEDS has two unique properties: i) it uses multiple medoids per cluster, producing stable highquality clusters, and ii) it handles concept drift using an intuitive Medoid Voting scheme for approximating cluster distances. Unlike existing adaptive algorithms that create new clusters for new concepts, SECLEDS follows a fundamentally different approach, where the clusters themselves evolve with an evolving stream. Using real and synthetic datasets, we empirically demonstrate that SECLEDS produces high-quality clusters regardless of drift, stream size, data dimensionality, and number of clusters. We compare against three popular stream and batch clustering algorithms. The state-of-the-art BanditPAM is used as an offline benchmark. SECLEDS achieves comparable F1 score to BanditPAM while reducing the number of required distance computations by 83.7%. Importantly, SECLEDS outperforms all baselines by 138.7% when the stream contains drift. We also cluster real network traffic, and provide evidence that SECLEDS can support network bandwidths of up to 1.08 Gbps while using the (expensive) dynamic time warping distance.
TDSC

Alert-driven Attack Graph Generation using S-PDFA

Nadeem, Azqa, Verwer, Sicco, Moskal, Stephen, and Yang, Shanchieh J

In IEEE Transcations on Dependable and Secure Computing, 2021

Abstract PDF Code Slides

Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities into a graphical representation, often referred to as an attack graph (AG). Instead of deriving AGs based on system vulnerabilities, this work advocates the direct use of intrusion alerts. We propose SAGE, an explainable sequence learning pipeline that automatically constructs AGs from intrusion alerts without a priori expert knowledge. SAGE exploits the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) — a model that brings infrequent severe alerts into the spotlight and summarizes paths leading to them. Attack graphs are extracted from the model on a per-victim, per-objective basis. SAGE is thoroughly evaluated on three open-source intrusion alert datasets collected through security testing competitions in order to analyze distributed multi-stage attacks. SAGE compresses over 330k alerts into 93 AGs that show how specific attacks transpired. The AGs are succinct, interpretable, and provide directly relevant insights into strategic differences and fingerprintable paths. They even show that attackers tend to follow shorter paths after they have discovered a longer one in 84.5% of the cases.
MAAIDL

Beyond Labeling: Using Clustering to Build Network Behavioral Profiles of
Malware Families

Nadeem, Azqa, Hammerschmidt, Christian, Ganan, Carlos H, and Verwer, Sicco

In Malware Analysis Using Artificial Intelligence and Deep Learning, 2021

Abstract PDF Code

Malware family labels are known to be inconsistent. They are also black-box since they do not represent the capabilities of malware. The current state of the art in malware capability assessment includes mostly manual approaches, which are infeasible due to the ever-increasing volume of discovered malware samples. We propose a novel unsupervised machine learning-based method called MalPaCA, which automates capability assessment by clustering the temporal behavior in malware's network traces. MalPaCA provides meaningful behavioral clusters using only 20 packet headers. Behavioral profiles are generated based on the cluster membership of malware's network traces. A Directed Acyclic Graph shows the relationship between malwares according to their overlapping behaviors. The behavioral profiles together with the DAG provide more insightful characterization of malware than current family designations. We also propose a visualization-based evaluation method for the obtained clusters to assist practitioners in understanding the clustering results. We apply MalPaCA on a financial malware dataset collected in the wild that comprises 1.1 k malware samples resulting in 3.6 M packets. Our experiments show that (i) MalPaCA successfully identifies capabilities, such as port scans and reuse of Command and Control servers; (ii) It uncovers multiple discrepancies between behavioral clusters and malware family labels; and (iii) It demonstrates the effectiveness of clustering traces using temporal features by producing an error rate of 8.3%, compared to 57.5% obtained from statistical features.
CCS

Enabling Visual Analytics via Alert-driven Attack Graphs

Nadeem, Azqa, Verwer, Sicco, Moskal, Stephen, and Yang, Shanchieh J

In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021

Abstract Poster

Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input.We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs.We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload.