Attack Flow and Root Cause Discovery - No LLMs, No Queries, Just Explainable ML

Presented at DEF CON 33 (2025), Aug. 8, 2025, 10 a.m. (45 minutes).

Attack Flow Detector is an open-source tool that helps defenders uncover coordinated cyber attacks buried in noisy alert data. Instead of relying on LLMs or black-box AI, it uses explainable machine learning to map alerts, logs, and telemetry to MITRE ATT&CK techniques, cluster them into contextualized attack steps, and chain them into complete killchains. Built for blue teamers and SOC analysts, it's lightweight, interpretable, and easy to deploy in real environments. This demo will show how the tool processes real-world-style data, generates actionable tickets, and supports root cause analysis. If you're drowning in false positives or lone incidents, this is for you.

Presenters:

• Kevin Shi
  Kevin is a data scientist specializing in cybersecurity and machine learning, currently working at the Canadian Institute for Cybersecurity at the University of New Brunswick. He holds a Master’s degree in Data Science from the University of Windsor, where he focused on applying advanced analytics and machine learning techniques to complex cybersecurity problems. His expertise includes developing and optimizing AI-driven methods for threat detection, anomaly identification, and security event analysis. His research contributions emphasize practical implementations of data science in cybersecurity operations, bridging theoretical approaches with real-world applications.
• Ezz Tahoun
  Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.

Similar Presentations:

• DEF CON 33 (2025) / Contextualizing alerts with relevant logs and events without queries or LLMs Workshop