On 4 and 5 November, the Interconnected Automation Systems research group, led by Prof. Dr. Henning Trsek, welcomed the GraphWatch project consortium and its associated partners to the Innovation Campus Lemgo. The meeting at InnovationSPIN served as a forum for discussing the project results to date, coordinating key milestones and planning the next phase of the project.
Significant progress has already been made during the project to date – from initial functional framework components to scientific publications. Against this backdrop, the meeting in Lemgo provided the ideal setting to take stock and plan further development.
GraphWatch: Supporting cybersecurity with graph-based methods
GraphWatch is dedicated to developing innovative methods for detecting cyber attacks. The background to this is the growing number of complex threats, in particular so-called advanced persistent threats (APTs) – attacks in which perpetrators move undetected within networks over a long period of time in order to steal confidential information.
In order to detect such attacks at an early stage, the project combines approaches from machine learning, graph neural networks (GNN), classification methods and digital twins.
This creates a framework that can identify not only known attack patterns, but also complex and previously difficult-to-detect threats. The aim is to support security specialists in so-called threat hunting – a process that GraphWatch will map as a semi-automated framework in the future.
Scientific focus
Several scientific publications have already been produced as part of the project, in which researchers present new approaches to anomaly detection and network modelling in the context of threat hunting. For example, Robin Buchta (Data|H – Hanover University of Applied Sciences and Arts) and other authors presented a novel method for anomaly detection at the IEEE 29th International Conference on Emerging Technologies and Factory Automation (ETFA 2024). Robin Foster (inIT) and other colleagues dedicated their contribution to ETFA 2025 to the development of an administration shell-based modelling method that makes IT and OT networks accessible in a structured manner, thus laying the foundation for a holistic threat hunting framework.
Real test environment: data as a basis for training
One focus of the meeting was the analysis and discussion of the data sets collected to date, which serve as the basis for training and validating the developed procedures. With the TEACHER demonstrator, inIT provides a complex cyber-physical system (CPS) that is used as a real-world laboratory for investigating various attack scenarios. This practical test environment allows the methods developed in the project to be tested, evaluated and continuously improved in a realistic manner.
Public relations and networking
In 2025, GraphWatch was presented at several events and discussed among experts. An important milestone was participation in the 2025 National Conference on IT Security Research organised by the Federal Ministry of Research, Technology and Space (BMFTR). There, the project partners exchanged ideas with researchers and industry representatives from all over Germany on current challenges and approaches to solutions in cybersecurity research.
The project was also present at the regional level: Robin Foster (research associate) and Natalia Moriz (research group leader) presented the latest project results at Digital Twin Day, a joint event organised by TH OWL and Fraunhofer IOSB-INA. In the subsequent exchange with representatives of small and medium-sized enterprises (SMEs) from the region, potential fields of application for graph-based security solutions were discussed and new opportunities for cooperation were explored.
Outlook
The project meeting in Lemgo once again demonstrated the close cooperation within the GraphWatch consortium. The discussions and intensive exchange provided valuable impetus for the further course of the project and strengthened the common understanding of the goals and challenges of the research project.
The consortium is thus well positioned to successfully implement the next steps in the project.