<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Research on Grégor Quétel -  Blog</title>
        <link>https://gquetel.fr/research/</link>
        <description>Recent content in Research on Grégor Quétel -  Blog</description>
        <generator>Hugo -- gohugo.io</generator>
        <language>en-uk</language>
        <lastBuildDate>Mon, 16 Mar 2026 00:00:00 +0100</lastBuildDate><atom:link href="https://gquetel.fr/research/index.xml" rel="self" type="application/rss+xml" /><item>
        <title>Parser Instrumentation for Semantic-Aware Applicative Intrusion Detection</title>
        <link>https://gquetel.fr/research/gaur/</link>
        <pubDate>Mon, 16 Mar 2026 00:00:00 +0100</pubDate>
        
        <guid>https://gquetel.fr/research/gaur/</guid>
        <description>&lt;h2 id=&#34;the-paper&#34;&gt;The paper
&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;Title:&lt;/strong&gt; Parser Instrumentation for Semantic-Aware Applicative Intrusion Detection&lt;br&gt;
&lt;strong&gt;Authors:&lt;/strong&gt; Grégor Quetel, Pierre-François Gimenez, Thomas Robert, Laurent Pautet&lt;br&gt;
&lt;strong&gt;Venue:&lt;/strong&gt;  41st International Conference on ICT Systems Security and Privacy Protection (IFIPSEC26), 2026&lt;br&gt;
&lt;strong&gt;Abstract:&lt;/strong&gt; Intrusion Detection Systems (IDS) are common security tools for protecting modern information systems, yet their effectiveness at detecting application-layer attacks is often limited by the semantic gap between low-level host or network observations and the actual behavior of applications. Existing work overlooks the data collection phase and typically focuses on designing complex decision engines and preprocessing functions such as embedding-based representations. Unfortunately, these approaches incur significant computational overhead at inference time and remain brittle against adversarial inputs. In this paper, we present a parser-based instrumentation approach for application-level intrusion detection that provides lexical, syntactic and explicit semantic observation with minimal overhead. We introduce &lt;code&gt;gaur&lt;/code&gt;, an implementation for instrumenting parsers; it produces observations during parsing by associating semantic tags to grammar rules, eliminating the need for runtime natural language processing. Our evaluation demonstrates the low overhead and collection time of our data collector. Furthermore, empirical results show that incorporating explicit semantic information into decision engines not only improves detection performance over traditional mechanisms but also enables faster inference and greater robustness than approaches relying on implicit semantic representations.&lt;br&gt;
&lt;strong&gt;Preprint:&lt;/strong&gt; Soon!&lt;br&gt;
&lt;strong&gt;The tool:&lt;/strong&gt; &lt;a class=&#34;link&#34; href=&#34;https://github.com/gquetel/gaur&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://github.com/gquetel/gaur&lt;/a&gt;&lt;/p&gt;
</description>
        </item>
        <item>
        <title>ScholarSec: Targeted Google Scholar Queries for Cybersecurity Research</title>
        <link>https://gquetel.fr/research/scholarsec/</link>
        <pubDate>Mon, 23 Feb 2026 21:25:18 +0100</pubDate>
        
        <guid>https://gquetel.fr/research/scholarsec/</guid>
        <description>&lt;img src="https://gquetel.fr/images/scholarsec/featured-image.jpg" alt="Featured image of post ScholarSec: Targeted Google Scholar Queries for Cybersecurity Research" /&gt;&lt;h2 id=&#34;motivation&#34;&gt;Motivation
&lt;/h2&gt;&lt;p&gt;When looking for related work for my PhD, Google Scholar is my go-to search engine. However, its results can be overwhelming. Citation counts alone are not always a reliable heuristic for paper quality. To narrow things down, one can use the &lt;code&gt;source:&lt;/code&gt; operator in a query to filter by venue name. Ultimately that&amp;rsquo;s what I did. Over time, I had this saved search string that I would prefix every scholar search with. Now, I don&amp;rsquo;t know everyone&amp;rsquo;s workflow when it comes to literature review but I thought I could share this string with the community, or even better, provide a tool to build such a string according to your targeted cybersecurity conferences.&lt;/p&gt;
&lt;h2 id=&#34;scholarsec&#34;&gt;ScholarSec
&lt;/h2&gt;&lt;p&gt;&lt;a class=&#34;link&#34; href=&#34;https://scholarsec.gquetel.fr&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;ScholarSec&lt;/a&gt; is a small web app that does that. It builds targeted Google Scholar queries filtered by cybersecurity conference venues: you type your keywords, select the conferences you are interested in and it generates the corresponding Google Scholar query.&lt;/p&gt;
&lt;figure&gt;&lt;img src=&#34;https://gquetel.fr/images/scholarsec/keyword-box.png&#34;
    alt=&#34;Keyword input box&#34; width=&#34;60%&#34;&gt;&lt;figcaption&gt;
      &lt;p&gt;Keyword input box for building the search query.&lt;/p&gt;
    &lt;/figcaption&gt;
&lt;/figure&gt;

&lt;p&gt;Conferences are organized by tiers following the &lt;a class=&#34;link&#34; href=&#34;https://portal.core.edu.au/conf-ranks/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;CORE 2026 ranking&lt;/a&gt;, so you can quickly select all venues at a given quality level (A*, A, B, C) or pick individual ones.&lt;/p&gt;
&lt;figure&gt;&lt;img src=&#34;https://gquetel.fr/images/scholarsec/filters.png&#34;
    alt=&#34;Conference tier filters&#34; width=&#34;60%&#34;&gt;&lt;figcaption&gt;
      &lt;p&gt;Conference selection by tiers (A*, A, B, C).&lt;/p&gt;
    &lt;/figcaption&gt;
&lt;/figure&gt;

&lt;figure&gt;&lt;img src=&#34;https://gquetel.fr/images/scholarsec/single-conference-checked.png&#34;
    alt=&#34;Individual conference selection&#34; width=&#34;60%&#34;&gt;&lt;figcaption&gt;
      &lt;p&gt;Individual conference selection.&lt;/p&gt;
    &lt;/figcaption&gt;
&lt;/figure&gt;

&lt;p&gt;Once the query is built, you can either launch the search directly or copy it to your clipboard. The conference data is maintained in a YAML file following the conventions of the &lt;a class=&#34;link&#34; href=&#34;https://sec-deadlines.github.io/&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;sec-deadlines&lt;/a&gt; project.&lt;/p&gt;
&lt;p&gt;Disclaimer: Google Scholar imposes a maximum length on &lt;code&gt;source:&lt;/code&gt; filters, so most of the conference search string had to be abbreviated to fit within that constraint. While I manually verified that the number of papers retrieved for a given year through the filter made sense and was of the same order of magnitude as the proceedings, I didn&amp;rsquo;t automatically verify that the chosen source string was fully exhaustive.&lt;/p&gt;
&lt;h2 id=&#34;contributing&#34;&gt;Contributing
&lt;/h2&gt;&lt;p&gt;If you do find a mistake, a better source string or want to add a conference that you feel is suited, feel free to open a pull request on &lt;a class=&#34;link&#34; href=&#34;https://github.com/gquetel/ScholarSec&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;GitHub&lt;/a&gt;. Also, don&amp;rsquo;t hesitate to fork this project or adapt it to your domain. For any other question, don&amp;rsquo;t hesitate to reach out via &lt;a class=&#34;link&#34; href=&#34;https://x.com/Gqutl&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;X&lt;/a&gt; or &lt;a class=&#34;link&#34; href=&#34;https://mastodon.social/@gquetel@mastodon.social&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;Mastodon&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Banner image&lt;/strong&gt;: Louis-Maurice Boutet de Monvel (1935), (Detail of) La Vision et l’Inspiration de Jeanne d’Arc. Musée des Beaux Arts d&amp;rsquo;Orléans.&lt;/p&gt;
</description>
        </item>
        <item>
        <title>Superviz25-SQL: High-Quality Dataset to Empower Unsupervised SQL Injection Detection Systems</title>
        <link>https://gquetel.fr/research/superviz25/</link>
        <pubDate>Fri, 26 Sep 2025 00:00:00 +0100</pubDate>
        
        <guid>https://gquetel.fr/research/superviz25/</guid>
        <description>&lt;h2 id=&#34;the-paper&#34;&gt;The paper
&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;Title:&lt;/strong&gt; Superviz25-SQL: High-Quality Dataset to Empower Unsupervised SQL Injection Detection Systems&lt;br&gt;
&lt;strong&gt;Authors:&lt;/strong&gt; Grégor Quetel, Eric Alata, Pierre-François Gimenez, Thomas Robert, Laurent Pautet&lt;br&gt;
&lt;strong&gt;Venue:&lt;/strong&gt; Assessment with New methodologies, Unified Benchmarks, and environments, of Intrusion detection and response Systems (ANUBIS) at ESORICS 2025.&lt;br&gt;
&lt;strong&gt;Abstract:&lt;/strong&gt; The digitalization of public and private services has led to more sophisticated and serious cybersecurity threats. Among them, SQL injection attacks leverage user inputs to remotely execute malicious actions on a database, such as data exfiltration and deletion, or privilege escalation. They are regularly classified as one of the most prominent threats to web services. Intrusion detection systems are widely used to detect such injection attacks and react to them, but it is difficult to assess their actual effectiveness and compare them because of a lack of high-quality datasets. Current SQL injection detection datasets lack diversity, are poorly documented, and the generated samples are not representative of real-world infrastructures. This article presents a new dataset, Superviz25-SQL, whose design is structured around four quality dimensions: realism, diversity, benchmarking capabilities and the presence of good documentation. We examine the dataset diversity using lexical, syntactic and semantic metrics, and demonstrate that its size is sufficient to evaluate data-intensive detectors. Finally, we provide nine classical and state-of-the-art SQL injection detection pipelines as baselines for future work.&lt;br&gt;
&lt;strong&gt;Pre-print:&lt;/strong&gt; &lt;a class=&#34;link&#34; href=&#34;https://hal.science/hal-05314211&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://hal.science/hal-05314211&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;The dataset:&lt;/strong&gt; &lt;a class=&#34;link&#34; href=&#34;https://zenodo.org/records/17086037&#34;  target=&#34;_blank&#34; rel=&#34;noopener&#34;
    &gt;https://zenodo.org/records/17086037&lt;/a&gt;&lt;/p&gt;
</description>
        </item>
        
    </channel>
</rss>
