Cognitive Techniques for Early Detection of Cybersecurity Events
This addresses the issue of delayed threat detection for cybersecurity analysts, though it appears incremental as it builds on existing ontologies and methods.
The paper tackles the problem of early detection of cybersecurity events, which is challenging due to evolving threats and long dwell times (e.g., up to 146 days), by proposing a cognitive framework that combines knowledge representation and machine learning to reduce analyst cognitive load and increase confidence, demonstrated through a proof-of-concept using a ransomware instance.
The early detection of cybersecurity events such as attacks is challenging given the constantly evolving threat landscape. Even with advanced monitoring, sophisticated attackers can spend as many as 146 days in a system before being detected. This paper describes a novel, cognitive framework that assists a security analyst by exploiting the power of semantically rich knowledge representation and reasoning with machine learning techniques. Our Cognitive Cybersecurity system ingests information from textual sources, and various agents representing host and network-based sensors, and represents this information in a knowledge graph. This graph uses terms from an extended version of the Unified Cybersecurity Ontology. The system reasons over the knowledge graph to derive better actionable intelligence to security administrators, thus decreasing their cognitive load and increasing their confidence in the system. We have developed a proof of concept framework for our approach and demonstrate its capabilities using a custom-built ransomware instance that is similar to WannaCry.