Cognitive Cybersecurity Intelligence (CCSI) Group - Network & Device Cyber Security Analytics


Cyber attacks have become more sophisticated than ever and often include several attack steps using various communication channels to evade detection by traditional security mechanisms. Nevertheless, every attack leaves traces in networks, devices, application logs, and other data sinks. It is the velocity, volume, and variety of such data as well as the constant change in attack strategies that make connecting the dots extremely difficult. IBM Research has developed a vision, defined a strategy, and implemented cyber security analytics for networks and devices that scale in various dimensions:

Challenge: Velocity, variety, and volume of data
Approach: Scalable data management facility that enables real-time extraction of data that are useful for modeling, detecting, and investigating cyber attacks

Challenge: Attacks are continuously changing
Approach: Analyze the data without assuming a predefined set of expected attacks and correlate anomalous and suspicious events towards semantically rich interpretations

Challenge: Near-real-time inspection and scoping of risky events
Approach: Score anomalous and risky events towards the risk they pose to high-value assets or high-privileged users to manage enterprise risk by prioritizing remediation and improving effectiveness

The data engine we developed can scale to many billions of events a day to extract features that may be relevant at real-time or in the future for cyber security analytics and post-incident analysis. We have developed several analytics that immediately flag anomalous or suspicious behaviors across networks and devices, as well as aggregation schemes to combine risky events that may compromise high value assets. We are developing predictive analytics that leverage machine learning and data mining techniques to estimate the future risk that devices pose to the enterprise.

Example: Advanced Threat Impact Analysis. APT Impact Analysis

Given a single external domain name, within a few seconds, discovering (i) the related external malicious infrastructure, (ii) the affected endpoints within the enterprise, and (iii) the related risk to the enterprise assets, which enables prioritized near-real-time response and risk mitigation.




Cognitive Security Analytics


Exploring the Security Knowledge Graph


Security Knowledge Graph