Cognitive Cybersecurity Intelligence (CCSI) Group - overview
The Cognitive Cybersecurity Intelligence (CCSI) group (formerly Global Security Analysis Lab or GSAL) investigates methodologies and technologies to help organizations detect, understand, and deflect advanced cybersecurity threats and attacks on their network and in the cloud. It explores challenging research problems posed by building and combining AI and cognitive methods (e.g., contextual and behavioral analysis, machine learning, reasoning), scalable big data security analytics (e.g., graph mining, deep correlation and provenance analysis), and next-generation defense mechanisms (e.g., transparent malware analysis, active defense and cyber deception layers) to gain deep intelligence and insights about cyber security threats and attacks as well as threat actors.
Current focus areas and projects
- AI-powered and cognitive security offense analytics, cyber threat hunting, and threat intelligence consolidation
- Cross-stack cyber deception and active defense techniques
- Cyber security analytics, event correlation, and provenance tracking on the network and device-level
- Next-generation malware analysis
- Design of high-speed and scalable data collection platforms for real-time and historical security analytics
- Security data visualization and penetration testing
Recent highlights
- 12/2019: Our briefing on SysFlow, scalable system telemetry for improved security analytics, was accepted at FloCon 2020.
- 11/2019: We open-sourced our cloud-native system telemetry pipeline, SysFlow.
- 08/2019: Our paper on improving intrusion detectors by crook-sourcing was accepted at ACSAC'19.
- 07/2019: Our paper on topology-aware hashing for effective CFG similarity analysis was accepted at SecureComm 2019.
- 02/2019: Our research for IBM Cloud Security Advisor has been showcased at IBM THINK 2019.
- 10/2018: ACM highlighted our paper Threat Intelligence Computing in the press release for CCS'18: Leading Cybersecurity Conference Plans Blockbuster Program for 25th Anniversary.
- 07/2018: Our paper Threat Intelligence Computing was accepted at CCS'18.
- 05/2018: Our briefing on DeepLocker, the next generation of malware using AI locksmithing, was accepted at Black Hat USA 2018.
- 05/2018: Our paper "Error-Sensor: Mining Information from HTTP Error Traffic for
Malware Intelligence" was accepted at RAID'18. - 05/2018: Our paper on cross-stack threat sensing for cyber security and resilience was accepted at DSN'18 industry track.
- 04/2018: Our paper on filesystem view separation for data integrity and deception was accepted to appear at DIMVA'18.
- 03/2018: Our paper on protecting the intellectual property of deep neural networks with watermarking was accepted at AsiaCCS'18.
- 03/2018: Nataraj Nagaratnam (CTO, IBM Cloud Security) announces IBM Cloud Security Advisor, to which the CCSI team contributed.
- 01/2018: Our paper on endpoint service projection and deception was accepted at SDN/NFV '18 (at CODASPY '18).
- 11/2017: IBM announces the Quad 9 DNS Service, which is based on DNS analytics developed by the CCSI team
- 11/2017: Decoy and deception-based file system at CCS '17: Hidden in Plain Sight: A Filesystem for Data Integrity and Confidentiality
- 05/2017: IBM Research features our work on cognitive security in a blog post
- 02/2017: IBM launches IBM QRadar Advisor with Watson based on our research ongoing project
- 02/2017: IBM press release: IBM Delivers Watson for Cyber Security to Power Cognitive Security Operations Centers
- 12/2016: Press coverage of the beta release of our research: IBM Watson for Cybersecurity Inches from Research to Reality
- 05/2016: IBM Security turns our research into an offering: IBM Cognitive Security (Watson for Cyber Security)
- 05/2016: Ginni Rometty (CEO, Chairwoman, and President of IBM) announces Watson for Cyber Security at the IBM Security Summit 2016: Outthink Threats - Ginni Rometty
- 05/2016: Sandy Bird (IBM Fellow and CTO, IBM Security) presenting the results of our research and the offering at the IBM Security Summit 2016: Cognition and the Future of Security - Sandy Bird
Recent impact on IBM products and offerings
The CCSI had direct impact with core contributions to several new security products and solutions IBM launched in the last few years:
- IBM Cloud Security Advisor (Mar 2018) by IBM Cloud
- Quad 9 DNS Service (Nov 2017) by IBM Security
- IBM QRadar Advisor with Watson (Feb 2017) by IBM Security
- IBM Watson for Cyber Security (May 2016) by IBM Security
- Big Data Beaconing Detection Analytics shipped with IBM QRadar (May 2015) by IBM Security
- DNS Kinetics shipped with IBM QRadar (May 2015) by IBM Security