Thoughts, stories and ideas on cyber security

Taking Cyber Security to The Next Level With Cognitive Automation

Taking Cyber Security to The Next Level With Cognitive Automation

There is a lot of hype around many things in cyber security. One concept that is not, is called Cognitive Automation (CA). CA can be explained by comparing it to traditional automation. That is, how tasks are automated: like alerts correlation. By using cognitive automation, the way the mind works is taken into account. I believe many security professionals will recognise the practical aspects of the following model.

Complexity versus efficiency and automation

I've written a post on this topic years ago ("The Role of Cognitive Automation in Information Security"), but unluckily that was lost in translation when upgrading to the new site. It probably needed an update anyways, and I belive the cyber security field is more mature to receive this input now rather than at that point.

Cognitive automation is strongly applied in the aerospace industry for instance. In aerospace, long ago, there was a realisation that the strengths of thee human-being is the ability to learn, instinct, problem reduction, ability of abstraction and several others. The machine’s strength is parallel processing, objectivity, long-term monitoring, complex planning and decision making and so on.

Man-Machine Cooperation as Illustrated by Schulte [1]

In order to benefit from a similar model in cyber security there is a need to evolve the way data is extracted, preprocessed and prepared for human-machine interaction. As may be recognised at this point there are already technology available to provide parallel processing on the machine part. How a computing cluster would solve such a problem is the evident problem. In that regard, machine learning is the most promising technique to structure and classify the data which seems to scale really well. Efficiently ingesting, storing and preprocessing the data is the first stage of that challenge.

Another detail that I would like to point out here, from the great book "The Multitasking Mind" by Salvucci and Taatgen, is how the human mind works with buffers (the aural, visual, declarative, goal, manual and problem buffers). A human can actually only handle one thing at once. So when analysts are tasked with several simultaneous tasks or roles, this will definitively produce bad quality results. This is really important to understand to all cyber security seniors and designers, so read the book.

Back to how this applies in practical terms: when analysts manually analyse and decide by expert knowledge, classifying the attributes of full content data and e.g. creates Yara and Snort signatures, it is a reasonable assumption that a number of relevant attributes are never evaluated as even potential anomalies. This greatly increases the possibilities of the threat groups.

Mission Management, derived from Cognitive Automation in Aerospace

Now for a practical example of how cognitive automation can work, this time paralleled with the approach taken by Netflix to movie recommenders. Let's say that you have stored the PDFiD vector of all PDF documents over the last ten years, passing through a network. The vector structure will look like: obj,endobj,stream,endstream,xref,trailer,startxref,/Page,/Encrypt,/JS,/JavaScript,/AA,/OpenAction,/JBIG2Decode, or:

 1. 7,7,1,1,1,1,1,1,0,1,1,0,1,0
 [...]

If 500 PDF files passes through your systems per day on average, that will be 1825' documents over those ten years. In addition time is a significant part of that vector - and other parameters could be file names and so on.

Recommenders for PDF files

If an analyst receives a suspicious PDF file. That file may initially hard to classify by the analyst. In such a case the system should propose other related files to look at. Practically speaking this saves the analyst cognitive capacity to use instict, pattern recognition and creativity to classify the document. The machine on the other hand maintains objectivity, has great stress resistance, can retrieve a lot more information, and it can process and pivot on all those 10 years of documents as opposed to the analyst.

Now that you have gotten an introduction to the world of cognitive automation, I hope this will drive a discussion on how we can take our field to the next level. I am confident that this means understanding and solving problems before attempting to buy our way out of them.

[1] Schulte, D. A. 2002. Mission management and crew assistance for military aircraft - cognitive concepts and prototype evaluation.


Tommy

Tommy (B.Tech., M.Sc.) is a seasoned cyber security analyst with experience from both the government and private industry. He works daily with data- and intelligence-driven cyber security operations.