Abstract
This chapter presents an approach to orchestrating security incident response investigations using cognitive agents that are trained to detect sophisticated cyber threats and integrated into cybersecurity operations centers. After briefly introducing advanced persistent threats (APTs), it gives an overview of the APT detection model and of how the agents are trained. It then describes how hypotheses that may explain security alerts are generated from collected data and threat intelligence; how the analysis of these hypotheses guides the collection of additional evidence; the design of the Collection Manager software, which integrates the cognitive agents with selected collection agents; how search results are added to the knowledge base as evidence; and how the generated hypotheses are tested against this evidence. These concepts are illustrated with an example of detecting an APT attack. Finally, we give an overview of our experimental method and results.
Acknowledgements
This research was sponsored by Air Force Research Laboratory under contract number FA8750-17-C-0002 and by George Mason University. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the U.S. Government.
© 2021 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Meckl, S., Tecuci, G., Marcu, D., Boicu, M. (2021). Automating the Investigation of Sophisticated Cyber Threats with Cognitive Agents. In: Dasgupta, P., Collins, J.B., Mittu, R. (eds) Adversary-Aware Learning Techniques and Trends in Cybersecurity. Springer, Cham. https://doi.org/10.1007/978-3-030-55692-1_7
DOI: https://doi.org/10.1007/978-3-030-55692-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-55691-4
Online ISBN: 978-3-030-55692-1
eBook Packages: Computer Science (R0)