Cybersecurity Incident Response Orchestration Using Agile Cognitive Assistants




In this work, I explore the problem of autonomously orchestrating cybersecurity incident response using agile cognitive assistants. Detection of sophisticated cyber threat activity has become more complex over time, as the threat landscape has shifted from cyber vandals and pranksters to multi-billion-dollar criminal enterprises and state-sponsored Advanced Persistent Threats (APTs). What was once the realm of criminals with a small collection of easily discovered automated tools is now ruled by well-funded and highly sophisticated sets of hackers carefully orchestrating intrusions as a means to advance their criminal enterprise or intelligence collection mission. This research identifies a new approach to intrusion detection and security incident response aimed at leveraging advances in the field of artificial intelligence to improve the ability of a cybersecurity operations center (CSOC) to detect these sophisticated attacks. More specifically, it demonstrates how agile cognitive assistants leveraging knowledge-based learning and evidence-based reasoning can be used to improve the effectiveness of attack detection for both known and unknown threats. Building on the Disciple learning agent theory and technology, I researched, developed, and demonstrated a prototype framework for agile cybersecurity. The key idea is to integrate a special type of knowledge-based learning assistant into cybersecurity operations centers. This cognitive assistant can be trained by cybersecurity experts, based on threat intelligence, to automate the investigation of alerts from a variety of intrusion detection devices, integrating multiple detection techniques with automated network forensics, to significantly increase the probability of accurately detecting intrusion activity while drastically reducing the workload of the operators of the cybersecurity operations centers.
This dissertation presents the following novel contributions: (1) conceptual modeling of the automatic APT detection process; (2) ontology design for APT detection; (3) automatic generation of abductive triggers from basic intrusion detection systems; (4) autonomous, hypothesis-driven search for evidence; (5) selection and integration of multiple collaborative search and collection agents working together to detect and investigate threats; and (6) development of Collection Manager software for translating and optimizing abstract searches into searches executable by real collection agents.