Technology
Architecture
Cognitive Security's product range offers an unprecedented level of visibility into an intruder's activities, analogous to 'turning on the light and surprising the cat burglar'. Using artificial intelligence and game theory, the platform gives IT administrators and security practitioners the ability to quickly detect and mitigate attacks that have already traversed the perimeter. These core competencies are offered through a range of products and services, referred to collectively as the Cognitive Analyst products and services and explained in more detail below.
Cognitive Analyst provides a highly interactive web interface that allows the analyst to continuously monitor the security status of their network. Through the use of AI, Cognitive Analyst accelerates the identification of zero-day exploits, botnets, and modern malware that may be used to steal corporate assets or intellectual property, or to commit fraud. The user interface also supports in-depth investigation of individual security incidents or network anomalies, allowing an administrator to take appropriate action against the attackers. Cognitive Analyst is based on a multi-stage, state-of-the-art anomaly detection methodology and utilizes the Cooperative Adaptive Mechanism for Network Protection (CAMNEP) algorithm, which builds on recent advances in trust modeling and reputation handling. The platform works from standard NetFlow/IPFIX data alone and does not require supplementary information such as application data or user content. Because flow records carry no packet payload, users' data privacy and data protection are maintained throughout the security monitoring process; note that flow records still identify which hosts communicated, on which ports and in what volume, so the exported flow data itself should be handled as sensitive.
Cognitive Analyst's products and services use a multi-stage detection algorithm to generate a Cognitive Trust Score (CTS), which is effectively a measure of the 'trustfulness' of the data being analyzed. Currently eight stages are used to improve detection rate and accuracy; collectively they generate a CTS that an analyst can act on to mitigate an attack. A selection of these algorithms is summarized as follows:
- MINDS algorithm [Ertoz et al., 2004]. The Minnesota Intrusion Detection System (MINDS) computes its features over three kinds of flow aggregates: 1. flows from a single source IP to multiple destinations, 2. flows from multiple sources to a single destination, and 3. a series of flows between a single source and a single destination.
- Xu et al. algorithm [Xu, Zhang et al., 2005]. This algorithm classifies traffic sources. For each source, the normalized entropy of its traffic features is computed (a measure of how concentrated or dispersed the values in a data set are, giving meaning to their apparent randomness); static classification rules applied to these normalized entropy values then assign the source to a behaviour class.
- Volume prediction algorithm [Lakhina et al., 2004] uses Principal Component Analysis (PCA), a mathematical procedure that extracts the dominant correlations from multivariate data and can therefore be used to build predictive models. To model traffic volumes from individual sources, the number of flows, bytes, and packets generated by each source is recorded; PCA then captures the relationships between traffic originating from distinct sources, so that a source whose volume departs from what those relationships predict stands out as anomalous.
- Entropy prediction algorithm [Lakhina et al., 2005]. This algorithm is similar to the PCA-based traffic modeling above but uses features other than volume alone. It aggregates traffic by source IP, but instead of processing traffic volumes it predicts the entropy of the source ports, destination ports, and destination IPs.
- TAPS algorithm [Sridharan et al., 2006] targets port scanning. It classifies a subset of suspicious traffic sources and characterizes each by three features: 1. the number of destination IP addresses, 2. the number of ports in the set of flows from the source, and 3. the entropy of the flow size. The anomaly of the source is based on the ratios between these values.
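The entropy and TAPS-style features described above can be computed directly from flow records. The following is an added example written for this page, not Cognitive Security's code: it builds per-source features (normalized entropy of destination IPs, destination ports and flow sizes, plus the ratio of distinct destinations to distinct ports) from a constructed set of NetFlow-like tuples and applies illustrative thresholds to flag a horizontal scanner. The threshold values and the `flag_scanners` rule are assumptions for demonstration and are not CAMNEP's.

```python
"""Per-source flow features in the style of the entropy-based and TAPS
detectors. Added example, not Cognitive Security code. The flow records,
thresholds and flagging rule are constructed for illustration."""
import math
from collections import Counter, defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes).
# 10.0.0.5 is an ordinary client; 10.0.0.9 behaves like a horizontal
# scanner: one port, many destination hosts, uniformly tiny flows.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 5120),
    ("10.0.0.5", "192.0.2.10", 443, 6000),
    ("10.0.0.5", "192.0.2.11", 443, 4800),
    ("10.0.0.5", "192.0.2.12", 80, 3000),
    *[("10.0.0.9", f"192.0.2.{i}", 22, 60) for i in range(1, 41)],
]


def normalized_entropy(values):
    """Shannon entropy of the empirical distribution of `values`, divided
    by log(N) where N is the number of distinct values, so the result is
    in [0, 1]: 0 means every flow shares one value, 1 means the values
    are spread uniformly."""
    counts = Counter(values)
    n = sum(counts.values())
    distinct = len(counts)
    if distinct <= 1:
        return 0.0
    h = -sum((c / n) * math.log(c / n) for c in counts.values())
    return h / math.log(distinct)


def per_source_features(flows):
    """Aggregate flows by source IP and compute the features used by the
    entropy-prediction and TAPS descriptions above."""
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow[0]].append(flow)
    feats = {}
    for src, fl in by_src.items():
        dsts = [f[1] for f in fl]
        ports = [f[2] for f in fl]
        sizes = [f[3] for f in fl]
        n_dst = len(set(dsts))
        n_port = len(set(ports))
        feats[src] = {
            "flows": len(fl),
            "n_dst": n_dst,
            "n_port": n_port,
            "dst_ip_entropy": normalized_entropy(dsts),
            "dst_port_entropy": normalized_entropy(ports),
            "size_entropy": normalized_entropy(sizes),
            # TAPS-style ratio: many destinations per port points to a
            # horizontal scan, many ports per destination to a vertical one.
            "dst_to_port_ratio": max(n_dst, n_port) / min(n_dst, n_port),
        }
    return feats


def flag_scanners(feats, min_flows=20, ratio_threshold=10.0, size_entropy_max=0.2):
    """Illustrative rule (assumed, not CAMNEP's): a source with enough
    flows, a lopsided destination/port ratio and near-constant flow sizes
    is reported as a scanner."""
    return sorted(
        src for src, f in feats.items()
        if f["flows"] >= min_flows
        and f["dst_to_port_ratio"] >= ratio_threshold
        and f["size_entropy"] <= size_entropy_max
    )


if __name__ == "__main__":
    features = per_source_features(SAMPLE_FLOWS)
    for src, f in features.items():
        print(src, {k: round(v, 3) if isinstance(v, float) else v for k, v in f.items()})
    print("flagged:", flag_scanners(features))
```

On the constructed input, the scanner's destination-IP entropy is 1.0 while its port and size entropies are 0.0, so the ratio rule flags only 10.0.0.9; the ordinary client never reaches the flow-count floor.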
Cognitive Analyst deploys between twenty and two hundred agents, organized into the following groups:
- Detection agents encapsulate the detection algorithms listed above. Each processes all flows from the local probe and uses its anomaly and trust models to assign a trustfulness score, a value between zero (untrusted) and one (trusted), to every flow in the current set. This score is that agent's estimate of the flow's legitimacy.
- These scores are then processed by aggregation agents, which integrate the opinions of all local detection agents into a consolidated trustfulness value. Each aggregation agent embodies one or more averaging functions (such as the arithmetic mean or an ordered weighted average). The aggregation agents also compete against each other to provide the best overall result, i.e. the best combination of the individual agents' opinions. The winning score is designated the Cognitive Trust Score (CTS).
- Finally, reporting and interface agents export the CTS as alerts in industry-standard formats (IETF IDMEF or plain text) through channels such as email, ticketing systems, log files, or syslog.
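The aggregation step described above, as an added example that is not Cognitive Security's code: four constructed detection agents each give a trustfulness score in [0, 1] to five flows; three aggregation functions (the arithmetic mean and two ordered weighted averages with pessimistic and optimistic weight vectors) combine them; and the aggregators compete on an assumed fitness criterion, the margin between the lowest-scored legitimate flow and the highest-scored malicious flow on a small constructed reference set with known labels. The winner's output is taken as the CTS. The agent scores, the labels, the weight vectors and the margin criterion are all assumptions for illustration; the page does not state how CAMNEP's aggregation agents are judged.

```python
"""Combining per-agent trustfulness scores into a Cognitive Trust Score.
Added example, not Cognitive Security code. Scores, labels, OWA weights
and the selection criterion are constructed for illustration."""

# Constructed: trustfulness in [0, 1] from four detection agents, per flow.
AGENT_SCORES = {
    "flow-A": [0.95, 0.90, 0.92, 0.88],  # agents agree: legitimate
    "flow-B": [0.10, 0.15, 0.05, 0.20],  # agents agree: malicious
    "flow-C": [0.90, 0.85, 0.10, 0.88],  # one agent dissents strongly
    "flow-D": [0.55, 0.60, 0.50, 0.45],  # borderline
    "flow-E": [0.30, 0.85, 0.20, 0.80],  # agents split two against two
}
# Constructed ground truth for the reference flows (1 = legitimate, 0 = malicious),
# standing in for whatever labelled data an aggregation agent would be judged on.
REFERENCE_LABELS = {"flow-A": 1, "flow-B": 0, "flow-C": 1, "flow-D": 1, "flow-E": 0}


def arithmetic_mean(scores):
    return sum(scores) / len(scores)


def owa(scores, weights):
    """Ordered weighted average: sort the opinions in descending order and
    apply positional weights (summing to 1). Weight concentrated on the low
    positions makes the aggregate pessimistic, i.e. a single distrustful
    agent pulls the result down; weight on the high positions is optimistic."""
    if len(weights) != len(scores) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must match the number of scores and sum to 1")
    ordered = sorted(scores, reverse=True)
    return sum(w * s for w, s in zip(weights, ordered))


def make_owa(weights):
    return lambda scores: owa(scores, weights)


# One aggregation agent per averaging function (weight vectors are assumed).
AGGREGATORS = {
    "mean": arithmetic_mean,
    "owa-pessimistic": make_owa([0.1, 0.2, 0.3, 0.4]),
    "owa-optimistic": make_owa([0.4, 0.3, 0.2, 0.1]),
}


def separation(aggregator, scores, labels):
    """Assumed fitness criterion: margin between the lowest aggregate score
    given to a legitimate reference flow and the highest given to a
    malicious one. Positive means the aggregator separates the two sets."""
    legit = [aggregator(scores[f]) for f in scores if labels[f] == 1]
    malicious = [aggregator(scores[f]) for f in scores if labels[f] == 0]
    return min(legit) - max(malicious)


def cognitive_trust_scores(scores, labels, aggregators=AGGREGATORS):
    """Let the aggregators compete on the reference set and publish the
    winner's output as the CTS for every flow."""
    best_name = max(aggregators, key=lambda n: separation(aggregators[n], scores, labels))
    best = aggregators[best_name]
    return best_name, {f: round(best(s), 3) for f, s in scores.items()}


if __name__ == "__main__":
    for name, agg in AGGREGATORS.items():
        print(f"{name:16s} margin={separation(agg, AGENT_SCORES, REFERENCE_LABELS):+.4f}")
    winner, cts = cognitive_trust_scores(AGENT_SCORES, REFERENCE_LABELS)
    print("winner:", winner)
    for flow, score in cts.items():
        print(f"  {flow}: CTS={score}")
```

On this constructed data the plain mean fails to separate the sets (the borderline legitimate flow-D scores 0.525, below the split flow-E at 0.5375), the optimistic OWA does worse, and the pessimistic OWA wins with a positive margin, giving flow-C a CTS of 0.561 despite three agents trusting it. Which weighting is right depends on the cost of missing an attack versus raising a false alarm, which is exactly why the page has the aggregators compete rather than fixing one function.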
Partners