Artificial Intelligence Saccades in Cybersecurity

May 18, 2016 5:00:00 AM Ryan Hohimer SIEM, AI, cybersecurity, Artificial Intelligence, Security Information and Event Management

Cyber Saccadic Events in SIEM

The human perceptual systems are pretty darned amazing. Without our conscious control the brain acts to gather the information needed to construct and mold our perception of reality.

Consider our vision. When something first catches our eyes our brains begin to try and figure out what it is we are seeing. Unconsciously our brain starts jerking our eyes about to gather the information needed to correctly classify that something. This is known as "saccadic eye movement" or "eye saccades".

When we first see a face, our motor cortex takes control over our eyes in order to collect up corroboratory information. Basically, our brain says, "If this is a face, I should see a nose here, an eye here, another eye over here, and a mouth here." Each time the eyes jerk from one location to another, they are collecting information that can confirm or nullify that you are looking at a face.

Artificial Intelligent Saccade paths

Licensed under Creative Commons Attribution-Share Alike 2.0 Generic:  https://commons.wikimedia.org/wiki/File:Face_of_SpooSpa.jpg

A biomimicry of this eye saccade process is very useful when constructing computational perception systems. The real intelligence of the brain can be mimicked to create an artificial intelligence (AI).

In cybersecurity, monitoring systems, known as Security Information & Event Management (SIEM) systems, can be thought of as a perception system of the Security Operations Center (SOC). By mimicking the eye saccades, we can create what I have dubbed the "Cyber AI Saccades". When the SIEM system collects an input, an analytic system should start the processes to collect the needed information to form an understanding of what it is. Basically, our analytic system says, "If this is a cyber event I know, I should see log entries here, a device activity here, and related contextual information here." The analytic system should issue queries to corroborate the classification of the cyber event. The queries should collect information that can confirm or nullify that classification.

A simple point I'm trying to make is that a perception is the result of a triggering event that is interpreted by an intelligent classification system. In the case of human perception, the brain is the ultimate classification system, interpreting all the inputs and creating our reality. In the case of cybersecurity perception, mimicking the brain's saccading can significantly improve the classification of cyber events.

Now obviously cyber events aren’t faces. What am I really saying here? When a cyber event occurs, a series of federated queries should be issued by the analytic system to collect up all the information necessary to infer the proper classification (interpretation) of that event. In other words, an analytic process should start when a triggering event occurs; receive a triggering perception, collect corroboratory information, interpret by inference, output a perception. The output perception may be the triggering perception for another perception process!

DarkLight uses a “Cyber AI Saccade” system. It couples these processes together to form a “Description Logics Brief Propagation Network”. Perhaps this a topic for another Blog post.

What do YOU think?

 

Ryan Hohimer

Written by Ryan Hohimer

Ryan has been working with “Big Data” before “Big Data” was cool. Dealing with the challenges of managing massive data sparked his interest in metadata, Semantic Web Technologies (SWT) and Knowledge Representation and Reasoning (KR&R) -- which led to the development of the technology behind DarkLight's patented reasoning engine. Ryan is Co-Founder and CTO of Champion Technology Company.

Subscribe to Email Updates

Subscribe via RSS to the blog

Recent Posts