Context awareness, better known by the English term “situational awareness”, involves obtaining a clear and correct identification of what has happened, what is happening and what may happen in the immediate future. In particular, in the area of cybersecurity, it refers to being able to identify threatening activities and possible vulnerabilities in a given context, so that data, information and processes can be actively defended, identifying any mitigation measures.
An Early Warning System(EWS) provides a mechanism to improve cyber situational awareness through a holistic approach:
- adopting information from different disciplines, such as human intelligence (HUMINT), geo-spatial intelligence (GEOINT), artificial intelligence (AI) and open source intelligence (OSINT), can be combined with a cyber-spatial information sensor (e.g., alerts on the intrusion detection system) to improve cyber awareness of the global context;
- concepts and strategies for achieving cyber awareness of the context require dedicated processes, enabling technologies and collaborative organisations.
Early Warning Systems: AI supporting the Security Analyst
Malicious events are classified to identify false positives, real alarms but which are not necessarily linked to an attack. The objective of an Early Warning System is to simplify the work of a Security Analyst in identifying false positives and to spend more time on real attacks.
In this framework, artificial intelligence plays a crucial role: the system used to detect threats can be even more accurate if equipped with intelligent modules designed based on the most modern techniques of Natural Language Processing (NLP) and Machine Learning (ML).
Extracting insights from intrusion detection systems
In the digital ecosystem (including the internet), it is possible to find different sources of structured information (e.g., CSIRT, threat intelligence database) or unstructured (social networks, blogs, bulletins, reports, books, operating manuals) on security. An extremely cumbersome activity for a Security Analyst is to integrate structured and unstructured information, understand what is reliable and what is not, and then create the information necessary to identify false positives. NLP is a useful technology for reducing human effort and enables the development of systems that analyse and structure the text of unstructured information, highlighting only the useful information. In NLP, the activity that focuses on extraction based on relevance is called Information Extraction (IE). The comprehensive and generative capacity of NLP, both for speech and for text, makes it an important tool in the hands of all types of cybersecurity players.
With Machine Learning, intrusion detection systems can be equipped with intelligent modules based on statistical learning approaches and computational intelligence to tackle the inferential task of reasoning under conditions of uncertainty. Reasoning with uncertainty is, in fact, one of the main sub-fields of AI research, which provides:
- a semantic explanation of the origin and nature of uncertainty;
- a method for representing uncertainty in formal language;
- a set of inference rules that derive uncertain (though well-justified) conclusions, thus achieving cyber awareness of the context.
The interpretability and reliability of AI models also play an important role, as the ability to explain the reason for the detection is an important part of achieving cyber awareness of the context. The user can then make a more informed decision regarding any defensive action to be taken. However, most eXplainable AI (XAI) systems are designed for experienced ML users, who are able to understand the output from these systems, generally through a predefined, static table or graphic representation that cannot be manipulated by the user.
A new battlefield steeped in data
We are therefore in a historical moment in which the availability of data enables the volatility in the behaviour of attackers to be managed with new techniques that require the capability to identify sources, manage them and, most importantly, analyse them in order to promptly report alarms and dangerous situations. In this scenario, one of the most appropriate strategies to manage the new complexity is to support the human intelligence of security analysts by increasing it. In this new battlefield steeped in data and information, within which important supports can be found, Exprivia has created a new generation "strategic weapon", the EWS, which, through Visual and Data Analytics techniques and using latest-generation NLP techniques, seeks to ensure the analyst an important support tool.