The goal of our research into cognitive security is to accelerate the move away from the current generation of reactive systems to a proactive generation of cognitive systems. To achieve this, we look at ways of distilling enormous volumes of structured and unstructured data into information, and then into actionable knowledge to enable continuous security and business improvement. This involves the use of automated, data-driven security technologies as well as techniques and processes that enhance cognitive systems with the highest level of context and accuracy.


Cognitive Security Analytics

Security analysts in a security operations center (SOC) investigate many cyber security incidents every day. Many of them may be originating from false positives of a detection system, whereas for others, they spend significant amounts of time on identifying relevant information and data mining surrounding events or incidents to understand the bigger picture.

We are researching on how we can support SOC analysts in providing them a companion (or co-pilot) assisting them with recommendations and suggestions based on cognitive reasoning, i.e., to reduce the analysts' workload and provide them with insights about a given incident that they would not be able to produce under existing time and complexity constraints. The methods and tools we research on perform activities such as understanding, learning, and reasoning over on-going and past security incidents and events in a SIEM system (IBM QRadar) and combining them with insights obtained from the Security Knowledge Graph (Watson for Cyber Security).


Security Knowledge Graphs

A tremendous amount of security knowledge resides siloed in different repositories, such as threat intelligence databases, malware sandbox reports, threat reports released by security vendors, or blogs. Security analysts are required to search these systems manually, keep track of the findings, and correlate over them to identify actionable insight.

We are researching on methods to consolidate, correlate, and reason over vast amounts of security intelligence data extracted from hundreds of millions security documents (unstructured and structured) leading to billions of facts.


 Andreas Wespi

Marc Stoecklin

Head of Security Research