Cognitive Threat Analytics – Transparency in Advanced Threat Research

September 11, 2015 - 3 Comments

Cisco Cognitive Threat Analytics is a security analytics product that discovers breaches in Cisco customer’s networks by means of advanced statistical analysis, machine learning and global correlation in Cisco security cloud. Attached to Cloud Web Security (CWS) and Web Security Appliances (WSA), it is also capable of integrating the non-Cisco data sources in order to help the broadest possible set of clients.

Our team discovers tens of thousands of ongoing malware infections (aka breaches) per day. These findings are delivered in a customer-specific report or directly into customer’s SIEM system. The customers can easily identify and re-mediate breaches, get to the root cause and apply policy changes that minimize the risk of further infections in the future.

Cognitive Threat Analytics has intentionally been designed to hide all complexity of machine learning, statistics, game theory and security research under the hood. The resulting simplicity and usability is part of the service value, but this approach does have a downside.

Our customers want to understand and assess the details of the system that protects their networks. Openness creates confidence and also allows more objective assessment of vendors. Simply claiming the use of “advanced machine learning”, “deep learning” or “big data”, without providing additional details is hardly helpful. We have therefore decided, consistently with our past publication activity, to actively publish and publicize the technical details of our system.

On the other hand, full disclosure of the system would be imprudent. There is a fine line to walk between disclosing enough (where we benefit customers and the security industry), and disclosing too much (benefiting mostly the attackers).

This problem is hardly unique in the security industry, and we can easily see how critical an open and rigorous approach can be for healthy development of the field. The quality of scientific research and user confidence in cryptography has dramatically increased since the gradual acceptance of Claude Shannon’s (Communication Theory of Secrecy Systems ) reformulation of Kerchhoff’s principle. The original formulations dates from 1883 and the Shannon’s paper was published in 1949. But only in 1970 through 1990s was this area accepted by customers and users as one of the cornerstones of security. Today, using a proprietary encryption algorithm would be considered unusual outside of very specific government usecases.

Our argument is that the field of security analytics needs to adopt a similar, more open approach. We need to be able to prove the quality of our work and the capability of our technologies to our customers. The key technologies and algorithms should be available for public scrutiny and should be rigorously evaluated. Peer-review framework of scientific journals and conferences is ideal for assessment of claims about the capabilities of our algorithms. It also enforces rigorous evaluation and quality control. Should we be afraid of the attackers exploiting this added knowledge? Our answer is no; the foundational pieces of security analytics should not rely on the antiquated security-by-obscurity models.

We have been working very systematically to achieve the level of maturity where the disclosure of system component’s design would not harm its security. We have been designing and publishing self-adaptation techniques grounded in game theory that increase system robustness, and we will discuss them in one of the future posts.

This time, though, we would like to draw your attention to one of our current publications Cognitive Research: Learning Detectors of Malicious Network Traffic. Two papers written by our colleagues Karel Bartos, Vojtech Franc and Michal Sofka outline one of the many methods inside CTA, and will be presented this week at ECML-PKDD 2015  conference in Porto.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Transparency is Hall mark of Leadership ! Customers sometimes have hard time to distinguish between Snake Oil Claims and Reality, especially when advanced methods are being used for modern threats. So this kind of efforts will help them do an objective analysis .

    Great post and Great efforts !

  2. Para five: “the disclosing enough” -> “disclosing enough”;
    “Benefit the customers and security industry” -> “benefit customers and the security industry”;

    Para six: “hardly unique in the security industry”;
    “…how critical an open and rigorous approach can be…”

    Para seven: “…adopt a similar…”;
    “But shall we be afraid of the attacker’s exploiting…” -> “Should we be afraid of attackers exploiting…”;