DarkLight Overview

DarkLight is an expert system, installed as a desktop application, for assisting cyber security analysts with their day-to-day activities. Many of the tasks that analysts must do are simple, yet require a huge amounts of repetition. The vision of the DarkLight team is to reduce the analyst's workload by automating these simple repetitive tasks.

Empirically, we have found that there are tasks that DarkLight can quickly automate to reduce workload.

For example:

  • Attribution of events to employee, service, or vendor accounts.
  • Reduction of false positives from “noisy” security appliances.

DarkLight uses a technology that has not been applied to cybersecurity analysis prior to Champion Technology Company Inc. (CTCI). CTCI brought the technology out of the Pacific Northwest National Laboratory and into the commercial and government markets.

CTCI’s proprietary approach uses Description Logics (DL) and semantic graph analytics to process data from network and security appliances. DarkLight uses a DL inference engine to interpret and analyze facts using an analyst’s unique knowledge of cybersecurity and the enterprise they are protecting. Data feeds from existing network security and threat intelligence systems are normalized. Once normalized, DarkLight automates the attribution and correlation of system, sensor, event, appliance, and user activity logs. Using the knowledge of the analysts, DarkLight can recognize patterns and anomalies in the context of the enterprise.

Description logics are expressed in formal knowledge representation languages. One such language is the Web Ontology Language (OWL). DarkLight uses the OWL language to capture the descriptions of the things and logic in the domain of cybersecurity. By representing common sense knowledge from the cybersecurity community and the knowledge from your enterprise's cybersecurity analysts, tasks and data interpretation can be efficiently and intelligently automated. Trying to protect an enterprise from cybercrime without automation has been likened to "drinking from a firehose". It just can't be done without getting hurt and making a mess of things.

An ontology is a formal way to describe knowledge. As noted above, our technology uses the OWL language to form ontologies. DarkLight enables analysts to create ontologies embedding their own expertise, specific to the needs of their enterprise. Ontologies contain class definitions, property definitions, and facts adhering to these definitions. By describing classes, properties, and rules in the domain of expert cybersecurity, DarkLight can automate the tedious, complex, and overwhelming tasks of the analyst.


Anatomy of an Ontology

  • Class definition: A formal description of a set or category. Classes are also known as Abstract Data Types.
    • Example: Vehicle
  • Property definition: A formal description of the relationship an instance of a class has with another object or data.
    • Data Property: A property relationship with a primitive data type such as string, integer, real number, etc.
    • Object Property: A property relationship with another instance of a class.

Propositional Logic

Logical expressions can be made using propositional logic.

  • Triple: A statement that links one object (the subject) to another object or literal value via a predicate.
    • "Mary had a little lamb" can be expressed with a set of triples:
      • (Mary, type, Person) or type(Mary, Person)
      • (Mary, owns, Lamb) or owns(Mary, Lamb)
      • (Lamb, size, little) or size(Lamb, little)
  • Subject: An object uniquely identified by a URI. URIs are often shortened to a prefix ‘:’ character readability.
    • For example: http://champtc.com/People#john or just :john AKA: Instance, entity, individual
  • Predicate: A relationship from an object to another object or literal value. E.g. :name, rdf:type AKA: property
  • Object: The string of characters: “John” AKA: object, literal

  • start/overview
  • Last modified: 2017/08/15 18:53