Differentiators

DarkLight is a first-of-its-kind, AI-based expert system which sits on top of existing enterprise security investments and enables sense-making and decision-making for active cyber defense and information sharing. It helps an organization develop a scientific, evidence-based foundation for vastly improved cyber security automation and operations.

“Works & Thinks” Like a Team of Analysts

DarkLight’s artificial intelligence takes a completely different approach by applying top-down logic (general to specific) and “Sherlock Holmes-style” deductive reasoning that ties the evidence in the data to the analytic claim being made by the AI. This allows DarkLight to receive the wide range of hypotheses coming from the different machine learning and other cybersecurity solutions an organization has already invested in, and to validate each claim against the evidence in the same way a human cyber expert would.

Expert Knowledge Framework

Embedded in DarkLight’s knowledge framework is a conceptual model of the unified cyber terrain which incorporates many of the Cyber Security Measurement and Management Architecture languages such as OASIS’s STIX, CYBOX, and CIQ and NIST’s CVE, CWE, and CAPEC. Other community-crafted knowledge representations such as CMU CERT’s Insider Threat Indicators Ontology are also part of the extensible knowledge framework.

Cyber Security Knowledge and Activity Graph

Knowledge and activity graphs were made popular by technology giants like Google, Facebook, Microsoft and others who are using these semantic graphs to enable advanced analytics on their massive datasets.

DarkLight uses the defense and intelligence community's Object-Based Production methodology to organize and build graphs for what is known about enterprise contextual knowledge, adversarial contextual knowledge, and activity-based observations from the cyber ecosystem. The Enterprise Contextual Knowledge graph allows the AI to understand the organization’s people, processes, and technologies. An Adversarial Contextual Knowledge graph allows the AI to understand the threat actors, campaigns, TTPs, indicators and other known threat information from incident response, threat intelligence, and threat sharing.

Explainable Artificial Intelligence / No Black-Box Algorithms

Unlike a black-box machine-learning approach, all the logic is exposed, defensible, and can be used as a learning method to educate junior analysts. The conceptual model in DarkLight is understandable because it uses the same domain-specific concepts and terms cyber security professionals use in their daily jobs. This approach doesn’t require data scientists or mathematicians to create the analytics; it puts the power of self-service analytics in the hands of the analysts and business users, who can create their own prescriptive analytics based on their domain expertise and operational experience in the organization.

Human-Quality Data Analytics at Scale

At the core of DarkLight is the Programmable Reasoning Object℠ (PRO℠), which interprets the data like a human analyst. PROs are used to orient, or make sense of, the observations coming from the cyber ecosystem to support evidence-based decision-making and course-of-action selection. With the use of multiple reasoners, they transform the data from these discrete sources into actionable intelligence.

Share Analytic Tradecraft, Not Just Information

DarkLight enables organizations to share the ontologies and PROs they create for analytics and automated courses of action (threat hunting, insider threats, false positive reduction, etc.) with other organizations, in the same way organizations share threat intelligence and IDS or AV signatures today.

The ability to share the ontologies and PROs is a game changer. Suddenly the ISACs and ISAOs can move from sharing actionable intelligence to sharing actionable intelligence and PROs that can automate the decisions and actions that should be taken based on that intelligence.

This helps the community move from sharing knowledge about threats to sharing step-by-step, machine-readable instructions to automate and orchestrate what to do with that knowledge.

Ready to use the power of DarkLight's AI for Active Cyber Defense?

Start a 30-day free trial

Features

An AI Expert System

When knowledge representation and reasoning is applied to a specific domain like cyber security and the system is taught by cyber security experts, it can create what is known as an “expert system”.

An expert system is a computer system that emulates the decision-making ability of a human expert and is designed to solve complex problems by reasoning about the knowledge.

So what's the difference between an AI expert system and machine learning? This graphic explains:

Just like machine learning, expert systems have benefited from advances in technology, digitized data, information, and knowledge bases and our ability to apply these analytic solutions to real world problems has greatly increased over the years. In other words, these aren’t the expert systems that dominated artificial intelligence 30 years ago in the 80’s and pushed machine learning out of favor. They’re more powerful, more agile, standards-based, and easier to use.

Machine learning and data mining often employ the same methods and overlap significantly, but while machine learning focuses on prediction, based on known properties learned from the training data, data mining focuses on the discovery of (previously) unknown properties in the data. Machine learning is significantly closer to data mining than it is to artificial intelligence.

Knowledge Representation & Reasoning

Under the hood, DarkLight's AI leverages formal description logics expressed in formal knowledge representation and reasoning (KR&R) languages.

DarkLight uses the Web Ontology Language (OWL) to capture the descriptions of the things and the logic in the domain of cybersecurity.

DarkLight uses the W3C OWL2 standard as its description logic knowledge representation language, since this is a mature, second-generation standardized language with increasing adoption across industries such as Healthcare and Biomedical, Financial Services, and the Defense and Intelligence Community.

Supports a Scientific Foundation to Cyber Security

When the artificial intelligence (AI) field of knowledge representation and reasoning (KR&R) is applied to the enterprise cyber security ecosystem, it can help organizations develop a scientific foundation for their cyber security program.

These evidence-driven AI knowledge representation and reasoning solutions should not be confused with machine learning solutions based on statistical and mathematical modeling; the two are very different but complementary approaches.

This type of artificial intelligence is explainable because the knowledge, logic, reasoning, and evidence can be reviewed and defended by analysts, and can also be shared with the community and reviewed by peers.

When DarkLight makes a claim about a threat, malicious activity, or behavior it observed in your ecosystem, it backs that claim with evidence and reasoning, just as your analyst would, and does so in a way that is understandable and explainable.

Ontologies, Not Rules

Ontology-based systems classify data and are more powerful than rule-based systems. To demonstrate this, consider describing how to attach a fastener to a wall.

In a rule-based system you’d specify the attributes you want the system to look for so you can choose the right tool. So for a nail you might say, “If it has a cylinder with a point on the end and a flat disc on the top, hit it with a hammer.” Soon your system is hitting nails with the hammer, but then it comes across a screw and it hits it with a hammer because it matches the rule. So you have to write another rule that says, “If the cylinder has threads on it, use a screwdriver.” You can imagine that as your system runs and finds new fasteners and variations of known ones, you have to write more and more rules.

With an ontology-based system, your fasteners ontology already knows the properties that make up the full set of nails, screws, bolts, etc., so your rule is simply, “Use the appropriate tool on the fastener.” The system can use the limited input it is given (Hex Head, Threaded Body) to deduce the type of object it is (Bolt) and use the correct tool (Wrench).
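The following is an added example, not DarkLight's code or its OWL model, that makes the fastener argument concrete and also illustrates the earlier point about description-logic classification: it contrasts an ordered rule list (first matching rule wins) with a small class hierarchy in which each class carries the properties that distinguish it from its parent, and an observation is classified into the most specific classes whose full definitions it satisfies. The class names, property names (cylinder, hex_head, threaded_body, and so on) and the tool mapping are assumptions constructed for this illustration; a real OWL reasoner does the same subsumption over far richer class expressions.

```python
"""Constructed fastener example: ordered rules versus class-based deduction.

Added illustration, not DarkLight's code or its OWL ontology. Class names,
property names and the tool mapping are assumptions made for this example.
"""
from __future__ import annotations

# ---------------------------------------------------------------------------
# Rule-based approach: an ordered list of (required properties, tool).
# The first rule whose properties are all present wins.
# ---------------------------------------------------------------------------
NAIL_RULE_ONLY = [
    ({"cylinder", "point", "flat_disc_head"}, "hammer"),
]
# The second rule the text adds after the screw is mis-handled. It has to be
# checked before the nail rule, because a screw still satisfies the nail rule.
PATCHED_RULES = [
    ({"cylinder", "threaded_body"}, "screwdriver"),
    ({"cylinder", "point", "flat_disc_head"}, "hammer"),
]


def rule_based_tool(observed: set[str], rules: list[tuple[set[str], str]]) -> str | None:
    """Return the tool of the first rule that fires, or None if no rule matches."""
    for required, tool in rules:
        if required <= observed:
            return tool
    return None


# ---------------------------------------------------------------------------
# Ontology-based approach: each class names its parent and the properties that
# distinguish it from that parent. A class's full definition is its own
# properties plus those of every ancestor (assumed, simplified hierarchy).
# ---------------------------------------------------------------------------
ONTOLOGY: dict[str, tuple[str | None, frozenset[str]]] = {
    "Fastener":         (None,               frozenset()),
    "Nail":             ("Fastener",         frozenset({"point", "flat_disc_head", "smooth_shank"})),
    "ThreadedFastener": ("Fastener",         frozenset({"threaded_body"})),
    "Screw":            ("ThreadedFastener", frozenset({"point", "slotted_head"})),
    "Bolt":             ("ThreadedFastener", frozenset({"hex_head"})),
}
TOOL_FOR_CLASS = {"Nail": "hammer", "Screw": "screwdriver", "Bolt": "wrench"}


def ancestors(cls: str) -> list[str]:
    """All superclasses of cls, nearest first."""
    chain, parent = [], ONTOLOGY[cls][0]
    while parent is not None:
        chain.append(parent)
        parent = ONTOLOGY[parent][0]
    return chain


def defining_properties(cls: str) -> frozenset[str]:
    """Union of the class's own distinguishing properties and its ancestors'."""
    props = set(ONTOLOGY[cls][1])
    for anc in ancestors(cls):
        props |= ONTOLOGY[anc][1]
    return frozenset(props)


def classify(observed: set[str]) -> frozenset[str]:
    """Most specific classes whose full definitions the observation satisfies."""
    satisfied = {c for c in ONTOLOGY if defining_properties(c) <= observed}
    # Drop any satisfied class that is an ancestor of another satisfied class.
    return frozenset(
        c for c in satisfied
        if not any(c in ancestors(other) for other in satisfied if other != c)
    )


def ontology_tool(observed: set[str]) -> str | None:
    """Tool implied by the deduced class; None unless exactly one tool follows."""
    tools = {TOOL_FOR_CLASS[c] for c in classify(observed) if c in TOOL_FOR_CLASS}
    return tools.pop() if len(tools) == 1 else None


if __name__ == "__main__":
    # Constructed observations: a screw has a flat disc head too, which is why
    # the nail rule over-matches it; the bolt is the text's limited input.
    screw = {"cylinder", "point", "flat_disc_head", "threaded_body", "slotted_head"}
    bolt_partial = {"hex_head", "threaded_body"}
    print("screw, nail rule only :", rule_based_tool(screw, NAIL_RULE_ONLY))
    print("screw, patched rules  :", rule_based_tool(screw, PATCHED_RULES))
    print("bolt,  patched rules  :", rule_based_tool(bolt_partial, PATCHED_RULES))
    print("screw, ontology       :", set(classify(screw)), ontology_tool(screw))
    print("bolt,  ontology       :", set(classify(bolt_partial)), ontology_tool(bolt_partial))
```

Two things stand out when this runs. The rule list gives the wrong answer (hammer) for the screw until a second rule is added in front of the first, and even the patched list gives no answer for the partial bolt observation because no rule mentions a hex head. The class hierarchy deduces Bolt from just {hex_head, threaded_body}, and an observation it cannot pin down (say, only {cylinder, threaded_body}) is still classified as a ThreadedFastener rather than forced into a wrong leaf class, which is the behaviour a defender wants when evidence is incomplete.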

Shareable Institutional Knowledge

The DarkLight PROs can be used again and again, shared between analysts, and retained as part of the institutional knowledge.

Practitioners can evolve analytics incrementally as their tradecraft knowledge evolves, and scale those analytics with the data by simply adding more PROs encoded with the cyber security analytic tradecraft of human experts. The goal isn’t to replace the human analysts defending our organizations but to make them more effective and efficient by giving them an army of AI-based virtual analyst experts to assist them in defending our enterprises. Ultimately, organizations can apply DarkLight where they need the help, and the evidence-based decisions will help them feel more comfortable about enabling AI-based automation, since it uses the same evidence- and data-driven processes their human experts use.
