Cyber Resilient Decentralized Agentic Security Operation Center (SOC)

Overview

There is a notable increase in cyberattacks targeting vital digital services such as energy, water, oil plants, and communication and transportation infrastructure. Without the right cybersecurity and resilience solutions, the blessing of digital transformation can turn into a curse, bringing significant societal threats and economic damage. Security Operation Centers (SOCs) are therefore becoming a necessary part of every digital and critical infrastructure, with the main roles of defining cybersecurity policies and processes and implementing detection and response mechanisms and tools.

Unfortunately, detection and response tools fall short of addressing the recent complexity and heterogeneity of real systems because they are centralized: sensed data is collected from endpoint devices and pushed to the center for processing using AI/ML models, i.e., for detecting vulnerabilities and suggesting responses (e.g., closing ports, installing a patch, etc.). This leads to several weaknesses, among them: (1) the SOC center is a central point of attack/failure, which disables the effectiveness of the entire detection and defense capabilities; (2) data in transit from endpoints to the center incurs a huge cost; (3) response delays increase, which lets strong adversaries maneuver faster than a reactive defense.

This project addresses the above challenges by investigating the feasibility, strengths, and tradeoffs of introducing a Decentralized SOC (D-SOC) architecture. One envisions a continuum of decentralization from endpoints to edge devices, all the way to the center, at several levels, e.g., decentralizing monitoring and detection, decision making, response, etc.

The project's scope spans building and integrating mechanisms to mitigate these issues, e.g., by employing TinyML models and/or FPGA accelerators at the edge, and by dynamically adapting to the cybersecurity posture as a response mechanism.