Artificial Intelligence – Logical Reasoning for Cybersecurity
I wanted to start this thread to continue our discussions on using the knowledge representation and reasoning field of artificial intelligence that we started in 2015 and how this supports security science in the operational cybersecurity ecosystem. We previously discussed the concept of a semantic eScience of security platform to better understand a generic technology stack that enables knowledge representation and reasoning and how the technology supported evidence driven science in the operational environment. We also discussed and provided links to different cyber security ontologies written in RDF/OWL, which are knowledge representation languages that describe the people, places, things, and events in the cybersecurity domain.
In this thread, the focus will be on capturing human "analytic tradecraft" knowledge and experience as "programmable reasoning objects" to enable the artificial intelligence to use the human expert's own logic and reasoning to make claims based on the cybersecurity data (evidence) in the operational environment.
To help make this topic a little easier to understand, we'll leverage a popular middle school science framework used to teach students to construct good explanations: the Claim Evidence Reasoning (CER) framework. This framework helps students understand that if they make a claim, it must be backed by evidence and reasoning that make explicit the step-by-step thinking showing how the logic connects the evidence to the claim.
Cybersecurity analysts do this all the time when they make a claim about some event or activity they observed in the operational ecosystem. Analysts back up the claim with evidence and provide their reasoning that shows how the evidence supports the claim. Artificial intelligence based virtual analysts should also show the evidence and their reasoning for how the evidence supports the claim.
Since nearly all the major cybersecurity vendor solutions available today have integrated Predictive Analytics, Machine Learning, or Risk/Reputation scoring that use inductive reasoning to pose a hypothesis (conjecture), I created a graphic to help human cyber defenders better understand AI-based reasoning, both inductive and deductive. Scientists use both inductive and deductive reasoning to address problems. Our AI should too.
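As an added illustration (not code from the thread or from any product it mentions), here is a minimal deductive reasoner in which analyst tradecraft is encoded as data-driven rules over RDF-style triples, and every derived claim is returned in CER form: the claim, the facts used as evidence, and the rule that supplied the reasoning. All facts, rule names and predicates are constructed for the example.

```python
# Added example: Claim-Evidence-Reasoning output from rules encoded as data
# ("programmable reasoning objects"). Nothing here comes from the thread.

# Constructed evidence, as (subject, predicate, object) triples.
FACTS = {
    ("alert-1", "type", "Alert"), ("alert-1", "src", "host-5"),
    ("alert-1", "dst", "203.0.113.9"), ("203.0.113.9", "listedBy", "ti-feed"),
    ("alert-2", "type", "Alert"), ("alert-2", "src", "host-5"),
    ("alert-2", "dst", "198.51.100.7"), ("host-5", "authorizedTo", "198.51.100.7"),
}

# Rules are data: (name, premises, conclusion). Tokens starting with '?' are variables.
RULES = [
    ("R1: destination listed by a threat-intel feed -> suspicious",
     [("?a", "type", "Alert"), ("?a", "dst", "?d"), ("?d", "listedBy", "?f")],
     ("?a", "status", "suspicious")),
    ("R2: source asset is authorized to talk to destination -> false positive",
     [("?a", "type", "Alert"), ("?a", "src", "?s"), ("?a", "dst", "?d"),
      ("?s", "authorizedTo", "?d")],
     ("?a", "status", "false-positive")),
]

def unify(pattern, fact, binding):
    """Extend binding so pattern matches fact, or return None on conflict."""
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if b.get(p, f) != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b

def match(premises, facts, binding=None):
    """Yield (binding, facts used) for every way all premises hold."""
    binding = binding or {}
    if not premises:
        yield binding, []
        return
    for fact in facts:
        b = unify(premises[0], fact, binding)
        if b is not None:
            for b2, used in match(premises[1:], facts, b):
                yield b2, [fact] + used

def reason(facts, rules):
    """Deductive forward step: each fired rule yields one CER record."""
    claims = []
    for name, premises, conclusion in rules:
        for b, used in match(premises, facts):
            claim = tuple(b.get(t, t) for t in conclusion)
            claims.append({"claim": claim, "evidence": used, "reasoning": name})
    return claims
```

Each record makes the inference auditable: a reviewer can check the evidence triples against the rule's premises instead of trusting an opaque score.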
In your comments, are you thinking about AI in the operational phase of a cyber system's life cycle, or are you seeing use of AI in other phases?
Hi Rick,
I'm actually focused on an A.I. Cyber Defense Expert System to emulate the sense-making and decision-making ability of human cyber defense experts as captured in sharable AI playbooks. Our AI expert system was a DoE PNNL technology transfer to industry. Knowledge representation languages are created and used for each of the cybersecurity measurement and management architecture information representations like STIX, CVE, CAPEC, CEF, etc., so the AI can understand the meaning of the security information and to enable object-based production to organize what is known. Then we enable human cyber defenders to encode their standardized processes and workflows for things like hypothesis validation to rule out false positives, threat hunting, insider threats, shared situational awareness, etc.
We are focused on operationalizing the Integrated Adaptive Cyber Defense (IACD) framework, which is sponsored by NSA and DHS and being led by JHUAPL. IACD is the same as DoD's Active Cyber Defense (ACD) or DHS's Enterprise Automated Security Environment (EASE). The AI expert system is filling the upper-level sense-making and decision-making area. You can read more about IACD here: https://secwww.jhuapl.edu/iacdcommunityday/OurWork
Since finishing my tour at NTOC in 2011, I've been focused on helping the human cyber defenders develop a scientific foundation for their day-to-day analysis and decision making for cyber defense. Everything I've worked on from 2011 onward has been geared towards helping the humans validate the never-ending stream of 'probable' alerts and events, where each hypothesis is conjecture that needs to be validated in order to make the correct decision about the course of action to take. The other driving factor pushing me is the severe shortage of human cyber defenders needed to actually do the job effectively. This is why, since 2011, I've been focused on A.I. Cyber Defense Expert Systems and have been sharing what I know with the SoS community since 2012, when I spent an hour briefing Dan Wolf on it over coffee at BlackHat in 2012 at the request of Charlie Croom, and with the wider SoS-VO since 2013.
Among those conversations, panelists said, are ways to further integrate artificial intelligence and human analysis, which Rogers asserts is not a binary solution. "Machine learning helps you get to scale to address global problems -- at the same time you need to ask yourself 'how does that fit and where is the human dynamic in all this?'"
Harnessing the power of Artificial Intelligence
Rogers explained this concept carries particular significance in cyber defense.
"If you can't get to some level of AI or machine learning with the volume of activity that you're trying to understand when you're [defending] networks from activity of concern, if you can't get to scale, you are always behind the power curve -- it's got to be some combination of the two."
Cardillo echoed Rogers' sentiment in the evolution of artificial intelligence and innovation writ large, adding that while a solely human-centered approach to answer questions is possible, data is now exposed in ways that could be confusing absent AI assistance.
Source: http://www.defense.gov/News/Article/Article/938941/national-security-experts-examine-intelligence-challenges-at-summit