Thoughts about AI in Cybersecurity

Author: Shawn Riley
September 2019

Generally when people hear the term AI they instantly think of data science derived AI such as machine learning and deep learning. This type of AI is very much needed as the amount of security data keeps increasing. When I started out in security in the early 1990s, the security analysts would have to manually go through the logs and other data sources to look for patterns of interest. As the amount of data grew, we started seeing data science being applied more and more across different data sets. This enabled data science approaches like machine learning to find the probable patterns and produce information for the analyst saying "these are probably the patterns you are looking for". I say probably because approaches like machine learning use probabilistic reasoning where the results are just conjecture until validated by a human with the necessary knowledge to understand the data they are looking at. It's often said the amount of data more than doubles every 2 years and this adds weight to why we need data science approaches like machine learning to do the preliminary analysis of the data for defenders. This also means the information, knowledge, and wisdom layers on top of the data are increasing as well.

As cybersecurity organizations deploy more and more sensors, they are also deploying more and more data science derived AI solutions to do that preliminary analysis. For the past several years this has been causing security analysts to drown in the information being produced in the same way they used to drown in the security data before wide spread use of data science derived AI solutions. The human analysts need to process the information being produced by all those solutions to verify the individual preliminary analysis results produced by algorithms to sort out the false positives from true detections. The problem is there is now far too much information being produced from the underlying data, when combined with information being shared by other organizations about threats and vulnerabilities, for most human security teams to process and take action on. The Ponemon Institute did a survey a few years ago that determined the average company has 75 security solutions, 96% of the information being produced wasn't being addressed, 19% were deemed reliable, 4% were actually investigated. The cybersecurity problems can't be addressed by data science derived AI alone. We also need knowledge engineering derived AI that focuses on organizing information into knowledge and can mimic how human security analysts and investigators apply the knowledge and wisdom contained in the knowledge-base. 

The strength of knowledge engineering derived AI like modern expert systems is being able to mimic how human security analysts apply their knowledge and wisdom to the information to make sense of the preliminary analysis results coming from data science derived AI solutions and validating the performance of the point product producing the preliminary analysis results information.

Another strength of knowledge engineering derived AI is semantic interoperability. Which is the ability to integrate the information across different silos, that is in different formats and serializations into a common format and to organize the siloed information into integrated knowledge using W3C standardized ontologies (knowledge models created from knowledge representation language standards). This means the knowledge engineering derived AI can organize the information coming from the different data silos with knowledge from different frameworks such as MITRE ATT&CK, the NIST Cybersecurity Framework, NIST Cyber Resiliency Engineering Framework, ODNI Cyber Threat Framework, etc so the information is organized and can be looked at through the different lenses of knowledge frameworks and human mental models. Both data science derived AI and knowledge engineering derived AI are required pieces in the DHS and NSA sponsored Integrated Adaptive Cyber Defense (IACD) community.

Knowledge engineering derived AI really focuses on organizing and automating how human knowledge is applied to solve complex knowledge-driven automation challenges. Human memory is both implicit and explicit. An example of implicit memory is that used to ride a bike. Whereas, explicit memory is made up of both Semantic (facts, dates, numbers, words) knowledge and Episodic (experiences) knowledge. Modern AI expert systems focus on encoding the explicit memory of humans and can capture semantic memory in knowledge models called ontologies and episodic memory in knowledge-driven playbooks that support deductive logical reasoning across semantic knowledge graphs.

Knowledge engineering derived AI expert systems can reason over the facts in the information it is looking at and based on those facts, infer (deduce) new facts into the investigation from the knowledge models (ontologies).  It can also infer knowledge contained in the knowledge-base by following the knowledge-driven playbook workflow based on the encoded explicit knowledge of the human analyst. This is ideal for automating complex knowledge-driven processes that require the explicit knowledge and experience of human cyber defense analysts and investigators to make those processes scalable with the increasing amounts of data and information.

Applying AI in cybersecurity starts with knowing which type you need to solve the different problems faced by the security organization. If it's a data problem, then you need data science derived AI. If you've already invested in applying data science derived AI, then you're probably drowning in the information produced by the various data science derived AI solutions and don't have the humans you need to process, verify, and validate all the preliminary analysis results. You need to start thinking about investing in knowledge engineering derived AI solutions if you've reached this level. These are very different types of AI that don't have a lot of overlap but are extremely complimentary when both are used in the security enterprise. Data Science derived AI, Security Orchestration, and Knowledge Engineering derived AI are 3 foundational technologies that are needed to support holistic security automation and to keep the human security team from drowning in the data and information. 

This is a helpful overview chart to see the side by side comparison of both data science derived AI (aka non-symbolic AI) and knowledge engineering derived AI (aka symbolic AI). It's important to remember these two types of AI don't compete with each other but have a synergistic relationship, solving their own sets of problems as part of a holistic approach to applying AI in cybersecurity.