Teaming with the AI Cyber Warrior

Dr. William Streilein

MIT Lincoln Laboratory

5 March 2018

Data-Starved Artificial Intelligence

This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air ForceContract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secretary of Defense for Research and Engineering.

Distribution Statement A: Approved for public release: distribution unlimited.

© 2018 Massachusetts Institute of Technology.

Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

Teaming with the AI Cyber Warrior - 2WWS 03/05/18

Cyber Security: Critical Threat Surfaces

Users SystemsData

Attacker

Compromised System Components

• Supply Chain Attacks

• Physical Tamper

• Malicious Logic

• Counterfeit Components

• Malicious Compilers

• …

Compromised Input

• Memory Corruption

• Code Injection

• Database Injection

• Malformed Packet (Ddos)

• Cyber-EW Effect

• …

Compromised User

• Credential Stealing

• Spoofing

• Insider Attacks

• Spear Phishing

• Password Guessing

• …

Teaming with the AI Cyber Warrior - 3WWS 03/05/18

NOTEWORTHY FACTS

• 250K new malware programs are registered each day

• There were 357M new email malware variants in 2016 – 36% more new variants than in 2014.

• There were 463M new variants of ransomware in 2016 – 36% more new variants than in 2015.

• 99 days to detect compromise –adversary gains access in 3

• Internet of Things and Cloud are hot targets (e.g., Mirai botnet) – 2 min to compromise

• Projected cyber-attack costs in 2019: $2.1T

Sophisticated Attacks More Easily Accomplished with Automation

Growth of Threat

202020152010200520001995199019851980

High

Low

Next

Phishing

Ransomware

Firmware

Insider

Password guessing

Self-replicating code

Password cracking

Exploiting known vulnerabilities

Burglaries

Back doors

Sweepers

Disabling audits

Hijacking sessions

Sniffers

Network management diagnostics

Packet spoofing

GUI

Automated probes/scans

Denial of service

www attacks

“Stealth”/advanced scarring techniques

Distributed attack tools

Cross-site scripting

Staging Sophisticated C2

Sophistication Required of Actors Declining

Sophistication of Available Tools Growing

Sop

his

tica

tio

n

Sources: https://www.symantec.com/security-center/threat-reporthttp://expandedramblings.com/index.php/cybersecurity-statistics/http://www.nato.int/docu/Review/2016/Also-in-2016/cyber-defense-nato-security-role/EN/index.htm

https://www.fireeye.com/blog/threat-research/2017/03/m-trends-2017.htmhttps://www.ag-test.org/en/statistics/malware

Teaming with the AI Cyber Warrior - 4WWS 03/05/18

The Cyber Battleground

Offense

StagesEngage

Maintain Presence

Achieve Effect andAssess Damage

Prepare (Recon)

Defense

StagesProtect Detect Respond RecoverIdentify (Recon)

Focused defense ID new attacksDeflect attacks Stop attacks “Mission” fight throughImpact

Know the target Support persistenceEnable attack process Attack effectivenessImpact

Teaming with the AI Cyber Warrior - 5WWS 03/05/18

The Cyber Battleground

Offense

StagesEngage

Maintain Presence

Achieve Effect &Assess Damage

Prepare (Recon)

Defense

StagesProtect Detect Respond RecoverIdentify (Recon)

Focused defense ID new attacksDeflect attacks Stop attacks “Mission” fight throughImpact

Know the target Support persistenceEnable attack process Attack effectivenessImpact

Major Challenges:• Proliferation of malware• Hard to identify critical assets• Overwhelming amount of big data• Analysis and response are manual processes• Attacker will leverage AI

Teaming with the AI Cyber Warrior - 6WWS 03/05/18

Cyber Machine Intelligent Assistant (CyMIA)

Natural language-based

interaction interprets

user queriesAutomatically extract

mission, network, and

threat informationFuse information into

knowledge base, infer

relationshipsChoose CoA based

on threat, knowledge

base, and scenario

How should I protect my mission-

critical networks?

You should segment and isolate your C2

network coupled with the fire-control radar

CyMIA Response

CyMIA processes natural language input in the context of cyber threats and network knowledge to respond with appropriate CoAs (Courses of Action)

Fire Control Radar

Control System

Threat reports

Note: CASCADE is an existing Line funded effort

Teaming with the AI Cyber Warrior - 7WWS 03/05/18

CHARIOT: Leverage HLT to Improve SNR for Cyber Analysts

• Source-dependent extraction/processing

• Feature generation

– Word stemming (hack, hacker, hacks, hacking)

– Term Frequency Inverse Document Frequency (TFIDF)

• Logistic regression classifier

AI approach achieves analyst performance target

False Alarm ProbabilityM

iss

Pro

bab

ility

Teaming with the AI Cyber Warrior - 8WWS 03/05/18

Automated Cyber Decision Making via Mod/Sim and Game Theory

• CASCADE – Cyber Adversarial SCenario modeling and Automated Decision Engine– Dynamically quantifies risk in the face of an adaptive adversary

– Considers mission context to selection optimal course of action (COA)

– Prototype applied to configuration of network segmentation defense

Ris

k

CASCADE Iterations

Teaming with the AI Cyber Warrior - 9WWS 03/05/18

Cyber AI-Related Workshops and Symposiums

Artificial Intelligence for Cyber Security Workshop • Forum for AI researchers and practitioners

to share research and experiences in applying AI to Cyber Security

Graph Exploitation Symposium• Brings together leading experts from

universities, industry, and government to explore the state of the art and define a future roadmap in network science

Sanjeev Mohindra

ChairsChairs

Bill Streilein

Neal Wagner

Dave Martinez

Sal StolfoProfessor of Computer ScienceDept. of Computer Science, Columbia University

Trung TranLaboratory of Physical Sciences, University of Maryland, Baltimore County

Bill Streilein

New Orleans, Louisiana • February 2, 2018 Dedham, Massachusetts • April 23–25, 2018

Keynotes

Technical Co-Chairs

Ben Miller

Rajmonda Caceres

Theme: Applications of AI to Internet of Things

POC: Ben Miller,bamiller@ll.mit.edu

Teaming with the AI Cyber Warrior - 10WWS 03/05/18

• Robust detection capabilities to discover plans for new attacks in structured and unstructured data sources

• Automated methods to discover dependence of mission function on cyber systems (e.g., “mission mapping”)

• Graphical analysis methods to infer relationships and relevance to mission network

• Automated methods to develop simulation models from unstructured and structured data

• Techniques to quantify security risk from newly discovered cyber threats

Areas of Continued and Future Research