Teaming with the AI Cyber Warrior
Dr. William Streilein
MIT Lincoln Laboratory
5 March 2018
Data-Starved Artificial Intelligence
This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secretary of Defense for Research and Engineering.
Distribution Statement A: Approved for public release: distribution unlimited.
© 2018 Massachusetts Institute of Technology.
Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.
Teaming with the AI Cyber Warrior - 2 WWS 03/05/18
Cyber Security: Critical Threat Surfaces
[Figure: an attacker targeting three threat surfaces: Users, Systems, Data]
• Supply Chain Attacks
• Physical Tamper
• Malicious Logic
• Counterfeit Components
• Malicious Compilers
• …
Compromised Input
• Memory Corruption
• Code Injection
• Database Injection
• Malformed Packet (DDoS)
• Cyber-EW Effect
• …
Compromised User
• Credential Stealing
• Spoofing
• Insider Attacks
• Spear Phishing
• Password Guessing
• …
NOTEWORTHY FACTS
• 250K new malware programs are registered each day
• There were 357M new email malware variants in 2016 – 36% more new variants than in 2014.
• There were 463M new variants of ransomware in 2016 – 36% more new variants than in 2015.
• 99 days to detect compromise – adversary gains access in 3
• Internet of Things and Cloud are hot targets (e.g., Mirai botnet) – 2 min to compromise
• Projected cyber-attack costs in 2019: $2.1T
Sophisticated Attacks More Easily Accomplished with Automation
[Figure: Growth of Threat, 1980–2020. Vertical axis: Sophistication (Low to High). Sophistication required of actors declining; sophistication of available tools growing. Attack types plotted in order of appearance: Password guessing, Self-replicating code, Password cracking, Exploiting known vulnerabilities, Burglaries, Back doors, Sweepers, Disabling audits, Hijacking sessions, Sniffers, Network management diagnostics, Packet spoofing, GUI, Automated probes/scans, Denial of service, www attacks, "Stealth"/advanced scanning techniques, Distributed attack tools, Cross-site scripting, Staging, Sophisticated C2, Phishing, Ransomware, Firmware, Insider, Next]
Sources:
https://www.symantec.com/security-center/threat-report
http://expandedramblings.com/index.php/cybersecurity-statistics/
http://www.nato.int/docu/Review/2016/Also-in-2016/cyber-defense-nato-security-role/EN/index.htm
https://www.fireeye.com/blog/threat-research/2017/03/m-trends-2017.htm
https://www.ag-test.org/en/statistics/malware
The Cyber Battleground
Offense
Stages: Prepare (Recon) | Engage | Maintain Presence | Achieve Effect and Assess Damage
Impact: Know the target | Enable attack process | Support persistence | Attack effectiveness
Defense
Stages: Identify (Recon) | Protect | Detect | Respond | Recover
Impact: Focused defense | Deflect attacks | ID new attacks | Stop attacks | “Mission” fight through
Major Challenges:
• Proliferation of malware
• Hard to identify critical assets
• Overwhelming amount of big data
• Analysis and response are manual processes
• Attacker will leverage AI
Cyber Machine Intelligent Assistant (CyMIA)
[Figure: CyMIA processing pipeline]
• Natural language-based interaction interprets user queries
• Automatically extract mission, network, and threat information
• Fuse information into knowledge base, infer relationships
• Choose CoA based on threat, knowledge base, and scenario
User query: How should I protect my mission-critical networks?
CyMIA Response: You should segment and isolate your C2 network coupled with the fire-control radar
CyMIA processes natural language input in the context of cyber threats and network knowledge to respond with appropriate CoAs (Courses of Action)
[Figure: example network showing a Fire Control Radar and Control System, with Threat reports as input]
Note: CASCADE is an existing Line funded effort
CHARIOT: Leverage HLT to Improve SNR for Cyber Analysts
• Source-dependent extraction/processing
• Feature generation
– Word stemming (hack, hacker, hacks, hacking)
– Term Frequency Inverse Document Frequency (TFIDF)
• Logistic regression classifier
AI approach achieves analyst performance target
[Figure: detection performance curve, Miss Probability versus False Alarm Probability, with the analyst performance target marked]
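The CHARIOT pipeline above (stemming, TF-IDF features, a logistic regression classifier, and evaluation in terms of miss and false-alarm probability) can be shown end to end on a toy corpus. The block below is an added example written for this page; it is not CHARIOT's code and not from MIT Lincoln Laboratory. The report texts, the crude suffix-stripping stemmer and the from-scratch logistic regression are all constructed assumptions; the only point it demonstrates is how such a classifier raises the analyst's signal-to-noise ratio and how moving the decision threshold trades misses against false alarms.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not real threat reports): label 1 = cyber-threat
# relevant, label 0 = noise the analyst should not have to read.
TRAIN = [
    ("hacker exploits vulnerability in web server", 1),
    ("new malware variant hacking remote systems", 1),
    ("phishing campaign steals user credentials", 1),
    ("ransomware encrypts hospital files", 1),
    ("hackers exploit unpatched database", 1),
    ("quarterly budget meeting moved to friday", 0),
    ("team lunch in the cafeteria at noon", 0),
    ("parking lot will be repaved next week", 0),
    ("new coffee machine installed in the kitchen", 0),
    ("holiday schedule posted on the notice board", 0),
]

# Constructed held-out reports used to measure miss / false-alarm probability.
HELD_OUT = [
    ("hacking group exploits server vulnerability", 1),
    ("malware steals credentials from remote users", 1),
    ("cafeteria lunch menu posted for next week", 0),
    ("budget meeting in the kitchen on friday", 0),
]

SUFFIXES = ("ing", "ers", "er", "s")  # longest first so "hackers" -> "hack"


def stem(word):
    """Crude suffix-stripping stemmer (assumed): hack, hacker, hacks, hacking -> hack."""
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def tokenize(text):
    return [stem(w) for w in re.findall(r"[a-z]+", text.lower())]


def fit_tfidf(docs):
    """Vocabulary plus smoothed IDF weights learned from the training documents."""
    vocab, df = {}, Counter()
    for doc in docs:
        terms = set(tokenize(doc))
        df.update(terms)
        for t in terms:
            vocab.setdefault(t, len(vocab))
    n = len(docs)
    idf = [math.log((1 + n) / (1 + df[t])) + 1.0 for t in vocab]
    return vocab, idf


def tfidf_vector(text, vocab, idf):
    counts = Counter(tokenize(text))
    total = sum(counts.values()) or 1
    vec = [0.0] * len(vocab)
    for t, c in counts.items():
        j = vocab.get(t)  # terms never seen in training carry no weight
        if j is not None:
            vec[j] = (c / total) * idf[j]
    return vec


def sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so exp() never overflows
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(X, y, lr=0.5, epochs=1000):
    """Plain stochastic gradient descent on the logistic loss."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for x, t in zip(X, y):
            err = sigmoid(b + sum(wj * xj for wj, xj in zip(w, x))) - t
            for j, xj in enumerate(x):
                if xj:
                    w[j] -= lr * err * xj
            b -= lr * err
    return w, b


def fit(labelled):
    docs = [d for d, _ in labelled]
    vocab, idf = fit_tfidf(docs)
    X = [tfidf_vector(d, vocab, idf) for d in docs]
    w, b = train_logreg(X, [t for _, t in labelled])
    return {"vocab": vocab, "idf": idf, "w": w, "b": b}


def score(model, text):
    """Probability that a report is threat-relevant."""
    x = tfidf_vector(text, model["vocab"], model["idf"])
    return sigmoid(model["b"] + sum(wj * xj for wj, xj in zip(model["w"], x)))


def miss_and_false_alarm(model, labelled, threshold=0.5):
    """P(miss): relevant reports dropped; P(false alarm): noise passed to the analyst."""
    misses = false_alarms = positives = negatives = 0
    for text, t in labelled:
        flagged = score(model, text) >= threshold
        if t == 1:
            positives += 1
            misses += not flagged
        else:
            negatives += 1
            false_alarms += flagged
    return misses / positives, false_alarms / negatives


def operating_curve(model, labelled, thresholds=(0.0, 0.25, 0.5, 0.75, 1.0)):
    """Sweeping the threshold traces the miss-versus-false-alarm trade-off."""
    return [(th,) + miss_and_false_alarm(model, labelled, th) for th in thresholds]


if __name__ == "__main__":
    m = fit(TRAIN)
    for th, p_miss, p_fa in operating_curve(m, HELD_OUT):
        print(f"threshold={th:.2f}  P(miss)={p_miss:.2f}  P(false alarm)={p_fa:.2f}")
```

The threshold sweep is the practical knob: lowering it drives the miss probability toward zero at the cost of more false alarms for the analyst to triage, and raising it does the reverse, which is exactly the curve the slide plots against the analyst performance target. On a real corpus the stemmer would be replaced by a proper one and the vocabulary would be far larger, but the shape of the pipeline is the same.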
Automated Cyber Decision Making via Mod/Sim and Game Theory
• CASCADE – Cyber Adversarial SCenario modeling and Automated Decision Engine
– Dynamically quantifies risk in the face of an adaptive adversary
– Considers mission context to select the optimal course of action (COA)
– Prototype applied to configuration of network segmentation defense
[Figure: Risk versus CASCADE Iterations]
Cyber AI-Related Workshops and Symposiums
Artificial Intelligence for Cyber Security Workshop
• Forum for AI researchers and practitioners to share research and experiences in applying AI to Cyber Security
• New Orleans, Louisiana • February 2, 2018
• Chairs: Bill Streilein, Neal Wagner, Dave Martinez
• Keynotes: Sal Stolfo, Professor of Computer Science, Dept. of Computer Science, Columbia University; Trung Tran, Laboratory of Physical Sciences, University of Maryland, Baltimore County
Graph Exploitation Symposium
• Brings together leading experts from universities, industry, and government to explore the state of the art and define a future roadmap in network science
• Dedham, Massachusetts • April 23–25, 2018
• Chairs: Sanjeev Mohindra, Bill Streilein
• Technical Co-Chairs: Ben Miller, Rajmonda Caceres
• Theme: Applications of AI to Internet of Things
• POC: Ben Miller, [email protected]
Areas of Continued and Future Research
• Robust detection capabilities to discover plans for new attacks in structured and unstructured data sources
• Automated methods to discover dependence of mission function on cyber systems (e.g., “mission mapping”)
• Graphical analysis methods to infer relationships and relevance to mission network
• Automated methods to develop simulation models from unstructured and structured data
• Techniques to quantify security risk from newly discovered cyber threats