Artificial Intelligence (AI) for InfoSec has wavered up and down in reputation over the decades. Sometimes it is seen as being on the brink of great breakthroughs; at other times it is seen as an impossibility. My opinion is that it's already here, mostly due to my definition of AI.
Defining Artificial Intelligence for InfoSec
Alan Turing's definition appeared in his paper "Computing Machinery and Intelligence." He proposed a test that defined AI by judging whether or not the behavior of a machine was indistinguishable from that of a human. For a few short minutes, the computer has to interact as a human would. His test was biased toward the generation and interpretation of natural language, the field we now call Natural Language Processing (NLP).
In manufacturing, we've had machines replicating the movements of man for some time. Computers assemble many products, from circuit boards to automobiles. But let's face it, computer-controlled movement and assembly is a much lower bar than computer-controlled decision making. Computer-controlled decision making is, in my opinion, AI: a system can be considered AI if it makes decisions indistinguishable from the decisions of a human.
If cybersecurity software makes security decisions that are indistinguishable from those of a human analyst, why would it not be considered AI? If the decisions are the same, then it has earned the right to the AI label. My test is biased toward the generation and interpretation of cybersecurity event processing.
The Key to Intelligent Systems
Perception, interpretation, and action are the decision processes I expect to see from an intelligent system. I expect to see a system observing things, understanding them, reasoning about them, and then deciding on appropriate actions. With today's technology, we can automate the observation, interpretation, and action needed to emulate cybersecurity decisions and tasks.
A key to cyber threat intelligence, or cybersecurity AI, lies in the way we represent knowledge and how we reason over it. In order to observe and classify an event, we need to be able to represent knowledge and experience in an invariant form. We then need to compare our input data to those invariant forms to determine whether it should be classified as an instance of them.
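The idea of classifying events against invariant forms can be sketched in a few lines of Python. Everything here is illustrative: the event fields, the threshold, and the "brute force" form are hypothetical examples, not taken from any particular product.

```python
# Illustrative sketch: an invariant form is a predicate over event features,
# not a literal byte pattern. Events that vary superficially can still match it.

def brute_force_form(events):
    """Invariant form: several failed logins plus a success from the same
    source IP, regardless of username, port, or exact timing."""
    failures = [e for e in events if e["action"] == "login" and not e["success"]]
    successes = [e for e in events if e["action"] == "login" and e["success"]]
    return len(failures) >= 5 and any(
        s["src_ip"] == f["src_ip"] for s in successes for f in failures
    )

# Observed input data: the surface details vary, but the form is present.
observed = (
    [{"action": "login", "success": False, "src_ip": "10.0.0.7"} for _ in range(6)]
    + [{"action": "login", "success": True, "src_ip": "10.0.0.7"}]
)
print(brute_force_form(observed))  # → True
```

The point of the sketch is that classification happens against the abstract description, so any concrete stream of events exhibiting the pattern is recognized as an instance of it.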
The Importance of Invariant Representations in Artificial Intelligence for InfoSec
Invariant representations are very different from the traditional signature-based representations and comparisons of other systems. Take an example from the non-cyber domain of music: sheet music is an invariant form of a song. A musician can read the sheet music representation and recognize the song even if it is played on different instruments. A signature-based approach (a variant form) would have to compare the song to every variant of the song it had heard in the past. This is very similar to antivirus software that compares code on your machine to a library of virus signatures that have been seen before.
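The contrast can be made concrete with a toy sketch. The signature approach recognizes only exact copies it has seen; the invariant approach recognizes a structure. The byte strings and behavior names below are made-up stand-ins, not real malware indicators.

```python
import hashlib

# Signature-based (variant-form) matching: recognize only byte-for-byte copies.
KNOWN_SIGNATURES = {hashlib.sha256(b"malicious payload v1").hexdigest()}

def signature_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_SIGNATURES

# Invariant matching: recognize the structure, not the bytes. Here the
# "invariant form" is an ordered sequence of behaviors, analogous to sheet
# music being independent of the instrument playing it.
MALICIOUS_FORM = ["open_socket", "download", "execute"]

def invariant_match(behaviors: list) -> bool:
    it = iter(behaviors)
    # Subsequence check: each step of the form must appear, in order.
    return all(step in it for step in MALICIOUS_FORM)

variant = b"malicious payload v2"  # one byte different from the known sample
print(signature_match(variant))    # → False: the signature misses the variant
print(invariant_match(["start", "open_socket", "sleep", "download", "execute"]))  # → True
```

A new variant defeats the signature immediately, while the invariant form still matches as long as the underlying behavior is the same.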
If a computer can use invariant forms of maliciousness to interpret observations and make decisions about those observations that are indistinguishable from a human’s decisions, then we can label that AI.
In the cybersecurity domain, DarkLight™ uses the Web Ontology Language (OWL) to capture the logic and the descriptions of things in invariant form. By representing common sense knowledge from the cybersecurity community and the knowledge from your enterprise’s cybersecurity analysts, tasks and data interpretation can be efficiently and intelligently automated.
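To give a feel for what OWL-style reasoning looks like, here is a minimal Python sketch of the general idea: a class is described by necessary-and-sufficient conditions, and individuals satisfying those conditions are inferred to be members of it. This is a toy analogy of description-logic classification, not DarkLight's actual ontology or any real OWL reasoner; the class name, property names, and high-risk set are all hypothetical.

```python
# Toy analogy of OWL-style classification: a defined class, e.g.
#   SuspiciousLogin ≡ Login ⊓ ∃fromCountry.HighRisk ⊓ OutsideBusinessHours
# is represented here as a predicate over an individual's properties.

CLASS_DEFINITIONS = {
    "SuspiciousLogin": lambda ind: (
        ind.get("type") == "Login"
        and ind.get("fromCountry") in {"XX", "YY"}  # hypothetical high-risk set
        and not 9 <= ind.get("hour", 12) < 17       # outside 09:00-17:00
    ),
}

def classify(individual: dict) -> set:
    """Infer the set of defined classes this individual belongs to."""
    return {name for name, cond in CLASS_DEFINITIONS.items() if cond(individual)}

event = {"type": "Login", "fromCountry": "XX", "hour": 3}
print(classify(event))  # → {'SuspiciousLogin'}
```

In a real OWL system the definitions live in the ontology rather than in code, so analysts can extend and share the invariant forms without reprogramming the engine.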