AI Dynamics in Cybersecurity: Assessing Knowledge-Based and Generative Approaches to the MITRE ATT&CK Framework

Knowledge-based AI and generative AI, such as large language models, fundamentally approach problems differently, each possessing distinct strengths and weaknesses, particularly their application to cybersecurity and network defense. The efficiency of either method hinges on the specific cybersecurity application. Let's delve into how each might utilize the MITRE ATT&CK framework and discern why one could outperform the other in varying scenarios:

Knowledge-Based AI Utilizing MITRE ATT&CK

In cybersecurity, knowledge-based AI systems are typically rule-based, integrating expert knowledge concerning attack patterns, system vulnerabilities, and typical behaviors of threat actors. These systems are crafted to compare observed behaviors within the comprehensive database of known tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework. · How it works: Upon deployment in a network, a knowledge-based AI system maintains continuous vigilance for indicators of known attack vectors. Referencing the MITRE ATT&CK matrix, it discerns the stages of an attack and foresees subsequent maneuvers by the attacker.

· Efficiency: The advantage of this approach lies in the precision of identifying known threats. Leveraging a predefined knowledge base, it swiftly correlates observed with established TTPs with remarkable accuracy.

· Limitations: The primary drawback is its rigidity when confronted with novel or unknown threats. The system may falter if an attacker employs a new technique absent from the system's knowledge base.

Generative AI or Large Language Models

Generative AI, such as ChatGPT, utilizes pattern recognition to generate information or predictions based on the data from which it has been trained. With the ability to process and learn from vast amounts of unstructured data, generative AI can offer more flexibility than knowledge-based AI.

· How it works: A large language model trained on cybersecurity data could be asked to generate descriptions of normal and abnormal behaviors based on network logs. It could suggest responses or analyze threats in the context of the MITRE ATT&CK framework by generating hypothetical attack scenarios or defenses.

· Efficiency: Generative AI shines in its ability to adapt and deal with ambiguous information. It can process new, previously unseen threats and provide insights based on the patterns it has learned during training.

· Limitations: It may not have the precision of knowledge-based AI when matching specific TTPs from MITRE ATT&CK. There's also a risk of generating false positives or irrelevant information because its outputs are probabilistic and not based on hard- coded rules.

Which Would Be More Efficient?

The efficiency of either system depends on the context:

· When detecting known threats: Knowledge-based AI would likely be more efficient, thanks to its capability to swiftly match observed behavior with known TTPs from MITRE ATT&CK.

· When handling novel threats or requiring adaptability: Generative AI might prove more effective, as it can infer and adapt to new behavior patterns that the existing knowledge base might not cover.

In practice, the most robust defense strategy will involve a combination of both approaches and, even better, the third leg of the AI toolset – machine learning. Knowledge-based AI would serve as a baseline defense against known attack vectors. Generative AI would assist in threat hunting and response by suggesting novel countermeasures or identifying emerging threats. It's important to recognize that present-day generative AI typically requires significantly more computing resources than knowledge-based AI. However, a hybrid approach harnesses the strengths of both systems, offering precision and adaptability in defending against a wide range of cyber threats while optimizing resource usage for cost efficiency.