There are three sources of knowledge in both humans and artificial intelligence:

  1. Inductive Inference
  2. Deductive Inference
  3. Communication

Inductive Inference establishes new facts from data. In technology this is Data Science and Machine Learning, which are aimed at making predictions (tentative hypotheses). Inductive probability attempts to give the probability of future events based on past events. It is the basis for inductive reasoning, and gives the mathematical basis for learning and the perception of patterns.

Deductive Inference establishes new facts from existing facts. In technology this is Knowledge Engineering and Expert Systems, which are aimed at applying domain-specific knowledge and human tradecraft and experience during the investigation. Deductive inference can be used to validate the tentative hypothesis that inductive inference identified from the data. For example, deduction can validate a malicious PowerShell or identify fallacies and/or cognitive bias in the prediction. From the validated malicious PowerShell fact, deductive inference can then use domain-specific knowledge and experience to deduce new facts into the investigation, such as labeling it as MITRE ATT&CK technique T1086 and establishing that T1086 activity is the adversary attempting to meet the objective of “Execution” during the “Presence” stage of the ODNI cyber attack life-cycle.
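
The deduction chain described above, sketched as a small forward-chaining rule engine. This is an added example, not code from the original post: the triple format, the rule names, the event ids and the two validation indicators are assumptions made for illustration, while the T1086, “Execution” and “Presence” labels are the ones named in the text.

```python
# Added illustration: forward-chaining deduction over investigation facts.
# Facts are (subject, predicate, object) triples. "?e" is a variable bound to an event id.
# The validation criteria in the first rule are assumptions made for this example;
# the T1086 / Execution / Presence labels are the ones named in the text.
RULES = [
    ("validate",
     [("?e", "predicted", "malicious_powershell"),   # tentative hypothesis (induction)
      ("?e", "has_indicator", "encoded_command"),
      ("?e", "has_indicator", "hidden_window")],
     ("?e", "is", "malicious_powershell")),
    ("technique", [("?e", "is", "malicious_powershell")], ("?e", "technique", "T1086")),
    ("objective", [("?e", "technique", "T1086")], ("?e", "objective", "Execution")),
    ("stage", [("?e", "objective", "Execution")], ("?e", "odni_stage", "Presence")),
]

def bind(pattern, event):
    """Substitute the event id for the "?e" variable in a triple pattern."""
    return tuple(event if term == "?e" else term for term in pattern)

def infer(facts):
    """Apply RULES until no new fact can be deduced; return (facts, trace)."""
    facts, trace, changed = set(facts), [], True
    while changed:
        changed = False
        events = sorted({subject for subject, _, _ in facts})
        for name, premises, conclusion in RULES:
            for event in events:
                new_fact = bind(conclusion, event)
                if new_fact not in facts and all(bind(p, event) in facts for p in premises):
                    facts.add(new_fact)
                    trace.append((name, new_fact))
                    changed = True
    return facts, trace

# Constructed sample: two model predictions, only evt-1 has the supporting evidence.
SAMPLE_FACTS = [
    ("evt-1", "predicted", "malicious_powershell"),
    ("evt-1", "has_indicator", "encoded_command"),
    ("evt-1", "has_indicator", "hidden_window"),
    ("evt-2", "predicted", "malicious_powershell"),
    ("evt-2", "has_indicator", "encoded_command"),
]

if __name__ == "__main__":
    _, trace = infer(SAMPLE_FACTS)
    for rule, fact in trace:
        print(f"{rule:10} => {fact}")
```

The second event keeps its prediction but gains no deduced facts, so it remains a tentative hypothesis until more evidence arrives.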

Communication relays information found using other methods. In technology this is our information sharing infrastructure. For example, STIX and TAXII are used for communicating and sharing cyber threat intelligence from the threat intelligence community, and CASE/UCO for communicating and sharing cyber investigation packages from the digital forensics and incident response community.

In security operations we apply cybersecurity science, which uses both inductive and deductive inference to make sense of the evidence, and we use communication to share what we know with others. Below is a 3-minute introductory video on security science that further explains inference.

Written by Shawn Riley
Shawn Riley serves as the Chief Visionary Officer and Technical Advisor to the CEO for Shawn also volunteers as the Executive Vice President, Strategic Cyberspace Science and Board of Directors member at the non-profit Centre for Strategic Cyberspace + Security Science in London, England, UK. Shawn is an industry thought leader in the NSA’s Science of Security virtual organization with a focus on applied cybersecurity science and AI-driven science in security operations.