Another strength of knowledge engineering derived AI is semantic interoperability: the ability to integrate information from different silos, held in different formats and serializations, into a common format, and to organize that siloed information into integrated knowledge using W3C standardized ontologies (knowledge models created from knowledge representation language standards). This means knowledge engineering derived AI can organize the information coming from the different data silos with knowledge from different frameworks such as MITRE ATT&CK, the NIST Cybersecurity Framework, the NIST Cyber Resiliency Engineering Framework, the ODNI Cyber Threat Framework, etc., so the information can be looked at through the different lenses of knowledge frameworks and human mental models. Both data science derived AI and knowledge engineering derived AI are required pieces in the DHS and NSA sponsored Integrated Adaptive Cyber Defense (IACD) community.
Knowledge engineering derived AI also uses these same types of axioms to support reasoning and inference. Axioms are normally captured as first order predicate logic in knowledge engineering derived AI.
Knowledge engineering derived AI can reason over the facts in the information it is looking at and, based on those facts, infer new facts into the investigation from the knowledge models (ontologies) and the knowledge contained in the knowledge base.
The graphic below shows the investigation of a Windows event for PowerShell. The knowledge engineering derived AI applied knowledge to detect and verify that this was not an authorized PowerShell usage, gathered the contextual knowledge about the device and user, and asserted this contextual information. Then, based on the facts from the Windows event containing the unauthorized PowerShell and the contextual facts about the device, the user, and the parts of the business they support, the knowledge engineering derived AI was able to infer all the information in the green area at the top of the knowledge graph: the specific MITRE ATT&CK technique, the MITRE ATT&CK tactic, the stage of the cyber attack lifecycle using the ODNI Cyber Threat Framework, the objective of the adversary in performing this activity, the stage of the cyber attack lifecycle using NSA's more complex Technical Cyber Threat Framework, the impact assessment from this activity, and what courses of action to take or recommend. These course of action recommendations could be passed to human teams or to a security orchestrator for automated response actions.
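To make the two ideas above concrete (normalizing siloed data into a common triple format, then applying axioms to infer new facts), here is a small added example that is not DarkLight's code or the page's own. It reads three constructed silos in different serializations (a Windows process-creation event as JSON, an asset inventory as CSV, an HR record as key=value text), normalizes them into subject/predicate/object triples, and runs a toy forward-chaining reasoner whose rules stand in for first-order axioms. The predicate names, the "Finance means high impact" and course-of-action rules, and the mapping of an unauthorized PowerShell event to the ODNI stage "Presence" are illustrative assumptions; the ATT&CK identifier T1059.001 (Command and Scripting Interpreter: PowerShell, tactic Execution) is a real ID but the rule that assigns it is also a simplification chosen for this example.

```python
import csv
import io
import json

# --- Three constructed data silos, each in a different serialization ---
WINDOWS_EVENT_JSON = json.dumps({          # constructed sample, not a real log
    "EventID": 4688,                       # process creation
    "Computer": "fin-ws-07",
    "SubjectUserName": "jdoe",
    "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
})
ASSET_CSV = "hostname,business_unit\nfin-ws-07,Finance\n"            # constructed
HR_KV = "user=jdoe role=accountant powershell_authorized=no"         # constructed


# --- Semantic interoperability: every silo becomes (subject, predicate, object) triples ---
def normalize_windows_event(raw_json, event_id="event:1"):
    e = json.loads(raw_json)
    return {
        (event_id, "rdf:type", "WindowsEvent"),
        (event_id, "onHost", "host:" + e["Computer"]),
        (event_id, "byUser", "user:" + e["SubjectUserName"]),
        (event_id, "process", e["NewProcessName"].rsplit("\\", 1)[-1].lower()),
    }


def normalize_assets(raw_csv):
    return {("host:" + row["hostname"], "supports", row["business_unit"])
            for row in csv.DictReader(io.StringIO(raw_csv))}


def normalize_hr(raw_kv):
    fields = dict(item.split("=", 1) for item in raw_kv.split())
    user = "user:" + fields["user"]
    return {(user, "role", fields["role"]),
            (user, "powershellAuthorized", fields["powershell_authorized"])}


def query(kb, s=None, p=None, o=None):
    """Pattern match over the triple store; None acts as a wildcard."""
    return [t for t in kb
            if (s is None or t[0] == s) and (p is None or t[1] == p) and (o is None or t[2] == o)]


# --- Axioms written as Horn-clause style rules: each returns the triples it entails ---
def rule_unauthorized_powershell(kb):
    # event(process=powershell.exe) AND user(powershellAuthorized=no) -> UnauthorizedPowerShell
    out = set()
    for ev, _, _ in query(kb, p="process", o="powershell.exe"):
        for _, _, user in query(kb, s=ev, p="byUser"):
            if query(kb, s=user, p="powershellAuthorized", o="no"):
                out.add((ev, "rdf:type", "UnauthorizedPowerShell"))
    return out


def rule_attack_mapping(kb):
    # UnauthorizedPowerShell -> ATT&CK technique/tactic and ODNI CTF stage (assumed mapping)
    out = set()
    for ev, _, _ in query(kb, p="rdf:type", o="UnauthorizedPowerShell"):
        out |= {(ev, "attackTechnique", "T1059.001"),
                (ev, "attackTactic", "Execution"),
                (ev, "ctfStage", "Presence")}
    return out


def rule_impact(kb):
    # Impact follows from which part of the business the affected host supports (assumed rule)
    out = set()
    for ev, _, _ in query(kb, p="rdf:type", o="UnauthorizedPowerShell"):
        for _, _, host in query(kb, s=ev, p="onHost"):
            for _, _, unit in query(kb, s=host, p="supports"):
                out.add((ev, "impact", "High" if unit == "Finance" else "Medium"))
    return out


def rule_course_of_action(kb):
    # High impact -> recommended defensive course of action (assumed rule)
    return {(ev, "courseOfAction", "IsolateHostAndReviewUserSession")
            for ev, _, _ in query(kb, p="impact", o="High")}


RULES = [rule_unauthorized_powershell, rule_attack_mapping, rule_impact, rule_course_of_action]


def forward_chain(asserted):
    """Apply rules until no rule produces a new triple; keep asserted and inferred facts apart."""
    kb, inferred = set(asserted), set()
    changed = True
    while changed:
        changed = False
        for rule in RULES:
            new = rule(kb) - kb
            if new:
                kb |= new
                inferred |= new
                changed = True
    return kb, inferred


def investigate():
    asserted = normalize_windows_event(WINDOWS_EVENT_JSON) | normalize_assets(ASSET_CSV) | normalize_hr(HR_KV)
    _, inferred = forward_chain(asserted)
    return {"asserted": asserted, "inferred": inferred}


if __name__ == "__main__":
    result = investigate()
    for label in ("asserted", "inferred"):
        print(f"--- {label} ---")
        for triple in sorted(result[label]):
            print(triple)
```

Separating the asserted triples from the inferred ones mirrors the knowledge graph the article describes: the bottom of the graph is what the silos said, the "green area" is what the axioms entailed, and every inferred triple can be traced back to the rule and the asserted facts that produced it.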
Written by Shawn Riley
Shawn Riley serves as the Chief Visionary Officer and Technical Advisor to the CEO for DarkLight.ai. Shawn also volunteers as the Executive Vice President, Strategic Cyberspace Science and Board of Directors member at the non-profit Centre for Strategic Cyberspace + Security Science in London, England, UK. Shawn is an industry thought leader in the NSA's Science of Security virtual organization with a focus on applied cybersecurity science and AI-driven science in security operations.