AI & Cyber Protection
AI Effort Moves from Novelty to Front Lines of National Lab’s Cyber Protection
A research effort to explore how artificial intelligence can offer an advantage to cyber defenders has made the leap into computing operations: modeling by a PNNL research team is being tapped to help defend Lab operations.
A research effort to explore how artificial intelligence can offer an advantage to cyber defenders has made the leap into computing operations at the Department of Energy’s Pacific Northwest National Laboratory.
“Every large company has a vulnerability management life cycle for detecting and remediating issues over time, but new threats pop up constantly. How can our actions be triaged and prioritized? Which vulnerabilities are most likely to be exploited, which ones hold the most risk?” said Joseph Aguayo, deputy chief information security officer at PNNL and a partner in the new approach. “Our technology organizes the information and delivers it to your desktop multiple times a day so defenders can stay updated right up to the minute.”
The work being implemented by Aguayo’s operations team has its roots in research led by Mahantesh Halappanavar, a chief computer scientist at PNNL whose research uses AI to link several cybersecurity databases. His team combined graph theory with AI to build bridges between the databases and to train the program to extract key information while constantly adapting to new information and settings. The technology brings available threat intelligence together with the unique configuration of a company’s computing assets.
The award-winning basic research, first published four years ago, uses AI to connect several strands of independent information in the cyber world to create a free-flowing stream of data that better protects against unwanted intrusions into computing systems.
PNNL information technology professionals—the hundreds-strong team that keeps PNNL’s computing operations safe and stable day to day—evaluated Halappanavar’s research and decided to put it to the test on the PNNL network.
Early results are promising, with quicker identification of the most pressing threats and the instant creation of roadmaps that show likely attacks and how they can be stopped.
The new approach takes advantage of a blizzard of data available to defenders, all of it updated regularly:
● The National Vulnerability Database contains information on more than 330,000 specific entry points for a cyberattack.
● The Common Weakness Enumeration database sorts and classifies those bugs into about 1,000 categories with detailed descriptions and prevention techniques.
● The Common Attack Pattern Enumeration and Classification database draws on both of those resources to spell out how bugs and weaknesses might be exploited and includes more than 500 entries of specific attack patterns.
● The MITRE ATT&CK database of “adversarial tactics, techniques & common knowledge” contains more than 250 likely attack patterns based on real-world observations.
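As an added illustration (not PNNL’s code or the research team’s model), the Python sketch below shows the kind of linking the article describes: constructed NVD, CWE, CAPEC and ATT&CK records are joined into one directed graph, every chain from a vulnerability to an observed technique is enumerated as a “roadmap,” and the vulnerabilities present on an organization’s own assets are ranked so a defender sees the most pressing ones first. Every identifier, score and mapping here is a constructed placeholder, not a real database entry.

```python
"""Added illustration (not PNNL's code): link constructed NVD/CWE/CAPEC/ATT&CK
records into one graph and rank an organization's assets by exploitable paths."""
from collections import defaultdict

# Constructed sample records: placeholders, not real NVD, CWE, CAPEC or ATT&CK entries.
NVD = {  # CVE id -> (CVSS base score, [CWE ids], affected product)
    "CVE-EXAMPLE-0001": (9.8, ["CWE-EXAMPLE-1"], "webapp-1.0"),
    "CVE-EXAMPLE-0002": (5.3, ["CWE-EXAMPLE-2"], "webapp-1.0"),
    "CVE-EXAMPLE-0003": (7.5, ["CWE-EXAMPLE-1"], "db-2.0"),
}
CWE_TO_CAPEC = {"CWE-EXAMPLE-1": ["CAPEC-EXAMPLE-1"], "CWE-EXAMPLE-2": ["CAPEC-EXAMPLE-2"]}
CAPEC_TO_ATTACK = {"CAPEC-EXAMPLE-1": ["T-EXAMPLE-1"], "CAPEC-EXAMPLE-2": []}  # no known technique
ATTACK_OBSERVED = {"T-EXAMPLE-1"}  # techniques seen in real-world observations (constructed)


def build_graph():
    """Directed edges: CVE -> CWE -> CAPEC -> ATT&CK technique."""
    edges = defaultdict(set)
    for cve, (_, cwes, _) in NVD.items():
        for cwe in cwes:
            edges[cve].add(cwe)
            for capec in CWE_TO_CAPEC.get(cwe, []):
                edges[cwe].add(capec)
                for tech in CAPEC_TO_ATTACK.get(capec, []):
                    edges[capec].add(tech)
    return edges


def attack_paths(edges, cve):
    """Every path rooted at a CVE down to a leaf node (the defender's 'roadmap')."""
    paths = []

    def walk(node, path):
        successors = edges.get(node, set())
        if not successors:  # leaf: either a technique or a dead end with no mapping
            paths.append(path)
            return
        for nxt in sorted(successors):
            walk(nxt, path + [nxt])

    walk(cve, [cve])
    return paths


def prioritize(installed_products):
    """Rank CVEs affecting the organization's assets: CVSS score, doubled when a
    complete path reaches an observed technique. Returns (score, cve, product, paths)."""
    edges = build_graph()
    ranked = []
    for cve, (cvss, _, product) in NVD.items():
        if product not in installed_products:
            continue  # not present in this organization's configuration
        complete = [p for p in attack_paths(edges, cve) if p[-1] in ATTACK_OBSERVED]
        ranked.append((cvss * (2 if complete else 1), cve, product, len(complete)))
    return sorted(ranked, reverse=True)
```

A vulnerability with no path to an observed technique keeps its base score, so in the sample it falls to the bottom of the list even though it affects an installed product.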
