Introduction

Information security is presently one of the most rapidly expanding fields in the realm of information technology due largely to the complexity of emerging interoperable networks. Contemporary networks contain more than just laptop and workstation computers, and while mobile devices such smartphones and tablets are surpassing traditional machines in consuming a greater percentage of network resources, the variety of devices that are interoperating is increasing further with developments in more pervasive technologies such as “smart buildings”, the Internet of Things, embedded software as found in self-driving vehicles, and medical devices that are capable of wirelessly transmitting information. The phrase “complexity is the enemy of security” has become axiomatic in the cyber-security industry, and the increasing complexity of network systems has provided entirely new planes of attack vectors that have rendered many traditional strategies to be effectively useless.

Techniques and algorithms involving machine learning and adaptive artificial intelligence are also growing, and there are many firms who are working to integrate machine learning techniques into security protocols. Attacks on a networked system can manifest in a multitude ways, ranging from basic web based attacks involving cross-site forgery and SQL injections to more sophisticated orchestrations such as Distributed Denial of Service or Advanced Persistent Threat attacks. “Cognitive computing scans files and data using techniques such as natural language processing (NLP) to analyze code and data on a continuous basis. As a result, it is better able to build, maintain, and update algorithms that better detect cyberattacks, including Advanced Persistent Threats (APTs) that rely on long, slow, continuous probing at an almost-imperceptible level in order to carry out a cyberattack.”[1]

Within the last few years, analytics has also provided insight into determining some of the psychological characteristics of computer users based on social network behavior patterns, thus opening the door to using analytic techniques for discerning personal traits of potential threat agents. Being able to gain insight into the personality of attackers themselves may yield useful information that could provide leverage for an adaptive system to not only detect but effectively defend against an attack. Integrating adaptive AI techniques such as Deep Neural Networks with cybersecurity objectives may be the most effective approach to solving the increasing surface area of attack vectors in modern and emerging networks, and the efficacy of this approach could be greatly enhanced by using psychological determinants that would enable the construction of strategically useful threat models in real time.

Assets, Threats, and Current Practices

One of the first steps required of any organization when developing a security policy is to accurately asses that organization’s assets, relative to both their intrinsic value and to the collateral damage that could be caused by those assets either being rendered unavailable or exploited by malevolent actors. While understanding the value of an organization’s assets is generally useful for determining the appropriate measures for securing a given network [2], understanding the nature and value of assets can be useful for providing insight into building effective threat models. Understanding common characteristics of threat agents such as intention, motivation, and their source can provide a useful basis for the organization to build a taxonomical hierarchy of potential threats[3]. Both the classification and prioritization of these various threat agents can used to provide features and rules for informing the training procedure of an AI’s neural network.

Data mining using social media networks have provided useful resources for researching the potential for predictive personality modeling. One such study, reported in 2013, used a variety of features including linguistic and other social network patterns to determine personality characteristics, and the results were effective enough to encourage future research in this field [6]. The measures of personality used for this study included what are termed the “Big5 test”, which comprise the determinants of Extroversion, Neuroticism, Agreeableness, Conscientiousness, and Openness. It is likely that further research in this domain could render insights into common threat agent attributes such as skill and motivation, or indicating whether they are operating purely motivated by personal gain or anger. This may, in turn, help an AI to effectively exploit the attacker’s personality weaknesses in order to inform an appropriate strategy.

The most common implementations of network security involve both Network Intrusion Detection Systems(NIDS) and Network Intrusion Prevention Systems(NIPS), and most applications of these systems are a composite of both approaches. Signature based detection models have traditionally been the most common approach to detecting attacks; however, with the increasing sophistication and variety of attack methodologies, this approach is proving to be ineffective as a stand-alone solution. Researchers have turned to refining anomaly-based detection methods, but in its current development, this approach is still challenged by often yielding false positives for otherwise normal network behavior. [4] These short-comings for ADNIDS have been successfully mitigated by the adoption of deep learning techniques for accurately classifying network anomalies. [5]
Basic Neural Networks and Current Strategies

The concept of neural networks as a paradigm for designing adaptive artificial intelligence has existed for nearly fifty years, and the original construct of an artificial neuron was the perceptron. The perceptron, developed by Frank Rosenblatt, is essentially a function which accepts a combination of binary inputs in order to produce a single binary output. The most common adaptation of the perceptron used in contemporary models is the sigmoid neuron, which is a perceptron that allows for both weighted inputs and a bas factor for the neuron itself. The weighted input and bias attributes of the sigmoid neuron help to facilitate more effective decision making for the algorithm as a whole, and the training of these neurons involves the ability for the specific weights and bias attributes to adapt according to the information provided to it. [7]

The architecture of deep neural networks are comprised of essentially three classifications of neurons: an input layer, an output layer, and a series of “hidden” layers in-between. The number of these hidden layers varies according to the specific implementation, and a greater number of these intermediary layers allows for more specialized training of the network.[7] Approaches to training neural networks include supervised, unsupervised, and semi-supervised training, with self taught methods considered the most valuable avenue of research for future implementation. The efficacy of a given neural network implementation is generally judged according to its accuracy, and the metrics of determining accuracy are defined as precision, recall, and F-measure, the last being the harmonic mean between precision and recall. [5]

In research, most deep neural network implementations are trained using the Network Socket Layer – Knowledge Data and Discovery dataset, the most pervasive version being the KDD Cup 99 dataset. These implementations are generally used to parse through network logs in order to detect anomalies in network activity, such as unusual packet volume or other user activity. When discussing the viability of deep learning strategies, and unsupervised approach is considered to be the most useful approach, and one methodology includes rule-based clustering, which allows the programmer to establish specific rules and objectives for the algorithm while allowing the network to determine its own categorizations.

Dynamically Incorporating Personality Into Threat Models

Persona non Grata is a threat modeling approach that specifically tasks users with modeling threats according to an attacker’s potential motivations and abuses; however, similar to the signature based NIDS, can be limited to only a predefined subset of threat agents.[8]Threat agent personality characteristics, at least of the intentional variety, can probably be effectively reduced to a specific subset that can serve as a selection of rules for defining the features of a neural network. By both defining anomalous network activity in conjunction with being able to appropriately respond to a given threat based upon its distinguishing characteristics should be the primary goal of the the neural network.

In order to generate a normalized baseline of network activity, it is necessary for the implementation to be able to construct accurate user models in order to determine that the user is an authorized operand of the network. One possible strategy for implementing user profiles is by implementing a silent application of cognitive and behavioral biometrics, such as keystroke dynamics, that could be developed dynamically over time.[9] Using such a practice could help determine if an attack is being orchestrated through compromised access controls, such as a password that had been hacked. This level of detailed user profiling could help establish and maintain a more accurate baseline of network activity, while also detecting compromised accounts.

Defining attacker characteristics and normal network activity would provide a very useful and dynamically configured subset of rules whereby a neural network could train itself and adapt in perpetuity. Since these algorithms operate by continuously scanning through a stream of network logs and other network data, it is important to implement an algorithm that can initiate a Dynamically Expanding Context of analysis while making certain that unimportant anomalies are properly discarded in order to avoid unnecessarily invoking defensive and emergency procedures. This could manifest through a series of virtualized scenarios, such as when designing a predictive algorithm for a chess game, and a pre-defined hierarchy of procedures could be initialized based on stochastic considerations of these virtualized scenarios.

Ethical Considerations and Conclusion

As with any case of invoking artificial intelligence in relation to predicting and monitoring personality attributes, there are ethical considerations that must be integrated into the development process. In profiling user activity, it is important to not allow the algorithm to reveal what is potentially embarrassing or exploitable information on the user, especially if the user’s activities are in compliance with the organization’s use agreement. There is the likelihood that data from using predictive algorithms could be used to execute discriminatory bias against minorities or persons with underlying mental conditions, such as in the case of criminal risk scores [10]. For these reasons it is important that ethical considerations be incorporated into the design process, that there be limitations to the application’s offensive capabilities, and that there should be included sufficient administrative override.

Beyond the mentioned ethical concerns, incorporating personality traits common to threat agents into rule based neural network training has the implication of providing an invaluable toolset to the development of future models of integrated security systems by allowing the AI to essentially “get into the head” of a malicious attacker and exploit their natural inclinations to their disadvantage. An attacker predisposed to irritability and neuroticism could be goaded into making a mistake out of increased frustration, or perhaps if the AI determines that the attacker is financially motivated and is not technically proficient, could be tricked into providing personal identifying information by exploiting their desire for money. This approach could save an organization resources wasted on unnecessary downtime by properly defining normalized user activity through personalized biometrics against which to accurately detect anomalous network activity.

References

1. Greengard, Samuel. “Cybersecurity Gets Smart”, Communications of the ACM, Vol. 59, no. 5, pp. 29-31.
2. Merkow, Mar S. & Breithaupt, Jim. Information Security: Principles and Practices. Pearson Education Inc. Indianapolis, Indiana. 2nd ed.
3. Join, Mouna; Rabai, Latifa Ben Arfa; Aissa, Anis Ben, Procedia Computer Science, Vol 32, 2014. pos 489-496. Classification of Security Threats in Information Systems
4. Lambert, Glenn Monroe. Security Analytics: Using Deep Learning to Detect Cyber Attacks. University of North Florida School of Computer Science, 2017.
5. Quamar Niyaz, Weiqing Sun, Ahmad Y Javaid, and Mansoor Alam. A Deep Learning Approach for Network Intrusion Detection System. College Of Engineering The University of Toledo.
6. Dejan Markovikj, Sonja Gievska, Michal Kosinski, David Stillwell. Mining Facebook Data for Predictive Personality Modeling.AAAI Technical Report WS-13-01 2013.
7. Michael A. Neilson. “Neural Networks and Deep Learning”, Determination Press, 2015.
8. Shull, Forrest. SEI Blog, Nov. 11, 2016. Cyber-threat modeling: an Evaluation of Three Methods.
9. Ciampa, Mark, Security+ Guide to Network Security Fundamentals. Engage Learning. Boston MA, 5th ed. 2015.
10. Julia Angwin, Jeff Larson, Surya Mattu and Lauren Kirchner. Pro-Republica, May 23, 2016. Machine Bias