In recent years there’s been a surge of interest in both cyber security and the areas of Artificial Intelligence (AI) and Machine Learning (ML). This interest is not confined to academic or technical circles, with many high-profile breaches and exciting ML results featured regularly in the mass media. Given this interest, it is not surprising that there has also been an explosion of industry and commercial interest at the junction of these technologies – i.e., AI and ML-powered cyber security products – just look at any word-cloud that automatically extracts selected ML terms from the leading cyber security solutions vendors’ websites.
While mentioning a cyber tech term does not imply that the corresponding solution is used in a company’s product, it does demonstrate awareness and offers anecdotal evidence of products that exist where the two fields intersect.
And while a detailed explanation of such IT security technologies is outside of the scope of this article, one of the core elements underpinning these algorithmic approaches is, of course, data. We live in a data-rich world, and this is certainly true in a cyber security context, with IP traffic data from network routers and Domain Name System data, for instance, being available for analysis.
Under the auspices of ‘behavioural analytics’ (and in contrast to signature-based methods for security), such data are often processed and fused to build ‘black-box’ models of the systems being secured, in order to detect any departures from normality which may be indicative of a pending cyber security attack.
A data-aligned departure from normality often results in an alert being generated, and cyber security analysts spending their most valuable time trying to ascertain whether the attack was real, or the result of some other factor, such as a new protocol being seen for the first time in a BYOD (bring your own device)-like setting. These data-driven approaches, as our lightweight analysis of the cyber security industry suggests, are becoming increasingly prevalent in cyber products. But the algorithmic deployments often miss one vital source of information: the cyber security expert community. Purely data-driven approaches of the kind discussed above can be further enhanced to include expert knowledge, thus making them even more effective than before. To illustrate where this point has been used in a world-changing context before, let’s take a step back into history by some 80 years.
Alan Turing is famous for his contributions in computing systems and AI (although the term was coined elsewhere). What’s less well-known about Turing’s work is that his wartime success in cracking the Enigma code was due to his insistence that diversity of thought process be valued, and his use of a branch of statistics that explicitly incorporates expert knowledge in a mathematically principled manner. Working with his collaborator, the mathematician Irving ‘Jack’ Good, an eminent statistician, Turing implemented what to contemporary minds appears to be the first practical use of a methodology known as Bayesian statistics. The use of this statistical approach went against all major scientific opinion at the time – and we should be thankful that Turing’s self-belief and determination allowed him and his team at Bletchley Park to focus on discovering the right solution to cracking the Enigma code.
Diversity for problem solving
Working alongside linguists, Turing was able to improve the accuracy of his probability calculations, which sped up the code-cracking process. Similar probability calculations were used in the speech-processing research community until the early 2000s. And, as calculations were at first performed by hand, Turing’s team introduced simple mathematical concepts (known as the ‘ban’ and ‘deciban’) as their work progressed, in order to speed up humans’ ability to calculate the quantities needed.
It is these kinds of collaborations, these kinds of pragmatic interventions, that The Alan Turing Institute is looking to exploit in order to deliver value from data and people – thus reflecting Alan Turing’s legacy. Among his many great achievements, Turing also led the way in demonstrating the modern data science and AI disciplines as we know them in 2019 – diversity being a key ingredient in problem solving.
In the context of cyber security, there is an emerging research literature using the Bayesian statistical methodology, inspired (in part) by Turing and his work, which combines knowledge of a threat vector, attackers’ methodology, etc., in order to produce probabilistically quantified representations of the threats facing a network. This additional context (for example, a-priori knowledge of an attacker’s potential lateral movement in a pass-the-hash type context) has been shown to drive greater performance in detecting ‘departures from normality’ – or signs that malevolent agents are at work on a connected system.
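The idea above can be made concrete with an added illustration (not taken from the article or from the research it mentions): evidence about a host is accumulated in decibans, the unit Turing's team used, starting from either a generic prior or an expert-informed one. The event names, likelihoods, priors and alert threshold are all constructed assumptions.

```python
import math

# Constructed likelihoods: (P(event | host compromised), P(event | host benign)).
LIKELIHOODS = {
    "ntlm_logon_new_source": (0.30, 0.03),  # ratio 10  -> +10 decibans
    "admin_share_access":    (0.20, 0.02),  # ratio 10  -> +10 decibans
    "logon_outside_hours":   (0.10, 0.05),  # ratio 2   -> about +3 decibans
    "known_backup_job":      (0.01, 0.10),  # ratio 0.1 -> -10 decibans
}

def to_decibans(odds):
    """Weight of evidence: ten times the base-10 logarithm of an odds ratio."""
    return 10.0 * math.log10(odds)

def to_probability(db):
    """Convert log-odds in decibans back to a probability."""
    odds = 10.0 ** (db / 10.0)
    return odds / (1.0 + odds)

def score_host(events, prior_prob):
    """Sequential Bayesian update: prior log-odds plus the sum of evidence weights.

    Returns the posterior probability of compromise and the running total in
    decibans after each event, so an analyst can see which event moved the score.
    """
    total = to_decibans(prior_prob / (1.0 - prior_prob))
    trail = []
    for name in events:
        p_comp, p_benign = LIKELIHOODS[name]
        total += to_decibans(p_comp / p_benign)
        trail.append((name, round(total, 1)))
    return to_probability(total), trail

def should_alert(events, prior_prob, threshold=0.5):
    """Alert when the posterior probability of compromise crosses the threshold."""
    posterior, _ = score_host(events, prior_prob)
    return posterior >= threshold

# Constructed observations for one host.
EVENTS = ["ntlm_logon_new_source", "admin_share_access", "logon_outside_hours"]
GENERIC_PRIOR = 0.001  # data-only baseline: any host, no context
EXPERT_PRIOR = 0.01    # analyst knowledge: host caches admin credentials,
                       # so it is a likely pass-the-hash stepping stone

if __name__ == "__main__":
    for label, prior in (("generic", GENERIC_PRIOR), ("expert", EXPERT_PRIOR)):
        posterior, trail = score_host(EVENTS, prior)
        print(label, round(posterior, 3), trail, should_alert(EVENTS, prior))
```

With identical observations, only the expert-informed prior pushes the host over the alert threshold, and a benign explanation such as the backup job subtracts ten decibans and pulls it back under.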
In addition, by working at the intersection of multiple disciplines, we can better model the complex cyber-physical, human-centric, systems-of-systems which we operate and need to secure. Taking a step back from the technical detail, there is a propensity towards instrumenting the virtual world in which we operate, in order to better understand this world, and ultimately to make it cyber-secure.
This leads to some interesting ethical challenges facing senior executives within organisations: is it appropriate and proportionate to collect and analyse personal data (e.g., for an enterprise security system to ‘read’ all email traffic content) for the purposes of security? Is it appropriate to allow a small group of individual employees (an organisation’s Security Operations Centre team, for instance) access to all computer-related data, from which they can build an in-depth intelligence picture (which need not be security related, if they misuse this ‘privilege’)? And is it ever appropriate not to share Threat Intelligence with competitors? How does one share data with third-parties and respect privacy legislation (e.g., General Data Protection Regulation)?
These issues (and others) are present in a cyber security context, but also in many other application domains. There are many interesting technical innovations that attempt to provide technical safeguards to minimise risk associated with the foregoing points. These technical solutions need to be complemented by appropriate legal and ethical considerations; this further illustrates the need for diversity in an organisation’s data team, in line with the theme of this article, with the CIO (or appropriate other c-suite role) taking strategic responsibilities for these issues as part of an integrative approach to organisational strategy and risk management.
New models of the world
With the advent of AI as a transformative technology across all sectors, it is becoming possible to answer questions relating to intervention strategies, and in some cases derive answers to counter-factual questions, in order to drive human-like intelligence into ‘computing machines’. (Modern AI relies on complex mathematical modelling of associations between data, allowing narrow predictability, e.g., object recognition in YouTube videos, which does not extend to human-like reasoning in the most general setting.)
As described in Judea Pearl and Dana Mackenzie’s recent work The Book of Why: The New Science of Cause and Effect, it is necessary to produce a model of the world, in order to allow cause and effect reasoning – the kind of support that any business executive would value when deciding pricing strategies, acquisition strategies, competitive positioning, etc. To model the world, one requires expert knowledge of the domain under consideration.
This point is also reminiscent of the major themes under consideration here: the convergence of domain expertise, data, and data scientists will bring early competitive advantage to organisations that embrace the modern information environment in which organisations operate. The Alan Turing Institute is explicitly designed to promote diverse interactions of this kind, and it hopes that this offers a template for progressive data-oriented organisations, in a cyber security context and beyond.