The sheer size, complexity, and rapidly changing nature of modern computer systems, as well as the constantly evolving tactics, techniques, and procedures (TTPs) adopted by powerful adversaries backed by nation-states make it very challenging for human defenders to properly assess these systems’ security posture, process the overflowing amount of security alerts and threat information, identify the attackers, and respond to and recover from attacks. Although many existing cyber-defense solutions incorporate artificial intelligence (AI) and machine learning (ML) technologies to help the human defenders, these solutions tend to automate specific manual analysis tasks, and they typically focus only on parts of a system or individual steps in the security life-cycle.
The ACTION Institute develops revolutionary approaches to cybersecurity, in which AI-enabled intelligent security agents cooperate with humans across the cyber-defense life-cycle tasks to jointly improve the security posture of complex computer systems over time.
New foundational AI research focuses on developing an AI stack that provides novel fundamental primitives for lifelong, continual reasoning and learning with domain knowledge, human-agent interaction that supports effective teaming and decision-making, multi-agent collaboration that is adversary-aware, and strategic gaming and tactical planning that provide provable guarantees about the effectiveness of a course of action.
Intelligent security agents leverage the capabilities provided by this new AI stack to perform a number of cybersecurity functions, supported by reasoning, learning, and collaboration (human-agent and inter-agent) in an uncertain, dynamic, and adversarial environment. In particular, intelligent security agents will support novel threat and vulnerability assessment approaches that take into account the context and dependencies between the components of a system, the detection of sophisticated multi-step intrusions performed by evasive adversaries, the attribution of complex attacks involving cooperating malicious actors, and the planning of effective response and recovery activities.
The ACTION Institute research plan is focused on providing answers to a series of research questions that refer to the capabilities required by intelligent security agents. Each research question has a dedicated research thrust.
- Thrust AI-1: What is the best way to represent domain knowledge so that learning and reasoning can be performed life-long and at-scale with well-defined quality parameters?
- Thrust AI-2: How can humans interact meaningfully with intelligent security agents to provide required domain knowledge and optimize the assignment of tasks?
- Thrust AI-3: How can one assess the capabilities of multiple interacting intelligent agents under adversarial influence and in a fast-changing environment?
- Thrust AI-4: What kind of game-theoretical approaches can effectively model adversarial behavior while providing guarantees on detection effectiveness and the ability to deceive sophisticated attackers?
Addressing these research questions requires overcoming specific challenges and limitations of current AI approaches and techniques. The results of these efforts will create an AI stack providing a set of capabilities that support novel applications of intelligent agents to cybersecurity.
The novel capabilities provided by the AI stack will revolutionize the way in which the cyber-security life cycle is carried out, and each phase of this agent-enabled life cycle is the focus of a use-inspired research thrust.
- Thrust SEC-1: The new AI stack will support the creation of a knowledge-driven approach to vulnerability analysis and threat assessment that is target-centric and context-aware.
- Thrust SEC-2: By providing robust learning techniques it will be possible to protect intelligent security agents involved in intrusion detection from tampering and evasion.
- Thrust SEC-3: The ability to model the behavior and goals of adversaries will support the identification of adversarial collaboration and will support attack attribution.
- Thrust SEC-4: Inter-agent and agent-human collaboration will support effective approaches to response and recovery where newly acquired knowledge makes the system increasingly resilient to future attacks.
The ACTION Institute comprises 11 academic institutions, including 3 Hispanic Serving Institutions (UCSB, UI Chicago, Rutgers), 1 Emerging HSI (UCB), 1 HBCU (Norfolk State University), 1 MSI (UI Chicago), and 9 AANAPISI.
It is this diversity of experience and perspectives that informs the ACTION Institute’s research and education plans, and that will be leveraged to achieve its goals. In addition, the geographic distribution of the academic partners will facilitate the ACTION Institute’s role as a nexus point for collaborative efforts, by effectively creating a "network of networks" for engagement in and dissemination of our research and educational activities.
The ACTION Institute partners with several academic and educational institutions to create a network of organizations focused on advancing the fields of AI and cybersecurity.
The ACTION Institute collaborates with industry partners to perform technology transfer and to gain insights into the challenges associated with deploying AI-enabled cybersecurity solutions in real-world settings.
The ACTION Institute is supported by the National Science Foundation under grant no. IIS-2229876 and is supported in part by funds provided by the National Science Foundation, by the Department of Homeland Security, and by IBM.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.