ADAPTIVE CYBER SECURITY TECHNOLOGIES

It was highlighted that a systems view should be taken: People generate Data, which feeds Applications, which run on Devices that connect to the Cloud and the Internet. A process needs to be followed in which an Audit is taken to inform techniques that Protect, Detect and React to threats, and which then allows systems to Log and Learn from events. There are multiple control loops within this process, at multiple levels, and they need to interact sensibly. Consensus was reached that Adaptive Technologies are a fundamental area of future research, and that there are opportunities to use Adaptive Techniques within each phase of this process.

Humanity adapts and changes constantly, and systems need to be able to recognise and deal with an adapting society. Adaptive techniques will produce some of the most effective methods of threat detection and prevention; some threats, such as Insider Threat and Identity Masquerading, may only be caught by using adaptive techniques. Adaptive techniques also offer efficiency in minimising the cost of security: depending on the scenario and the resources available, the most effective mix of techniques can be selected for the most efficient result. Adaptive techniques can also provide simplified and efficient reports to users and operators.

There are some risks in using adaptive technologies and in aspiring to have autonomous systems. Adaptive techniques could introduce a ‘digital judo’ phenomenon (an attacker turning a system’s own adaptation against it) or introduce new vulnerabilities. There is a risk of systems learning the wrong thing; Swarm Technologies and Herd Mentality theory were highlighted in this context. However, in general it was felt that adaptive techniques were not only useful but necessary. The group identified three main areas of opportunity:

1. Normalising/Protecting Systems

Systems need to be able to measure within a closed loop; however, the potential dangers of in-band control signalling were highlighted. Adaptive security technologies need to carry out behavioural analytics and behavioural-based trust. In doing so, security mechanisms should be designed to a) minimise interference with normal operation, b) control the degradation of system performance and c) maintain a minimum Quality of Service. In normalising and protecting systems, researchers should look at what can be learned from safety-critical systems and their approach to architectures and systems engineering. In decomposing complicated intelligent behaviour, researchers should look at Brooks’ work on robotics and subsumption architectures.

2. Hi-Fidelity Detection

Adaptive systems are needed to reduce the false positives and false negatives of current detection techniques. Researchers should use big data to their advantage, separate the data from the system, isolate what can change from what is static, and carry out content-level analysis. Researchers should look to apply adaptive cyber security technologies to reduce the cognitive burden on humans and to harness nature-inspired mechanisms that can deliver faster-than-human response.
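The following Python example, added here and not part of the original report, sketches a closed-loop behavioural detector of the kind the three design constraints in the Normalising/Protecting Systems area describe: it learns a per-user baseline of requests per time window, escalates its response one rung at a time when behaviour deviates (controlled degradation), caps the strongest response at a configured rung so a minimum Quality of Service is kept, and, to address the risk of systems learning the wrong thing, refuses to fold flagged samples into the baseline. The comparison run with learn_from_flagged=True shows why that matters for hi-fidelity detection: the poisoned baseline absorbs the burst and stops flagging it part-way through. The class and function names (AdaptiveLoop, Baseline, run_scenario), the response ladder and the traffic figures are all constructed for this illustration.

```python
"""Closed-loop behavioural detector with a bounded, stepwise response.

Constructed illustration; not code from the original report. One signal is
measured per entity (requests per time window), an exponentially weighted
baseline of that signal is kept, and a response ladder is driven whose top
rung is capped so service never drops below a configured floor.
"""
import math
from dataclasses import dataclass

# Response ladder, weakest to strongest. The loop moves one rung at a time.
LEVELS = ("allow", "log", "rate_limit", "challenge", "block")


@dataclass
class Baseline:
    """Exponentially weighted mean and variance of an entity's normal behaviour."""
    mean: float = 0.0
    var: float = 0.0
    n: int = 0

    def update(self, x: float, alpha: float) -> None:
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            incr = alpha * diff
            self.mean += incr
            self.var = (1.0 - alpha) * (self.var + diff * incr)
        self.n += 1


@dataclass
class Decision:
    entity: str
    value: float
    zscore: float
    flagged: bool
    level: str


class AdaptiveLoop:
    """Hypothetical controller: measure, compare to baseline, respond, learn."""

    def __init__(self, alpha=0.1, warmup=10, z_threshold=4.0, min_std=1.0,
                 strongest_response="challenge", learn_from_flagged=False):
        self.alpha = alpha
        self.warmup = warmup            # samples learned unconditionally (assumed clean)
        self.z_threshold = z_threshold
        self.min_std = min_std          # avoids a zero divisor on perfectly regular traffic
        self.cap = LEVELS.index(strongest_response)  # QoS floor: never escalate past this rung
        self.learn_from_flagged = learn_from_flagged  # True reproduces the poisoning failure
        self.baselines: dict[str, Baseline] = {}
        self.levels: dict[str, int] = {}

    def observe(self, entity: str, value: float) -> Decision:
        b = self.baselines.setdefault(entity, Baseline())
        level = self.levels.get(entity, 0)
        if b.n < self.warmup:
            z, flagged = 0.0, False
        else:
            std = max(math.sqrt(b.var), self.min_std)
            z = (value - b.mean) / std
            flagged = z > self.z_threshold
        if flagged:
            level = min(level + 1, self.cap)   # controlled degradation, bounded by the floor
        else:
            level = max(level - 1, 0)          # recover as soon as behaviour normalises
        if not flagged or self.learn_from_flagged:
            b.update(value, self.alpha)        # flagged samples do not shape "normal"
        self.levels[entity] = level
        # The decision leaves on its own path and is never fed back into the
        # measured signal, so the controller cannot be steered through in-band data.
        return Decision(entity, value, z, flagged, LEVELS[level])


# Constructed traffic for one user: 20 normal windows, a 4-window burst, 6 normal windows.
NORMAL = [10, 12, 9, 11, 10, 13, 8, 10, 11, 9, 10, 12, 11, 10, 9, 11, 10, 12, 10, 11]
BURST = [60, 90, 120, 150]
RETURN = [10, 11, 10, 10, 9, 11]


def run_scenario(learn_from_flagged: bool) -> dict:
    loop = AdaptiveLoop(learn_from_flagged=learn_from_flagged)
    decisions = [loop.observe("alice", v) for v in NORMAL + BURST + RETURN]
    return {
        "levels": [d.level for d in decisions],
        "flagged": sum(d.flagged for d in decisions),
        "baseline_mean": loop.baselines["alice"].mean,
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = run_scenario(mode)
        print(f"learn_from_flagged={mode}: flagged={r['flagged']} "
              f"final_mean={r['baseline_mean']:.1f} levels_after_warmup={r['levels'][20:]}")
```

With the default settings the resistant loop flags all four burst windows, climbs log, rate_limit, challenge and then stays at challenge rather than reaching block, and steps back down once traffic normalises, with the baseline mean still near 10. The run that learns from flagged samples lets the burst inflate its own variance, so later burst windows fall under the threshold and the baseline mean drifts well above the user's real behaviour.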

3. Intelligence Gathering/Learning/Information Sharing

Adaptive systems will need to be cognitive, with some level of self-awareness, self-learning and self-explanation, to be able to address a moving target. There will need to be some predictability based on past data, essentially allowing the system to reason about the future, run ‘what if’ scenarios and learn from wrong decisions. Adaptive systems will need to be able to verify, prove, explain and justify their actions. Researchers should look to employ out-of-band management communications, look at new techniques of visualisation, and develop systems that not only self-learn but also contribute to and learn from the community. Autonomous systems should be developed that automatically learn from attacks and share this learning with a network for the benefit of all. In turn, this openly shared information will allow autonomous systems to profile and mitigate potential attackers and deliver early warnings of hostile reconnaissance.

Key to a research roadmap is having access to, and demonstrating solutions on, real-world data. Applied researchers need to work with government and industry partners to realise this, connect with the various cyber ranges, and aspire to have a standard dataset within the community.