Charles River Analytics has won a contract, in two phases, to develop an artificial intelligence (AI) and machine-learning-based cyber opponent that would enable more frequent and less resource-intensive cybersecurity training.
The $1.1 million Phase II contract, awarded through the Small Business Innovation Research (SBIR) program, will run through July 2023.
Given the growing threat of cyberwarfare, training exercises in cybersecurity are becoming increasingly imperative. Large-scale exercises are said to require too much time, money, and expertise to execute, meaning training can sometimes slip down in priority. An automated, adaptive, and dynamic training tool that can successfully mimic an adversary would reduce the cost of exercises and potentially increase their frequency.
An efficient automated cybertraining tool must meet the following requirements:
- Deliver realistic adversary behaviours based on real-life exercises, not just simulations
- Easily integrate with existing training networks
- Enable instructors to assess and adjust agent behaviour to meet shifting training objectives
According to Charles River Analytics, the Cyber Reactive Adversary Framework for Training (CRAFT) fits the bill. It provides realistic, dynamic, and customized adversary behaviour to meet training objectives.
Alternative approaches can craft an automated cybertraining tool, but Charles River believes they come with their own challenges. Baseline “smart scripting” is simple to use but thought to be too elementary in its approach. As a result, adversaries can easily figure out their behavior and circumvent them.
“Intelligent scripting is too simplistic and not very dynamic,” says Sean Guarino, Principal Scientist at Charles River Analytics. “They don’t react very well to the things the defender might do, so they’re easily detected.” On the other end of the spectrum, cognitive architectures can also deliver, but they are seen as too complex and esoteric, leaving the crafting of a tool to only a few skilled professionals.
CRAFT treads the middle “Goldilocks” ground effectively by leaning on Charles River's in-house reactive behavior modeling architecture, Hap. Hap agents proactively and dynamically collect information on behavior. “Hap uses active planning so, unlike static behavior-tree approaches, Hap dynamically reconfigures the behaviors it pursues based on what the defenders are doing. Being able to detect, react, and adapt in real time presents a more complex adversary,” Guarino added.
According to Charles River, it is working on making CRAFT's interface more accessible so that it can be “easily adopted by those who need to work with it,” Guarino added.
CRAFT’s big achievement during Phase I was the development of an agent that can execute a live attack exercise, instead of simulations, and dynamically change behaviors. Phase II will address a wide range of adversary behaviors and attacks, including those outlined in MITRE’s ATT&CK framework.
While CRAFT started out as a tool for the armed forces, it can find commercial applications in corporate and university training programs. “There are a lot of gaps in training in the commercial sector as well. Having a tool such as CRAFT allows organizations to deliver more frequent and effective training,” Guarino says. “It means our cyberdefenders will be better prepared to detect and respond to attacks more quickly and to conduct better cyberforensics to understand what happened during an attack that already occurred.”