13 Jul Use of Expert Systems in cyber defense
Currently, a small number of tools that use artificial intelligence are used commercially for cyber defense, and so far the most common are expert systems. An expert system is a computer program that uses artificial intelligence (AI) technologies to mimic, in a well-specified manner, the behavior of human specialists who have expert knowledge and experience in a particular field. The aim of an expert system is to solve complex problems in its domain.
The expert system includes a knowledge base, which holds expert knowledge about a specific application domain. Besides the knowledge base, it includes an inference engine that derives answers from this knowledge, possibly together with additional knowledge about a given situation. Developing an expert system involves two steps: first, selecting and adapting an expert system shell; second, acquiring the expert knowledge and entering it into the knowledge base. The second step is far more complicated and time-consuming than the first.
There are several different knowledge representations for expert systems; the most widely used is the rule-based model. However, the effectiveness of an expert system depends on the quality of the knowledge in the knowledge base, and not so much on the knowledge representation.
The expert system most commonly used in cyber security is essentially a question-answering (query) system that makes decisions after analyzing the situation. Possible queries that such an expert system might use to detect cyber-attacks include the following:
- Has more than one user tried to log on with the same password? If yes, then the password is compromised.
- Did the system file change? If yes, which one? Who changed it? Can it be repaired? If not, flag the file and report the violation.
- Did a user try to log on unsuccessfully 10, 100, 1000 times? If yes, then a hacker is probing the system; close the connection.
- Have specific protected files been requested or altered? If yes, then identify the source and record the details for the authorities.
- Is a user making requests of the system that are out of the norm? If yes, then flag the user and restrict access.
- Are all users on the system authorized? If not, shut down unauthorized users and alert administrators.
- Did all users enter the system via the normal logon procedure? If not, then trace their origin and log them off the system.
When the expert system detects a problem or discrepancy, it will, depending on the case and its settings, either stop the attack (block the user, the connection, etc.) or send an alert to the authorities.
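The sketch below is an added example, not code from the original article or from any product. It shows a rule-based knowledge base and a forward-chaining inference engine answering three of the queries listed above. The event fields, the `pw_id` password fingerprint, the action names and the threshold of 10 are assumptions made for illustration, and the events are constructed sample data.

```python
from collections import Counter, defaultdict

FAILED_LOGON_LIMIT = 10  # assumption: lowest of the thresholds listed (10, 100, 1000)

# Constructed sample events (not real logs); pw_id is a hypothetical password fingerprint.
EVENTS = [
    {"type": "logon", "user": "alice", "src": "10.0.0.5", "ok": True, "pw_id": "p1"},
    {"type": "logon", "user": "bob", "src": "10.0.0.6", "ok": True, "pw_id": "p1"},
    {"type": "file_change", "path": "/etc/passwd", "user": "carol", "repairable": False},
] + [{"type": "logon", "user": "root", "src": "203.0.113.9", "ok": False, "pw_id": f"g{i}"}
     for i in range(12)]

def derive_facts(events):
    """Turn raw events into the facts (working memory) the rules reason over."""
    facts = set()
    failures = Counter(e["src"] for e in events if e["type"] == "logon" and not e["ok"])
    facts |= {("failed_logons", src, n) for src, n in failures.items()}
    users_by_pw = defaultdict(set)
    for e in events:
        if e["type"] == "logon":
            users_by_pw[e["pw_id"]].add(e["user"])
        elif e["type"] == "file_change":
            facts.add(("file_changed", e["path"], e["user"], e["repairable"]))
    facts |= {("shared_password", pw, len(u)) for pw, u in users_by_pw.items() if len(u) > 1}
    return facts

# Knowledge base: each rule maps one fact to a conclusion (a new fact) or None.
RULES = [
    lambda f: ("probing", f[1]) if f[0] == "failed_logons" and f[2] >= FAILED_LOGON_LIMIT else None,
    lambda f: ("action", "close_connection", f[1]) if f[0] == "probing" else None,
    lambda f: ("action", "password_compromised", f[1]) if f[0] == "shared_password" else None,
    lambda f: ("action", "flag_and_report", f[1]) if f[0] == "file_changed" and not f[3] else None,
]

def infer(facts):
    """Inference engine: forward-chain until no rule adds a new fact, then return actions."""
    known, changed = set(facts), True
    while changed:
        changed = False
        for fact in list(known):
            for rule in RULES:
                conclusion = rule(fact)
                if conclusion and conclusion not in known:
                    known.add(conclusion)
                    changed = True
    return sorted(f[1:] for f in known if f[0] == "action")

def run(events=EVENTS):
    return infer(derive_facts(events))

if __name__ == "__main__":
    print(run())
```

The "probing" conclusion is an intermediate fact that a second rule turns into an action, which is what separates an inference engine from a flat list of checks; changing the system's behavior means editing `RULES`, not the engine.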