What is it about?
Cyber threats are becoming more frequent and more damaging. To cope, cyber security researchers have devised ways of automating both the detection and the analysis of threats using Artificial Intelligence (AI) and Machine Learning (ML). One important application is Cyber Threat Intelligence (CTI), where AI and ML algorithms automatically analyze huge volumes of leads, traces, and intelligence reports, speeding up the otherwise time-consuming work of human intelligence analysts. The quality of automated CTI tends, however, to degrade in realistic settings, where evidence can be incomplete and ambiguous and where threat actors may use deceptive tactics. In practice, AI- and ML-driven approaches to CTI therefore often need to be complemented with human intelligence analysis to reach acceptable quality. This article presents AMBARGO, a quantitative framework that combines the efficiency of AI and ML with the contextual, hypothesis-driven nature of human intelligence analysis. What AMBARGO adds is the ability to reason with multiple interpretations of the same piece of evidence, and to keep several competing hypotheses open without committing to one of them too early. This ability, which AMBARGO formalizes mathematically, is one of the traits that make the human analyst indispensable for high-quality intelligence: the assessment of incomplete, ambiguous, and potentially deceptive evidence.
Featured Image
Photo by Andre Benz on Unsplash
Why is it important?
We show experimentally that AMBARGO outperforms state-of-the-art machine learning-based approaches in a realistic cyber attribution use case with incomplete, ambiguous, and potentially deceptive evidence. AMBARGO also uses existing machine learning-based algorithms as an architectural component, so an implementation could combine the robustness of AMBARGO with the efficiency of legacy machine learning approaches in an improved CTI platform. Our work also challenges the idea that AI and machine learning can straightforwardly replace human reasoning and decision-making. In fields such as intelligence analysis, human cognition still plays a decisive role.
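To make concrete what "keeping several hypotheses open" buys an analyst in an attribution case with possibly planted evidence, here is a small added illustration. It is not AMBARGO's formalism (the summary above does not describe it) and not the authors' code; it uses a plain Bayesian update in which every artefact is modelled as either genuine or planted, and contrasts that with an analyst who locks in the leading hypothesis as soon as it passes a threshold. The actor names, evidence items and all probabilities are constructed for the example.

```python
"""Multi-hypothesis attribution under ambiguous, possibly planted evidence.

Constructed illustration, not AMBARGO's method. Actor names, evidence items
and probabilities are made up for the example.
"""

HYPOTHESES = ("ActorA", "ActorB", "ActorC")

# Each item: (label, P(observation | hypothesis, evidence genuine), P(evidence planted)).
# Cheap-to-fake artefacts get a high planted probability, costly ones a low one.
EVIDENCE = [
    ("Cyrillic strings in the dropper",
     {"ActorA": 0.8, "ActorB": 0.1, "ActorC": 0.1}, 0.5),
    ("Custom loader previously seen only in ActorB campaigns",
     {"ActorA": 0.1, "ActorB": 0.7, "ActorC": 0.2}, 0.1),
    ("Compile timestamps cluster in UTC+3 working hours",
     {"ActorA": 0.5, "ActorB": 0.4, "ActorC": 0.1}, 0.3),
    ("C2 infrastructure overlaps with known ActorB servers",
     {"ActorA": 0.1, "ActorB": 0.8, "ActorC": 0.1}, 0.1),
]


def uniform_prior(hypotheses=HYPOTHESES):
    return {h: 1.0 / len(hypotheses) for h in hypotheses}


def deception_aware_likelihood(genuine, p_planted):
    """Mixture likelihood: with probability p_planted the artefact was planted
    and carries no information about the actor (same value under every hypothesis)."""
    n = len(genuine)
    return {h: (1.0 - p_planted) * genuine[h] + p_planted / n for h in genuine}


def normalize(weights):
    total = sum(weights.values())
    return {h: w / total for h, w in weights.items()}


def bayes_update(posterior, likelihood):
    return normalize({h: posterior[h] * likelihood[h] for h in posterior})


def track_all_hypotheses(evidence, prior=None):
    """Keep every hypothesis alive; return the posterior after each evidence item."""
    posterior = dict(prior or uniform_prior())
    history = []
    for _label, genuine, p_planted in evidence:
        posterior = bayes_update(posterior, deception_aware_likelihood(genuine, p_planted))
        history.append(posterior)
    return history


def commit_early(evidence, threshold=0.5, prior=None):
    """Analyst who locks in the leading hypothesis as soon as it passes the
    threshold. Once the others are zeroed, no later evidence can revive them."""
    posterior = dict(prior or uniform_prior())
    for _label, genuine, p_planted in evidence:
        posterior = bayes_update(posterior, deception_aware_likelihood(genuine, p_planted))
        top = max(posterior, key=posterior.get)
        if posterior[top] > threshold:
            posterior = {h: 1.0 if h == top else 0.0 for h in posterior}
    return posterior


def leading(posterior):
    return max(posterior, key=posterior.get)


if __name__ == "__main__":
    for (label, _g, _p), post in zip(EVIDENCE, track_all_hypotheses(EVIDENCE)):
        print(f"{label:58s} " + "  ".join(f"{h}={post[h]:.2f}" for h in HYPOTHESES))
    print("all hypotheses kept ->", leading(track_all_hypotheses(EVIDENCE)[-1]))
    print("committed early     ->", leading(commit_early(EVIDENCE)))
```

With these constructed numbers the first artefact (easily planted language strings) pushes ActorA above 0.5, so the early committer settles on ActorA and never reconsiders, while the tracker that keeps all three hypotheses ends up around 0.89 on ActorB once the costly-to-fake loader and infrastructure evidence arrive. The planted-evidence mixture is what stops a single cheap artefact from dominating the update; how AMBARGO itself weighs such evidence is described in the paper, not here.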
Read the Original
This page is a summary of: Cyber Threat Intelligence meets the Analytic Tradecraft, ACM Transactions on Privacy and Security, October 2024, ACM (Association for Computing Machinery). DOI: 10.1145/3701299.