The Department of Defense (DoD) maintains information systems that depend on commercial off-the-shelf (COTS) software, government off-the-shelf (GOTS) software, and free and open-source software (FOSS). Securing this diverse technology base requires highly skilled hackers who reason about the functionality of software and identify novel vulnerabilities. This process requires hundreds or thousands of hours of manual effort per discovered vulnerability and does not scale sufficiently to secure the continuously growing technology base.
Hackers use program analysis techniques and tools to identify and mitigate vulnerabilities, but this process requires considerable expertise, manual effort, and time. These techniques include dynamic analysis, static analysis, symbolic execution, constraint solving, data flow tracking, and fuzz testing. Due to the rapidity of cyber-attacks, and the sheer volume of attacks that could potentially occur, there is a need for autonomy that can react in milliseconds to protect critical systems and mission components. Because these speeds are far beyond what human operators can achieve, system autonomy will form a critical aspect of cyber defense.
Automated program analysis capabilities can reason over only a few vulnerability classes without human involvement, such as memory corruption or integer overflow, but cannot address the majority of vulnerabilities. These unaddressed vulnerability types depend on subtle semantic and contextual information, which is beyond the grasp of modern automation. Scaling up existing approaches to address the size and complexity of modern software packages is not possible given the limited number of expert hackers in the world, much less the Department of Defense (DoD).
“One of the things driving them to apply AI and ML to security operations is there are not many security experts in the world for hiring. AI doubles the effectiveness of human security experts. It is amazing. Humans with the help of AI are able to detect all kinds of attacks that humans alone could not detect,” said Witten. Witten believes that AI should handle tons of data, letting humans focus on strategy.
In a recent blog post, McAfee’s chief technology officer Steve Grobman said that in the field of cyber security, as long as there is a shortage of human talent, the industry must rely on technologies such as artificial intelligence and ML to amplify the capabilities of humans.
However, he added that as long as there are human adversaries behind cybercrime and cyber warfare, there will always be a critical need for human intellect teamed with technology.
DARPA launched the program, called Computers and Humans Exploring Software Security, or CHESS, on April 3.

