Charles River Analytics won a contract, in two phases, to develop an artificial intelligence (AI) and machine-learning-based cyber opponent that would enable more frequent and less resource-intensive cybersecurity training. The $1.1 million Phase II contract, awarded through the Small Business Innovation Research (SBIR) program, will run through July 2023.
Given the growing threat of cyberwarfare, training exercises in cybersecurity are becoming increasingly imperative. Unfortunately, large-scale exercises require too much time, money, and expertise to execute. As a result, training slips down in priority. An automated, adaptive, and dynamic training tool that can successfully mimic an adversary would reduce the cost of exercises and potentially increase their frequency.
An efficient automated cybertraining tool must meet the following requirements:
- Deliver realistic adversary behaviors based on real-life exercises, not just simulations
- Easily integrate with existing training networks
- Enable instructors to assess and adjust agent behavior to meet shifting training objectives
The Cyber Reactive Adversary Framework for Training (CRAFT) from Charles River Analytics fits the bill. It provides realistic, dynamic, and customized adversary behavior to meet training objectives.
Alternative approaches can craft an automated cybertraining tool, but they come with their own challenges. Baseline “smart scripting,” for example, is simple to use but is often too elementary in its approach. As a result, adversaries can easily figure out their behavior and circumvent them. “Intelligent scripting is too simplistic and not very dynamic,” says Sean Guarino, Principal Scientist at Charles River Analytics. “They don’t react very well to the things the defender might do, so they’re easily detected.” On the other end of the spectrum, cognitive architectures can also deliver, but they are too complex and esoteric, leaving the crafting of a tool to only a few skilled professionals.
CRAFT treads the middle “Goldilocks” ground effectively by leaning on Hap, Charles River Analytics’ in-house reactive behavior modeling architecture. Hap agents proactively and dynamically collect information on behavior. “Hap uses active planning so, unlike static behavior-tree approaches, Hap dynamically reconfigures the behaviors it pursues based on what the defenders are doing. Being able to detect, react, and adapt in real time presents a more complex adversary,” Guarino says.
The team is working on giving CRAFT a more accessible interface so it can be “easily adopted by those who need to work with it,” Guarino adds.
CRAFT’s big achievement during Phase I was the development of an agent that can execute a live attack exercise, instead of simulations, and dynamically change behaviors. Phase II will address a wide range of adversary behaviors and attacks, including those outlined in MITRE’s ATT&CK framework.
While CRAFT started out as a tool for the armed forces, it can find commercial applications in corporate and university training programs. “There are a lot of gaps in training in the commercial sector as well. Having a tool such as CRAFT allows organizations to deliver more frequent and effective training,” Guarino says. “It means our cyberdefenders will be better prepared to detect and respond to attacks more quickly and to conduct better cyberforensics to understand what happened during an attack that already occurred.”
This material is based upon work supported by the Small Business Innovation Research (SBIR) Program through the U.S. Army Contracting Command (ACC) – Orlando under Contract No. W900KK-21-C-0010. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Small Business Innovation Research (SBIR) Program through the U.S. Army Contracting Command (ACC) – Orlando.