
Overview

Ian edited this page Dec 25, 2015 · 7 revisions

The System

Artificial intelligence applied to cyber security should not be a concern, as long as proper care is taken in writing and executing such an application. The same can be said of any autonomous tool or application. The "intelligence" aspect, in the form of an expert system, assumes learning together with continued monitoring and decision making conducted by humans. Artificial intelligence has gained recent notoriety, of sorts, with influential people such as Stephen Hawking initiating a movement to prohibit the use of A.I. applications in weapons systems, in defense uses which impact life, and potentially in cyber security systems as well.

The use of an expert system, or even of aspects of expert systems, in cyber security is an implementation of artificial intelligence. The use of artificial intelligence in cyber security may cause concern to some, though the implementations that are actually possible do not create a significant threat. The need for human interaction with cyber security comes with the implementation of resilient network defense. This remains true for systems that have artificial intelligence incorporated in the defensive software. The difference between automation and artificial intelligence is that a system with artificial intelligence uses reasoning and can explain that reasoning to a human. A firewall uses a rule-based system to act against threats, but an expert system is capable of performing the action that an expert in the field would choose.

An expert system (ES) relies on a knowledge base along with the ability to follow algorithms in "if-then" rule structures to enable decision making at the level an expert in the field would decide upon. This application maintains the rule structure and algorithms needed, but no knowledge base is provided, as the cyber security field is primarily seen as more of an "art" than a science, in that the context informs the decision made more than a set procedure to follow. This application, which shall now be referred to simply as QUINE, uses the rule structure developed by Ivan Bratko for detecting broken fuses in a substation. The adaptation of this rule set is applied directly to network monitoring and cyclic port forensics. Perhaps the predominant feature of any expert system is that it learns. QUINE possesses a feature to enable this in subsequent releases, and also to create additions to the knowledge base deployed alongside the release. Given the delicacy and potential for high-impact results in each decision made by practitioners of cyber security, it is strongly recommended not to let QUINE operate without a "hand at the helm", meaning a human should always be the final arbiter of an action proposed by QUINE.

Using SWI-Prolog to implement a reason-based system is a natural choice, given the inherent ability to operate within logical predication by virtue of the language itself.

Ok, so how does it work?

By unifying the variable "Vuln" (for "vulnerable") with the argument list "Args" of [_S1], a request from the user to identify whether the specified port is in fact vulnerable becomes possible. With no further human input, the next step in this process is to begin the best first search.

The script for the facts in the knowledge base focuses on ports and computers along with network protocols.

fact:device(input).
fact:device(udp).
fact:device(syn).
fact:device(ipa).
fact:device(port).
fact:(connected(input,port)):-fact:(connected(port(2),computer2)).
fact:(connected(port(3),computer)):-fact:(connected(port(4),computer)).
parse:connected(syn,udp,ipa):-parse:connected(syn,udp,syn),input(syn,udp,ipa).
parse:device(syn,udp,ipa).
parse:device(defines,classification,port).
parse:(output(classification(syn|X,udp|Y,ipa|Z))):-input(unknown(X,Y,Z)).

The best first search script has a modification to enable network monitoring upon completion, and therefore incorporates predicates for port scanning. The principle behind best first search is that, rather than searching exhaustively, the algorithm uses a heuristic estimate of the remaining cost to choose which node to expand next, allowing a faster search.

% Best first search adapted from Bratko. f/2, s/3, succlist/3, continue/7
% and input/3 are referenced here but are not defined on this page.
bagof(syn/ipa).
% goal/1 as written only calls itself; the termination test must be supplied.
goal(_):-goal(n).
% Entry point (Bratko's bestfirst/2); named so it does not shadow bestf/2 below.
bestfirst(Vuln,Solution):-expand(Vuln,l(Vuln,0/0),9999,_,yes,Solution).
bestf([T|_],F):-f(T,F).
bestf([],9999).
expand(P,l(N,_),_,_,yes,[N|P]):-goal(N).
expand(P,Tree,Bound,Tree1,Solved,Solution):-port(P),port(Tree|Bound|Tree1;Solved|Solution).
% Leaf expansion: collect (bagof/3) the successors not already on the path P.
expand(P,l(N,F/G),Bound,Tree1,Solved,Sol):-
    F=<Bound,
    (   bagof(M/C,(s(N,M,C),port(Member|Vuln),\+ member(M,P)),Succ),!,
        succlist(G,Succ,Ts),bestf(Ts,Fl),
        expand(P,t(N,Fl/G,Ts),Bound,Tree1,Solved,Sol)
    ;   Solved=0 ).
% Tree expansion: expand the best subtree under the bound set by the next best.
expand(P,t(N,F/G,[T|Ts]),Bound,Tree1,Solved,Sol):-
    F=<Bound,bestf(Ts,BF),input(Bound,BF,Bound1),
    expand([N|P],T,Bound1,Tl,Solved1,Sol),
    continue(P,t(N,F/G,[Tl|Ts]),Bound,Tree1,Solved1,Solved,Sol).
expand(_,t(_,_,[]),_,_,never,_):-!.
expand(_,Tree,Bound,Tree,no,_):-f(Tree,F),F>Bound.
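For comparison, the following is Bratko's best-first search written out in full (including the succlist/3, continue/7, insert/3 and f/2 helpers the page relies on but does not list) and run over a small state space of port-triage stages. This is an added example, not QUINE's code; the states, step costs and heuristic values are assumptions chosen for illustration.

```prolog
% Added example (not QUINE's code): Bratko's best-first search, Prolog
% Programming for AI, ch. 12, over a constructed port-triage state space.
:- use_module(library(lists)).
% Constructed state space: s(State, Successor, Cost). Each state is a
% stage in checking one port; costs and heuristic h/2 are assumed values.
s(observed(Pt), scanned(Pt), 2).
s(observed(Pt), logged(Pt), 1).
s(scanned(Pt), fingerprinted(Pt), 3).
s(logged(Pt), fingerprinted(Pt), 5).
s(fingerprinted(Pt), classified(Pt), 1).
h(observed(_), 5).  h(scanned(_), 3).  h(logged(_), 6).
h(fingerprinted(_), 1).  h(classified(_), 0).
goal(classified(_)).
% bestfirst(+Start, -Solution): Solution is the path, goal state first.
bestfirst(Start, Solution) :-
    expand([], l(Start, 0/0), 9999, _, yes, Solution).
% Leaf that is a goal: done.
expand(P, l(N, _), _, _, yes, [N|P]) :- goal(N).
% Leaf within bound: generate successors not already on the path.
expand(P, l(N, F/G), Bound, Tree1, Solved, Sol) :-
    F =< Bound,
    (   bagof(M/C, (s(N, M, C), \+ member(M, P)), Succ), !,
        succlist(G, Succ, Ts), bestf(Ts, F1),
        expand(P, t(N, F1/G, Ts), Bound, Tree1, Solved, Sol)
    ;   Solved = never ).
% Tree: expand the best subtree under the bound set by the next-best one.
expand(P, t(N, F/G, [T|Ts]), Bound, Tree1, Solved, Sol) :-
    F =< Bound,
    bestf(Ts, BF), Bound1 is min(Bound, BF),
    expand([N|P], T, Bound1, T1, Solved1, Sol),
    continue(P, t(N, F/G, [T1|Ts]), Bound, Tree1, Solved1, Solved, Sol).
expand(_, t(_, _, []), _, _, never, _) :- !.
expand(_, Tree, Bound, Tree, no, _) :- f(Tree, F), F > Bound.
continue(_, _, _, _, yes, yes, _).
continue(P, t(N, F/G, [T1|Ts]), Bound, Tree1, no, Solved, Sol) :-
    insert(T1, Ts, NTs), bestf(NTs, F1),
    expand(P, t(N, F1/G, NTs), Bound, Tree1, Solved, Sol).
continue(P, t(N, F/G, [_|Ts]), Bound, Tree1, never, Solved, Sol) :-
    bestf(Ts, F1), expand(P, t(N, F1/G, Ts), Bound, Tree1, Solved, Sol).
% Successor list ordered by f = g + h.
succlist(_, [], []).
succlist(G0, [N/C|NCs], Ts) :-
    G is G0 + C, h(N, H), F is G + H,
    succlist(G0, NCs, Ts1), insert(l(N, F/G), Ts1, Ts).
insert(T, Ts, [T|Ts]) :- f(T, F), bestf(Ts, F1), F =< F1, !.
insert(T, [T1|Ts], [T1|Ts1]) :- insert(T, Ts, Ts1).
f(l(_, F/_), F).  f(t(_, F/_, _), F).
bestf([T|_], F) :- f(T, F).  bestf([], 9999).
% ?- bestfirst(observed(22), S), reverse(S, Path).
```

The query yields the cheapest triage path from observed(22) to classified(22); the arithmetic min in the tree clause plays the role the page's version assigns to input/3.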

Port Argument

Port Bindings

The dynamic data exchange (DDE) feature within this software, in combination with the rules shown using best first search, actively seeks vulnerabilities through port scans and communication protocols. The principal factor of the software hinges upon the ability to monitor network communication based upon port access and network protocols. This comes from the use of "port" as a predicate over several variables.

% port/1: strip the module qualifier, gather the arguments, call the goal
% in that module, then close the port (the DDE bindings follow below).
port(_) :-
    strip_module(port((Module)--> Plain),Module,Plain),
    Plain =.. [Vuln|Args],
    gather_args(Args, Values),
    Goal =.. [Vuln|Values],
    Module:Goal,
    port(port->close).
port(close):-(rl_write_history(port)).
port(classification(on_signal(Vuln|Scan,Vuln|Open,Open))):-(parse:output(Scan)).
port(retractall(Vuln)):-port(Vuln).
port(retractall(parse:parse(Vuln))):-port(Vuln).
port(Open|Scan):-('$dde_execute'((port(_)),Scan,Open)).
((port(Access;Open)):-('$dde_request'(((Access)),write([vulnerabilities]),(Open),(port(_))))).
(((port(IP)) :-dde_current_connection((Scan|Vuln),Scan, Vuln),IP)).
port((_,_)):-'$dde_disconnect'((_,_,_,_)).

The ability of the software to isolate useful forensic data, along with data relevant to network defense, is shown by the output produced by entering the query "gather_args(X,Y)." in the Prolog terminal. Tracing of predicate calls and variable bindings starts when the user enters "trace." into the terminal. The following is the listed output from a trace of the gather_args query:

X = Y, Y = [] ;
    Redo: (7) gather_args(_G8151722, _G8151723) ? Listing
gather_args([], []).
 gather_args([+A|C], [B|D]) :- !,
         unknown(port(A, B)),
         gather_args(C, D).
 gather_args([A|B], [A|C]) :-
         gather_args(B, C).
 gather_args(port(A), port(B)) :-
         on_signal(A, B, _),
         port(A),
         port((B| A)).
 gather_args(file(D, E), G) :-
         '$append'(A, [tuple('All files', *.*)], B),
         A=..[chain|B],
         current_prolog_flag(hwnd, F),
         working_directory(C, C),
         call(get(@display,
                  win_file_name(D,
                                A,
                                E,
                                directory:=C,
                                owner:=F),
                  G)).
 win_menu:gather_args([], []).
 win_menu:gather_args([+A|C], [B|D]) :- !,
         gather_arg(A, B),
         gather_args(C, D).
 win_menu:gather_args([A|B], [A|C]) :-
         gather_args(B, C).

The binding of T0 to [] signals both that lists can again be structured from the scan and that the best first search can be refined further by restructuring the software. If required, setting T0 to X from the output listed by the gather_args query, with the [_S1] argument bound to a port, yields, by hypothesis, a list of forensic information associated with that port.

The principle behind the infinitely recursive prime lattice structure is a distance function between the positions of prime numbers on a modified natural number line. On the traditional natural number line, each natural number occupies an equidistant position.

% Prime lattice: matrix/3 relates a line, a node and a distance; node/1 and
% edge/1-3 describe the lattice. distance/1 and input/1 are not defined on this page.
matrix(node(A,B,C),edge([_]),bestf([],9999)):-matrix((node(A,B,C;d(_))),port(A),input(A)).
matrix(Line,Node,Distance):-edge(Line|Node+Distance).
matrix(A|Node_x;(B|Node1,(C|Node3))):-edge(A|Node1),edge(B|Node3),edge(C|Node_x).
node(d([prime+1=prime])).
node(d([prime+2=prime])).
node(d([prime+1=prime])).
edge(X,Y):-(matrix(lattice,([])|X,Y)).
edge([Node1,Node2];[(C;Node3)],[_]):-matrix(Node1|_,Node2|C,Node3).
edge([A,B];[B,C];[C,B]):-node(3),edge([A,B,C]),distance((node + edge =Distance)),matrix(edge,node,Distance).

Why call it "QUINE"?

The logician

Willard Van Orman Quine was a mathematician and philosopher. He authored several works throughout his life, including an excellent book titled "Mathematical Logic." Quine is quoted as saying:

> "it is within science itself, and not in some prior philosophy, that reality is to be identified and described"

Quine is also known for having married logic and science, a marked difference from his colleagues in the field.

SEP Site on Quine - Philosopher

The use of logic

SWI-Prolog may be known to some as a theorem-proving system, but it also has strong applications in artificial intelligence. Ivan Bratko has written a work on this relationship, and was himself head of an institute which studied and developed A.I.

SWI-Prolog Manual

Official SWIPL Site
