DISA Applies AI to Network Defense

As it advances its application of robotic process automation, the Defense Information Systems Agency is expanding its artificial intelligence efforts through a research agreement and a new pilot program. The agency is using these latest efforts to examine the application of artificial intelligence capabilities to network defense—as it conducts its daily around-the-clock mission of protecting the Department of Defense Information Network.

In one effort, the agency is working with Vienna, Virginia-based software company NT Concepts through a cooperative research and development agreement, or CRADA, to apply machine learning (ML) to defensive cyber operations.

“The focus of the CRADA is to evaluate NT Concepts’ Machine Learning Operations (MLOps) life cycle to methodically identify candidate state-of-the-industry machine learning technologies,” explains Roy Hendrix, Global Change and Configuration Branch chief at the Defense Information Systems Agency’s (DISA’s) Enterprise Engineering and Governance Directorate. “The goal is to determine how these technologies can be employed to deliver operational insights and strengthen DODIN [Department of Defense Information Network] cyber defense mechanisms.”

Hendrix, who is the principal investigator on the CRADA, had championed its preparations over the last year—along with Quanita Bost, DISA’s CRADA manager—helping to scope the three-year effort and define possible use cases.

“The [plan for the] first of several use cases is to automate, better utilize cyber analyst time, harness data as a strategic asset and avoid the ‘needle-in-a-haystack’ problem,” Hendrix says. “We want to tap data sources once, leverage AI[artificial intelligence]/ML computing capabilities to automate data pipelines and use them for both performance and cybersecurity. The data will provide valuable insights into correlating events and are considered to be on the same side of the coin—not the opposite.”

“NT Concepts is pleased to collaborate with DISA on this mission-critical defensive cyber operations AI/ML pilot,” adds Darin Powers, president and chief operating officer of NT Concepts. “Our goal is to provide DISA’s defensive cyber analysts with tools that increase the security of DoD Networks.”

Moreover, the effort will contribute to the agency’s employment of zero-trust architecture, considering how ML capabilities can aid the defense of the DODIN under zero trust. “The end state goal is to drive DISA toward true zero trust [architecture] using data-driven decision making,” Hendrix notes.

In addition, DISA is embarking on a new pilot program in its Emerging Technology Directorate to evaluate how to apply AI/ML capabilities to detect cyber anomalies and adverse activity and offer incident response guidance, states Deepak Seth, chief engineer, who is the technical lead for the directorate’s pilot. Seth expects the effort to run over the next several months.

“We’re trying to apply AI primarily toward cyber event detection and incident response, which traditionally have been manual activities for our analysts,” he says. “Today, the analysts have to basically comb through a tremendous volume of cyber sensor data. It is very time-consuming and often riddled with false positives. So, we are trying to see if AI can really provide us with some additional breakthrough capabilities in the area of cyber defense.”

For the AI-related cyber incident response capabilities, the pilot team will examine historic cyber data sets to see if the solutions can deliver the same type of responses that humans provide. “What can the machine tell us?” he asks. “[With] any of the AI models or algorithms that are trained on historic DISA data, can we use those to make some kind of predictions that we can use to assist analysts in incident response and investigations?”

For the necessary AI-related infrastructure, the agency is turning to the U.S. Defense Department’s Joint Artificial Intelligence Center, known as JAIC, to provide the key components, including the Joint Common Foundation (JCF), a cloud-based platform, other tools and expertise, Seth offers.

“One of the decisions we made early on was that instead of building our own environment or AI development platform, we would utilize the JAIC’s Joint Common Foundation,” he states. “We’re working with them to leverage their cloud-based infrastructure, their data science tools and services. We want to be able to use the joint foundation for doing our AI development and then create a capability, deploy it inside DISA and apply it to the data being collected from the big data platforms. We’ve got the initial building blocks that we need.”

The JAIC, led by Lt. Gen. Michael Groen, USMC, is now under the authority of the deputy secretary of defense, aiding the Defense Department’s effort to be “AI ready” by 2025 and elevating the access to the tools and processes to reinforce AI priorities. DISA and JAIC have worked closely over the last two years building their relationship, according to both parties. “The JAIC and DISA partnership is a strong one,” Gen. Groen emphasizes. “DISA is leveraging the JAIC’s Joint Common Foundation and its DevSecOps [development security operations] environment to build and train their models and is advancing network intrusion detection through the creation of labeled data sets. Additionally, the JAIC has been developing, testing and piloting a platform for cyber data normalization and analytics orchestration that enables scalable analytics at near real-time speeds. It allows for reusing existing capabilities developed by the cyber community, academia, or acquired from the commercial sector. Keeping our data, algorithms architecture and interfaces protected is an absolute priority for the whole team. We are focused on mission assurance and mission accomplishment.”

As a relatively new capability for the Defense Department, the JAIC’s Joint Common Foundation will be bolstered by early adopter partnerships and projects such as DISA’s Emerging Technologies pilot program, Gen. Groen says. “[They] are perfect for maturing our development environment,” he notes. “The JCF provides great capabilities to DISA developers, and benefits from feedback from data scientists, AI engineers and end users to make our services better. DISA and JAIC are on this journey of transformation together.”

In addition to the Operations Directorate Group, the Cyber Development Directorate and the risk management executive for data protection may also be developing possible use cases for the pilot’s evaluation, a DISA spokesperson confirms.

“Through AI, we can detect and discern any malicious behavior much more efficiently compared to traditional approaches, and it can be done at greater speeds and greater accuracy than humans can,” Seth concludes. “And so, what we’re hoping through this pilot is that we will be able to prove out some of these benefits.”­