Threats to cyberspace are increasingly complex, and new approaches to attack prevention, detection and investigation are required. We propose AICS2 (Artificial Intelligence for Cyberspace Security) to address two core challenges: 1) define a new model for anomaly detection, GAD, the Graph-based model for Anomaly Detection; 2) build new Artificial Intelligence primitives to identify and characterize complex attacks in system logs and network traffic. The target environment of AICS2 generates complex, heterogeneous log information matching individual actions. From these logs, behaviour graphs can be extracted to model the individual users, services and systems.
The GAD (Graph-based model for Anomaly Detection) framework comprises three layers: a data layer (the data lake), an analysis layer (execution of the core attack detection algorithms) and a knowledge layer (learning from the expert for data annotation, control or evaluation). The Artificial Intelligence algorithms are highly specific to the expected properties of attack detection. A strong requirement for GAD is the availability of explicit, explainable input and output layers representing actual artefacts from the system to be protected. This coupling supports explainable Artificial Intelligence, which is critical in attack detection systems: it enables cyber-investigators to intervene rapidly, preventing attacks from spreading and from completing.
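To make the behaviour-graph idea and the explainability requirement concrete, here is an added example (not AICS2 or GAD code) that builds a user/service/host graph from constructed log lines, compares new activity against a baseline graph, and returns each finding together with the raw log line that produced it. The log format, node naming and the "unseen edge" rule are assumptions for illustration.

```python
# Added example (not AICS2/GAD code): a minimal behaviour-graph anomaly detector.
from collections import defaultdict

# Constructed sample logs in an assumed format: "<ts> user=<u> service=<s> host=<h>"
BASELINE_LOGS = [
    "t1 user=alice service=mail host=srv1",
    "t2 user=alice service=wiki host=srv2",
    "t3 user=bob service=mail host=srv1",
    "t4 user=bob service=git host=srv3",
    "t5 user=alice service=mail host=srv1",
]
OBSERVED_LOGS = [
    "t6 user=alice service=mail host=srv1",
    "t7 user=alice service=git host=srv3",   # alice never used git before
    "t8 user=carol service=mail host=srv1",  # carol is not in the baseline
    "t9 user=bob service=git host=srv3",
]

def parse(line):
    """Return (user, service, host) for one log line, or None if malformed."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    try:
        return fields["user"], fields["service"], fields["host"]
    except KeyError:
        return None

def build_graph(lines):
    """Behaviour graph as adjacency counts: node -> {neighbour: times seen}.
    Edges are user->service and service->host, so one log line is one path."""
    g = defaultdict(lambda: defaultdict(int))
    for user, service, host in filter(None, map(parse, lines)):
        g[f"user:{user}"][f"service:{service}"] += 1
        g[f"service:{service}"][f"host:{host}"] += 1
    return g

def detect(baseline, observed_lines):
    """Flag observed lines whose user->service edge is absent from the baseline.
    Each finding carries the raw log line (the artefact) for investigator review."""
    findings = []
    for line in observed_lines:
        rec = parse(line)
        if rec is None:
            continue
        u, s = f"user:{rec[0]}", f"service:{rec[1]}"
        if u not in baseline:
            findings.append(("unknown_user", u, line))
        elif s not in baseline[u]:
            findings.append(("new_edge", f"{u}->{s}", line))
    return findings
```

Running `detect(build_graph(BASELINE_LOGS), OBSERVED_LOGS)` flags t7 as a new edge and t8 as an unknown user, each with the originating log line attached.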