A Developmental Approach to Learning Causal Models for Cyber Security

Jonathan Mugan
21CT, Inc., Austin, Texas, USA
www.21ct.com

ABSTRACT

To keep pace with our adversaries, we must expand the scope of machine learning and reasoning to address the breadth of possible attacks. One approach is to employ an algorithm to learn a set of causal models that describes the entire cyber network and each host end node. Such a learning algorithm would run continuously on the system and monitor activity in real time. With a set of causal models, the algorithm could anticipate novel attacks, take actions to thwart them, and predict the second-order effects of those actions. Designing such an algorithm is a complex task because computer systems generate a flood of information, and the algorithm would have to determine which streams of that flood were relevant in which situations.

This paper will present the results of efforts toward the application of a developmental learning algorithm to the problem of cyber security. The algorithm is modeled on the principles of human developmental learning and is designed to allow an agent to learn about the computer system in which it resides through active exploration. Children are flexible learners who acquire knowledge by actively exploring their environment and making predictions about what they will find [1, 2], and our algorithm is inspired by the work of the developmental psychologist Jean Piaget [3]. Piaget described how children construct knowledge in stages and learn new concepts on top of those they already know. Developmental learning allows our algorithm to focus on subsets of the environment that are most helpful for learning given its current knowledge. In experiments, the algorithm was able to learn the conditions for file exfiltration and use that knowledge to protect sensitive files.

Keywords: machine learning, automation, automation assurance, autonomic computing, verification and validation, cyber resilience, causal models

1. INTRODUCTION

Our current cyber defenses are insufficient to counter the sophistication level of modern attacks [4, 5]. Signature-based detection is too brittle and results in too many false negatives [6]. Attempts have been made to move into machine learning and anomaly-based approaches [7], but anomaly-based detection is often too myopic and results in too many false positives [6], and classification-based machine learning can only find what it is told to look for.

We must expand the scope of machine learning to address the breadth of possible attacks. An expanded machine learning algorithm could learn a causal model to represent the entire cyber network and each host end node. Such a learning algorithm would run continuously on the system and monitor activity in real time. With a causal model of the system, the algorithm could anticipate novel attacks, take actions to thwart them, and predict the second-order effects of those actions. Designing such a learning algorithm is a complex task because computer systems generate a flood of information, and the learning algorithm would have to determine which streams of that flood are relevant in which situations. Additionally, the causal mechanisms of a system cannot be learned through observation alone [8]. This idea is highlighted by the old maxim that observing that prison inmates tend to have tattoos does not mean that tattoos cause crime.

To learn a useful causal model out of the flood of network information, we present Cy-QLAP. Cy-QLAP (patent pending [9]) is an extension of the Qualitative Learner of Action and Perception, QLAP [10, 11], to protect cyber assets.

Send correspondence to Jonathan Mugan at jmugan@21ct.com.
PA Approval Number: 88ABW-2013-1346. Approved Date: 2013-03-20 10:42:35.