Doers, not Watchers: Intelligent Autonomous Agents are a Path to Cyber Resilience
Alexander Kott, Paul Theron

TL;DR
This paper advocates for transforming cyber defense tools from passive watchers into active autonomous agents capable of rapid response and recovery to enhance cyber resilience.
Contribution
It explores the vision of autonomous intelligent cyber defense agents (AICA) and discusses a high-level reference architecture for such systems.
Findings
Highlights the limitations of current passive cyber defense tools.
Proposes the integration of autonomous response and recovery capabilities.
Discusses the potential benefits of AI-driven active cyber defense agents.
Abstract
Today's cyber defense tools are mostly watchers. They are not active doers. To be sure, watching too is a demanding affair. These tools monitor the traffic and events; they detect malicious signatures, patterns and anomalies; they might classify and characterize what they observe; they issue alerts, and they might even learn while doing all this. But they don't act. They do little to plan and execute responses to attacks, and they don't plan and execute recovery activities. Response and recovery - core elements of cyber resilience - are left to the human cyber analysts, incident responders and system administrators. We believe things should change. Cyber defense tools should not be merely watchers. They need to become doers - active fighters in maintaining a system's resilience against cyber threats. This means that their capabilities should include a significant degree of autonomy and…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques
