DVIDS – News – DTRA Cyber Security Project Using AI and ML to Save Time, Protect

By DTRA Public Affairs

FORT BELVOIR, Va. – The Cybersecurity experts at the Defense Threat Reduction Agency (DTRA) are on the cusp of implementing a new system, called Bird Dog, that has the potential to greatly enhance the cybersecurity defenses of not just the agency, but DoD community as a whole.

“We generate about 3.5 terabytes of data every day; that’s 3.5 million gigabytes, or approximately 250 million pages of data, every single day,” said Jason Phillips, chief of DTRA’s Cybersecurity Department. “It is a daunting task trying to figure out what data requires immediate attention in order to determine whether a compromise has occurred. Without a significant infusion of resources (money and qualified subject matter experts), we simply can’t look at everything. We need to prioritize our limited resources to focus our efforts and attention on the events that really need to be inspected or analyzed.” Using artificial intelligence (AI) and machine learning (ML), Bird Dog might be able to do the most time-consuming part of a cyber-investigation in the blink of an eye.

DTRA is one of about two dozen Cyber Security Service Providers (CSSP) across the DoD. That means the agency provides its own multi-layered cyber defense, and is certified and accredited to protect its portion of the DoD network, other 4th Estate components, and cleared defense contractors that require access to DoD Networks. The current practice is to use a layered defense that filters out most of the cyber events that don’t require a human analyst to investigate. However, the human analysts still have a mountain of data to look at as they monitor our networks.

“It’s like panning for gold – once we can move the big rocks out of the way, we can start sifting the dust,” said Phillips. “But out of about 1.5 million events generated every day, we still have 20-30 thousand events that we actually need to investigate, which requires a human analyst to review and determine what has or is occurring. To do this, analysts follow a systematic approach of identifying the who, what, and when of a cyber-event by performing queries. These queries can range from 50 – 150 questions depending on the specific event being investigated, and the ensuing results can cause things to get very complicated very quickly.”

The Bird Dog system, which DTRA is now working with the DoD’s Joint Artificial Intelligence Center (JAIC) to bring online, should be able to start the investigation before the events are sent to the analysts. Using AI and ML to train our systems what to look for, what to ignore, what connections to make and when to ask more questions, Bird Dog could turn what would normally take about three hours of human analyst work and get the answers in less than a minute.

“This problem isn’t unique to DTRA,” said Chris Paulson, DTRA’s CSSP Team lead. “It’s the same problem not just in the DoD, or the U.S. government, but even across the private sector – how much can we afford, and what level of protection is reasonable?” But Bird Dog isn’t meant to save money or replace human analysts – it makes them more efficient. “From the technical standpoint, we’re maximizing the ROI (return on investment) of our human analysts… they’ll spend much less time trying to figure out IF there is a problem that needs to be investigated (and then fixed, blocked, contained, or shared with other networks), and more time investigating events that may not have been previously seen.”

While the Bird Dog idea was first discussed several years ago, the DTRA IT team started the in-house work back in 2019, and joined up with the JAIC in the fall of 2019. The incredibly difficult task of getting a machine to not only think for itself – artificial intelligence – but to LEARN how to think for itself – machine…