Cyber attacking is easier than cyber defending - attackers only need to find one breach, while the defenders must successfully repel all attacks. This preliminary work uses s(CASP) as a framework for modelling networks of devices, and their associated insecurities and defenses. Cyber defenders often need to reason with missing, uncertain, and contradictory evidence. This position paper demonstrates that cyber defenders can amplify their capabilities by joining forces with eXplainable-AI (XAI) utilising interactive human machine collaboration mediated through s(CASP).
Defending assets from cyber attack remains challenging. There are many asymmetries that
disadvantage the defender, including – rare symptoms of compromise are buried within
burgeoning log files of (most likely) normal behaviour; – specification of the assets are rarely
complete and accurate; – public knowledge of exploits are always out of date, with the continual
emergence of new zero-day attacks; – systems may have a vulnerable component, but the
deployment context and configuration may make it unexploitable. This leaves the defender
having to reason in the complex world where the information they have access to cannot be
relied upon. Ultimately, skilled cyber defenders admit that it is almost impossible for them to
give any security guarantees [
Cyber defenders apply their skill and reasoning in much the same way that a detective solves a murder case. They constantly form hypotheses, collect more evidence, and focus their investigations. They will use abductive reasoning to form hypotheses and seek yet-tobe discovered evidence, whilst forming constraints based on the evidence that will rule out incompatible hypotheses and lines of enquiry. They may be able to conclude, based on reasonable probability, the motive, opportunity, and weapon used by a suspect. Once the case is solved, then it is possible to follow a deductive reasoning process that explains the case and its artefacts1.
Logic programming has a long history of knowledge representation and reasoning. Despite
its longevity and many successes standard Prolog, with its sound semantics and elegant
computation model (e.g [
s(CASP) has been used in various applications. Varanasi et al. [23] use s(CASP) to model
the safety-critical behaviour of a timed system. Hall et al. [
Real computer networks can be arbitrarily complex. For example, detailed analysis of a small organisation’s network, where data was collected for half a year, showed that 181 devices were connected within its networks[16]. Some of the devices are for normal operational duties (for example laptops, network routers, door swipe access controllers), others are defensive in nature (for example virus and vulnerability scanners). All devices pose a risk of expanding the organisation’s attack surface.
Cyber defenders are keen to incorporate both controls (for example network firewalls) and monitoring as part of their defensive toolkit. Monitoring can be passive like the continuously running network security monitoring system Zeek [24], or it can be active, like the vulnerability scanner OpenVAS [17] where probes for known vulnerabilities are commissioned.
In this initial work we start by modelling a simple network of devices as shown in the block diagram in Figure 1 . There are networks and there are devices. A router device can connect more than one network. In the simple network the router openwrt01 connects the networks 192.168.15. and 192.168.116.; while the IoT door control device frontdoorring01 and the vulnerability scanner openvas01 are connected to the 192.168.116. network.
Designing a secure device is fundamentally challenging. Certifying the level of security
for a particular device is also challenging and costly (e.g. [
Scanning systems for probing devices for known vulnerabilities are sometimes used to catalogue the status of devices. There is clearly a time-lag between the discovery of exploits and the knowledge being operationably available to a vulnerability scanner (e.g. Zero-day attacks are by definition unknown to the broader defense community). Vulnerability scanning is not perfect, and like all decision systems, they make errors. A scan of a device may return false
negatives4 and false positives5
Installers of devices rarely know precisely how the device should behave. There is a growing
appreciation for published device information from the device manufacturers themselves helping
to improve security (e.g. [
In this section we provide a flavour of the modelling and reasoning it supports for the very simple network of devices shown in Figure 1.
The code listing in Figure 2 provides illustrative fragments of the s(CASP) program that encodes the network and the security characteristics of the devices. In line 1 a device is identified, and line 9 a scanner is defined, thus introducing some of the basic objects of the domain. Line 12 through 16 encode how scanners identify that devices are good or bad. 1 device(frontdoorring01). 2 3 bad(Device) :- device(Device), not
good(Device). 4 good(Device) :- device(Device), not
bad(Device). 5 6 scan_outcome(bad). 7 scan_outcome(good). 8 9 scanner(openvas01). 10 device(Scanner) :- scanner(Scanner). 11 3.1. Interrogating the Model 12 scan(Device, Scanner, bad) :13 device(Device), scanner(Scanner), 14 not scan(Device, Scanner, good). 15 scan(Device, Scanner, good) :- device(
Device), scanner(Scanner), 16 not scan(Device, Scanner, bad).
With a plausible initial encoding of the domain we can interrogate the model by posing it queries. The code listing in Figure 3 provides illustrative security queries we can pose to the s(CASP)6 program that encodes the network and the devices. Note that each query starts with ? indicating to the SWI-Prolog top-level that we are posing the query to the s(CASP) system and not just the Prolog.
5The scanner reports the device has a vulnerability when it actually does not.
6Software versions: SWI-Prolog (threaded, 64 bits, version 9.1.10); and scasp@0.10.0.
Cyber defenders are interested to determine existing security weaknesses in the assets they are responsible for. For example they are constantly wondering “Are there any bad devices on my network?”. They are curious to know “Is the network secure?”, or better still “What makes the network insecure?”. A sample list of s(CASP) queries that cyber defenders may be interested in is shown in Figure 3.
The answers being simply yes or no does not allow the defender to identify specific actions they can take. However, interacting with the s(CASP) model provides answers supported with the elements that must hold. These elements allow the defender to determine where (and, sometimes, how) to remediate so as to improve security. For example, the response that a particular network is insecure, the s(CASP) accompanying explanatory model identifies that for the network to be insecure, it can be caused by a particular device being bad. This allows the defender to actively improve the security of the device, so that the overall network is more secure. Figure 4 shows the s(CASP) query and corresponding s(CASP) model to determine which device is bad, and the supporting reasoning that makes it so. 4. Discussion
The results presented are preliminary, but they do demonstrate the feasibility of the approach. Using Logic Programming syntax to describe complicated networks and security properties has a relatively low impedance to human cyber defenders. Human-computer comprehensibility has been a long standing requirement for those interested in strong AI (e.g. [15]), and is crucial for eXplanatory AI environments. Ultimately, we aim for systems that interact in a strong way with deep human experts so that both the humans and the machines can critique and improve each other’s understanding (see [22]). The ability to identify actionable remedies is a particular strength of the approach ofered by s(CASP).
There are many directions for expanding this work. The incorporation of pre-existing cyber security domain knowledge will make it possible to expand the encoding. Sikos [21] provides semantic web style ontologies for the cyber security domain.
The current simple encoding does not take into account the temporal nature of the domain.
Much cyber information is recorded in log files with time stamped entries. The Logic
Programming community has long been interested with temporal problems and reasoning about actions
and change. One well studied formulation is the Event Calculus (e.g. see [20]). The Event
Calculus has been used with ASP which requires the discretisation of the time dimension. Ray
[18] provides a discrete-time version of the Event Calculus resolving many issues in previous
formulations, but remains not fully compatible with real world scenarios requiring continuous
time. Some authors ( [23] and [
The logical language of s(CASP) makes it easy for a cyber defender to interact and reason
about security and take action. But cyber defenders are a scarce global resource7. Future
work would consider putting the reasoning into a smart gateway [
The domain of cyber security has been studied to demonstrate co-inductive Machine Learning and reasoning [19] where both human and machine work together to come to an understanding of a cyber incident. Although promising, it fails to achieve full two-way explainablility as defined by Srinivasan et.al. [22]. Future work may seek to combine approaches from both the goaldirected execution of Answer Set Programming (s(CASP)) and Inductive Logic Programming (ALEPH and ACUITY).
This preliminary work demonstrates the feasibility of the s(CASP) approach as an enabler of human-computer reasoning in the field of cyber security. Providing actionable information about the state of cyber defenses underlines the value of eXplanatory AI to the improvement of security in our networks of devices.
This work is supported by the Innovate-UK 105592: CyberStone: Collaborative Secure IOT Gateway (ManySecured) grant.
https://doi.org/10.6028/NIST.IR.8425, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_ id=935382 (Accessed February 28, 2023) [15] Donald Michie. 1988. Machine Learning in the Next Five Years. In D. Sleeman and J.
Richmond editors, Third European Workshop Session on Learning (EWSL ’88), p. 107 - 122.
University of Strathclyde, Pitman, London. [16] Steve Moyle. 2022. Simple Good-Turing Frequency Analysis applied to Network Monitoring for volatility indication. Internal Project Report – 105592: CyberStone: Collaborative Secure IOT Gateway (ManySecured). [17] OpenVAS - Open Vulnerability Assessment Scanner. https://openvas.org/, June 2023. [18] Oliver Ray. 2021. Learning and Revising Dynamic Temporal Theories in the Full Discrete Event Calculus. In the proceedings of the 30th International Conference on Inductive Logic Programming (ILP), LNAI 13191:219-233. [19] Oliver Ray and Steve Moyle. 2021. Towards expert-guided elucidation of cyber attacks through interactive inductive logic programming Proceedings of the 13th International Conference on Knowledge and Systems Engineering (KSE), IEEE Press. [20] Murray Shanahan. 1997. Solving the Frame Problem: A Mathematical Investigation of the
Common Sense Law of Inertia. MIT Press. [21] Leslie F. Sikos, Markus Stumptner, Wolfgang Mayer, Catherine Howard, Shaun Voigt, and Dean Philp. 2018. Representing network knowledge using provenance-aware formalisms for cyber-situational awareness. In Procedia Computer Science, 126, 29-38. https://www. sciencedirect.com/science/article/pii/S1877050918311803. [22] Ashwin Srinivasan, Michael Bain, and Enrico Coiera. 2022. One-way Explainability Isn’t
The Message. arXiv https://arxiv.org/abs/2205.08954, May 2022. [23] Sarat Chandra Varanasi, Brendan Hall, Joaquín Arias, Elmer Salazar, Fang Li, Kinjal Basu, Kevin Driscoll, and Gopal Gupta. 2021. Modelling and Verification of Timed Systems with the Event Calculus and s (CASP). ICLP Workshops. https://ceur-ws.org/Vol-2970/gdepaper2.pdf [24] The Zeek Network Security Monitor. https://zeek.org/, June 2021.