This chapter is from the book

Answers to Multiple-Choice Questions

1. Answer: C. They could detect new threats without labeled attack data. The chapter explicitly stated that unsupervised models could detect anomalies without requiring labeled attack data, making them particularly effective for uncovering new or stealthy threats. This capability was especially valuable because it allowed systems to identify novel intrusion patterns or insider misuse that deviated from normal baselines, even when there was no prior example of such attacks in the training data.

2. Answer: B. To introduce nonlinearity. The chapter specifically discussed that the ReLU (Rectified Linear Unit) activation function was used to introduce nonlinearity in the convolutional layers. This nonlinearity was crucial because it allowed the network to learn more complex patterns and relationships in the data, such as edges, shapes, and textures, which were important for malware detection tasks.

3. Answer: C. To preserve privacy while sharing threat data. The chapter emphasized that federated learning was primarily used to train AI models across decentralized data sources without pooling sensitive data in one place. This approach allowed organizations to benefit from collective threat intelligence while maintaining data privacy, which was crucial for security and compliance requirements.

4. Answer: B. A standardized language for representing cyber threat intelligence. This chapter addressed STIX (Structured Threat Information eXpression), a standardized language designed to represent cyber threat intelligence in a consistent, machine-readable format. It allowed organizations to describe entities such as indicators, threat actors, campaigns, and observed data in a common format that both humans and machines could process effectively.

5. Answer: B. They could operate continuously and adapt their focus based on learning. The chapter described how autonomous agents could continuously patrol networks and endpoints 24/7, adapting their focus based on what they learned. A case study addressed the adaptive capability that allowed an organization to investigate suspicious activities in real time and modify their hunting strategies based on feedback and experience.

6. Answer: A. To coordinate multiple AI agents in a structured workflow. LangGraph was described as a framework for creating structured AI workflows, allowing multiple AI agents to work together in a coordinated “graph” of tasks and decisions. It served as the backbone for orchestrating different specialized agents (such as asset discovery, vulnerability assessment, and threat monitoring) in a cohesive ASM system.

7. Answer: C. Potential false positives requiring human verification. The chapter identified false positives as a significant challenge in AI-driven threat intelligence systems. It explained that especially when first introduced, AI systems might flag benign activities as malicious, requiring human investigation and potentially overwhelming security teams if too frequent.

8. Answer: C. Analysis of unstructured text data from various sources. The chapter described how NLP techniques were used to interpret and analyze unstructured text data from various sources, including logs, security reports, email content, and dark web forums. This capability allowed systems to extract indicators of compromise, attacker TTPs, and infer attacker intent from text-based sources.

9. Answer: D. To secure the transport of threat data. The chapter defined TAXII (Trusted Automated Exchange of Indicator Information) as a protocol specifically designed for the secure exchange of cyber threat intelligence over HTTPS. It provided the mechanism for organizations to securely share STIX-formatted threat intelligence with trusted partners.

10. Answer: C. Optimization of response policies through learning from outcomes. The chapter explained that reinforcement learning was used to optimize response policies over time through learning from outcomes. For example, an RL agent in a SIEM could learn which responses effectively mitigated threats with minimal disruption by receiving rewards for successful actions, allowing it to refine its response strategies based on experience.
