Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

CISA Artificial Intelligence Use Cases

See how CISA is using Artificial Intelligence (AI) responsibly to improve its services and cybersecurity on several fronts while maintaining privacy and civil liberties. The use cases below are current examples of efforts that are underway. Check back for additional use cases as CISA explores other ways to integrate AI into its mission.

AIS Scoring & Feedback (AS&F)

Automated Indicator Sharing (AIS), a CISA capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect against and ultimately reduce the prevalence of cyber incidents. AIS is offered as part of CISA’s broad authority to share information relating to cybersecurity risks, including authority to receive, analyze, and disseminate information, and fulfills CISA’s obligation under the Cybersecurity Information Sharing Act of 2015 to establish and operate the federal government’s capability and process for receiving cyber threat indicators and defensive measures, and to further share this information with certain other agencies, in some cases in a real-time manner. For more information, please visit: https://www.cisa.gov/ais.

AIS Automated Scoring & Feedback (AS&F), built on the AIS Scoring Framework, defines an algorithm by which organizations can enrich Structured Threat Information Expression (STIX) Indicator objects shared via AIS with (1) an opinion value that states whether the information can be corroborated with other sources available to the entity submitting the opinion, and (2) a confidence score that states the submitter's confidence in the correctness of the information they submit into AIS. When leveraged by CISA, AS&F uses artificial intelligence and machine learning to perform descriptive analytics over organization-centric intelligence in support of confidence and opinion classification of indicators of compromise. Together, these enrichments help AIS recipients prioritize which Indicator objects to act on and investigate.

AI techniques used: Descriptive Analysis, Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Operation and Maintenance
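The enrichment described above, as an added example in Python (not CISA's AS&F code). It builds STIX 2.1 Indicator and Opinion objects by hand, corroborates an Indicator against a constructed set of the receiving organization's own sources plus a known-benign list, attaches the submitter's confidence, and shows how a recipient can rank Indicators by confidence-weighted opinions. The corroboration thresholds, the known-benign rule, the sample addresses and the priority weighting are this example's assumptions; the AIS Scoring Framework's actual algorithm is not reproduced here.

```python
"""STIX 2.1 Opinion/confidence enrichment of AIS-style Indicators (added example)."""
import uuid
from datetime import datetime, timezone

# STIX 2.1 opinion enumeration, ordered from least to most agreement.
OPINION_SCALE = ["strongly-disagree", "disagree", "neutral", "agree", "strongly-agree"]


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name, pattern):
    """Minimal STIX 2.1 Indicator as it might arrive through AIS."""
    ts = _timestamp()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "name": name, "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
    }


def indicator_value(indicator):
    """Pull the literal out of a simple comparison pattern such as
    [ipv4-addr:value = '198.51.100.7']. Simplification: one literal per pattern."""
    return indicator["pattern"].split("'")[1]


def assess(indicator, local_sources, known_benign):
    """Corroborate an Indicator against the receiving organization's own data.

    local_sources: {source_name: set_of_observed_values} (constructed, assumed)
    known_benign:  values the organization has already cleared as benign
    Returns a STIX opinion string; the thresholds are this example's assumption."""
    value = indicator_value(indicator)
    if value in known_benign:
        return "strongly-disagree"   # e.g. a shared CDN edge reported as an IOC
    hits = sum(1 for seen in local_sources.values() if value in seen)
    if hits == 0:
        return "neutral"             # no local evidence either way
    if hits * 2 >= len(local_sources):
        return "strongly-agree"      # seen by at least half of our sources
    return "agree"


def make_opinion(indicator, opinion, confidence, explanation):
    """STIX 2.1 Opinion SDO referencing the Indicator, carrying the submitter's
    `confidence` (0-100, a STIX common property) in their own assessment."""
    if opinion not in OPINION_SCALE or not 0 <= confidence <= 100:
        raise ValueError("invalid opinion or confidence")
    ts = _timestamp()
    return {
        "type": "opinion", "spec_version": "2.1",
        "id": f"opinion--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "opinion": opinion, "confidence": confidence,
        "explanation": explanation, "object_refs": [indicator["id"]],
    }


def prioritize(indicators, opinions):
    """Recipient-side triage: weight each opinion by its confidence and rank
    Indicators from most corroborated to most disputed."""
    scores = {ind["id"]: 0.0 for ind in indicators}
    for op in opinions:
        weight = (OPINION_SCALE.index(op["opinion"]) - 2) / 2   # -1.0 .. +1.0
        for ref in op["object_refs"]:
            if ref in scores:
                scores[ref] += weight * op["confidence"] / 100
    names = {ind["id"]: ind["name"] for ind in indicators}
    return sorted(((names[i], round(s, 2)) for i, s in scores.items()),
                  key=lambda t: t[1], reverse=True)


def demo():
    # Constructed sample data (RFC 5737 documentation addresses), not AIS content.
    c2 = make_indicator("Suspected C2", "[ipv4-addr:value = '198.51.100.7']")
    cdn = make_indicator("Shared CDN edge", "[ipv4-addr:value = '203.0.113.10']")
    local = {"netflow": {"198.51.100.7"}, "proxy": {"198.51.100.7", "203.0.113.10"}}
    benign = {"203.0.113.10"}
    ops = [
        make_opinion(c2, assess(c2, local, benign), 90, "seen in netflow and proxy"),
        make_opinion(cdn, assess(cdn, local, benign), 80, "known CDN range"),
    ]
    return prioritize([c2, cdn], ops)


if __name__ == "__main__":
    print(demo())   # [('Suspected C2', 0.9), ('Shared CDN edge', -0.8)]
```

The Opinion object is a separate SDO that points at the Indicator through `object_refs`, so the original submitter's Indicator is never modified; recipients that ignore opinions still receive exactly what was shared.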

Automated Indicator Sharing (AIS) Automated PII Detection

CISA's Automated Personally Identifiable Information (PII) Detection and Human Review Process incorporates descriptive, predictive, and prescriptive analytics. Automated PII Detection applies natural language processing tasks, including named entity recognition, together with Privacy guidance thresholds to automatically detect potential PII within Automated Indicator Sharing submissions. If a submission is flagged for possible PII, it is queued for human review, where analysts are given the submission together with AI-assisted guidance pointing to the specific PII concerns. During human review, analysts confirm or deny that PII was correctly identified and redact the information if needed. Privacy experts can also review the actions of the system and the analysts to ensure the entire process performs properly, and provide feedback to the system and analysts for process improvements. The system learns from the feedback of the analysts and Privacy experts.

Through automated PII detection, CISA complies with the Privacy, Civil Rights, and Civil Liberties requirements of the Cybersecurity Information Sharing Act of 2015 and scales analyst review of submissions by removing false positives and directing analysts to the submissions that need review. Through continual audits, CISA maintains integrity and trust in both the system and the human processes. For more information, please visit: https://www.cisa.gov/ais.

AI techniques used: Natural Language Processing (NLP)
Stage of System Development Life Cycle: Operation and Maintenance
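The detect, queue for review, confirm or deny, redact, and learn loop described above, as an added example in Python (not CISA's system). Regular expressions stand in for the named-entity-recognition models, a per-field prior stands in for the Privacy guidance thresholds, and analyst decisions feed back into the score through a smoothed precision estimate so that repeatedly denied detections stop being queued. The patterns, weights, threshold and the sample submission are all this example's assumptions.

```python
"""Automated PII screening with a human review queue and feedback (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Regex detectors stand in for NER models; patterns, field weights and the
# threshold are this example's assumptions, not CISA's Privacy guidance values.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "us_phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}
INDICATOR_FIELDS = {"pattern"}   # a sender address inside a STIX pattern is the IOC itself
REVIEW_THRESHOLD = 0.5


@dataclass
class Finding:
    field: str
    kind: str
    value: str
    score: float


class PiiScreener:
    """Automated detection, human review queue and feedback loop in miniature."""

    def __init__(self):
        # (field, kind) -> [confirmed_pii, denied] tallies from analyst decisions
        self.feedback = defaultdict(lambda: [0, 0])

    def _score(self, field, kind):
        base = 0.4 if field in INDICATOR_FIELDS else 0.9
        confirmed, denied = self.feedback[(field, kind)]
        # Laplace-smoothed precision of past flags for this (field, kind);
        # it starts at 0.5 so a fresh detector scores exactly `base`, and
        # repeated analyst denials push the score under the review threshold.
        precision = (confirmed + 1) / (confirmed + denied + 2)
        return min(1.0, round(base * precision * 2, 2))

    def detect(self, submission):
        findings = []
        for field, text in submission.items():
            if not isinstance(text, str):
                continue
            for kind, rx in PII_PATTERNS.items():
                for m in rx.finditer(text):
                    findings.append(Finding(field, kind, m.group(0), self._score(field, kind)))
        return findings

    def triage(self, submission):
        """('release', []) when nothing crosses the threshold, else ('review', flagged)."""
        flagged = [f for f in self.detect(submission) if f.score >= REVIEW_THRESHOLD]
        return ("review", flagged) if flagged else ("release", [])

    def review(self, submission, flagged, confirmed_values):
        """Analyst step: values in `confirmed_values` are real PII and get redacted;
        every confirm/deny decision is recorded for future scoring."""
        out = dict(submission)
        for f in flagged:
            is_pii = f.value in confirmed_values
            self.feedback[(f.field, f.kind)][0 if is_pii else 1] += 1
            if is_pii:
                out[f.field] = out[f.field].replace(f.value, f"[REDACTED {f.kind}]")
        return out


# Constructed AIS-style submission (documentation domains, fictitious phone number).
SAMPLE = {
    "name": "Credential phishing lure",
    "description": "Reported by jane.doe@example.org; recipient desk phone 202-555-0143.",
    "pattern": "[email-addr:value = 'billing@example.net']",
}


def demo():
    screener = PiiScreener()
    status, flagged = screener.triage(SAMPLE)
    # Analyst confirms the reporter's e-mail is PII; the desk phone is ruled out
    # of scope in this scenario, so it is denied and left in place.
    redacted = screener.review(SAMPLE, flagged, {"jane.doe@example.org"})
    return status, redacted


if __name__ == "__main__":
    print(demo())
```

The address inside the STIX `pattern` is scored low on purpose: the phishing sender is the indicator being shared, and redacting it would destroy the submission's value. That distinction between a field that carries the IOC and a field that carries free text is the kind of guidance the human reviewer needs alongside the raw detection.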

Advanced Analytic Enabled Forensic Investigation

CISA deploys forensic specialists to analyze cyber events at Federal Civilian Executive Branch (FCEB) departments and agencies, as well as at other State, Local, Tribal, Territorial, and Critical Infrastructure partners. Forensic analysts can use advanced analytic tooling, implemented with Artificial Intelligence, to better understand anomalies and potential threats. This tooling lets forensic specialists comb through data in an automated fashion with mathematically and probabilistically based models, so that high-fidelity anomalies are detected in a timely manner.

AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation

Advanced Network Anomaly Alerting

Threat hunting and Security Operations Center (SOC) analysts receive terabytes of data per day from the National Cybersecurity Protection System's (NCPS) Einstein sensors. Manually developed detection alerts and automatic correlation via off-the-shelf tooling are common, but not comprehensive. Many network attacks can be probabilistically determined given sufficient training data and time. Analysts use automated tooling to further refine the alerts they receive and to produce additional automated alerts based on aggregated information backed by subject matter expertise. This tooling lets CISA analysts comb through data in an automated fashion with mathematically and probabilistically based models, so that high-fidelity anomalies are detected in a timely manner.

AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation

AI Security and Robustness

This use case covers the frameworks, processes, and testing tools developed to govern the acquisition, development, deployment, and maintenance of AI technologies. Technology integrators within CISA, as well as across the rest of the federal enterprise, use AI-enhanced tools to assure the trustworthy, robust, and secure operation of their AI systems. These tools use Machine Learning and Natural Language Processing to speed up data processing and so enhance the assessment of AI technology within the agency.

AI techniques used: Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Initiation

Critical Infrastructure Anomaly Alerting

The Cyber Sentry program provides monitoring of critical infrastructure networks. Within the program, threat hunting analysts require advanced anomaly detection and machine learning capabilities to examine multimodal cyber-physical data on IT and OT networks, including ICS/SCADA. The Critical Infrastructure Anomaly Alerting model provides AI-assistance in processing this information.

AI techniques used: Machine Learning, Visualization
Stage of System Development Life Cycle: Initiation

Cyber Incident Reporting

AI techniques used: Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Initiation

Cyber Threat Intelligence Feed Correlation

Cyber Threat Intelligence Feed Correlation uses AI-enabled capabilities to accelerate correlation across multiple incoming information feeds. This enables more timely enrichment, which improves the information feeds CISA shares externally. AI allows the algorithm to use the information items and its results to learn the most efficient ways to perform the task. Additionally, tailored algorithms could be created to provide sustained surveillance of threat actor tactics, techniques, and procedures (TTPs).

AI techniques used: Machine Learning, Natural Language Processing (NLP)
Stage of System Development Life Cycle: Initiation
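The correlation step described above, as an added example in Python (not CISA's correlation engine). Three constructed feeds arrive in different shapes (dict records, a defanged CSV, and upper-cased domains); each is normalized to a canonical indicator key, and the keys are merged to give the number of independent feeds that agree, the earliest first-seen date, and the union of reported ATT&CK technique IDs. A URL also yields its host as a derived domain key so it can correlate with domain-only feeds. Feed shapes, values and technique IDs are all constructed for the example.

```python
"""Cross-feed indicator correlation and enrichment (added example)."""
import ipaddress
import re
from collections import defaultdict

# Three constructed feeds in different shapes (none are real CISA feeds).
FEED_A = [
    {"type": "ipv4", "value": "198.51.100.7", "first_seen": "2024-04-30", "ttp": "T1110"},
    {"type": "domain", "value": "update.example.net", "first_seen": "2024-05-01", "ttp": "T1071.001"},
]
FEED_B = """198[.]51[.]100[.]7,2024-04-28,T1110.001
hxxp://update[.]example[.]net/a.php,2024-05-02,T1071
203.0.113.9,2024-05-01,"""
FEED_C = [{"indicator": "UPDATE.EXAMPLE.NET", "observed": "2024-05-03", "technique": "T1105"}]

DOMAIN_RX = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def refang(s):
    return s.replace("[.]", ".").replace("hxxp", "http")


def normalize(raw):
    """Canonicalize one raw indicator into zero or more (kind, value) keys.
    A URL also yields its host as a derived domain key."""
    v = refang(raw.strip()).lower()
    if v.startswith(("http://", "https://")):
        host = v.split("/")[2].split(":")[0]
        return [("url", v), ("domain", host)]
    try:
        ip = ipaddress.ip_address(v)
        return [(f"ipv{ip.version}", str(ip))]
    except ValueError:
        pass
    if DOMAIN_RX.match(v):
        return [("domain", v)]
    return []   # unusable entry: dropped, not guessed


# One small adapter per feed shape; each yields (source, raw, first_seen, ttp).
def read_feed_a(records):
    for r in records:
        yield "feed_a", r["value"], r["first_seen"], r["ttp"]


def read_feed_b(text):
    for line in text.splitlines():
        value, seen, ttp = line.split(",")
        yield "feed_b", value, seen, ttp or None


def read_feed_c(records):
    for r in records:
        yield "feed_c", r["indicator"], r["observed"], r["technique"]


def correlate(*feeds):
    """Merge feeds on canonical keys: distinct-source count, earliest first_seen
    (ISO dates compare correctly as strings) and the union of technique IDs.
    Rows are ranked by how many feeds agree."""
    table = defaultdict(lambda: {"feeds": set(), "first_seen": None, "ttps": set()})
    for feed in feeds:
        for source, raw, seen, ttp in feed:
            for kind, value in normalize(raw):
                e = table[(kind, value)]
                e["feeds"].add(source)
                e["first_seen"] = seen if e["first_seen"] is None else min(e["first_seen"], seen)
                if ttp:
                    e["ttps"].add(ttp)
    rows = [{"kind": k, "value": v, "feeds": sorted(e["feeds"]),
             "first_seen": e["first_seen"], "ttps": sorted(e["ttps"])}
            for (k, v), e in table.items()]
    return sorted(rows, key=lambda r: (-len(r["feeds"]), r["value"]))


def demo():
    return correlate(read_feed_a(FEED_A), read_feed_b(FEED_B), read_feed_c(FEED_C))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Normalization is where most correlation value is won or lost: without refanging, case folding and URL-to-host derivation, the three reports of `update.example.net` would remain three unrelated records.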

Cyber Vulnerability Reporting

Vulnerability analysts require advanced automation tools to process data received through various vulnerability reporting channels and to aggregate the information for automated sharing. These tools use Machine Learning and Natural Language Processing to increase the accuracy and relevance of the data that is filtered and presented to human analysts and decision-makers. Machine Learning techniques also help aggregate the information in reports for presentation and further analysis. This includes data in the Known Exploited Vulnerabilities (KEV) catalog and the Common Vulnerabilities and Exposures (CVE) database.

AI techniques used: Natural Language Processing (NLP), Visualization
Stage of System Development Life Cycle: Initiation

Malware Reverse Engineering

Reverse engineering of malware, and software analysis more broadly, will continue to be a critical activity in support of CISA's cyber defense mission. Threat Focused Reverse Engineering (TFRE) leverages advanced engineering, formal methods, and deep learning techniques to produce better cyber threat intelligence. Without scalable, automated tools, it is difficult to disrupt sophisticated adversaries' malware development lifecycle. New, unique, automated techniques are needed to better target adversaries, augment analysts, and create sophisticated tools for end users. Core tools disrupt the adversary's development lifecycle by exposing tactics, techniques, and procedures (TTPs). Analysts can then spend more time and energy hunting and taking down threats, while adversaries spend less time operating malware and must commit more resources to reorienting. TFRE consists of a broader development pipeline providing tool hardening, enhanced computational abilities, understanding of deployment environments, and other important capabilities.

AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation

Operational Activities Explorer

Duty officers and analysts in CISA's Operations Center use a dashboard powered by artificial intelligence to make sense of ongoing operational activities. The AI combines new near-real-time event data (from open source reporting, partner reporting, CISA regional staff, and cybersecurity sensors) with historical cybersecurity and infrastructure security information and previous operational response activity to recommend courses of action and engagement strategies with other government entities and critical infrastructure owners and operators, based on potential impacts to the National Critical Functions.

AI techniques used: Machine Learning, Natural Language Processing (NLP), Visualization
Stage of System Development Life Cycle: Initiation

Security Information and Event Management (SIEM) Alerting Models

Threat hunting and Security Operations Center (SOC) analysts receive terabytes of log data per day. Manually developed detection alerts and automatic correlation in the Security Information and Event Management (SIEM) tool are common, but not comprehensive. Many cyber attacks can be probabilistically determined given sufficient training data and time. Analysts use automated tooling to further refine the alerts they receive and to produce additional automated alerts based on aggregated information and curated subject matter expertise. This tooling lets CISA analysts comb through data in an automated fashion with mathematically and probabilistically based models, so that high-fidelity anomalies are detected in a timely manner.

AI techniques used: Machine Learning
Stage of System Development Life Cycle: Initiation
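The "mathematically and probabilistically based models" that the Advanced Analytic Enabled Forensic Investigation, Advanced Network Anomaly Alerting, and SIEM Alerting Models entries all describe, as one added example in Python (not CISA's tooling, and not NCPS or SIEM data). It fits a per-host Poisson rate of failed logins from constructed historical hourly counts (the training data), parses a constructed hour of auth events, and alerts when the observed count is improbable under that host's own baseline. Hosts that appear with no baseline are surfaced to the analyst rather than silently ignored, since the model cannot vouch for them. The log format, baseline counts and alert threshold are this example's assumptions.

```python
"""Poisson-baseline alerting on failed logins per host (added example)."""
import math
import re
from collections import Counter

# Constructed one-hour slice of auth events (documentation addresses).
CURRENT_WINDOW = """\
2024-05-01T14:00:12Z host=vpn01 event=auth_fail user=jsmith src=198.51.100.7
2024-05-01T14:00:19Z host=vpn01 event=auth_fail user=admin src=198.51.100.7
2024-05-01T14:00:25Z host=vpn01 event=auth_fail user=root src=198.51.100.7
2024-05-01T14:01:02Z host=vpn01 event=auth_fail user=guest src=198.51.100.7
2024-05-01T14:01:40Z host=vpn01 event=auth_fail user=test src=198.51.100.7
2024-05-01T14:02:11Z host=vpn01 event=auth_fail user=oracle src=198.51.100.7
2024-05-01T14:02:58Z host=vpn01 event=auth_fail user=backup src=198.51.100.7
2024-05-01T14:03:30Z host=vpn01 event=auth_fail user=svc_sql src=198.51.100.7
2024-05-01T14:04:05Z host=vpn01 event=auth_fail user=jsmith src=198.51.100.7
2024-05-01T14:05:00Z host=vpn01 event=auth_ok user=jsmith src=203.0.113.44
2024-05-01T14:07:21Z host=web01 event=auth_fail user=deploy src=203.0.113.9
2024-05-01T14:31:44Z host=web01 event=auth_fail user=deploy src=203.0.113.9
2024-05-01T14:40:10Z host=web01 event=auth_ok user=deploy src=203.0.113.9
"""

# Constructed per-host auth_fail counts from the ten previous hourly windows;
# this is the training data the baseline is fitted from (assumed values).
BASELINE = {
    "vpn01": [2, 3, 1, 4, 2, 3, 2, 1, 3, 2],
    "web01": [1, 2, 2, 0, 3, 1, 2, 1, 2, 1],
}
P_THRESHOLD = 1e-3   # assumed: alert when the count is this unlikely under the baseline

LINE_RX = re.compile(r"host=(\S+) event=(\S+) user=(\S+) src=(\S+)")


def parse_failures(log_text):
    """Count auth_fail events per host in the window."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RX.search(line)
        if m and m.group(2) == "auth_fail":
            counts[m.group(1)] += 1
    return counts


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): one minus the lower sum, with each
    term derived from the previous one to avoid large factorials."""
    term = math.exp(-lam)
    lower = 0.0
    for i in range(k):
        lower += term
        term *= lam / (i + 1)
    return max(0.0, 1.0 - lower)


def alerts(log_text, baseline=BASELINE, threshold=P_THRESHOLD):
    """Hosts whose failed-login count is improbable under their own history.
    Hosts with no baseline are returned with p_value None so an analyst sees them."""
    counts = parse_failures(log_text)
    out = []
    for host, k in counts.items():
        history = baseline.get(host)
        if not history:
            out.append({"host": host, "observed": k, "expected": None, "p_value": None})
            continue
        lam = sum(history) / len(history)     # maximum-likelihood Poisson rate
        p = poisson_tail(k, lam)
        if p < threshold:
            out.append({"host": host, "observed": k, "expected": round(lam, 2), "p_value": p})
    return sorted(out, key=lambda a: (a["p_value"] is None, a["p_value"] or 0.0))


if __name__ == "__main__":
    for a in alerts(CURRENT_WINDOW):
        print(a)
```

With a baseline of 2.3 failures per hour, nine failures in one hour has a tail probability of roughly 6e-4 and is alerted, while web01's two failures against a baseline of 1.5 are unremarkable. A static rule such as "more than five failures" would fire on both a busy VPN concentrator and an idle host alike; the per-host rate is what makes the alert high-fidelity.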
