Book Excerpt: Machine Learning Forensics for Law Enforcement, Security, and Intelligence

Article Posted: February 22, 2012

Deductive Forensics: Anticipating Attacks and Precrime

5.1 Artificial Intelligence and Machine Learning
As early as the 1950s, the quest for computer systems that can learn has been a vision of those involved in the field of artificial intelligence and machine learning. However, it was not until the advent in the 1980s of new algorithms coupled with increased computing power that the vision of machine learning was realized via symbolic classifiers such as decision trees, neural networks, and genetic algorithms. A new generation of researchers began to develop machine learning algorithms such as C4.5 and CART for the classification of arbitrary classes of objects on real-world problems such as segmentation and prediction.

Machine learning forensics is not so much a single technique as a “hybrid” approach, which uses multiple algorithms and tools such as link analysis, text analytics, clustering, and decision trees to discover hidden knowledge from multiple data sources. It is important that the forensic investigator be aware that no single algorithm can solve the problem of knowledge discovery; some algorithms will perform well on some part of the data set, whereas others are useless there. The important fact is that algorithms such as decision trees scale up very well for large data sets, which increasingly are the norm in most organizations. It is vital to consult with domain experts while organizing a strategy as to the data sources and algorithms to be used in forensic investigations. Human guidance and experience are a major component of a digital forensic investigation; at every juncture, consulting with the client is essential to ensure that the machine learning tools are being used properly and with the maximum chance of success. Behavioral forensics will always rely on human expertise coupled with the brute analysis of machine learning algorithms.

Another advantage of decision trees, or rule generators, is that they lend themselves to easy interpretation, so that decision makers can readily grasp the graphs and rules they generate. This is not the case with other machine learning algorithms such as back-propagation neural networks, which generate “black box” formulas that contain no information on how they arrived at their solution. The single exception is the self-organizing map (SOM) neural network, which by design allows for free-form unsupervised learning via autonomous clustering and the generation of easy-to-comprehend clusters and graphs.

In addition, symbolic classifiers such as C4.5, CHAID, and CART and other proprietary decision tree tools outperform neural networks or statistical regression when it comes to analyzing corporate data sets, which typically contain numeric and categorical attributes such as gender, marital status, etc. This, coupled with their transparency in explaining their findings as a simple set of conditional rules, makes them ideal for presenting findings to decision makers. A major multinational, multi-industry, multi-dataset project known as StatLog during the 1990s concluded, after comparing several classification algorithms, that symbolic classifiers were superior to regression and neural networks in the classification of corporate data sets. It is important that the forensic investigator be flexible and be prepared to develop hybrid solutions, detection systems, and investigations using various techniques and algorithms.
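As an added illustration of the rule transparency described in the two paragraphs above, the following Python builds a small ID3-style decision tree (information-gain splits, the same family as C4.5) over a handful of constructed authentication records and then flattens the tree into IF ... THEN rules an investigator can read and defend without any knowledge of the algorithm. This is example code written for this page, not code from the book or its authors; the attribute names, record values and labels are all made up for the example.

```python
import math
from collections import Counter

# Constructed authentication records for illustration (not data from the book).
# Three categorical attributes per record plus the label an analyst assigned.
RECORDS = [
    {"new_device": "no",  "geo_mismatch": "no",  "failed_attempts": "low",  "label": "benign"},
    {"new_device": "no",  "geo_mismatch": "no",  "failed_attempts": "high", "label": "benign"},
    {"new_device": "no",  "geo_mismatch": "no",  "failed_attempts": "high", "label": "benign"},
    {"new_device": "yes", "geo_mismatch": "no",  "failed_attempts": "low",  "label": "benign"},
    {"new_device": "yes", "geo_mismatch": "no",  "failed_attempts": "high", "label": "suspicious"},
    {"new_device": "no",  "geo_mismatch": "yes", "failed_attempts": "low",  "label": "suspicious"},
    {"new_device": "no",  "geo_mismatch": "yes", "failed_attempts": "high", "label": "suspicious"},
    {"new_device": "yes", "geo_mismatch": "yes", "failed_attempts": "low",  "label": "suspicious"},
    {"new_device": "yes", "geo_mismatch": "yes", "failed_attempts": "high", "label": "suspicious"},
]
ATTRIBUTES = ["new_device", "geo_mismatch", "failed_attempts"]


def entropy(records):
    """Shannon entropy (in bits) of the label distribution of `records`."""
    n = len(records)
    counts = Counter(r["label"] for r in records)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def information_gain(records, attr):
    """Entropy reduction obtained by splitting `records` on `attr`."""
    n = len(records)
    groups = {}
    for r in records:
        groups.setdefault(r[attr], []).append(r)
    remainder = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(records) - remainder


def build_tree(records, attributes):
    """ID3-style induction. Returns a label string for a leaf, or a node dict
    {"attr": <split attribute>, "branches": {value: subtree}} for an internal node."""
    labels = Counter(r["label"] for r in records)
    if len(labels) == 1 or not attributes:
        # Pure node, or no attributes left to split on: predict the majority label.
        return labels.most_common(1)[0][0]
    # max() keeps the first attribute among ties, so the result is deterministic.
    best = max(attributes, key=lambda a: information_gain(records, a))
    remaining = [a for a in attributes if a != best]
    node = {"attr": best, "branches": {}}
    for value in sorted({r[best] for r in records}):
        subset = [r for r in records if r[best] == value]
        node["branches"][value] = build_tree(subset, remaining)
    return node


def extract_rules(tree, conditions=()):
    """Flatten the tree into one human-readable IF ... THEN rule per leaf."""
    if not isinstance(tree, dict):
        antecedent = " AND ".join(conditions) if conditions else "TRUE"
        return [f"IF {antecedent} THEN {tree}"]
    rules = []
    for value, subtree in tree["branches"].items():
        rules.extend(extract_rules(subtree, conditions + (f"{tree['attr']} = {value}",)))
    return rules


def classify(tree, record):
    """Walk the tree for one record and return the predicted label.
    Raises KeyError for an attribute value never seen in training."""
    while isinstance(tree, dict):
        tree = tree["branches"][record[tree["attr"]]]
    return tree


TREE = build_tree(RECORDS, ATTRIBUTES)

if __name__ == "__main__":
    for rule in extract_rules(TREE):
        print(rule)
```

On these records the tree splits first on geo_mismatch (the attribute with the largest information gain) and yields four rules, each of which can be checked against the underlying records by hand; that audit trail is exactly what a back-propagation network's weight matrix does not offer.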
