Evolutionary Algorithms, Adversarial Intelligence, and Cybersecurity with MIT CSAIL Senior Research Scientist Una-May O’Reilly

Audrey Woods, MIT CSAIL Alliances | July 14, 2025

What do co-evolution and cybersecurity have in common? MIT CSAIL Senior Research Scientist Una-May O’Reilly says more than you might think. If co-evolution can be understood as an arms race for resources, two species evolving new ways to get what they need while their prey or competitors co-adapt to thwart them, Dr. O’Reilly sees these same dynamics playing out in cyberspace between threat actors and cybersecurity defenses. She bridges nature and cybersecurity with her evolutionary algorithms, which allow her to develop novel approaches to cyber defenses. Even her own career has been an evolving process of generating and adapting different technical ideas while testing them on critical problem domains.

In the fast-moving age of AI, it has never been more important to fully grasp the ever-changing nature of adversarial intelligence. Dr. O’Reilly is now leveraging generative AI to access dispersed but related knowledge about cyber threats and defenses. She is also transforming coevolutionary algorithms by hybridizing them with large language models to gain a deeper understanding of the evolutionary dynamics between attackers and defenders in cyberspace. 

 

FINDING HER INTEREST: EVOLUTIONARY-INSPIRED COMPUTER PROGRAMMING

Dr. O’Reilly wasn’t originally drawn to Computer Science. In middle school when people were still programming with punch cards, she had little inherent interest in the field. However, having come from a family who believed in the importance of STEM education, she signed up for Computer Science courses in her first year of college. There were no more punch cards and, to her surprise, she enjoyed them. “I just loved this idea that you could write then pass very precise instructions to a machine and the machine would execute them, handling conditional choices and repetition.” In many ways, this process reminded her of human intelligence where “our brain is getting inputs from our senses, then executing in some biological way to make decisions and help us behave in the world in a very robust way.” Dr. O’Reilly was inspired to learn how we might program machines to behave as intelligently as humans do in the world, which led her to Artificial Intelligence. Thinking of how evolution has resulted in intelligence in many forms led her to evolutionary algorithms.

While evolutionary algorithms used to be a “modest, almost marginal approach to machine learning,” Dr. O’Reilly has watched them become so mainstream that most computer scientists don’t even note using them anymore. Two large reasons for this shift are the successful application of research to solve practical and important real-world problems and the ease with which concepts like population-based selection of fitter solutions and genetic adaptation of those solutions can be implemented in algorithms.

“My PhD work centered on using machine learning to generate code,” Dr. O’Reilly says, clarifying, “in fact, I was trying to evolve code.” This meant generating a variety of different code options, selecting the better ones and then applying variations to those repeatedly. Later, at CSAIL, she was approached to collaborate on investigating the “evolutionary arms race between taxpayers abusing the tax code and attempts to prevent the abuse.” The project modeled tax abuse competing with tax auditing to anticipate the range of possible abusive strategies. Dr. O’Reilly says, “this co-adaptation between two adversaries got me generally thinking about adversarial behavior and how it could be replicated with my evolutionary algorithms in other domains.”

One of these critical domains is cybersecurity. Presently, Dr. O’Reilly aims to replicate the adversarial intelligence that supports threat actors and defenders when they engage competitively in cyberspace. Cybersecurity has also been dramatically impacted by Generative AI, which has “tremendous capabilities in natural language processing, images, voice, and video.” While generative AI gives worrisome new abilities to attackers, it also offers opportunities to integrate knowledge and enable the better defenses that Dr. O’Reilly’s Anyscale Learning for All (ALFA) group at MIT CSAIL is actively exploring. 

KNOWLEDGE INTEGRATION, DEFENSIVE ANTICIPATION & RED TEAM SUPPORT

One ongoing project in ALFA consolidates different cyber knowledge sources. This allows generative AI to reason about that information and evolutionary algorithms to predict what attackers might do next. ALFA has created and maintains the open-access cyber graph database known as BRON. BRON is a large amalgamation of different open source data sources with information about cyber threats: TTPs (tactics, techniques, and procedures), weaknesses, vulnerabilities, attack patterns, and defensive tools. The enormous new capacities of generative AI mean that “it is possible to now reference BRON to find combinations of TTPs, vulnerabilities, and exploits that pose threats.” Dr. O’Reilly and her group are using BRON, generative AI, and classical AI planning to show how exploits may be chained through a network. This knowledge helps network security teams prioritize defensive measures that address vulnerabilities. It can also assist red teams, a term used for those role-playing as a threat actor in cybersecurity.

“People are very worried about AI agents in cybersecurity, and I agree that’s a legitimate concern,” notes Dr. O’Reilly. “The threat of intelligent autonomous AI agents being deployed in networks or devices while they consult an LLM is highly unlikely. You would detect something running that was making calls to a language model.” That’s the good news. “But what can happen now with generative AI is that adversaries use it beforehand to prepare their attacks with greater speed, accuracy, and volume.” Dr. O’Reilly and ALFA are using generative AI to consider the different capabilities defenders must expect and how to address them.


Overall, Dr. O’Reilly’s group is “really moving upwards from thinking about the low-level aspects of cyber attacks toward thinking about the behavior or co-evolutionary dynamics of attackers and defenders in cyberspace.” For enterprises who want to understand their risk, she says, “the more technologists like me can tell you about the new nature of threat actor strategies and tactics, based on the improvements of technology such as generative AI, the more informed you can be about what's under threat and how it will be threatened. That allows you to be more accurate in estimating what risk you're facing and to take the right countermeasures to mitigate that risk.”

[Image: Una-May O’Reilly speaking at the CSAIL Alliances Annual Meeting 2025]

A MESSAGE TO INDUSTRY

A central pillar of cybersecurity that Dr. O’Reilly recommends companies keep in mind is to always be thinking adversarially. Comparing cyberattacks to bank robberies, she says you can spend a lot of money and effort shoring up your defenses to known attacks (like building better locks or bulletproof glass) but unless you think about an attacker’s strategies, you probably won’t anticipate a new behavior that subverts those defenses (like password hacking for e-transfer). Staying up to date on adversarial intelligence also means sharing experiential data that companies may often want to keep private. “Breaches and times when it feels wrong to share information are actually the right time to do it—in a private and safe setting, because pooling information about what has happened to you helps people like me come up with models of attackers’ strategies, models of their tactics, and ways to predict what they’ll do next.”

Dr. O’Reilly also stresses the importance of agility and rapid adaptation. The technology is changing “underneath our very feet,” and the challenge is to move as quickly as possible and consider how threat actors and defenders can capitalize on new information and technology. “There’s plenty to be concerned about—deepfakes, explainability, new AI capabilities, and the unforeseen societal drawbacks of generative AI. But technology is a double-edged sword and can be equally recruited for defensive means.”

Learn more about Una-May O’Reilly on her group’s website or her CSAIL Page.