Blog Series
The Main Concepts of AI and Machine Learning
Why do we need Machine Learning in Cybersecurity, and how can it help?
Data: The fuel that powers Machine Learning
AI is everywhere.
Its usage is most often connected with virtual assistants such as Cortana or Siri for example or with self-driving cars. There isn’t practically any industry where AI has no impact. Most of the time, AI appears as a game changer.
The recent advances in Artificial Intelligence have enabled near-to perfect machine translations from and to almost any language. It allows many software to operate faster and much more efficiently, for example in fraud detection, image recognition, biometrics and in many other areas. However, if there is one domain where AI can make a strong difference, then this is within cyber security.
Looking at the market
Market data reveals that digital threats keep growing exponentially in volume, frequency, and impact. One reason for this is the growing scale of cyberspace that expands the threat surface (IoT, e-commerce, remote work, BYOD, etc.). Everything about professional and personal life is becoming susceptible to cyber risks. (Microsoft Digital Defence Report , October 21)
In addition, cybercrimes are becoming more professional and coordinated. The “as a service” cybercrime model, cloudification of everything and even DevOps used by attackers – along with many other factors such as the rise of cryptocurrencies – enable attackers to accumulate budget and data, to invest in R&D to create more optimized and impactful attacks with higher volume, variety, and velocity.
SOC (Security Operations Center) teams, who already have a heavy workload are unable to deal with this exponential growth on their own. Given the attacker’s professionalisation in terms of speed, scale, precision, and stealth; it’s becoming increasingly challenging to keep-up with this fast-evolving landscape simply relying on traditional rule-based and signature-based systems. This is where AI can enter the game.
The World Economic Forum (WEF) list AI & Machine Learning (ML) as second most important trend to shape cyberspace, stating that “It is critical that the cyber security community quickly prepares to combat fast-emerging AI-enabled attackers, by continuing to evolve technologies and operational capabilities that can match their pace, dynamism and sharpened predictive capabilities. While non-AI risk controls will form an important baseline, this likely means using faster and more dynamic AI-enabled defenses.”
The general background
Cybersecurity was born from the existence of cyberthreats. As the networks developed exponentially over the last 30 years, everything became more and more connected. With the creation of such a new world, cyberspace, a new breed of predators emerged: ruthless ‘hackers’, internet pirates, cybercriminals, creators of malware, digital extortionists , scammers, skinners, and more.
With the necessity to protect the worldwide networks, especially the internet, cyber security became more and more vital. We all know how omnipresent in our professional digital lives are antiviruses, firewalls, routers, network scanners or databases of vulnerabilities.
With the advancement of AI, a legitimate question is: how will AI impact cyber security? Is AI capable of boosting cyber security or even performing autonomous tasks such as automatic detection of threats, auto-reparation, and systems self-defense? These are very legitimate points which we will develop in what follows.
So… what is AI anyway?
Before we develop in more detail these points, it’s worth providing a brief reminder on what exactly AI (Artificial Intelligence) is.
The term AI is a broad term that groups several methods and algorithms which allows a computer to ‘think’, that is to say to solve a problem in autonomous ways. AI contains a large number of various algorithms such as tree searches algorithms, statistical-inspired algorithms or machine learning algorithms, for instance.
Machine learning algorithms are subdivided into six subcategories: supervised, semi-supervised, unsupervised, reinforcement-based, transduction and learning to learn (see [2]).
Machine learning supposes the existence of a ‘training’. In general, it represents a machine which is able to learn. The artificial neural networks are currently an important area of development in AI, especially with deep learning and very deep learning, which is defined by the amount of layers in the neural networks. (see [1] for a good, comprehensive, introduction about machine learning)
There are other ways to see through the prism of AI. For now, AI machines are reactive and achieve limited memory (e.g. they react to input by providing an output and they can store dynamical data from the situation that they encounter during their real lifetime and re-use these data for becoming better and better). It is yet to be explored whether these AI machines may achieve theory of mind and self-awareness in a near or not-so-near future.
In all cases, the quality and quantity of input data used to learn is critical for machine learning- based AI. Similar to a human who has only seen a few things in his/her life or who have been taught few or/and incorrect things, an AI which is able of limited memory (and so, beyond the stage of reactivity) but which has no real data cannot and will not – in general – behave correctly.
Cyber Security + AI = ?
Here is an interesting equation which may hold the answer to many vital questions regarding the future of cybersecurity. The main challenges to be addressed by AI in cybersecurity are (see [3]) :
Using AI techniques in order to facilitate the prediction of future cyberattacks or the existence of potential vulnerabilities,
Using AI for forensic investigations, following a cybercrime,
Using AI to design more secure cyber protection softwares.
AI can be used, for example, to predict network attacks (Alexander Branitskiy and Igor Kotenko in [3]) or exploits (Mohammed Almukaynizi, Eric Nunes and al in [3]). This means that by analyzing on-the-fly network packets, an AI can potentially accurately predict (modulo the FAR and FRR rates) that an attack is ongoing and warn another system or an operator. An AI can also predict if a vulnerability will be exploited and give birth to an exploit.
Other uses of AI in the context of cyber security includes intrusion detection in general, RASP (Real-time Application Self-Protection) or anti-malware. An interesting case is that, if an AI is used to perform cybersecurity tasks, then this AI itself can be attacked and its learning set can be poisoned by false positives or false negatives.
Cybersecurity involves, indeed, a permanent war in which cyber-attackers will try increasingly audacious and unpredictable moves to win and where cyber-defenders will employ the best possible techniques to stop the attackers. Using AI could be one of these moves and new techniques, providing advantage over the adversary.
The importance of Input Data when using AI in cyber security
As we mentioned, data is vital to winning the cyberwar. After all, it’s not so hard these times to get important computational abilities and AI algorithms as well as their source code can be generally obtained for free from publicly-available websites. Hence the big difference when it comes to AI and cyber security is within the input data.
Indeed, cyber security works with a certain model which involves databases: databases of vulnerabilities, of exploits, of attacks and statistics. Some of these data may be obtained from specific organizations, like the database of open-source vulnerabilities or the CVE (Common Vulnerabilities and Exposures) database.
These open databases account for a small percentage of what an AI can use. The real data, which will be – for example – the base of the learning set of an AI, can be obtained ‘in the wild’, as a result of real attacks performed by real attackers. Cyber-Security companies with a broad application and access to wide data can leverage this to rapidly learn and stay ahead of those who do not have access to a similarly wide data range.
Use cases in Cyber-Security
The World Economic Forum lists the following cyber security use cases as the most important:
Improving security posture
Identifying and managing code and hardware vulnerabilities
Al-enabled reprogramming to secure vulnerable environments
Dynamic threat detection
Dynamic defenses that can identify novel and evolving threats (unlike traditional detection methods based on matching historical patterns). Autonomous detection and identification of malware, network anomalies and intrusions, spam and hornets, next-generation antivirus.
Proactive defense
Refinement of cyber deception to proactively create environments that are difficult for attackers to operate
Fast response and recovery
Automatic real-time responses to interrupt and contain machine speed attacks. Enriched analytics to support human investigation and response. Potentially faster recovery from incidents, for example, through the use of sell-regenerating networks to reinstate pre-compromise states.
Attribution
Using the pattern-recognition and analytical capabilities of Al in the forensic analyses underpinning cyber attribution
According to Gartner, (Emerging Technologies: Tech Innovators in AI in Attack Detection — Product and Business, Gartner Report, November 21 ), the main requirements for AI in security are improving detection and decreasing false positives . Supporting SOC tasks and automating investigation and response come next as further evolution points.
Gartner resumes in the report that “AI methods and techniques are being integrated into products in all security market segments, potentially making this technology, in aggregate, the largest impact on attack detection development for the next five to eight years.”
Gartner has studied 19 potential AI use cases in cyber security. The top 5 are all linked to threat detection: transaction fraud detection, file-based malware detection, process behavior analysis, abnormal system behavior detection, web domain and reputation assessment (Gartner AI Use-case Prism for Cybersecurity , 2021).
Conclusion
In this article, we only scratched the surface of what AI can bring to cybersecurity. The topic is huge, and we can expect several developments in the next few years.
The cybercrime ‘industry’ is blooming. Sadly, as we mentioned before, it has become a full economical (or even institutional) model in some parts of the world. The dark web is full of identically ‘dark’ online shops who sell viruses, zero-day attacks, exploits, infamous softwares to penetrate online banking, or individuals selling “services”. Grey or Black hats (all hats are grey at night…), ex-security consultants turned rogue or cyberbots masters looking to rent their zombie PCs.
Against such a growing criminal ‘ecosystem’, AI provides robust algorithms which will help to defend banks, administrations, or businesses against the cyber-plague. In other terms AI will help by improving detection, reducing false positives, sorting tons of information, monitoring logs, shaping better softwares with less flaws etc.
Anyway, it’s hardly possible to use AI without experts in cyber security who constantly accompany, evaluate and if necessary, correct the evolution of the data models and resulting algorithms.
AI will not replace the existing solutions in cyber security but it’s certainly something which will impact the whole cyber security model.
Follow VMRay’s series about AI and cyber security. We will shed light on specific features, risks, opportunities and trends and look at many of Gartner’s AI use cases in depth. We will also explain how VMRay is applying Machine Learning based AI around data analysis and concluding phishing and malware prediction, the company’s choice of algorithms and how this will lead to a continuous enhancement of the company’s dynamic threat detection.
References
Machine Learning: The Art and Science of Algorithms that Make Sense of Data. Peter Flach, Cambridge University Press, Year: 2012
Types of Machine Learning Algorithms. Taiwo Oladipupo Ayodele, University of Portsmouth United Kingdom
AI in Cybersecurity,Intelligent Systems Reference Library 151, Leslie F. Sikos Editor
Microsoft Digital Defense Report, October 21