Why do we need Machine Learning in cybersecurity and how can it help?
Machine Learning Blog Post Series – 3
By Shazia Saqib
MACHINE LEARNING BLOG SERIES
- Machine Learning & Cybersecurity – An Introduction
- The main concepts of AI and Machine Learning
- Data – The fuel that powers Machine Learning
In 2021, cyber-crime continued to reveal new threats and breaches that have escalated the need to modernize security strategies and operations. According to Forbes, 61% of enterprises claim that they are unable to perform intrusion detection without using AI and ML [1].
For example, AI and ML techniques are powerful at detecting malicious insiders and attacks such as advanced persistent threats (APTs). User and Entity Behavior Analytics (UEBA) can detect anomalous activities that may require further action, and network detection and response (NDR) uses AI and ML techniques to monitor network traffic in order to detect malicious activities.
In our first article, “Machine Learning and Cyber Security: An Introduction”, we gave a general introduction to the state of cyber security and explained why AI is increasingly entering the scene. In our second article, “The Main Concepts of AI and Machine Learning: An Overview”, we shed light on the main concepts of AI and Machine Learning. In this third article, we will explore the growing role of AI, and particularly of Machine Learning, in cyber security, and explain why organizations such as the World Economic Forum (WEF) rank it as one of the most important trends shaping cyberspace.
Why the Support of AI / ML is Required in a Disruptive IT-Landscape
The IT landscape is rapidly changing, and this brings new threats and challenges to incumbent cyber-security concepts. There has been a shift from “computing” to “networks”, and then from networks to “web-based, social media and cloud” as well as “edge computing”. The age of “ambient computing” will follow, with practically unlimited network connections linked through sensors and intelligent user apps. This enormous change means that cyber-attacks have increasing potential to disrupt everyone’s professional and personal lives. The expansion of cyberspace (e-markets, IoT, e-commerce, remote work, etc.) leads to an exponential increase in the threat surface. On top of that, cyber-crime is turning into an “as-a-service” industry.
As part of the trend towards the “cloudification of everything”, the dark web now provides an organized business platform. It enables attackers to hit networks in a more organized manner, with greater velocity, volume, and variety. As a result, organizations are now facing an industrialized attacker profile that offers specialization and a trade in banned and harmful commodities. The figure above shows many products that are available in dark markets at very low cost, which ultimately scales up the volume of cyber-attacks [3].
It’s very hard to combat this fast-evolving threat landscape with traditional rule-based or signature-based solutions alone. This is why the support of Machine Learning will help cyber security keep pace with the ongoing change.
The analytics and automation capabilities of AI and ML help bridge the gaps in cyber security by uncovering hidden patterns that identify attacks and by automatically mitigating them. With high-speed internet and big data, AI can offer advanced cyber security tools that help in the prevention of cyber-attacks [2].
Artificial Intelligence for IT Operations (AIOps), a term coined by Gartner, applies machine learning and analytics to big data, analyzing massive volumes of network and machine data to uncover underlying patterns and identify the root cause of existing and future problems. According to Gartner, AIOps uses both ML and big data for operations like causality determination, anomaly detection and event correlation. The AIOps market is worth $17 billion annually and is expected to grow rapidly.
AIOps and the use of Machine Learning can also add value in advanced threat detection by providing a more predictive and prescriptive solution for detecting and resolving threats, and thus for identifying and mitigating risks. AI-based solutions can detect threats in enterprise networks, cloud, data centers, and IoT devices. AI tools can also provide smart solutions to cyber-attacks on payloads, networks, antivirus, and firewalls, as well as providing efficient forensic analysis of cyber-attacks [4].
Use cases of AI methods in cyber security
Artificial Intelligence can be used for four different types of analytics:
- For descriptive analytics, which examine “what happened?”
- For explanatory analytics that reveal “what factors contributed to this outcome?”
- For predictive analytics that tell us “what is likely to happen in the future?”
- For prescriptive analytics which – when used for optimization purposes – focus on the effects that different actions have on end results.
According to Gartner, the main requirements for AI in security are improving detection and decreasing false positives (FPs), a false positive being a case in which a model incorrectly predicts the positive class.
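The two requirements just named pull against each other at the threshold a detection model uses. As an added example (not code from the original post or from VMRay), the following Python counts true/false positives for a hypothetical malware-scoring model over constructed sample scores and picks the lowest threshold whose false-positive rate stays within a budget.

```python
# Added example: detection rate vs. false positives for a hypothetical scoring
# model. Every score and label below is constructed sample data, not real output.
from dataclasses import dataclass

# (model score in [0, 1], true label) for 12 analysed samples; True = malicious.
SAMPLES = [
    (0.98, True), (0.91, True), (0.87, True), (0.72, True), (0.66, True),
    (0.45, True),
    (0.80, False), (0.61, False), (0.39, False), (0.20, False), (0.12, False),
    (0.05, False),
]


@dataclass
class Confusion:
    tp: int = 0  # flagged and actually malicious
    fp: int = 0  # flagged but benign: the false positive defined in the text
    fn: int = 0  # not flagged but malicious: a missed detection
    tn: int = 0  # not flagged and benign

    def detection_rate(self) -> float:  # recall / true-positive rate
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    def false_positive_rate(self) -> float:
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0


def confusion_at(threshold: float, samples=SAMPLES) -> Confusion:
    """Flag a sample as malicious when its score is >= threshold."""
    c = Confusion()
    for score, malicious in samples:
        flagged = score >= threshold
        if flagged and malicious:
            c.tp += 1
        elif flagged:
            c.fp += 1
        elif malicious:
            c.fn += 1
        else:
            c.tn += 1
    return c


def lowest_threshold_within_fpr(max_fpr: float, samples=SAMPLES) -> float:
    """Lowest threshold (hence highest detection rate) whose FPR is <= max_fpr.
    Candidate thresholds are the observed scores; FPR only grows as the
    threshold drops, so the scan can stop at the first violation."""
    best = None
    for t in sorted({s for s, _ in samples}, reverse=True):
        if confusion_at(t, samples).false_positive_rate() > max_fpr:
            break
        best = t
    return best
```

Lowering the threshold from 0.85 to 0.5 on this data lifts the detection rate from 3/6 to 5/6 but introduces two false positives, which is exactly the trade-off an analyst tunes against an FP budget.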
Another Gartner study ranks 19 of the most prominent AI use cases in Cybersecurity. This study can be seen as a strong indicator that the threat detection category potentially offers the highest value to the market, compared to “policy” and “response” categories.
In this report, Gartner evaluates these use-cases in terms of 5 dimensions of business value and feasibility:
- Security Posture Improvement focuses on threat detection, policy management, and incident response.
- Threat Vector Criticality gives us insight into how technology is helping against critical threats.
- Operational Efficiency determines how the automated process helps improve the system with the same resources.
- Technical Feasibility tells whether the use case can be delivered with existing controls or requires a new dedicated solution.
- Organizational Readiness measures how easily an organization can adopt a use case without any major cost.
Of the 19 use cases listed on Gartner’s “AI use-case prism,” the top 5 are all linked to threat detection:
- transaction fraud detection,
- file-based malware detection,
- process behavior analysis,
- abnormal system behavior detection,
- web domain and reputation assessment [5].
Two of these top five are among the core strengths of VMRay: “advanced detection of web/URL-based and file-based malware and phishing attempts.” VMRay’s Machine Learning Lab has developed and deployed a machine learning model as part of VMRay’s comprehensive stack of cutting-edge technologies to leverage these strengths and enhance threat detection capabilities.
Conclusion
In this article, we covered the fast expansion and evolution of the cyber threat landscape and scratched the surface of the potential use cases which AI and Machine Learning can address.
Artificial Intelligence indeed can offer great value in many use-cases, but we should also keep in mind that it is not a silver-bullet. It should not be seen as a stand-alone solution; it will not be sufficient to provide ultimate protection by itself. However, when embedded in a framework of meshed tools, it can significantly enhance the accuracy and speed of automated threat detection, all while reducing the rate of false positives, which are among the top priorities of SOC teams. Prerequisite to this is the provision of accurate and noise-free data as a reliable starting point for the machine learning algorithm.
As one of the pioneers of advanced threat detection, VMRay has developed its machine learning model on top of its Advanced Threat Detection Platform. Throughout the years, they have moved beyond their strong basis, their groundbreaking sandbox technology, by developing 20+ cutting-edge detection and analysis technologies. And this number keeps growing with each new release.
In the next article, we will get deeper into how Machine Learning models are developed and validated, and what it takes to create the most reliable models.
References