Do Machine Learning and Artificial Intelligence have a role in cybersecurity?

We live in a digital era in which digital systems have become the backbone of our daily activities, so when a cyberattack succeeds it can disrupt our lives in many ways. Recent security research highlights that most companies have weak cybersecurity policies and unprotected data, leaving them vulnerable to cybercrime.

According to Gartner, worldwide spending on cybersecurity is expected to reach $133.7 billion by 2022. As businesses increasingly feel their cybersecurity risks are growing, they will look toward more sophisticated ways of preventing, remediating, and mitigating those risks through modernized cybersecurity solutions.

Artificial intelligence and machine learning are now heralded as a way to help companies detect and respond to cybercrime more quickly.

While AI and ML have been around for decades in the form of concepts, their recent surge in popularity can be linked to two factors:

  • AI/ML programs are computationally intensive. The recent availability of cloud computing has made these algorithms practical, and new, more powerful hardware has helped as well.
  • Training AI and ML models requires large amounts of data. The rise of big data platforms has improved the effectiveness of AI and ML programs, making them “better than humans” in a myriad of applications.

In cybersecurity, AI and ML can be used to teach a machine everything we know to be good and everything we know to be bad. When an anomaly crops up, the machine can then decide whether it looks good or bad.

Let’s explore this in greater detail.

The Possibilities When AI/ML Come to Ensure Cyber Resilience

Cyberattacks keep getting bigger and more complicated: IoT attacks, phishing and spam, cryptojacking, data breaches, mobile malware, espionage operations and ransomware. The data loss and disruption these attacks cause cost companies money and reputation.

Machine learning offers a real advantage when it comes to cyber resilience. The ability of ML algorithms to analyze large data sets and identify patterns and anomalies almost instantly is critical to detecting and responding to cybersecurity events.

Automatically updating existing software defenses based on the assessments of AI- and ML-backed solutions can help tackle cybersecurity at scale.

Large email providers already use these technologies to block spam links and violent images and to detect phishing links, malware, and fraudulent payment demands. Machine learning shows great potential as a defense against viruses and malware.

Until recently, antivirus solutions have been mainly signature-based, meaning they identify malicious programs by extracting a unique fingerprint from each known sample. This traditional signature-based detection process is now outdated.

Such signatures are useful for recognizing a given variant and proposing a direct diagnosis, or even an associated clean-up. But when malicious tools become ever more complex and you have to deal with millions of them, a signature-only approach can no longer keep up.

You now need tools that detect what is not yet known and would otherwise remain invisible. For this purpose, artificial intelligence-based technologies will no longer be an option but a necessity in the coming years.

When a child distinguishes a dog from a cat, both of which are animals, they are not matching a fixed signature for “dog” or “cat”. They are using a powerful recognition mechanism in their brain.

A mature cybersecurity infrastructure in 2020 needs the same ability: to identify “goodware” or “malware” in the same way. Deep learning then takes on its full meaning, especially for a CSOC/CSIRT.

A few pioneers have embarked on this journey to build efficient artificial intelligence capable of sorting through millions of malicious tools and assisting the humans who face them.

Use Cases of AI/ML in Cybersecurity

Here are a few ways AI and ML can be applied to cybersecurity:

  • Forensic analysis with clustering – Data that does not fit preset parameters is grouped according to its similarities or anomalies. Forensic analysis sheds light on the method of attack and the damage done. Because clustering groups data without prior knowledge of which group it belongs to, it can help teams piece together the various elements after a breach.
  • Phishing and spam filtering with classification – Classification assigns data to predefined categories based on labelled examples. Using this technique for spam and phishing detection can help classify activity with precision and speed.
  • Incident response and risk management – The recommendation approach lets ML algorithms learn from inputs, past experiences, and associations in order to recommend decisions and approaches. It is useful to train the algorithm on the actions taken in response to various events; as it picks up patterns, the algorithm can then recommend ways to mitigate risks and respond to events.
  • Pentesting with generative frameworks – Based on historical data, ML-based programs can generate new possibilities that can be applied to data as new and challenging inputs. This could also lead to new offensive technologies in the near future.
  • Managing zero-day threats – Zero-day threats have no known or recognizable signatures. Experts use techniques such as sandboxing or memory dumps to analyze some of these threats. Sandboxing consists of running a suspicious file or program in a VM (virtual machine) sandbox and observing its behavior to decide whether it is good or bad. Done manually, this process can take several minutes, while AI/ML models can deliver a verdict in a few milliseconds.
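To make concrete the contrast the article draws between signature-based detection and learned classification (and the phishing classification use case above), here is an added example that is not from the original post or from TEHTRIS: a small Bernoulli naive Bayes classifier over six assumed URL features, trained on a constructed labelled set, beside an exact-hostname blocklist. The blocklist flags only hosts it has already seen, while the classifier also flags a held-out URL that shares the learned traits.

```python
import math
import re
from urllib.parse import urlparse
# Constructed training set for illustration (not real phishing data): 1 = phishing, 0 = benign.
TRAINING = [
    ("http://203.0.113.5/paypal/login.php", 1),
    ("http://secure-update.account-verify.example-bank.com.phish.example/login", 1),
    ("http://example-bank.com@phish.example/verify", 1),
    ("https://login.secure.account.update.phish.example/", 1),
    ("https://www.example.com/", 0),
    ("https://docs.example.org/guide/intro", 0),
    ("https://mail.example.com/inbox", 0),
    ("https://accounts.example.com/login", 0),
]
# Signature-style detection: an exact blocklist of hostnames seen in past phishing.
BLOCKLIST = {urlparse(u).hostname for u, label in TRAINING if label == 1}
SUSPICIOUS_WORDS = ("login", "verify", "secure", "update", "account")

def features(url):
    """Six boolean URL features (an assumed, illustrative feature set)."""
    host = urlparse(url).hostname or ""
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    return [
        is_ip,                                 # raw IP instead of a domain name
        "@" in url,                            # userinfo trick that hides the real host
        (not is_ip) and host.count(".") >= 3,  # deeply nested subdomains
        any(w in url.lower() for w in SUSPICIOUS_WORDS),
        "-" in host,                           # hyphenated look-alike hosts
        len(url) > 60,                         # unusually long URL
    ]

def train(samples):
    """Bernoulli naive Bayes with Laplace smoothing: prior and P(feature=1 | class)."""
    model = {}
    for label in (0, 1):
        rows = [features(u) for u, lab in samples if lab == label]
        n = len(rows)
        model[label] = (n / len(samples),
                        [(sum(r[i] for r in rows) + 1) / (n + 2) for i in range(6)])
    return model

def classify(model, url):
    """Return the class with the higher posterior, computed in log space."""
    x = features(url)
    scores = {label: math.log(prior) + sum(math.log(p if xi else 1 - p) for xi, p in zip(x, probs))
              for label, (prior, probs) in model.items()}
    return max(scores, key=scores.get)

def signature_match(url):
    """Signature-based check: flags only hosts already on the blocklist."""
    return urlparse(url).hostname in BLOCKLIST
```

With `model = train(TRAINING)`, the unseen `http://198.51.100.7/account/update` is missed by `signature_match` but classified as phishing, while `https://www.example.com/account` is classified as benign despite containing a suspicious word.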

The Limitations of AI and ML in Cybersecurity

A core principle in cybersecurity is defense in depth, which means having multiple security layers and not relying on any single technology. There is hype about AI and ML capabilities in cybersecurity, but a well-rounded cybersecurity strategy still requires that all the content a user accesses is scanned, that systems are patched and up to date, and so on.

Moreover, some classes of cybersecurity problems are better suited to AI and ML than others. Phishing detection, for instance, has a visual component. Advances in AI and ML vision algorithms have led us to apply those techniques to detect fake websites and raise an alert.

Similarly, AI and ML can detect unusual user behavior by training a neural network on what normal behavior looks like. Other use cases of AI and ML in cybersecurity may still be in their infancy and need testing.

When trained by cybersecurity experts, AI- and ML-based cybersecurity solutions can be a great addition to your enterprise’s security arrangements.

Learn more about our neural network-based engine that intelligently detects malware, a sub-module included in the TEHTRIS EDR product. A public version, called eGambit, is also available on VirusTotal, and we offer a specific enhanced AI to our customers in our Cyber Threats Intelligence infrastructure.

In 2020, look out for new features that improve how our tools help your SOC (Security Operations Center) using the latest technology.