The role of AI and machine learning in cybersecurity
By George Ralph, RFA – The use of Artificial Intelligence is becoming decidedly commonplace. Wikipedia describes AI research as “the study of intelligent agents: any device that perceives its environment and takes actions that maximise its chance of success at some goal.” AI is often used interchangeably with Machine Learning, which is described as the subfield of computer science that, according to Arthur Samuel, gives "computers the ability to learn without being explicitly programmed."
Machine Learning more accurately describes the technology that we are seeing more and more often in the IT industry, with machines programmed to have neural networks, which can plug into the internet and get access to the vast amounts of data and information stored there, and then interpret and classify that data in a similar way to the human brain. Feedback on whether the machine has predicted correctly or incorrectly closes the loop and allows the machine to learn, in order to modify future behaviour.
Is it all hype though? Gartner listed Machine Learning at the very top of the ‘Peak of Inflated Expectations’ in its 2016 Hype Cycle for Emerging Technologies, but I’ve seen some evidence of ML being applied in real life, and what interests me most is how this technology is being used by cybersecurity vendors. The pace that is being set by the world’s cybercriminals is phenomenal. Governments, industry and security professionals are struggling to stay one step ahead of the relentless and inventive tide of cyberattacks. This is really where the forward-thinking cybersecurity vendors come in, with solutions that can interpret unstructured data like blogs, websites and research papers, and correlate it with structured data to identify and prioritise threats and insights. These can then automatically trigger remedial action, or protect further against cyber breaches.
Next generation antivirus solutions have been touted as cybersecurity’s silver bullet and work by examining every process on every endpoint, using algorithms to automatically detect and block malicious tools, tactics, techniques and protocols. Traditional antivirus solutions came unstuck with completely new malware not derived mainly from a known family as this could evade detection. Likewise, legitimate software being used maliciously could be hard to spot. Some next generation antivirus solutions include functionality which can observe how the software is behaving and correlate that with known behaviours of malicious malware. This means you can identify malware, even when it hasn’t been seen before. The ML element of this means that the antivirus will learn from the behaviours it sees and recognise them next time. Antivirus alone is not enough to stop cyberattacks completely, even ML enabled next generation antivirus, so a multi-layered solution is always the best approach.
Next generation web filtering solutions use ML to understand what web content has previously been categorised, using existing lists. The speed at which the machine can seek out subtle differences in requests and responses would be impossible for a human, and this process can be an effective layer.
Behavioural analytics are the other mainstay of AI and ML in cybersecurity, and work by establishing a baseline of normal behaviour, by observing the network or users over a period of time. If the behaviour of either the network, or the user deviates from the norm, that can be seen as malicious and action can be taken. ML offers what some call “many eyes”, or the ability to observe behaviour and activity continuously in real time, and to correlate across thousands of events every day. The scale and automatic nature of ML is where it comes into its own.
Of course, whilst AI and ML are a natural step forward for the cybersecurity industry, they are a reaction to the scale and pace of cyberattacks, and while the technology can be used for preventing attack, it is also being used for launching attacks. AI and ML will be studied very carefully by cybercriminals and it won’t be long before we’re seeing ML working across different social channels, research and phishing attacks, to launch coordinated, large-scale attacks that will continue to become ever more sophisticated.