Artificial intelligence applied to cybersecurity: The way forward
Every day in 2017, the world registered over 400,000 new malicious programs (malware). Most of this malware is polymorphic: on each infection it changes part of its code to evade detection while keeping its destructive capability intact, so each variant is seen only once, which renders most signature-based antivirus programs ineffective. Today, cyberattacks are even more sophisticated and increasingly automated. The attack surface is also more diverse and more exposed (Bring Your Own Device, the Internet of Things, etc.).
The sophistication of cyberattacks therefore calls the classical, signature-based approach to cyber protection into question, all the more so because the cognitive capacity of human security analysts can hardly keep up with the speed and breadth of cyber threats. Traditionally, the security analyst's approach is reactive (analyzing logs and traffic patterns, patching, scanning, etc.) rather than proactive (classifying, predicting, simulating, etc.). Moving to a new generation of cyber defence is a timely issue. This is where Artificial Intelligence (AI) comes into play. Its great strength lies in being able to learn from past events and to take a holistic, real-time approach to securing digital infrastructures.
As depicted in the figure above, the traditional approach to cyber security relies on:
1) Signatures: unique identifiers of known malware (a virus, a trojan, etc.), typically a hash of the file or a characteristic byte pattern. Antivirus vendors constantly look for new malware; when a sample is detected, its signature is added to the known-malware list and pushed to the antivirus program as an update.
2) Rules: tools such as antivirus programs, firewalls or intrusion detection systems are built on a set of rules, generally if-then instructions. Their limitation is that they have no learning capability and rely on existing signatures, so they may not flag attacks or malicious files for which no signature has yet been developed.
3) Analysis: the set of activities security analysts perform to respond to cyber threats (filtering, routing, etc.).
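The gap between a per-file signature and a polymorphic variant, as an added example written for this page (it is not the author's code or any vendor's engine): an inert, constructed "malware" byte string is re-encoded the way a polymorphic engine would, then checked both with an exact-hash signature and with a crude feature comparison taken after emulating the decoder stub. The samples, the `DECODE:` stub format, the junk-byte count and the 0.9 similarity threshold are all invented for the illustration; the byte-histogram similarity is a deliberately simple stand-in for the learned features a real classifier would use.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed inert byte strings standing in for a malicious file and a benign one.
# The "malicious" sample is chosen so that its byte histogram is roughly flat.
BASE_SAMPLE = b"MZ\x90\x00" + b"payload:" + bytes(range(256)) * 4
BENIGN_SAMPLE = b"Hello, this is a harmless text file.\n" * 10

STUB_PREFIX = b"DECODE:"  # hypothetical decoder-stub marker used by the toy engine


def sha256_signature(sample: bytes) -> str:
    """The classic signature: a hash of the entire file."""
    return hashlib.sha256(sample).hexdigest()


def polymorphic_variant(sample: bytes, key: int, junk_count: int = 20) -> bytes:
    """Simulate one polymorphic infection cycle.

    1. Sprinkle junk NOP bytes (0x90) into the body so length and layout shift.
    2. XOR-encode the body with a per-infection key (0..255).
    3. Prepend a decoder stub carrying the key, so the payload still runs.
    Every variant therefore hashes differently while carrying the same logic.
    """
    rng = random.Random(key)  # seeded per key so the example is reproducible
    body = bytearray(sample)
    for _ in range(junk_count):
        body.insert(rng.randrange(len(body) + 1), 0x90)
    encoded = bytes(b ^ key for b in body)
    return STUB_PREFIX + bytes([key]) + encoded


def emulate_decoder(variant: bytes) -> bytes:
    """Do what a sandbox or emulator does: run the stub and recover the real body."""
    if not variant.startswith(STUB_PREFIX):
        return variant  # no stub: treat the file as already in the clear
    key = variant[len(STUB_PREFIX)]
    return bytes(b ^ key for b in variant[len(STUB_PREFIX) + 1:])


def byte_histogram(data: bytes) -> list:
    counts = Counter(data)
    return [counts.get(i, 0) for i in range(256)]


def histogram_similarity(a: bytes, b: bytes) -> float:
    """Cosine similarity of byte histograms: a crude stand-in for learned features."""
    ha, hb = byte_histogram(a), byte_histogram(b)
    dot = sum(x * y for x, y in zip(ha, hb))
    norm_a = math.sqrt(sum(x * x for x in ha))
    norm_b = math.sqrt(sum(y * y for y in hb))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def signature_scan(sample: bytes, known_hashes: set) -> bool:
    """Signature/rule approach: flag only an exact hash match."""
    return sha256_signature(sample) in known_hashes


def behavioral_scan(sample: bytes, family_reference: bytes, threshold: float = 0.9) -> bool:
    """Feature approach: decode first, then compare features with a known family."""
    return histogram_similarity(emulate_decoder(sample), family_reference) >= threshold


def demo() -> dict:
    known = {sha256_signature(BASE_SAMPLE)}
    variants = [polymorphic_variant(BASE_SAMPLE, k) for k in (0x41, 0x7F, 0xC3)]
    return {
        # each variant would need its own signature entry in the vendor's list
        "distinct_hashes": len(known | {sha256_signature(v) for v in variants}),
        "signature_hits": sum(signature_scan(v, known) for v in variants),
        "behavioral_hits": sum(behavioral_scan(v, BASE_SAMPLE) for v in variants),
        "benign_flagged": behavioral_scan(BENIGN_SAMPLE, BASE_SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the article describes: the three variants produce three new hashes that the signature list does not contain, while the decoded bodies still sit well above the family threshold and the benign text sits far below it. The decoder emulation is the expensive step a signature scanner skips, and it is also the step a real engine would have to harden against anti-emulation tricks.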
The AI-based approach to cybersecurity is a new paradigm that moves from signatures, rules and analysis to 1) big data, 2) deep learning and 3) security analytics.
Big Data: data is central to cyber defence in an AI approach, since AI can process large volumes of data at far greater speed. Sources of data include not only logs, transactions, business applications, emails, files, web pages, network flows, APIs, etc., but also behavioral data: the behavior of devices (e.g. traffic patterns, amount of data transmitted over the internet, processor power consumed, etc.) and the behavior of users (time and place of authentication, identity and access management data, usage patterns such as mouse and keyboard dynamics, etc.).
Deep Learning: the aggregated data is used to train a machine learning system (a virtual agent; deep neural networks are the usual choice, but any supervised model fits the workflow described here). Through supervised learning, the virtual agent learns progressively from the daily validations performed by human analysts. When the system is thoroughly and well trained, it becomes capable of differentiating normal events from anomalies, and multiple cycles of validation make the model stable and predictive. One of machine learning's greatest strengths is user and entity behavior analytics (UEBA), which determines whether the activity of a given user or device is anomalous relative to its own past behavior.
Security Analytics: security analytics, powered by AI, leverages the work of security analysts. By correlating events and taking the whole context of a cyber threat into account, AI-based security analytics enables proactive incident detection and response. For example, monitored network traffic can be used to identify indicators of compromise before an actual breach occurs, or ransomware can be detected and neutralized practically in real time, before it spreads to the entire organization. Security analytics can be implemented for a wide variety of use cases, such as social engineering, surveillance, anti-spam, anti-phishing, network analysis, data exfiltration, detection of compromised accounts, and so on.
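The behavioral baseline and validation loop described under Deep Learning, together with the compromised-account use case from Security Analytics, as an added example that is not part of the original article: a small user and entity behavior analytics model that learns each user's login hours, countries and devices from constructed authentication log lines, scores new logins against that history, and folds analyst verdicts back into the baseline. The log format, the three features, the 2.0 score threshold and the user names are assumptions made for the illustration, and the smoothed categorical model is a deliberately simple stand-in for a deep network.

```python
from __future__ import annotations

import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed authentication log, not taken from any real system.
# Columns: ISO-8601 timestamp, user, source country, device id, outcome.
TRAINING_LOG = """\
2024-03-04T08:55:12Z alice FR laptop-a1 success
2024-03-04T09:02:40Z bob GB desktop-b7 success
2024-03-05T08:47:03Z alice FR laptop-a1 success
2024-03-05T18:30:11Z bob GB phone-b2 success
2024-03-06T09:10:55Z alice FR laptop-a1 success
2024-03-07T09:31:20Z alice FR laptop-a1 success
2024-03-08T10:05:00Z alice FR laptop-a1 success
2024-03-08T09:15:42Z bob GB desktop-b7 failure
2024-03-11T08:59:37Z alice FR laptop-a1 success
2024-03-12T09:44:08Z alice FR laptop-a1 success
2024-03-13T10:22:19Z alice FR laptop-a1 success
2024-03-14T11:15:50Z alice FR laptop-a1 success
2024-03-15T09:03:27Z alice FR laptop-a1 success
"""


def parse_event(line: str) -> dict:
    ts, user, country, device, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # outcome is parsed so the record is complete, but not modelled as a feature here
    return {"when": when, "user": user, "country": country,
            "device": device, "outcome": outcome}


def features(event: dict) -> dict:
    """Behavioral features: 4-hour time-of-day slot, source country, device."""
    return {"hour_slot": event["when"].hour // 4,
            "country": event["country"],
            "device": event["device"]}


class UserBaseline:
    """Per-user categorical model of past behaviour. Add-one smoothing keeps a
    never-seen value at a small, non-zero probability rather than at zero."""

    def __init__(self) -> None:
        self.counts: dict = defaultdict(Counter)
        self.n = 0

    def update(self, event: dict) -> None:
        for name, value in features(event).items():
            self.counts[name][value] += 1
        self.n += 1

    def score(self, event: dict) -> float:
        """Summed negative log-likelihood of the event's features under this user's
        history: higher means less like anything the user has done before."""
        if self.n == 0:
            return math.inf  # an identity with no history at all is itself anomalous
        total = 0.0
        for name, value in features(event).items():
            seen = self.counts[name]
            vocab = len(seen) + 1  # +1 reserves probability mass for unseen values
            total -= math.log((seen[value] + 1) / (self.n + vocab))
        return total


class UEBA:
    def __init__(self, threshold: float = 2.0) -> None:
        self.threshold = threshold  # assumed; tuned from analyst feedback in practice
        self.baselines: dict = defaultdict(UserBaseline)
        self.confirmed_incidents: list = []

    def train(self, log_text: str) -> None:
        for line in log_text.splitlines():
            if line.strip():
                event = parse_event(line)
                self.baselines[event["user"]].update(event)

    def evaluate(self, line: str) -> tuple:
        """Return (anomaly score, flagged?) for one new authentication event."""
        event = parse_event(line)
        score = self.baselines[event["user"]].score(event)
        return score, score >= self.threshold

    def analyst_feedback(self, line: str, malicious: bool) -> None:
        """The daily validation loop: a benign verdict is folded into the user's
        baseline so legitimate change is learned; a malicious verdict is recorded."""
        event = parse_event(line)
        if malicious:
            self.confirmed_incidents.append(event)
        else:
            self.baselines[event["user"]].update(event)


if __name__ == "__main__":
    ueba = UEBA()
    ueba.train(TRAINING_LOG)
    for line in ("2024-03-18T09:12:00Z alice FR laptop-a1 success",
                 "2024-03-18T03:12:00Z alice CN phone-x9 success"):
        print(line.split()[1], ueba.evaluate(line))
```

Two properties of this loop are worth noting. A login from a never-seen account scores infinitely high rather than zero, because an empty history must not read as "nothing unusual". And a legitimate change, such as alice starting to log in from DE, is flagged on the first cycle, scores lower after one benign verdict, and drops below the threshold after a second, which is the "multiple cycles of validation" behaviour the article describes; a confirmed-malicious verdict is kept as an incident and never teaches the baseline.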
Artificial intelligence is the way forward for cybersecurity. The approach provides a unified view of the enterprise, with both a real-time and a historical view of events. This unified view allows for smarter remediation, faster response and better decision making. It does not remove the need for the analyst: the daily validations that feed the model remain its quality gate, and a model that stops being retrained goes stale just as a signature list does.
Service Platforms Engineer (6 years ago): Thank you Mr Hamid. The future belongs to IoT and AI, etc. What position should the "ordinary" person take?

Service Platforms Engineer (6 years ago): The OSI model has 7 layers, mapped to four layers from the internet point of view. Security can be implemented at different levels. So the constraints of engineer skills, infrastructure capex/opex and power consumption should drive adoption of this new paradigm. Big data is just a prediction approach.

Applied Gen AI Scientist (6 years ago): Ibrahim AbuAlhaol, Ph.D, P.Eng, SMIEEE

Professor of Business Technology and Fintech Expert (6 years ago): Thanks

Helping organizations achieve more through innovation and technology (6 years ago): Great article Hamid Nach