Artificial Intelligence in Cybersecurity

All articles are my personal opinions made on personal basis.

Machine Learning (ML) and Cybersecurity are tightly related to each other but has always been confusing the way actually they interact or how they can be useful to each other.

First of all these days apparently everything can be solved through the "magic" of Artificial Intelligence (AI) and my answer might disappoint you and is that AI is not a “silver bullet”, other thing that you might have not noticed is how I interchanged concepts of AI, ML, Deep Learning (DL) like if they where the same, which is a common thing and my intention is not being a “purist” or set the rules but at least start the discussion with a common baseline.

Let’s start for the tasks that ML is really good doing such as regression, prediction, and classification. When we talk of incredible amounts of data this techniques are really useful and in the realm of cybersecurity are part of the daily battlefield reality. This article objective is giving you an introduction to the use of such ML and its application in the cybersecurity world.

Clarifying terminology

AI (Artificial Intelligence) is a broad concept that nowadays is being abused for multiple things, let’s start with the concept that AI is a series of techniques that where designed to try originally to “emulate” the human reasoning and learning process. Is important to notice that despite its recent popularity in pop culture AI is a concept that began to be researched in the early 70’s and is heavily based on statistical and algebraic methods to achieve the mentioned objectives.

ML (Machine Learning) is a superset of AI techniques, ML has suffered multiple transformations over time and even being referred with different names like data mining depending the moment in time, ML’s objective simplified is to recognize patterns in the data either by “learning” from prior knowledge or training or with more modern approaches by inference of the data that is input in the models that we’re creating.

DL (Deep Learning) is the smallest subset of the family of ML techniques used to recognize patterns e.g models used in computer vision systems, language analysis, machine teaching and the most modern implementations of ML. DL is the discipline with most accelerated advancement in ML but with one big flaw that researchers are making strides on solving that is explainability of results until now most of the results are part of a “black box” process.

Most of the techniques that we will be referring to in this article refer into the general ML world, however is important to callout that important research is being done in DL applications.So Now we defined a common baseline that you might agree or not, but let’s agree to disagree let’s move into some of the tasks that can support the Cybersecurity efforts.

Chasing the rabbit 

Regression or prediction - This might be the most common task in the ML world and the bread and butter of any data scientist but indeed a task that can create such a mysticism behind it that can take its practicality with it. The task can be reduced to predict a value based on previous values and let’s leave it just with that simple concept.

Classification — let’s say that in a world of mixed and confusing data we’re trying to organize things, so classification is the task of separating and categorizing that data

Clustering - Is very similar to the prior technique but the classes are unknown , if you think about it this is a very common scenario, raw data, we don’t know what it is so how we can categorize something we don’t even know what it is? well clustering can help.

Recommenders - This is one of the “Holy grails” of ML, the use of data to make recommendations based on data, patterns or previous experience this has controlled our reality even without noticing, the way we consume media, goods, financial products and even in cybersecurity has amazing applications that we will dive in.

Dimensionality reduction - When we talk of analyzing, hexa , peta or even bigger amounts of information available for secure our experience and despite the fact processing power and storage is getting better and more efficient, we still need a way to efficiently analyze or generalize huge amounts of data and infer analysis from them. DR help us to achieve this task with elegant algebraic approaches but efficient in term of computing costs and results.

How do machines learn?

An important concept to internalize is, how machines learn and for the sake of the article I will simplify it into two concepts or better said to ways on how the different techniques that where described in the prior section process and “learn” from the data.

Supervised learning - The principle is “feed” the models with labeled data, meaning we’re telling the model what is the data that we’re feeding and based on those labels it can make decisions.

Unsupervised learning - Like the name says, the data comes “raw” to the model and it will figure out not only the class of the data but what to do with it, will infer and get conclusions from self identified patterns.

Machine learning applied in cybersecurity. 

Based on all the background of information presented the question to be answered is how this actually is applied in practice to cybersecurity? 

Let’s understand the common cybersecurity tasks first in order to understand how ML supports them, first we analyze all cybersecurity tasks on three dimensions Why, What and How?

The first dimension is a goal, or a task for example detecting threats, predict attacks, etc. According to Gartner all security tasks can be divided into five categories:

• Prediction
• Prevention
• Detection
• Response
• Monitoring

The second dimension is a technical layer and an answer to the “What” question for example:

• Network traffic analysis and intrusion detection
• Anti-malware
• Firewalls
• Anti-Fraud

The third dimension is a question of “How” for example - How to check the security of a particular area?

• In transit and real time 
• at rest
• historically

Some tasks should be solved in three dimensions. Sometimes there are no values in some dimensions for some tasks. Approaches can be the same in one dimension. Nonetheless, each particular point of this three-dimensional space of cybersecurity tasks has its intricacies.It’s difficult to detail them all so we will focus on the most important dimension, technology layer. Look at the cybersecurity solution from this perspective.

Machine Learning for Network Protection 

Network protection is not a single area but a set of different solutions that focus on a protocol such as Ethernet, wireless, SCADA, or even virtual networks like SDN’s.Network protection refers to well-known Intrusion Detection System (IDS) solutions. Some of them use a kind of ML years ago and mostly dealt with signature based approaches.

ML in network security implies new solutions called Network Traffic Analytics (NTA) aimed at in-depth analysis of all the traffic at each layer and detect attacks and anomalies.

How can ML help here? There are some examples:

• Regression to predict the network packet parameters and compare them with the normal ones;
• Classification to identify different classes of network attacks such as scanning and spoofing;
• Clustering for forensic analysis.

Machine learning for Endpoint Protection

The new generation of anti-viruses is Endpoint Detection and Response. It’s better to learn features in executable files or in the process behavior. Keep in mind that if you deal with machine learning at endpoint layer, your solution may differ depending on the type of endpoint (e.g., workstation, server, container, cloud instance, mobile, PLC, IoT device). Every endpoint has its own specifics but the tasks are common:

• Regression to predict the next system call for executable process and compare it with real ones;
• Classification to divide programs into such categories as malware, spyware and ransomware;
• Clustering for malware protection on secure email gateways (e.g., to separate legal file attachments from outliers).

Machine learning for Application Security

Where to use ML in app security? — WAFs or Code analysis, both static and dynamic. To remind you, Application security can differ. There are web applications, databases, ERP systems, SaaS applications, micro services, etc. It’s almost impossible to build a universal ML model to deal with all threats effectively in near future. However, you can try to solve some of tasks.

Here are examples what you can do with machine learning for application security:

• Regression to detect anomalies in HTTP requests (for example, XXE and SSRF attacks and auth bypass);
• Classification to detect known types of attacks like injections (SQLi, XSS, RCE, etc.);
• Clustering user activity to detect DDOS attacks and mass exploitation.

Machine learning for User Behavior

This area started as Security Information and Event Management (SIEM). SIEM was able to solve numerous tasks if configured properly including user behavior search and ML. Then the UEBA solutions declared that SIEM couldn’t handle new, more advanced types of attacks and constant behavior change.

The market has accepted the point that a special solution is required if the threats are regarded from the user level.However, even UEBA tools don’t cover all things connected with different user behavior. There are domain users, application users, SaaS users, social networks, messengers, and other accounts that should be monitored.

Unlike malware detection focusing on common attacks and the possibility to train a classifier, user behavior is one of the complex layers and unsupervised learning problem. As a rule, there is no labelled dataset as well as any idea of what to look for. Therefore, the task of creation a universal algorithm for all types of users is tricky in user behavior area. Here are the tasks that companies solve with the help of ML:

• Regression to detect anomalies in User actions (e.g., login in unusual time);
• Classification to group different users for peer-group analysis;
• Clustering to separate groups of users and detect outliers.

Machine learning for Process Behavior

The process area is the last but not least. While dealing with it, it’s necessary to know a business process in order to find something anomalous. Business processes can differ significantly. You can look for fraud in banking and retail system, or a plant floor in manufacturing. The two are totally different, and they demand a lot of domain knowledge. In machine learning feature engineering (the way you represent data to your algorithm) is essential to achieve results. Similarly, features are different in all processes.

In general, there are the examples of tasks in the process area:

• Regression to predict the next user action and detect outliers such as credit card fraud
• Classification to detect known types of fraud
• Clustering to compare business processes and detect outliers

You can find research papers related to banking fraud as ICS and SCADA systems security is much less represented.

Conclusion

There are more areas left. This article outlines the basics. On the one hand, machine learning is definitely not a silver-bullet solution if you want to protect your systems. Undoubtedly, there are many issues with interpretability (particularly for deep learning algorithms), but humans also cannot interpret their own decisions, right?On the other hand, with the growing amount of data and decreasing number of experts, ML is an only remedy. It works now and will be mandatory soon. It is better to start right now.

Keep in mind, hackers are also starting to use ML in their attacks.