AI has made some inroads in the cybersecurity sector and several AI vendors claim to have launched products that use AI to help safeguard against cyber threats. At Emerj, we’ve seen many cybersecurity vendors offering AI and machine learning-based products to help identify and deal with cyber threats. Even the Pentagon created the Joint Artificial Intelligence Center (JAIC) to upgrade to AI-enabled capabilities in their cybersecurity efforts.
In this article, we list out some of the more common use-cases for AI in cybersecurity, where there has been some evidence of real-world business use. Specifically, we cover:
- AI for Network Threat Identification
- AI Email Monitoring
- AI-based Antivirus Software
- AI-based User Behavior Modeling
- AI For Fighting AI Threats
We begin our analysis of AI in the cybersecurity space with an explanation for why AI is such a good fit for cybersecurity.
The Natural Fit for Artificial Intelligence in Cybersecurity
For a business safeguarding their data, network security is critical, and even small data centers might have hundreds of applications running, each of which need to have different security policies enforced. Human experts might take several days to weeks to fully understand these policies and make sure the security implementation is successful.
Cybersecurity inherently involves repetitiveness and tediousness. This is because identification and assessment of cyberthreats require scouring through large volumes of data and looking for anomalous data points. Companies can use the data collected by their existing rules-based network security software to train AI algorithms towards identifying new cyberthreats.
Understanding the consequences of the attack and the response needed from the company also requires further data analysis. AI algorithms can be trained to take certain predefined steps in the event of an attack and over time can learn what the most ideal response should be through input from cybersecurity subject-matter experts.
Human security experts cannot match the speed and scale at which AI software can accomplish these data analysis tasks. Additionally, AI-based cybersecurity data analysis software can complete the task with consistently higher accuracy than human analysts. Large-scale data analysis and anomaly detection are some of the areas where AI might add value today in cybersecurity.
Many cybersecurity intrusions usually operate over the enterprise network monitoring the data going in and out of the network is one way to detect cybersecurity threats. Monitoring each ‘packet’ of data that is part of the enterprise networks communications is almost impossible for human analysts to monitor accurately.
Machine learning-based software can potentially use multiple techniques such as statistical analysis, keyword matching, and anomaly detection to determine if a given packet of data is different enough from the baseline of data packets used in the training dataset.
All of this seems to indicate that artificial intelligence is now starting to be seen as an effective tool to gain serious advantages against fraudsters and hackers.
AI for Network Threat Identification
Enterprise network security is critical for most companies, and the hardest part about establishing good network cybersecurity processes is understanding all the various elements involved in the network topography. For human cybersecurity experts, this means time-consuming work in tracking all the communications going in and out of the enterprise network.
Managing the security of these enterprise networks involves identifying which connection requests are legitimate and which are attempting unusual connection behavior, such as sending and receiving large volumes of data or having unusual programs running after connection to an enterprise network.
The challenge for cybersecurity experts lies in identifying which parts of an application, whether on the web, mobile platforms, or applications that are in development or testing, might be malicious. Identifying the malicious applications amongst thousands of similar programs in a large-scale enterprise network requires enormous amounts of time and human experts are not always accurate.
AI-based network security software can potentially monitor all incoming and outgoing network traffic in order to identify any suspicious or out of the ordinary patterns in the traffic data. The data in question here is usually too voluminous for human cybersecurity experts to accurately classify threat incidents.
In a real-world example, the startup ShieldX Networks claims they use AI to speed up the process of identifying which security policies are applicable for each application. In addition, the company claims their software can study the network communications data for each application over a period of time and then generate suggestions for security policy for that application.
Apart from this, in the banking sector AI vendors such as Versive (now acquired by eSentire) offer enterprise cybersecurity AI software that use anomaly detection to identify network security threats. The company claims their software can help financial firms and banks with adversary detection and cybersecurity threat management.
AI vendor Versive (now acquired by eSentire) offers enterprise cybersecurity AI software called the VSE Versive Security Engine, which they claim can help banks and financial institutions analyze large datasets of transactions and cybersecurity-related data using machine learning.
Versive claims banks NetFlow (network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic), proxy, DNS data (computer network data) as inputs to the Versive Security Engine. The software can then monitor enterprise networks using anomaly detection to alert human officers in case of deviations in the data that might be similar to events in past cyberthreats.
AI Email Monitoring
Enterprise firms understand the importance of monitoring email communications in order to prevent cybersecurity hacking attempts such as phishing. Machine learning-based monitoring software is now being used to help improve the detection accuracy and the speed of identifying cyberthreats.
Several different AI technologies are being used for this use-case. For instance, some software use computer vision to “view” emails to see if there are features in the email that might be indicative of threats, such as images of a certain size. In other cases, natural language processing is used to read through the text in emails coming in and going out of the organization and identify phrases or patterns in text that are associated with phishing attempts. Using anomaly detection software can help identify if the email’s sender, recipient, body, or attachments are threats.
This use-case again highlights AI’s strengths with large scale data analysis. It is not difficult for a human employee to read through an email and identify suspicious features, but doing so for millions of emails sent and received within large organizations on a day-to-day basis is simply impossible. AI software can instead read through all the incoming and outgoing emails and report the most likely cases of cybersecurity threats to security personnel.
For instance, Tessian claims to provide email monitoring AI software that can help financial firms prevent misdirected emails, prevent data breaches and phishing attacks. The company’s software likely uses natural language processing and anomaly detection in different steps in order to identify which emails are likely cybersecurity threats.
AI-based Antivirus Software
Traditional antivirus software function by scanning files on an enterprise network to see if any of them match the signature of known malware or viruses. The problem with this approach is that it is dependent on security updates for the antivirus software when new viruses are discovered. Additionally, this method makes traditional antivirus software slow in terms of real-time threat detection and makes deploying a scalable system challenging.
In contrast, AI-based antivirus software in many cases uses anomaly detection to study program behavior. Antivirus systems using AI focus on detecting unusual behavior generated by programs rather than matching signatures of known malware.
While traditional antivirus software works well for threats that have been previously encountered and identified through its public signature, new threats are not easily detected and resolved by these types of software. Steve Grobman, SVP at McAfee claims that most traditional antivirus software can achieve a 90% threat detection rate. The added advantage that AI brings to the table in this use-case is in increasing the threat detection rate to even 95% or above.
Cylance, which was acquired by Blackberry, claims their Smart Antivirus product offering uses AI to predict, detect and respond to cybersecurity threats. The company claims that unlike traditional antivirus software, Cylance’s AI-enhanced Smart Antivirus does not need virus signature updates but rather learns to identify patterns that indicate malicious programs from scratch over time.
AI-based User Behavior Modeling
Some types of cybersecurity attacks on enterprise systems can compromise specific users in the organization by taking over their login credentials without their knowledge. Cyberattackers who have stolen a user’s credentials can gain access to an enterprise network through technically-legitimate means and are thus hard to detect and stop. AI-based cybersecurity systems can be used to detect a pattern of behavior for particular users in order to identify changes in those patterns. In doing so, they can alert security teams when that pattern is broken.
AI vendors such as Darktrace offer cybersecurity software that they claim uses machine learning to analyze raw network traffic data to understand the baseline of what normal behavior is for each user and device in an organization. Using training datasets and inputs from subject-matter experts, the software learns to identify what constitutes a significant deviation from the normal baseline behavior and immediately alert the organization to cyber threats.
AI For Fighting AI Threats
Companies need to improve the speed at which they detect cyberthreats because hackers are now employing AI to potentially discover points of entry in enterprise networks. Thus, deploying AI software to guard against AI-augmented hacking attempts might become a necessary part of cybersecurity defense protocols in the future.
In the past couple of years, companies around the world have succumbed to cyberthreats and ransomware attacks such as WannaCry and NotPetya. These types of attacks spread rapidly and affect a large number of computers. It’s likely that the perpetrators of these types of attacks might use AI technology in the future. The advantage that AI could give these hackers is similar to what AI offers in businesses: rapid scalability.
Cybersecurity Vendor Crowdstrike claims their security software, Falcon Platform, uses AI to guard against such ransomware threats. The software reportedly uses anomaly detection for end-point security in enterprise networks. The video below demonstrates how the software works:
The Future of AI in Cybersecurity
AI-use in cybersecurity systems can still be termed as nascent at the moment. Businesses need to ensure that their systems are being trained with inputs from cybersecurity experts which will make the software better at identifying true cyber attacks with far more accuracy than traditional cybersecurity systems.
Businesses need to understand that these systems are only as good as the data that is being fed to them. AI systems are usually famously touted to be “garbage in, garbage out” systems, and a data-centric approach to AI projects is necessary for continued success.
The one challenge for companies using purely AI-based cybersecurity detection methods is to reduce the number of false-positive detections. This might potentially get easier to do as the software learns what has been tagged as false positive reports. Once a baseline of behavior has been constructed, the algorithms can flag statistically significant deviations as anomalies and alert security analysts that further investigation is required.
Cybersecurity applications are among the most popular AI applications today. This is in large part due to the fact that these applications rely on anomaly detection which machine learning models are very well suited for. Additionally, most large businesses might already have existing cybersecurity teams, product development budgets and IT infrastructure to handle large amounts of data.
Header image credit: Vice