Machine Learning Critical for Cybersecurity Defenders

One of the fields where AI is getting a lot of attention is cybersecurity. Many of the threats organizations face every day play to AI's strengths: huge volumes of data and subtle patterns that are hard to describe by hand. Instead of relying only on the traditional human-written rules for detecting the bad guys, machine learning is increasingly at the forefront of the battle for cyberspace.

AI in AV

Traditionally, antivirus software has relied on signature detection to identify malware on your computer. Each scanned file is compared against a database of fingerprints (hashes or byte patterns) of known malicious files. Any file that matches a fingerprint in the database is quarantined or deleted before it can do harm.

While this approach has worked in the past, it has a couple of problems in the modern world. First, a signature can only catch malware that someone has already analyzed and written a signature for, so new or slightly modified samples slip through until the database catches up, and your AV has to store every signature and check every file against all of them. Second, some malware has gone "fileless": it runs entirely in memory, often through legitimate scripting tools, and never writes a file to disk for your AV to fingerprint.

One of the ways machine learning has started helping out in cyber is by letting AVs move beyond signature matching to behavioral and anomaly detection. Rather than checking against a list of known "bad" fingerprints, a model is trained on what normal programs and normal system activity look like and flags processes that deviate from it. This way, malware can be detected as soon as it starts misbehaving instead of after a signature has been written, with the trade-off that unusual but legitimate software can trigger false alarms that have to be tuned out.

Going With the Flow

Another problem cybersecurity defenders have is the sheer volume of data they need to process. Enterprise networks can carry hundreds of megabytes or even gigabytes of traffic per second, and a network analyst is responsible for making sure nothing malicious or unusual is hiding in all of it.

Processing massive amounts of data and looking for anomalies is one of the things machine learning algorithms do best. Even simple statistical monitoring of per-host traffic counters (bytes and packets in and out per interval) against a learned baseline lets a network defender spot gross deviations such as the inbound flood of a Denial of Service attack or the outbound surge of attempted data exfiltration. Deeper anomaly detection can model individual flows or packets and tell the defender when one "looks weird", which helps with subtler types of attacks.
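The baseline-and-deviation idea in the paragraph above, as an added example (this is not code from the original article or from any product it describes). It scores each interval's counters against the preceding window using a median/MAD z-score, which is robust to a spike that is still inside the window, and labels the combinations an analyst would triage as a flood or an exfiltration. The interval records, the window size and the threshold are constructed assumptions.

```python
"""Per-interval traffic baselining with a robust (median/MAD) z-score.

Added example, not from the original article. The counters below are
constructed sample data for one monitored host: one record per 10-second
interval with bytes in, bytes out and packets in.
"""
from statistics import median

# Constructed sample: ten quiet intervals, then an inbound flood, a quiet
# interval, and an outbound surge.
SAMPLE_INTERVALS = [
    {"t": 0,   "bytes_in": 48200,   "bytes_out": 19800,   "pkts_in": 410},
    {"t": 10,  "bytes_in": 51300,   "bytes_out": 21200,   "pkts_in": 425},
    {"t": 20,  "bytes_in": 49800,   "bytes_out": 20400,   "pkts_in": 398},
    {"t": 30,  "bytes_in": 50500,   "bytes_out": 19500,   "pkts_in": 415},
    {"t": 40,  "bytes_in": 47900,   "bytes_out": 20900,   "pkts_in": 402},
    {"t": 50,  "bytes_in": 52100,   "bytes_out": 20100,   "pkts_in": 430},
    {"t": 60,  "bytes_in": 49100,   "bytes_out": 21500,   "pkts_in": 405},
    {"t": 70,  "bytes_in": 50800,   "bytes_out": 19700,   "pkts_in": 420},
    {"t": 80,  "bytes_in": 48700,   "bytes_out": 20600,   "pkts_in": 395},
    {"t": 90,  "bytes_in": 51600,   "bytes_out": 20200,   "pkts_in": 418},
    {"t": 100, "bytes_in": 1850000, "bytes_out": 20300,   "pkts_in": 42000},  # inbound flood
    {"t": 110, "bytes_in": 50200,   "bytes_out": 20000,   "pkts_in": 412},
    {"t": 120, "bytes_in": 49500,   "bytes_out": 3100000, "pkts_in": 405},    # outbound surge
]

METRICS = ("bytes_in", "bytes_out", "pkts_in")


def robust_z(value, history):
    """Deviation of value from history in MAD units (0.6745 * (x - median) / MAD
    is roughly one sigma for normal data). Median/MAD, unlike mean/stddev, is
    barely moved by a previous spike that is still inside the window."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Flat baseline: any change at all is a deviation.
        return float("inf") if value != med else 0.0
    return 0.6745 * (value - med) / mad


def detect(intervals, window=10, threshold=5.0):
    """Score each interval against the preceding `window` intervals and
    label upward deviations the way an analyst would triage them."""
    alerts = []
    for i in range(window, len(intervals)):
        cur = intervals[i]
        hist = intervals[i - window:i]
        flagged = {}
        for m in METRICS:
            z = robust_z(cur[m], [h[m] for h in hist])
            if z > threshold:
                flagged[m] = round(z, 1)
        if not flagged:
            continue
        if "bytes_in" in flagged and "pkts_in" in flagged:
            label = "inbound flood (possible DoS)"
        elif "bytes_out" in flagged:
            label = "outbound surge (possible exfiltration)"
        else:
            label = "unexplained deviation"
        alerts.append({"t": cur["t"], "label": label, "flagged": flagged})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_INTERVALS):
        print(alert)
```

The quiet interval at t=110 is scored against a window that still contains the flood, and is not flagged: the median and MAD ignore a single outlier where a mean and standard deviation would have been dragged up by it. A production system would keep separate baselines per host and per time of day, since "normal" at 03:00 differs from "normal" at 14:00.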

Is That Really You?

Humans are awful at passwords. We create weak ones and reuse them across multiple sites, so attackers can often guess or steal the legitimate password for an account. Data breaches, brute-force guessing, and credential stuffing (replaying username/password pairs leaked from one site against another) have all proven to be viable ways for an attacker to log into a website as you.

This is a major issue since passwords are a significant part of how security works on the Internet, at home, and on corporate networks. These systems assume that only you know your password, so anyone who presents the right credentials is given the full access your account has.

Machine learning has come to the rescue here as well by performing anomaly detection on user behavior. A profile is built of how you normally log in (where from, at what times, and which machines you use), and when someone using your account does something that doesn't fit (logging in from another country, or accessing computers you never use), the model raises an alarm. The response may be to lock the account down for a while and force a password change, which is annoying on a false alarm but far better than missing a real attack.
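The login-risk idea above, as an added example rather than code from the original article or from any product: a per-user baseline is built from past logins, each new attempt is scored on the signals the paragraph names (new country, new machine) plus an unusual hour, and the score is mapped to allow, step-up authentication, or lock-and-reset. The login history, the signal weights and the thresholds are constructed assumptions; a deployed system would learn the weights from labelled history instead of hard-coding them.

```python
"""Risk scoring of login events against a per-user behavioural baseline.

Added example, not from the original article. The history, weights and
thresholds are constructed assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed login history for one user (not real data).
HISTORY = [
    {"user": "alice", "ts": "2019-11-04T08:12:00", "country": "US", "host": "laptop-07"},
    {"user": "alice", "ts": "2019-11-04T09:40:00", "country": "US", "host": "laptop-07"},
    {"user": "alice", "ts": "2019-11-05T09:05:00", "country": "US", "host": "fileserver-2"},
    {"user": "alice", "ts": "2019-11-05T10:30:00", "country": "US", "host": "laptop-07"},
    {"user": "alice", "ts": "2019-11-06T13:15:00", "country": "US", "host": "laptop-07"},
    {"user": "alice", "ts": "2019-11-06T14:50:00", "country": "US", "host": "fileserver-2"},
    {"user": "alice", "ts": "2019-11-07T16:20:00", "country": "US", "host": "laptop-07"},
    {"user": "alice", "ts": "2019-11-07T17:45:00", "country": "US", "host": "laptop-07"},
]

# Assumed weight of each anomaly signal and the decision thresholds.
WEIGHTS = {"new_country": 50, "new_host": 30, "unusual_hour": 15}
STEP_UP_AT, LOCK_AT = 20, 60


def build_profiles(events):
    """Summarise what 'normal' looks like for each user: countries seen,
    hosts accessed and hours of day at which they log in."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(
            e["user"], {"countries": Counter(), "hosts": Counter(), "hours": Counter()})
        p["countries"][e["country"]] += 1
        p["hosts"][e["host"]] += 1
        p["hours"][datetime.fromisoformat(e["ts"]).hour] += 1
    return profiles


def score_login(profiles, event):
    """Return (score, reasons) for a new login attempt."""
    p = profiles.get(event["user"])
    if p is None:
        # No baseline yet: ask for a second factor rather than silently allowing.
        return STEP_UP_AT, ["no_baseline"]
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append("new_country")
    if event["host"] not in p["hosts"]:
        reasons.append("new_host")
    if datetime.fromisoformat(event["ts"]).hour not in p["hours"]:
        reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score to the response: let it through, ask for a second factor,
    or lock the account and force a password reset."""
    if score >= LOCK_AT:
        return "lock_and_reset"
    if score >= STEP_UP_AT:
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in [
        {"user": "alice", "ts": "2019-11-08T09:30:00", "country": "US", "host": "laptop-07"},
        {"user": "alice", "ts": "2019-11-08T03:10:00", "country": "RU", "host": "fileserver-2"},
        {"user": "alice", "ts": "2019-11-08T14:00:00", "country": "US", "host": "db-prod-1"},
    ]:
        score, why = score_login(profiles, ev)
        print(ev["ts"], score, why, decide(score))
```

The middle tier matters: a single new host on its own is common enough (a new laptop, a rarely used server) that locking the account would generate a flood of helpdesk tickets, so it triggers a second factor instead, while a new country combined with a 03:00 login is worth a lockout.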

Looks Good to Me

Many cybersecurity experts will say that humans are the weakest link in enterprise cyber defenses. They aren't wrong, which is why many attackers have decided it isn't worth the effort to find a hole in an organization's technical defenses when they can just send a user an email that installs malware while showing them a video of 2019's top fails.

Detecting phishing emails is a serious challenge because attackers put a lot of effort into making them look plausible to human eyes. Computers, however, see an email very differently. Many anti-phishing solutions now include machine learning components trained to identify emails that are designed to look benign (but aren't). These components extract features from the sender address, subject, body text, links, and attachments, such as a link whose visible text names one domain while its target points at another, a sender domain that is one character off from a real brand, urgency language, or an executable disguised as a document, and use them to warn you not to click.
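The feature-extraction step those components perform, as an added example (not code from the original article or from any anti-phishing product): it parses the sender, subject, HTML body and attachment names into the signals named above and combines them with hand-set weights. The trusted-domain list, the weights, the urgency phrases and the two sample emails are constructed assumptions; in a real product the weights come from a classifier trained on labelled mail, and the registered-domain logic would use the public suffix list instead of the last two labels.

```python
"""Feature extraction for phishing triage.

Added example, not from the original article. Trusted domains, weights,
phrase lists and the sample emails are constructed assumptions standing
in for a trained model and real mail.
"""
import os
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed brand/organisation domains
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat"}
URGENCY = ("verify your account", "suspended", "immediately", "within 24 hours")
WEIGHTS = {"link_text_mismatch": 30, "lookalike_domain": 30, "urgency": 10,
           "executable_attachment": 25, "ip_literal_url": 15}
PHISH_AT = 50


class BodyParser(HTMLParser):
    """Collect visible text plus (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels only (assumption; a real system uses the public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """Close to a trusted domain but not equal to it, e.g. examp1e-bank.com."""
    return domain not in TRUSTED_DOMAINS and any(
        levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS)


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def extract_features(sender, subject, html_body, attachments):
    p = BodyParser()
    p.feed(html_body)
    f = {"link_text_mismatch": 0, "lookalike_domain": 0, "urgency": 0,
         "executable_attachment": 0, "ip_literal_url": 0}
    sender_domain = parseaddr(sender)[1].rsplit("@", 1)[-1]
    if is_lookalike(registered_domain(sender_domain)):
        f["lookalike_domain"] = 1
    for href, anchor in p.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto: and relative links carry no host to judge
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            f["ip_literal_url"] = 1
        href_dom = registered_domain(host)
        if is_lookalike(href_dom):
            f["lookalike_domain"] = 1
        m = DOMAIN_IN_TEXT.search(anchor)  # visible text claims a domain...
        if m and registered_domain(m.group(1)) != href_dom:  # ...that the href does not go to
            f["link_text_mismatch"] = 1
    text = (subject + " " + "".join(p.text)).lower()
    f["urgency"] = min(sum(text.count(u) for u in URGENCY), 2)  # capped so it cannot dominate
    if any(os.path.splitext(name)[1].lower() in EXEC_EXT for name in attachments):
        f["executable_attachment"] = 1
    return f


def phish_score(features):
    return sum(WEIGHTS[k] * v for k, v in features.items())


def verdict(sender, subject, html_body, attachments):
    score = phish_score(extract_features(sender, subject, html_body, attachments))
    return score, ("warn" if score >= PHISH_AT else "deliver")


# Constructed sample emails (not real messages).
PHISH = dict(
    sender="Example Bank Security <alerts@examp1e-bank.com>",
    subject="Your account has been suspended",
    html_body='<p>Please verify your account within 24 hours: '
              '<a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a></p>',
    attachments=["statement.pdf.exe"],
)
BENIGN = dict(
    sender="Example Bank <alerts@example-bank.com>",
    subject="Your November statement is ready",
    html_body='<p>Your statement is available: '
              '<a href="https://www.example-bank.com/statements">View statement</a></p>',
    attachments=["statement.pdf"],
)

if __name__ == "__main__":
    print(verdict(**PHISH))
    print(verdict(**BENIGN))
```

The constructed phishing sample trips four of the five signals (lookalike sender and link domain, visible URL that disagrees with the real target, urgency phrasing, and a `.pdf.exe` attachment), while the benign statement notice scores zero. In practice the per-feature weights are what the model learns, and features like these are only one input alongside sender reputation and authentication results (SPF, DKIM, DMARC).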

The Changing Face of Cybersecurity

Artificial Intelligence and machine learning have already had a significant impact on the field of cybersecurity. Humans are not great at processing massive amounts of data or picking out an anomaly from a crowd, but luckily these are tasks that computers excel at. This is readily apparent in their ability to help with malware detection, network statistics monitoring, detecting unauthorized access to accounts, and fighting the threat of phishing.

Currently, the main challenges with cybersecurity defenses based on artificial intelligence and machine learning are false alarms and missed detections, made harder by the fact that attackers adapt their tooling to evade whatever models are deployed. Both improve as the algorithms become more sophisticated and gain access to more, and better-labeled, training data, though neither goes away entirely. These algorithms are already making a difference in the cybersecurity threat landscape, and they will continue to evolve over time, making the Internet a safer place for everyone.