Artificial Intelligence in Cybersecurity
The Origins of AI
Artificial intelligence has been a topic of interest since ancient antiquity when the Greek myths of Hephaestus and Daedalus incorporated the idea of intelligent robots and artificial beings like Pandora.
There was a resurgence of intrigue and technological advancements toward this fundamental idea of creating an ‘electronic brain’ in the earlier decades of the twentieth century. This led computer scientists including Alan Turing to design mechanisms like the ‘Turing Test’, a test to determine whether or not a computer is capable of thinking like a human being. The field of artificial intelligence research was officially created at Dartmouth College in the mid-1950s. This is when John McCarthy first coined the term ‘artificial intelligence’.
There were several ‘AI winters’ in the latter half of the twentieth century, due largely to funding cuts in the field. However, AI gradually restored its reputation in the later twentieth and earlier twenty-first centuries. From this point, artificial intelligence has been a subject of popular fascination.
At the turn of the millennium, AI hit the headlines during the fateful 1997 chess series in which IBM’s AI bot ‘Deep Blue’ beat Gary Kasparov – the world number one chess player. Whilst this might seem to be an insignificant event in today’s digital age, at the time Deep Blue’s win was symbolically significant, a sign that artificial intelligence was catching up to human intelligence.
Now, the utility of AI has expanded beyond the lofty goal of general artificial intelligence, and chess, towards solving specific problems. The field has also split out into several differentiated disciplines.
Types of AI
A few prominent examples of AI include:
Machine learning (ML) – an application of AI that implements a process of learning (or “fitting”) so that systems learn and improve from experience without being explicitly programmed to do so.
Supervised machine learning – requires labelled data, such as input and output pairs, and attempts to create models that will reliably take the input and produce the correct output.
Unsupervised machine learning – does not use labelled data and looks for patterns or clusters amongst a large dataset, or as part of the learning.
Deep neural networks (DNNs) or deep learning – deep learning is a subfield of machine learning concerned with algorithms inspired by the brain’s structure and function called artificial neural networks.
Natural language processing (NLP) – is the branch of AI that is concerned with giving computers the ability to understand text and spoken language in the same way that humans can. NLP combines computational linguistics and rule-based modelling of human language with statistical, machine learning, and deep learning models.
AI cloud services – provide AI model building tools, APIs and associated middleware that enable the building/training, deployment and consumption of machine learning models running on prebuilt infrastructure as cloud services. These services include automated machine learning, vision, and language services.
Artificial general intelligence (AGI) – the hypothetical intelligence of a machine that can understand or learn any intellectual task that a human being can. It is also referred to as strong AI.
AI in Cybersecurity
Cyber adversaries are getting smarter at an alarming rate. Ransomware attacks, for example, are now happening every 11 seconds. For this reason, many security teams are now looking for AI-powered security tools to stay ahead of novel threats and automate processes to speed up threat detection and response.
With the catastrophic rise of zero-day vulnerabilities, businesses now need to be protected against a host of unknowns. This is where smart, AI-enabled tools like SenseOn come into their own to make the seemingly impossible, possible.
AI is quickly becoming a business norm, with 86% of executives at U.S. companies telling PwC that AI/ML would be a “mainstream technology” in their environments by the end of 2021.
Benefits of AI
AI has limitless potential for real-world applications and this is certainly true for cyber security. Three of the biggest benefits that AI is currently bringing to the field are:
Drastically improved threat & anomaly detection
Artificial intelligence can be used to improve anomaly detection that helps systems locate threats in a network by accommodating, and adapting to, unexpected data.
For example, SenseOn has developed a method of modelling typical user and device behaviour, identifying instances that do not conform to established baselines. We have designed a unique method of anomaly detection and classification that starts with unsupervised statistical learning, performs autonomous class labelling, and finally builds a supervised classification engine.
Enriched Alert Information
AI is now being used to accurately inform human analysts of alert severity and prioritise alerts accordingly. This eradicates millions of false positive alerts and the ‘alert fatigue’ that has become commonplace in cyber security. Traditionally, security tools have been unable to fully correlate and enrich security alerts. The typical use of multiple telemetry sources results in differing speeds, volumes and complexity of alerts means that telemetry is extremely difficult to contextualise, thereby obscuring potential critical information.
SenseOn, on the other hand, collects endpoint and network telemetry at the source, unifying the data into one consistent set. Then the platform uses artificial intelligence and machine learning to perform a recursive search to find increasingly minute details that result in the enriched alerts that are presented to the platform user.
Automation of Security Operations
Automation of security operations has been a hugely beneficial application of AI and ML in this field. Automated responses allow organisations to expedite their incident detection and response capabilities, thereby minimising the scope of potential threats and strengthening their security postures.
As Daniel Miessler put it in the Financial Times, “it’s not so much that AI does it better, but that it works unendingly and consistently without getting tired.” At present, most security teams are only looking at “a tiny fraction – less than 1 per cent” of their data, AI can expand this capability several times over.
AI Skeptics
Whilst the increasing predominance of artificial intelligence is an exciting prospect for many, the mere use of the term ‘AI’ does evoke scepticism in some. Particularly within the cyber security industry, the mention of ‘artificial intelligence’ will evoke exasperated sighs from beleaguered security pros.
With research claiming that 40% of ‘AI startups’ in Europe don’t actually use AI, it is no wonder that buyers are fatigued by misleading marketing ploys and inaccurate claims. Additionally, the lack of transparency amongst cyber security vendors as to where their product uses AI has been a source of confusion and frustration for many.
There is no denying the fact that ‘snake oil’ promises of artificial intelligence within the cyber security space have damaged the reputation of AI in security. Nevertheless, artificial intelligence is a term that encompasses a wide range of technologies and AI is an appropriate tool in certain circumstances.
Whilst every new technological advance will receive a healthy amount of scepticism, the thousands of searches per month made on phrases such as ‘how ai is changing cyber security’ attests to the fact that AI is making waves in the cyber community.
What’s Next for AI in Cybersecurity?
The bounds of artificial intelligence are loose enough that the real-life applications are endless.
AI is once again taking precedence in the media with a growing number of humans reporting on the sentience of AI. For example, Google placed senior software engineer Blake Lemoine on leave after he went public with his belief that the company’s AI chatbot LaMDA was a self-aware person. Chillingly, Lemoine claimed that “LaMDA is a sweet kid who just wants to help the world be a better place for all of us”. This has sparked a more general discussion about human belief in AI sentience, pointing to a worrying trend whereby humans are being taken in by advanced neuro-linguistic programming (NLP), a type of AI.
Whilst we can leave the ethicists to debate whether or not AI has truly become sentient, the fact that artificial intelligence can now dupe humans is worrying from a cyber security perspective. Within the security space, we’re seeing early examples of attackers using new, easily accessible open-source AI technology to create fake photos, videos and speech as part of phishing campaigns. This is pointing to a precarious future where AI is widely used by criminals and nation-state actors seeking to advance their hacking capabilities.
This AI-enabled problem requires an AI-enabled solution. An increasing number of cyber security vendors are now looking to improve their AI capabilities for this reason. Current Gartner research points to AI-based threat detection and prevention as the next big industry trend.
In a changing climate, AI-based attack prioritisation and remediation will be the only methods fast enough to combat the ever-increasing number of zero-day threats. Security professionals need improved detection and faster response to enable employee productivity and operational efficiency.
Whilst the rest of the industry is moving towards AI-enabled solutions, SenseOn has already been recognised for its unique AI-based threat triangulation by the World Economic Forum (WEF). SenseOn was named WEF Technology Pioneer for 2021, past recipients of this accolade include Google, Airbnb, Spotify, TransferWise and Twitter. This recognition marks SenseOn as a “growth stage company that is involved in the design, development and deployment of new technologies and innovations that are poised to have a significant impact on business and society”.
How Does SenseOn use AI?
Representing a generational leap forward in the way we protect organisations, SenseOn is a self-driving system for cyber-defence, capable of automating the process of AI-enabled threat detection, investigation and response. We have developed, for the first time globally, a security architecture that is instantly deployable across the enterprise via a single piece of software.
SenseOn takes a realistic and practical approach to the use of AI. Specifically, SenseOn uses AI for anomaly detection. Whilst we recognise that machine learning is not a stand-alone solution it does, nevertheless, introduce several benefits in this context. Firstly SenseOn’s use of ML alleviates reliance on explicit rules or signatures, secondly, it accommodates, and adapts to, unexpected data. These two factors allow SenseOn to be agile and adaptive to changing threat actors and techniques.
This ML for anomaly detection is used within our revolutionary Universal Sensor. The Universal Sensor is a single piece of software deployed across devices, servers, databases and cloud environments that can, for the first time, capture user, device, process and network telemetry all the way down to deep packet inspection.
By capturing network telemetry from the endpoint, we provide granular visibility of the estate and all machines connected to the network, including host-level information about each asset, with all data collected natively and in a consistent format. This allows us to run over 300 detection methods in parallel.
The traditional cyber security approach has siloed point solutions each looking at a small subset of the estate, all capturing different data sets, in different formats, using different methods for detection with different thresholds for raising alerts, which in turn contain different information.
Siloed tooling can work when there is only a single threat in one area of the ecosystem. However, when threats are coming from multiple areas, as threat actors traverse across the infrastructure, this leads to a fundamental data problem. Each tool’s alerts will contain different information in different formats, causing issues when trying to pull it together.
SenseOn’s novel approach, on the other hand, enables a complete view across the estate to provide analysts with the crucial context needed to assess the breadth and severity of threats as they come in, in a single data format.