ARTIFICIAL INTELLIGENCE
AND MACHINE LEARNING
IN CYBERSECURITY
By Anirudh Srinivas Balaji
INTRODUCTION
What is ML?
What is AI?
How do companies deploy AI and ML to strengthen security?
A Brief of AI and ML
Google definition: Artificial Intelligence (AI) is the branch of computer science that
emphasizes the development of intelligent machines that think and work like humans.
Examples include speech recognition, problem-solving, learning and planning.
Application of AI:
Machine learning is an application of artificial intelligence (AI) that gives systems the
ability to learn and improve from experience automatically, without being explicitly
programmed. Machine learning focuses on the development of computer programs that
can access data and use it to learn for themselves.
How AI and ML work in CyberSec
AI allows you to automate the detection of threats and to combat them even
without human involvement, putting your data to work so that you stay
more secure than ever. Since AI is entirely machine driven,
it assures you complete error-free cyber-security services.
Moreover, companies have also started to put more resources than
ever into boosting AI-driven technologies.
Machine Learning tasks and Cybersecurity
Let’s look at examples of the different methods used to solve machine learning
tasks and how they relate to cybersecurity tasks.
Regression
Regression (or prediction) is simple: knowledge about existing data is used to
estimate new data. Take house-price prediction as an example. In cybersecurity,
regression can be applied to fraud detection: the features (e.g., the total amount of a
suspicious transaction, its location, etc.) determine the probability that an action is fraudulent.
As for the technical aspects of regression, all methods can be divided into two large
categories: machine learning and deep learning. The same split applies to the other tasks.
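To make the fraud-detection use of regression concrete, here is an added example (not code from the presentation): a small logistic-regression scorer in pure Python that turns transaction features into a fraud probability and ranks transactions for analyst review. The feature set, the labelled training rows and the transactions scored at the end are all constructed for illustration.

```python
import math

# Constructed, labelled transactions for illustration (not real data):
# features are (amount in thousands of USD, distance from the card holder's
# home in thousands of km, 1 if the transaction happened at night else 0);
# label 1 = fraudulent, 0 = legitimate.
TRAINING = [
    ((0.05, 0.002, 0), 0), ((0.12, 0.001, 0), 0), ((0.08, 0.005, 1), 0),
    ((0.30, 0.010, 0), 0), ((0.02, 0.000, 0), 0), ((0.15, 0.003, 1), 0),
    ((2.40, 0.850, 1), 1), ((1.80, 0.620, 1), 1), ((3.10, 0.900, 0), 1),
    ((2.00, 0.750, 1), 1), ((0.90, 0.500, 1), 1), ((2.70, 0.400, 0), 1),
]


def sigmoid(z):
    # Clamp so math.exp cannot overflow on very confident scores.
    z = max(-500.0, min(500.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def train(rows, learning_rate=0.3, epochs=3000):
    """Fit logistic-regression weights and bias by batch gradient descent
    on the log-loss; returns (weights, bias)."""
    n_features = len(rows[0][0])
    weights = [0.0] * n_features
    bias = 0.0
    m = len(rows)
    for _ in range(epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for x, y in rows:
            p = sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)
            err = p - y  # derivative of the log-loss with respect to z
            for i, xi in enumerate(x):
                grad_w[i] += err * xi
            grad_b += err
        weights = [w - learning_rate * g / m for w, g in zip(weights, grad_w)]
        bias -= learning_rate * grad_b / m
    return weights, bias


def fraud_probability(model, features):
    """Probability that a transaction with these features is fraudulent."""
    weights, bias = model
    return sigmoid(sum(w * xi for w, xi in zip(weights, features)) + bias)


def training_accuracy(model, rows, threshold=0.5):
    """Fraction of labelled rows the model classifies correctly."""
    hits = sum((fraud_probability(model, x) >= threshold) == bool(y)
               for x, y in rows)
    return hits / len(rows)


def rank_for_review(model, transactions):
    """Return (transaction_id, probability) pairs with the most suspicious
    transactions first, i.e. the order an analyst queue would use."""
    scored = [(tid, fraud_probability(model, x)) for tid, x in transactions]
    return sorted(scored, key=lambda item: item[1], reverse=True)


MODEL = train(TRAINING)

if __name__ == "__main__":
    # Constructed, unlabelled transactions to score
    queue = [("tx-1", (0.04, 0.001, 0)), ("tx-2", (2.50, 0.800, 1)),
             ("tx-3", (0.20, 0.004, 1))]
    for tid, p in rank_for_review(MODEL, queue):
        print(f"{tid}: fraud probability {p:.3f}")
```

A production scorer would need far more features and data than this, but the pipeline shape (labelled history, fitted weights, a probability per new event, a ranked queue) is the one the slide describes.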
Let’s look at the common cybersecurity tasks and the opportunities for machine learning. There
are three dimensions (Why, What, and How). The first dimension is the goal, or task (e.g.,
detect threats, predict attacks, etc.).
According to Gartner’s PPDR model, all security tasks can be divided into five categories:
● prediction;
● prevention;
● detection;
● response;
● monitoring.
The second dimension is a technical layer and an answer to the “What” question (e.g., at
which level to monitor issues). Here is the list of layers for this dimension:
● network (network traffic analysis and intrusion detection);
● endpoint (anti-malware);
● application (WAF or database firewalls);
● user (UBA);
● process (anti-fraud).
Each layer has different subcategories. For example, network security can be
wired, wireless or cloud. Rest assured that you can’t apply the same algorithms with the
same hyperparameters to all of these areas, at least in the near future. The reason is the lack of data
and algorithms for finding the dependencies between the three areas that would make it possible
to transfer one algorithm to the others.
The third dimension is a question of “How” (e.g., how to check security of a particular
area):
● in transit in real time;
● at rest;
● historically;
● etc.
For example, if you are working on endpoint protection and looking for intrusions, you can
monitor the processes of an executable file, do static binary analysis, analyze the history of
actions on that endpoint, etc.
Some tasks should be solved in all three dimensions. Sometimes there are no values in some
dimensions for certain tasks. Approaches can be the same along one dimension. Nonetheless,
each particular point in this three-dimensional space of cybersecurity tasks has its
intricacies.
Cybersecurity is a promising area for AI/ML. In theory, if a machine has access to
everything you currently know is bad, and everything you currently know is good,
you can train it to find new malware and anomalies when they surface. In practice,
there are three fundamental requirements for this to work. First, you need access
to data -- lots of it. The more malware and benign samples you have, the better
your model will be. Second, you need data scientists and data engineers to be
able to build a pipeline to process the samples continuously and design models
that will be effective. Third, you need security domain experts to be able to classify
what is good and what is bad and be able to provide insights into why that is the
case. In my opinion, many companies touting AI/ML-powered security solutions
lack one or more of these pillars.
Network protection refers to well-known Intrusion Detection System (IDS) solutions.
Some of them used a kind of ML years ago and mostly dealt with signature-based
approaches.
ML in network security implies new solutions called Network Traffic Analytics (NTA)
aimed at in-depth analysis of all traffic at each layer to detect attacks and anomalies.
How can ML help here? Here are some examples:
● regression to predict the network packet parameters and compare them with the
normal ones;
● classification to identify different classes of network attacks such as scanning and
spoofing;
● clustering for forensic analysis.
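The first bullet, regression used to predict a packet or flow parameter and compare it with the normal value, as an added example that is not from the presentation: a least-squares line fitted on known-normal flows predicts how many bytes a client should send for a given number of bytes received, and a flow whose residual exceeds k standard deviations of the baseline's residuals is flagged. The flow records are constructed for illustration.

```python
import math

# Constructed "normal" flows for one client: (bytes_received, bytes_sent).
# A download-heavy client sends roughly 5% of what it receives plus a small
# fixed overhead; the values are made up for illustration.
NORMAL_FLOWS = [
    (2000, 310), (5000, 440), (8000, 610), (12000, 790), (15000, 960),
    (20000, 1210), (25000, 1450), (30000, 1720), (40000, 2190), (50000, 2720),
]


def fit_line(points):
    """Ordinary least squares for sent = slope * received + intercept."""
    n = len(points)
    if n < 3:
        raise ValueError("need at least three flows to fit a baseline")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("received-byte counts are all identical")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def build_baseline(points):
    """Fit the regression line on known-normal flows and record the spread
    of its residuals, which defines how much deviation is still 'normal'."""
    slope, intercept = fit_line(points)
    residuals = [y - (slope * x + intercept) for x, y in points]
    # n - 2 degrees of freedom because two parameters were estimated
    sigma = math.sqrt(sum(r * r for r in residuals) / (len(points) - 2))
    # guard against a perfect fit, which would make every z-score infinite
    return {"slope": slope, "intercept": intercept, "sigma": max(sigma, 1e-9)}


def flow_zscore(baseline, received, sent):
    """How many residual standard deviations the observed bytes_sent lies
    from the value the regression predicts for this bytes_received."""
    predicted = baseline["slope"] * received + baseline["intercept"]
    return (sent - predicted) / baseline["sigma"]


def find_anomalies(baseline, flows, k=3.0):
    """Return (index, zscore) for flows whose sent-byte count departs from
    the prediction by more than k sigma in either direction."""
    flagged = []
    for i, (received, sent) in enumerate(flows):
        z = flow_zscore(baseline, received, sent)
        if abs(z) > k:
            flagged.append((i, z))
    return flagged


BASELINE = build_baseline(NORMAL_FLOWS)

if __name__ == "__main__":
    # Constructed observations: two ordinary downloads and one flow where
    # the client pushes far more data out than the baseline predicts.
    observed = [(10000, 705), (3000, 48000), (22000, 1315)]
    for idx, z in find_anomalies(BASELINE, observed):
        print(f"flow {idx} {observed[idx]} deviates by {z:+.1f} sigma")
```

The same shape (fit on normal, score residuals, threshold in sigma) applies to any other packet parameter the NTA collects, such as packet size or inter-arrival time, as long as the baseline is refitted as the normal profile drifts.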
Four company-specific tools that employ AI for cybersecurity
TAA tool (Symantec’s Targeted Attack Analytics):
This tool was developed by Symantec and is used to uncover hidden and targeted attacks. It
applies AI and machine learning to the processes, knowledge and capabilities of Symantec’s
security experts and researchers.
The TAA tool was used by Symantec to fight a Dragonfly 2.0 attack last year. This attack
targeted several energy companies and tried to gain access to their operational networks.
The TAA tool analyzes incidents in the network against incidents found in Symantec’s
threat data lake. TAA reveals suspicious activities at each endpoint and compiles the
information to determine whether each action indicates hidden malicious activity. The TAA tool is
now available to Symantec Advanced Threat Protection (ATP) customers.
Sophos Intercept X:
The tool, Intercept X, uses deep learning neural networks that work similarly to the
human brain. In 2010, the US Defense Advanced Research Projects Agency (DARPA)
created its first Cyber Genome Program to uncover the ‘DNA’ of malware and other cyber
threats, which led to the creation of the algorithms in Intercept X.
Before a file is executed, Intercept X can extract millions of features from the file,
conduct in-depth analysis, and determine whether the file is benign or dangerous in 20
milliseconds. The model is trained on real-world feedback and two-way sharing of threat
intelligence, with access to millions of samples provided by data scientists. This results
in a high level of accuracy for both existing and zero-day malware, and a lower false-positive
rate. Intercept X uses behaviour analysis to limit new ransomware and
boot-record attacks. Intercept X has been tested by several third parties such as NSS
Labs and received high scores. It has also been validated through VirusTotal since August 2016.
Darktrace Antigena:
Darktrace Antigena is Darktrace’s active self-defence product. Antigena extends
Darktrace’s core capabilities to detect and replicate digital antibody functions that identify
and neutralize threats and viruses. Antigena utilizes Darktrace’s Enterprise Immune
System to identify suspicious activities and respond in real-time, depending on the severity
of the threat. With the help of the underlying machine learning technology, Darktrace
Antigena identifies and protects against unknown threats as they develop.
It does this without the need for human intervention, prior knowledge of attacks, rules
or signatures. With such automatic response capabilities, organizations can respond to
threats quickly without disrupting normal business activity. The Darktrace
Antigena module helps manage user and machine access to the internet, messaging
protocols, and machine and network connectivity through products such as
Antigena Internet, Antigena Communication, and Antigena Network.
IBM QRadar Advisor:
IBM QRadar Advisor uses IBM Watson technology to fight cyber attacks, using AI to automatically
investigate indicators of compromise and exploits. QRadar Advisor uses cognitive reasoning to provide
critical insight and further accelerate the response cycle. With the help of IBM QRadar Advisor, security
analysts can assess threat incidents and reduce their risk.
IBM QRadar Advisor features: automatic incident investigation, smart reasoning, high-priority risk
identification, and key insights about users and important assets.
QRadar Advisor with Watson investigates threat incidents by mining local data, using what can be observed in
the incident to gather a broader local context. It then quickly assesses whether the threat has passed or been
blocked by layered defences. QRadar identifies possible threats by applying cognitive reasoning. It connects
threat entities associated with genuine incidents, such as malicious files, suspicious IP addresses, and malicious
entities, to draw out the relationships between these entities. With this tool, one can get critical insights about
an incident, such as whether the malware has been executed or not, with supporting evidence, to focus your time
on higher-risk threats and then make a quick decision about the best response for your business. IBM QRadar can
detect suspicious behaviour by people through integration with the User Behavior Analytics (UBA) application
and understand how certain activities or profiles affect the system.
THANK YOU