By Smit Kadakia, Co-founder, Seceon
Overview
The goal of artificial intelligence is to enable the development of computers that do things normally done by people, and in particular things associated with people acting intelligently. In the case of cybersecurity, its most practical application has been automating human-intensive tasks to keep pace with attackers! Progressive organizations have begun using artificial intelligence in cybersecurity applications to defend against attackers. However, on its own, artificial intelligence is best designed to identify “what is wrong.”
For today’s enterprise, that’s only half the challenge of defending against attackers. What today’s enterprise needs is not only to know “what is wrong” in the face of a breach, but also to understand “why it’s wrong” and “how to fix it!” By combining artificial intelligence with machine learning to analyze and interpret actions and behaviors to predict attack patterns and recommend actions to stop threats in motion, technologists have devised a means to generate actionable intelligence. This article will seek to explain how artificial intelligence and machine learning can be used to practical effect in defending the enterprise in real time.
Introduction
Machine Learning (ML) and Artificial Intelligence (AI) have been around in one form or another since the latter half of the last century, but in the last few years they have picked up significant pace and become applicable enough to change our day-to-day life. Data science, which now includes both ML and AI, among other things, has taken off on its own to become a major discipline in the educational world.
Business stakeholders have also recognized the importance of this discipline and have been leveraging contemporary data science methods to mine valuable information, make smarter business decisions and explore new opportunities using existing or newly harvested information.
The internet and mobile revolution of the last few decades have helped generate volumes of valuable information with the potential to derive critical behavioral and structural insights from its collection. Naturally, the information gathering was vastly helped by the highly connected world of people, the devices that they use and the mechanisms that facilitate collaboration on both a professional and social level. However, along with such benefits comes the dark side of exposing this information, leaving it open to bad elements of society for unintended use, such as financial exploitation through ransomware and malware types of cybersecurity attacks.
In the face of these attacks, technologists have begun developing a combination of cybersecurity defense techniques that rely on the collection of large volumes of real-time network, application and user interaction and behavioral data. This mix of data science techniques is the crux of how ML and AI disciplines can be leveraged in cybersecurity for proactively thwarting such attacks.
So, how are ML and AI different? How do they leverage interaction and behavior, and why is this important?
Machine Learning can be broadly defined as a focused approach of math and statistics-based algorithms that are designed to improve the performance of specific tasks through experience or learning, tasks that may or may not be easy for humans to do. On the other hand, Artificial Intelligence can be defined as a focused engineering approach for computing machines to do the tasks that we as people can do quite naturally, but conduct them without mistakes and, sometimes, much faster.
Andy Veluswami of Change.org expresses a visionary insight as, “We’re going to have a day, and I hope it’s soon, where machines aren’t just smart, but they’re also wise – and they have a context. Once we start getting there, and we already are, we’re going to start making a lot more progress.” We all intuitively know that this change is happening all around us; however, the practical aspect of this development, such as translating learning into “Actionable Intelligence,” is a key requirement that today’s cybersecurity practitioner must have.
So, how do we define what is and is not actionable intelligence in cybersecurity defense?
In the study of Machine Learning, the focus is on supervised and unsupervised learning. (We will not be considering deep learning in this article.) Supervised learning and many aspects of unsupervised learning require known anomalies to be available to learn from; the trained models then predict anomalies in test data and are fine-tuned through techniques such as cross-validation. In cybersecurity, one is usually looking for an anomaly in the midst of a huge amount of normal traffic or behavior. Such a characteristic makes anomaly detection a very difficult problem, like finding a needle in a haystack. Furthermore, it is unrealistic to expect that training with anomalous data points in one industry, say eCommerce, is applicable to another one such as a healthcare data center. Additionally, modern attacks are more sophisticated and they hide among many false attacks to defeat threat detection systems. Such complexity makes identifying anomalous training data points for all target industries a huge uphill battle. Lack of, or difficulties in obtaining, training data points makes unsupervised learning a necessity in the world of cyber defense.
Given that unsupervised learning is required for such environments, one has to think through its pitfalls and make sure that the prediction of anomalies does not increase false positives or compromise accuracy. Various measures, such as the Matthews Correlation Coefficient, are used to assess the confusion matrix for accuracy, sensitivity, etc. However, it is not easy to consistently get good measures from the matrix in practice, which demonstrates that more than just Machine Learning is needed to get the desired results. There are various approaches that one can take, but the end result has to be an actionable outcome from the algorithms with minimal noise. This is where AI comes into play.
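The measures named above, worked through as an added example (not code from the author or from Seceon): a median/MAD robust z-score stands in as an illustrative unsupervised detector over a constructed series of 1,000 readings with five labelled anomalies, and the confusion matrix is scored at three thresholds. The detector choice, the data, the thresholds and all function names are assumptions made for the illustration.

```python
import math
import statistics

def build_traffic():
    """Constructed sample: 1000 per-minute outbound-MB readings for one host."""
    values = [95 + (7 * i) % 11 for i in range(1000)]  # normal jitter, 95..105
    labels = [0] * 1000                                 # 1 = true anomaly
    for i in range(50, 1000, 100):                      # benign bursts (e.g. backups)
        values[i] = 112
    for i in (300, 700):                                # subtle true anomalies
        values[i], labels[i] = 108, 1
    for i in (120, 480, 840):                           # loud true anomalies
        values[i], labels[i] = 160, 1
    return values, labels

def robust_z_flags(values, threshold):
    """Assumed detector: flag readings far above the median, scaled by the MAD."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return [1 if 0.6745 * (v - med) / mad > threshold else 0 for v in values]

def confusion(labels, flags):
    """Return (TP, FP, FN, TN) for ground-truth labels against detector flags."""
    tp = sum(1 for y, f in zip(labels, flags) if y and f)
    fp = sum(1 for y, f in zip(labels, flags) if not y and f)
    fn = sum(1 for y, f in zip(labels, flags) if y and not f)
    tn = len(labels) - tp - fp - fn
    return tp, fp, fn, tn

def metrics(tp, fp, fn, tn):
    # MCC is undefined when a row or column of the matrix is empty; report 0.0.
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return {
        "accuracy": (tp + tn) / (tp + fp + fn + tn),
        "sensitivity": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "mcc": (tp * tn - fp * fn) / denom if denom else 0.0,
    }

def evaluate(threshold):
    values, labels = build_traffic()
    return metrics(*confusion(labels, robust_z_flags(values, threshold)))

if __name__ == "__main__":
    for t in (1.5, 3.5, 100.0):   # sensitive, conservative, flags nothing
        print(t, {k: round(v, 3) for k, v in evaluate(t).items()})
```

Accuracy stays between 0.99 and 0.998 at every threshold, including the one that flags nothing, while MCC moves from 0.0 to about 0.57 and 0.77 and precision falls to one in three once the benign bursts are flagged.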
In April 2016, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) demonstrated an artificial intelligence platform called AI2 that predicts cyber-attacks significantly better than existing systems by continuously incorporating input from human experts. The premise behind the finding is that it only needs an unsupervised suite of algorithms with feedback from expert security analysts to develop an AI-based algorithm that will detect the threats accurately. This too is a good approach, but these expert security analysts’ services come at a significant cost, both in terms of time and money.
Furthermore, many of the ML algorithms indicate the threats long after they have been introduced and have taken advantage of the vulnerability. For example, a clustering algorithm may detect a threat after analyzing a history of patterns and indicate that the anomaly was introduced into the network or a subnet some time ago. These threat findings are useful once you deploy an army of security ops staff to home in on the root cause of the anomaly and then address it. This sounds well and good, but the anomaly may already have spread by the time the security ops staff identify the root cause, requiring a much wider investigation with an increasing budget and a delayed response time.
Clearly, it is desirable to identify the threat in real time, as soon as it happens, as well as to provide specificity about where it occurred. Furthermore, the method of arriving at this conclusion should also be provided for the added benefit of understanding and quick action to address the root cause. Such actionable intelligence must reduce the skill set required to address the threat. Moreover, in a highly developed system, it must eliminate the need to engage a human, offer the intelligence just in time to prevent any further damage, reduce the time it takes for corrective action, or provide a good combination of all of these, minimizing the operational cost while keeping the organization ahead of the attacker’s plans.
Inherently, such actionable intelligence must instill confidence in the user in preventing future attacks by learning from the attack and the response behavior. The real-time actionable intelligence should not only help in quick analysis but should also help the organization learn from the intelligence much more rapidly and thoroughly so as to develop a better defense against not-yet-seen attacks as well.
We operate in an era where such systems are now in development with enterprising startups and vendors and are available in their early form. The advent of big-data platforms and related technologies is making this all possible. These systems are expected to dominate the cyber defense efforts of many of the elite organizations around the world and will be writing the next chapter at the forefront of cybersecurity. Genevieve Bell, Senior Fellow Vice President, Corporate Strategy Office, Corporate Sensing and Insights of Intel said in one of her recent presentations, “AI is the next big wave in computing. Like major transformations before it, AI is poised to usher in a better world.” The signs are all around to take us there.
About the Author
Smit Kadakia, Co-founder, Seceon
Smit leads Seceon’s data science and machine learning team, focused on developing a state-of-the-art behavior anomaly detection solution. Smit holds a B.S. from VJTI, Mumbai; an MS in Computer Science from Indian Statistical Institute, Kolkata; and an MBA from Southern New Hampshire University, Manchester. Smit and the team at Seceon have built the industry’s first and only fully-automated threat detection and remediation system using a combination of machine learning and artificial intelligence techniques.
Seceon’s approach includes analysis of all traffic, flows and processes in and out of the network and correlates them near-simultaneously with behavioral analytics, recognized and zero-day exploits and policies to surface threats and proposed responses in near-record real-time. To learn more visit http://www.seceon.com.