Artificial Intelligence (AI) in Cybersecurity

A visit to the InfoSec events that are held for the Cybersecurity industries will show you that nearly all exhibitors and vendors are now using Artificial Intelligence (AI) and promoting it in their advertising. Reading through recently published articles on the topic of AI in Cybersecurity, you will probably notice that some experts are talking about a breakthrough idea while others are stoking the hype still further.

The topic is already a hot topic in public discourse, but the fact remains that almost all experts see a great deal of potential for AI to solve issues in the Cybersecurity space. On the other hand, hackers are also taking advantage of new approaches that AI affords and at this point, the key question is how significant the potential and impact of this new technology is. What is needed is a closer look at AI as a fundamental technological innovation in the Cybersecurity space.

This “AI in Cybersecurity” tech blog series is structured into three parts. In this blog, we will focus on the current security model and explain why a new security model is needed from two different perspectives: that of architecture and automation, and secondly in terms of the detection gap. Artificial Intelligence is at the core of this new security model. In the second blog post, we will provide a high-level overview of the theoretical underpinnings of AI in Cybersecurity. This knowledge will ultimately help you to understand some current AI use cases in Cybersecurity, which will be the focus of the third blog post.

Automation: the need to remove technological restrictions and automate processes

When you analyse the security architecture of many companies, you see that most of them have invested a lot to get better value out of their Security Architecture and Security Operations Centres (SOCs). Meanwhile, companies are still struggling to protect their businesses and their data. These problems arise because internal processes and security teams are limited through technological restrictions, which are compounded by the sophistication of the attacks – and the attackers – that they face.

Consequently, we need to overcome technological restrictions and automate processes to enable SOC teams to stay ahead of even the most sophisticated hackers. Disparate tools need to be integrated into a common security architecture and the benefits of AI (performance, accuracy, handling of large datasets, etc.) will enable automated, intelligent investigation and response processes.

Detection Gap – Limited success by using Signatures and Behaviour Analysis with heuristics

Another Artificial Intelligence application can be found in enhanced detection capabilities, due to drastic increases as the amount of new unknown malware each day, the total number of malware actors, and the size of the Darknet. As such, we have reached the limitations of Signatures and Behaviour Analysis with heuristics.

Signatures represent the fingerprint of the malicious code and help to detect and identify malware. One weakness of this approach can be found in the fact that it relies on prior knowledge to predict and identify malicious code or data, meaning that simple changes in the malware’s characteristics – such as the structure and content of a file – often bypasses signatures. This is the case even where security systems can identify variants of the same file. Some experts say that anti-virus signatures now catch no more than 30-40% of malware, though others consider that this level may be as high as 65%.

Another approach to the detection and identification of malware is the use of Behaviour Analytics with heuristics. Implementing this approach requires that the attacking methods, code and functions are known and predefined. Consequently, the effectiveness of these reactive approaches is relatively low in terms of their accuracy and the number of false positives. Additionally, data communications are increasingly encrypted, making it even more difficult and expensive to detect modern threats using Deep Packet Inspection (DPI) based approaches. The main drawbacks of DPI include its reactive nature and the need to analyse each packet header and payload, which in turn requires lots of resources and makes it inefficient and expensive at scale.

Conclusion: AI-based technologies provide a promising approach toward enabling automation and bridging the detection gap. In short, then, a new security model is needed. In our next tech blog “Artificial Intelligence, Machine Learning and Deep Learning?” we will provide a theoretical background to AI in the Cybersecurity space.