Cyber attacks grow more sophisticated every day. New malware variants are spawned almost daily, the number of web attacks is up by 56%, and new practices like formjacking, cryptojacking, and Internet of Things (IoT) strikes have joined the ranks of old standbys such as ransomware and phishing. Defenders need a herculean assist to stay ahead of the never-ending attack vectors.
Many see a cyber security super hero in the form of machine learning and artificial intelligence capabilities folded into modern-day tools and platforms. Machine learning techniques can help comb through and analyze the vast amounts of data being collected to power real-time threat detection. Industry experts like PwC expect many organizations to get their first real taste of AI and machine learning through cyber security use cases, including distributed denial of service (DDoS) pattern recognition, prioritization of log alerts for escalation and investigation, and risk-based authentication. According to PwC’s 2018 Global State of Information Security Survey, 27% of organizations plan to invest in cyber security defenses that incorporate some form of AI and machine learning.
Enthusiasm is building for the simple reason that AI and machine learning-enabled cyber security tools, whether intrusion prevention systems, endpoint security solutions or anti-virus platforms, have a much better shot at identifying and detecting attack vectors from a collective morass of data points than any individual threat analyst or team of security professionals.
“Identifying attacks and operations from adversarial groups is pretty hard because of the sheer size of the data set,” said Yun Shen, a senior principal researcher at Symantec, who is part of an effort to explore how to leverage next-generation technologies such as neural networks to solve the continuously-evolving cyber security challenge.
“Machine learning is actually one of the best tools for handling information security,” according to Shen. “If you can develop it in a responsible way, it can identify patterns that can be used to design specific defense strategies.”
Vendors across the security landscape already recognize that machine learning and AI, and whatever emanates beyond them, are game changers for enterprise-class security protections. Most of the leading security platforms now incorporate machine learning and AI capabilities to aid in the detection of anomalies, to help surface new and evolving threats prior to execution, and to facilitate identification and authentication.
In the case of Symantec’s Endpoint Protection offering, for example, advanced machine learning and AI capabilities work in tandem with the Global Intelligence Network (GIN), Symantec’s threat intelligence network that collects telemetry data from millions of attack sensors, to detect possible threats prior to execution as well as to flag potentially questionable files and websites so security organizations can take action before they can do damage.
“Attacks have gotten really sophisticated, and attackers have learned to be quieter and more subtle, hence the more damage they can do,” noted Eliezer Kanal, technical manager, CERT Data Science team, in the CERT Division of the Software Engineering Institute at Carnegie Mellon University. “Any large-scale organization that has 5,000 or more employees is going to have tens of thousands if not hundreds of thousands of incident tickets created on a monthly or daily basis. The chance that one person is going to find two tickets that are related is small, almost zero. Machine learning will find those patterns.”
Looking forward, the SEI team is researching how to apply natural language processing technology to train computers to find clues in specification documents and discover cyber security vulnerabilities without the help of human analysts, Kanal says.
Symantec researchers are also taking a leap beyond detecting malicious activity, aiming instead to predict the specific steps an adversary might take when performing an attack. Unlike other research initiatives that come to a binary conclusion—whether or not an attack will happen—the Symantec effort, dubbed Tiresias, is pushing the boundaries with Recurrent Neural Networks (RNNs) to predict future events based on previous observations. The ability to predict the exact actions an attacker might take as part of an Intrusion Prevention System, for example, would allow for proactive measures to prevent the attack from happening in the first place, Shen explains.
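The Tiresias passage above describes predicting an adversary's next step from the sequence of events already observed. The following is an added illustration of that idea, not Symantec's code or the Tiresias model: in place of the RNN the text describes it uses a simpler order-k Markov next-event model with backoff, which has the same interface (a history of events in, ranked candidate next events out). The event log, event names, the `NextEventPredictor` class, the `HIGH_SEVERITY` set and the `should_escalate` trigger are all constructed assumptions for the example; the trigger shows how a defender would turn a prediction into a proactive response before the predicted stage is observed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample telemetry, not real data: each inner list is the ordered
# sequence of detection events seen on one endpoint. Event names are hypothetical.
TRAINING_SEQUENCES: List[List[str]] = [
    ["port_scan", "ssh_bruteforce", "ssh_login", "privilege_escalation", "data_exfil"],
    ["port_scan", "ssh_bruteforce", "ssh_login", "privilege_escalation", "data_exfil"],
    ["port_scan", "web_scan", "sqli_attempt", "webshell_upload", "data_exfil"],
    ["port_scan", "web_scan", "sqli_attempt", "webshell_upload", "lateral_movement"],
    ["phishing_email", "macro_execution", "c2_beacon", "lateral_movement", "data_exfil"],
    ["phishing_email", "macro_execution", "c2_beacon", "lateral_movement", "data_exfil"],
]

# Assumed set of stages a SOC would want to pre-empt rather than merely log.
HIGH_SEVERITY = {"privilege_escalation", "lateral_movement", "data_exfil"}


class NextEventPredictor:
    """Order-k Markov next-event model: for every context of 1..k preceding
    events, count which event followed it. Stands in for the RNN described in
    the text; the interface (history in, ranked candidates out) is the same."""

    def __init__(self, order: int = 2) -> None:
        self.order = order
        self.counts: Dict[Tuple[str, ...], Counter] = defaultdict(Counter)

    def fit(self, sequences: Sequence[Sequence[str]]) -> "NextEventPredictor":
        for seq in sequences:
            for i in range(1, len(seq)):
                # Record seq[i] under every context length from 1 up to order.
                for k in range(1, self.order + 1):
                    if i - k < 0:
                        break
                    self.counts[tuple(seq[i - k:i])][seq[i]] += 1
        return self

    def predict(self, history: Sequence[str], top_n: int = 3) -> List[Tuple[str, float]]:
        """Rank likely next events. Uses the longest context seen in training,
        backing off to shorter ones; returns [] if even the last event is unknown."""
        for k in range(min(self.order, len(history)), 0, -1):
            ctx = tuple(history[-k:])
            if ctx in self.counts:
                dist = self.counts[ctx]
                total = sum(dist.values())
                return [(event, count / total) for event, count in dist.most_common(top_n)]
        return []


def should_escalate(model: NextEventPredictor, history: Sequence[str], threshold: float = 0.5) -> bool:
    """Proactive trigger: True when a high-severity stage is predicted with
    probability >= threshold, i.e. before that stage is actually observed."""
    return any(p >= threshold and event in HIGH_SEVERITY for event, p in model.predict(history))


def hit_rate_at(model: NextEventPredictor, sequence: Sequence[str], n: int) -> float:
    """Fraction of positions in a held-out sequence where the true next event
    is among the model's top-n predictions."""
    hits = 0
    for i in range(1, len(sequence)):
        top = [event for event, _ in model.predict(sequence[:i], top_n=n)]
        hits += sequence[i] in top
    return hits / (len(sequence) - 1)


if __name__ == "__main__":
    model = NextEventPredictor(order=2).fit(TRAINING_SEQUENCES)
    print(model.predict(["ssh_login"]))
    print(should_escalate(model, ["ssh_login"]))
    held_out = ["port_scan", "web_scan", "sqli_attempt", "webshell_upload", "data_exfil"]
    print(hit_rate_at(model, held_out, 2))
```

The backoff in `predict` matters in practice: an unseen two-event context (for example a beacon followed by an SSH brute-force attempt) still yields a prediction from the last event alone, so coverage degrades gracefully instead of falling silent. A real deployment would replace the count table with a sequence model trained on far larger telemetry, but the evaluation step (`hit_rate_at` on held-out sequences) and the escalation threshold are the parts a SOC would tune either way.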
Of course, there’s a flip side to any benefits AI, machine learning, and any of these other advanced technologies can deliver. As much as they provide a stronger defense to detect and potentially prevent cyber events, the technologies can also aid in creating new and more virulent attack vectors.
That’s why efforts like Tiresias are so important to the future of cyber security, Symantec’s researchers maintain.
“So far cyber security has been more about reactive security—this technology enables a shift to go from reactive to proactive and that’s key for the future,” said Pierre-Antoine Vervier, a senior principal research engineer at Symantec and part of the team working on Tiresias.