Application Security

2018: The Year Machine Intelligence Arrived in Cybersecurity

Machine intelligence, in its many forms, began having a significant impact on cybersecurity this year - setting the stage for growing intelligence in security automation for 2019.

Machine intelligence has become a technology player in fields from medical research to financial services. This year it began to make its presence felt in cybersecurity. The initial inroads have been tightly targeted, but some experts say more substantial uses are almost inevitable.

"Intelligence" is a word heavily freighted with meaning in cybersecurity technology because it covers a wide variety of techniques and products. Expert systems, machine learning, deep learning, and artificial intelligence are all represented in the whole, with each being used and promoted by different vendors and service organizations.

Antivirus protection is one of the tasks to which companies are applying intelligence. "Intelligent AV is all about catching more malware, and it really starts with the history of malware detection," says Corey Nachreiner, CTO of WatchGuard Technologies. He describes a series of techniques that look not at code patterns or signatures but at behavioral markers for code that is run in a protected environment. "They can change the way the binary could look, but they can't change what they have to do on your computer to do their bad thing," he says.

In looking for behavioral characteristics and matching them with code and other patterns, machine intelligence can discover patterns involving many more factors than a human could reasonably consider. And in doing so, it also finds related vulnerabilities faster. "What machine learning has really given us is the ability to predict patterns before they actually happen," Nachreiner says.

Intelligence is not only being applied to antivirus products, but it is also finding its way into security services, as well. "The best use of AI is to give security admins the ability to deconflict tasks – to know which, out of scores of possibilities, are critical and will have the greatest impact," says Ann Johnson, corporate vice president in the Microsoft Cybersecurity Solutions Group. She points out the critical requirement for this that comes from the sheer volume of security incidents. "Microsoft sees 6.5 trillion security signals a day. AI helps rationalize them down to a quantity that humans can deal with," she says.

As for the effectiveness of intelligence in dealing with these threats, Johnson points to the emergence of the Smoke Loader credential stealer. "It was blocked on Azure within milliseconds because the AI saw and recognized the pattern," she says.

That effectiveness in recognizing and acting on patterns will be used in more products and services in the future, many experts say. "Machines are really good at looking at vast amounts of data and making sense of it all in a statistical way, and humans are not," says Clarence Chio, CTO and co-founder of Unit21, and author of "Machine Learning & Security."

He points out that the vast majority of intelligence being used in security is "machine learning" rather than "artificial intelligence." That's because a defining characteristic of artificial intelligence is that it can produce an output developers never considered, rather than always creating a conclusion within a known range of responses.

"I think the real challenge in industry is not really the maturity in developing such systems, but to really hone the expectations of people using such things," Chio says.

That expectation will evolve and develop in the coming year, according to many experts. "What it's good at right now is kind of removing all the noise and the grunt work that security analysts or professionals have to deal with," Nachreiner says. "[Still], we're a long away from totally automating out the need for some type of security professional that occasionally has to make a decision."

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/8/2019 | 7:01:24 PM
Re: Probabilistic
@Curt: Yep. When you press even the most gung-ho "We offer AI!" marketers, they will admit that, no, they really don't -- at least, not generalized AI (a.k.a. "true AI", as we tend to think of it).

Unrelatedly, I really dig the drawn portrait that is your avatar. Florida artist?
Curt Franklin
50%
50%
Curt Franklin,
User Rank: Author
1/2/2019 | 10:54:52 AM
Re: Probabilistic
Joe, my understanding is that AI can be deterministic, but it's capable of being deterministic in ways that the developer didn't anticipate. Where machine learning is great at reaching rapid conclusions within a known population of answers, AI should be capable of "thinking outside the box" and finding correlations (and therefore, conclusions) that are outside any previously anticipate answers.

That's a much tougher thing to develop, and why most of the AI researchers I've talked to say that what we're seeing in security (and most of commercia computing) today is correctly classified as ML rather than AI.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2018 | 10:44:24 PM
Re: False positives
@Dr. T: In security studies, security-alert fatigue is routinely identified as the top or near-top obstacle facing security teams.

AI/ML can help, but you can also accomplish a lot by trying some lower-tech techniques (like banning all non-whitelisted bots, for instance).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2018 | 10:42:13 PM
Re: Probabilistic
> AI is probabilistic, not deterministic.

Is it, though? I mean, sure, modern ML programming relies on PPLs, but we have not reached true/generalized AI yet. Perhaps AI models will evolve such that some are more deterministic in nature.

Or maybe I'm overthinking this.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2018 | 10:39:05 PM
Re: Big data
@Dr. T: That's the very definition of big data: data collections that are so big that humans unaided by tech automation cannot possibly contend with them.

The real question, however, is to what extent actual ML and AI are necessary for this. Terrific analytics advances have been made -- but hurdles are still left to be overcome.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/27/2018 | 11:47:16 AM
Humans and AI
we're a long away from totally automating out the need for some type of security professional that occasionally has to make a decision." I would agree. Currently decision of action would still require humans in most scenarios.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/27/2018 | 11:44:55 AM
Big data
Machines are really good at looking at vast amounts of data and making sense of it all in a statistical way, and humans are not That makes sense. Humans are not equipped for big data, we need AI help to deal with it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/27/2018 | 11:43:04 AM
False positives
Microsoft sees 6.5 trillion security signals a day. AI helps rationalize them down to a quantity that humans can deal with Yes. This helps us avoiding false positives.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/27/2018 | 11:41:31 AM
Probabilistic
"The best use of AI is to give security admins the ability to deconflict tasks to know which, out of scores of possibilities, are critical and will have the greatest impact," This makes sense. AI is probabilistic, not deterministic. So someone should intervene at one point.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/27/2018 | 11:39:43 AM
Speed
What machine learning has really given us is the ability to predict patterns before they actually happen I think this is the important aspect of AI in cyber security, the speed.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6455
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a double-free problem in the function rec_mset_elem_destroy() in the file rec-mset.c.
CVE-2019-6456
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a NULL pointer dereference in the function rec_fex_size() in the file rec-fex.c of librec.a.
CVE-2019-6457
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_aggregate_reg_new in rec-aggregate.c in librec.a.
CVE-2019-6458
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_buf_new in rec-buf.c when called from rec_parse_rset in rec-parser.c in librec.a.
CVE-2019-6459
PUBLISHED: 2019-01-16
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_extract_type in rec-utils.c in librec.a.