Artificial Intelligence in Modern Cybersecurity Operations

As a rapidly evolving field of science, AI has become flexible to new approaches and tools allowing even cutting-edge technology such as quantum computing under its umbrella of methods.

George Wrenn, Founder and CEO, CyberSaint Security

March 28, 2019

AI has been around as a sub-field of computer science since the 1950s, but has undergone many "fits and starts." Different factions have over time Balkanized the definition of AI as well as the applications of the concept. This explains the "AI winters" that have at times derailed the field and distracted focus to other computer science fields such as robotics and machine vision. Fortunately, the field has matured enough to cease these arguments and delays in practical use. However, ethical debates still rage, as AI has a historical backdrop that is rooted in "machines simulating or replacing human thought and actions."

Here's how Wikipedia defines AI:

"Computer science defines AI research as the study of 'intelligent agents': any device that perceives its environment and takes actions that maximize its chance of successfully achieving its goals. More specifically, Kaplan and Haenlein define AI as 'a system's ability to correctly interpret external data, to learn from such data, and to use those learnings to achieve specific goals and tasks through flexible adaptation.' Colloquially, the term 'artificial intelligence' is used to describe machines that mimic 'cognitive' functions that humans associate with other human minds, such as 'learning' and 'problem solving.'"

AI began with Cybernetics, which sought to replicate or simulate the human mind in computational endeavors. It then evolved into cognitive as well as symbolic logic and expert systems, and lastly converged on the idea of a "general purpose intelligent machine" capable of performing almost all functions and problem solving.

Fast forward to the present: AI is now broken down into a variety of approaches that include everything from ethics to statistical methods, largely abandoning the historically conflicted evolution of the science.

Modern paradigms
In the spirit of this article, we will explore common modern approaches and how they are applied to help solve cybersecurity problems. We will also discuss how "chaining" of AI concepts and methods is used to solve or assist in security challenges.

AI-powered search
The first of these approaches is search, which is slightly different from traditional "Google" or brute force "match and report" methods. In modern AI, the search adds some intelligence in the form of optimization seeking. That is to say, the search is not just matching data but comparing the data to a given goal such as optimality or relationship to other data, or simply pruning vast amounts of data to sets that meet a specific goal or outcome. More importantly, these methods can nest beneath yet more intelligence, such as Darwinian-like genetic algorithms that iteratively look for better results or mutate to become better at finding a solution to a problem.

Practical use in cybersecurity
An example of this AI approach in cybersecurity is combing through massive data sets in the form of log files. Traditional and legacy security systems simply looked for keywords or things like IP addresses that matched known threat origins. However, AI in cybersecurity operations can not only find these keywords, it can also dynamically mutate the search algorithm to find other data that may indicate threat events. This presents a much more robust automation capability for many log and security event analysis systems, and it increases confidence in the results found or alerted on, lessening the human burden of investigating false positives. In a nutshell, AI-enabled search has a myriad of known and yet-to-be-discovered uses that are already reducing errors, finding threats and reducing false positives, all of which are desirable in today's oft-understaffed security operations departments.

Mathematical logic and rule-based AI
This approach uses a variety of mathematical and rule-based techniques to mimic reasoning and learning in a computer system, using data available to or produced by the algorithm. The range of precision may vary from "Fuzzy Logic" to pure "Applied Logic and Set Theory." However, most applications rely on variants of calculus. A simple example of this form of AI may be found in autonomous vehicles: if the camera sees a hexagonal sign, then check to see if it's the color red; if both conditions are met, then look for the four ASCII characters (STOP); if all are true, then apply brakes until the vehicle comes to a complete stop.

Practical use in cybersecurity
Perhaps the most practical use of this capability today may be found in areas like end user behavioral analytics. This capability enables systems to detect anomalous behavior of users or systems in an organization. For example, a user may on average fail to log in accurately five times during a working day. Expressed as a mathematical set: for each day, expect a class of user to generate approximately { 5 +/- 2 } bad logins (the range adds the Fuzzy Logic concept); then compare that value to, say, a moving average of the set of all organizational users, allowing a one-point variation from the larger group; compare the sets, and then trigger an alarm or lock out the account. All of this happens without having to engage an administrator, HR representative or other security professional to detect and stop a brute force login attempt or a human issue with the end user. This technology is on the market today under the category of End User Behavioral Analytics (EUBA).
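The failed-login rule described above can be written as detection logic over authentication logs. The following is an added example, not code from the article or from any EUBA product; the log format, the user names, the three-day window and the choice to alarm only when both comparisons are exceeded are assumptions.

```python
from collections import Counter, deque
from statistics import mean

EXPECTED, TOLERANCE = 5, 2   # the article's { 5 +/- 2 } bad logins per user per day
GROUP_SLACK = 1              # "one point variation" allowed above the group average
WINDOW_DAYS = 3              # assumed moving-average window (not given in the article)

# Constructed sample data: daily failed-login counts, expanded into log lines.
_COUNTS = {
    "2019-03-25": {"alice": 4, "bob": 6, "carol": 5},
    "2019-03-26": {"alice": 5, "bob": 3, "carol": 7},
    "2019-03-27": {"alice": 6, "bob": 5, "carol": 4},
    "2019-03-28": {"alice": 5, "bob": 4, "carol": 31},
}
SAMPLE_LOG = [f"{day} user={u} event=LOGIN_FAILED"
              for day, users in _COUNTS.items()
              for u, n in users.items() for _ in range(n)]

def count_failures(lines):
    """Return {day: Counter({user: failed logins})} parsed from log lines."""
    per_day = {}
    for line in lines:
        day, user_field, event_field = line.split()
        if event_field == "event=LOGIN_FAILED":
            per_day.setdefault(day, Counter())[user_field.split("=", 1)[1]] += 1
    return per_day

def is_anomalous(count, group_avg):
    """Alarm only when both the class band and the group comparison are exceeded."""
    return count > EXPECTED + TOLERANCE and count > group_avg + GROUP_SLACK

def detect(per_day):
    """Return [(day, user, count, group_avg)] for accounts to alarm on or lock out."""
    history = deque(maxlen=WINDOW_DAYS)   # per-user daily averages of recent days
    alerts = []
    for day in sorted(per_day):
        group_avg = mean(history) if history else float(EXPECTED)
        flagged = {u for u, n in per_day[day].items() if is_anomalous(n, group_avg)}
        alerts += [(day, u, per_day[day][u], group_avg) for u in sorted(flagged)]
        normal = [n for u, n in per_day[day].items() if u not in flagged]
        if normal:                        # keep flagged accounts out of the baseline
            history.append(mean(normal))
    return alerts

if __name__ == "__main__":
    for alert in detect(count_failures(SAMPLE_LOG)):
        print(alert)
```

Flagged accounts are left out of the moving average so that a brute force burst on one day does not raise the baseline and hide the next one.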

Statistical methods
The application of statistical methods such as probability dates back hundreds of years. The quantitative methods used are in many cases foundational to AI as a whole. The most popular of these is Bayesian statistics, which engages Bayes Theory. This method uses previously known data to reason about a new event, its probability and inferred believability.

Practical use in cybersecurity
An example of this AI approach in cybersecurity is found in anti-spam and phishing filters. A machine running Bayesian algorithms looks at each email message and scores the probability of it being valid or potentially dangerous. This approach has also been used in security information and event management (SIEM) systems for years. The main value there is event correlation and alerting for events that correlate to a set of known attacks, based on signatures and human-defined data. This enables lower false positives and better correlations over time for real events worthy of CISO action.
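A Bayesian message filter of the kind described above fits in a short naive Bayes scorer. This is an added example, not code from the article or from any mail or SIEM product; the training messages, the two labels and the use of Laplace smoothing are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed training messages (label, text).
TRAINING = [
    ("phish", "urgent verify your account password now"),
    ("phish", "your account is suspended click link to verify"),
    ("phish", "confirm password urgent security alert click here"),
    ("valid", "meeting agenda for monday attached"),
    ("valid", "please review the quarterly report attached"),
    ("valid", "lunch on monday to review the project agenda"),
]

def tokens(text):
    """Lowercase a message and split it into words."""
    return re.findall(r"[a-z']+", text.lower())

def train(samples):
    """Count word frequencies per label and message counts per label."""
    words = {"phish": Counter(), "valid": Counter()}
    docs = Counter()
    for label, text in samples:
        docs[label] += 1
        words[label].update(tokens(text))
    return words, docs

def phish_probability(text, model):
    """Posterior P(phish | message) from Bayes' rule with Laplace smoothing."""
    words, docs = model
    vocab = set(words["phish"]) | set(words["valid"])
    log_score = {}
    for label in ("phish", "valid"):
        total = sum(words[label].values())
        score = math.log(docs[label] / sum(docs.values()))   # prior from known data
        for tok in tokens(text):
            if tok in vocab:                                 # skip unseen words
                score += math.log((words[label][tok] + 1) / (total + len(vocab)))
        log_score[label] = score
    # Normalize in log space so long messages do not underflow to zero.
    top = max(log_score.values())
    weight = {k: math.exp(v - top) for k, v in log_score.items()}
    return weight["phish"] / (weight["phish"] + weight["valid"])

MODEL = train(TRAINING)

if __name__ == "__main__":
    for msg in ("urgent: verify your password", "agenda for the monday meeting"):
        print(f"{phish_probability(msg, MODEL):.3f}  {msg}")
```

A message made only of words the model has never seen scores 0.5, which is the prior from the evenly split training set.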

Neural networks
The use of neural networks in the early days of artificial intelligence was central to the growth of the science as a whole, given the parallel relationship to the human brain, what we know of its workings and its potential replication in software. Even the term is based on the potential linkage to human "neurons" and the way they work to solve problems. A neural network is easily visualized as a mesh of nodes with "one to many" connections that become "one to one" relationships between nodes as nodes "vote" as to which node in the matrix the path of data should follow. This process can either be hand crafted, with humans giving relative "votes" to each node, or it can "learn to vote" and extend the number of nodes artificially, as in newer evolutionary approaches to deep learning. In effect, there are static and growing varieties of neural networks.

Practical use in cybersecurity
Neural networks can be used for solving problems such as identifying malware origins and related families of malware. A properly trained neural network can evaluate characteristics of malware and "reason" through the voting process and linking across the net to suggest the etiology of a malware strain. Evolutionary approaches would remove most of the human element and allow the net to become larger and more accurate at identifying new malware strains, lessening the chance of "dead ends" where the net runs out of next nodes to vote.

The use of artificial intelligence in cybersecurity is not new. The major forms of AI described above that are in use presently demonstrate that it is real and has evolved beyond the tipping point for cybersecurity applications. Best yet, we are still in the early stages of this exciting field, as new applications are being identified such as IoT and quantum computing based cybersecurity technologies. Adding artificial intelligence to your technology and cybersecurity portfolio is a must for CTOs and CISOs who want to remain up to date on this white-hot growing set of technologies.

George Wrenn is a research affiliate in management science at the MIT Sloan School of Management. He is the founder and CEO of CyberSaint Security, formerly the vice president of cybersecurity and CSO for Schneider Electric globally. He has more than 25 years of experience in the field of cybersecurity.

About the Author(s)

George Wrenn

Founder and CEO, CyberSaint Security

George Wrenn is the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a Global Fortune 500 company, where he developed a comprehensive training program for security and compliance and enabled the successful certification of the company's products to rigorous industrial compliance standards worldwide. As a Graduate Fellow at MIT for over a decade, George conducts research and advanced coursework at the MIT Media Lab, the Sloan School of Management, the School of Engineering, the School of Architecture, and most recently, the MIT Security Studies program working on Cyber Warfare frameworks. He has more than 20 years of experience in the fields of cybersecurity, risk, and compliance.
