Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/1/2018
02:30 PM
Gary Golomb
Gary Golomb
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How AI Could Become the Firewall of 2003

An over-reliance on artificial intelligence and machine learning for the wrong uses will create unnecessary risks.

One of the shortcomings of the cybersecurity industry is a preoccupation with methodologies as solutions, rather than thinking about how they can be most useful. This scenario is happening right now with artificial intelligence (AI) and machine learning (ML) and reminds me of discussions I heard about firewalls back in 2003.

In 2003, pattern matching was the primary methodology for threat detection. As it became possible to perform pattern matching within hardware, the line between hardware-driven solutions (like firewalls) and software-based solutions — such as intrusion-detection systems — eroded.

Lost in this evolution was the fact that intrusion-detection systems went beyond pattern matching and included a combination of methodologies, including anomaly detection and event correlation, that never made it into firewalls. As a result, firewall-based pattern matching became the default solution for threat detection, as opposed to one important part of a whole.

This history is important because AI (really, ML) is simply another methodology in the evolution of tools that address specific aspects of the information security workflow.

Finding the Value of AI and ML in Security
Artificial intelligence is defined as having machines do "smart" or "intelligent" things on their own without human guidance. Machine learning is the practice of machines "learning" from data supplied by humans. Given these definitions, AI doesn't really exist in information security and won't for a long time.

ML solves a subset of well-defined security challenges far more effectively than existing methodologies.

Most of the time when you hear AI/ML referenced in marketing material, what's being described is heuristics, not computational statistics. Heuristics, while much simpler than AI, works very well on a variety of security activities while being far less computationally intensive than data science-based methodologies. 

ML is simply one tool out of the methodology toolbox for identifying undesirable activity and is most successful in tackling well-bounded and understood problems.

Before I'm written off as simply a critic of AI/ML in security, I'll note that as one of the first employees at Cylance, I witnessed firsthand the stunningly successful application of ML to the problem of malware detection. However, that technical success was anchored in the boundedness of the problem being studied and solved. Specifically:

  • Structurally bound: The type of data and structure either don't change or slowly evolve over years. In this case, the structure of data is defined by file format specs.
  • Behaviorally bound: In a good use case for ML, the data being modeled will only appear as the result of a limited set of actions, allowing data points to be predictably mapped to understood behaviors.
  • Subversive-free influence: This is the most important factor and is almost exclusive to the context of information security. We face malicious humans who have an incentive to find and exploit weaknesses in the ML model. With that said, it's incredibly difficult to make enough changes to a file that obscure it from statistical analysis while remaining valid enough to load by an operating system.

Malware analysis and endpoint detection and response is one example of an infosec challenge that meets the three constraints above — which is why machine learning has been incredibly effective in this market.

Applying that same thought process to the network is dangerous because network data is not structurally or behaviorally bound and the attacker can send any sequence of 0s and 1s on the network. So does that mean AI and ML are a dead end for analyzing network data?

Yes and no. If the approach is to just use these powerful technologies to spot deviations from a baseline for every user or device, then we will fail miserably. The false positives and negatives produced by this "intelligent" approach will require a human to analyze the results before acting.

For instance, traffic analysis that alerts based on network anomalies may tell you there is too much traffic from an IP address that has never acted like this in the past. Often, the problem is that a new backup process is being rolled out. That puts us right back at the same skills crisis epidemic that AI was promised to solve.

Instead, what if we used AI and ML to determine good versus bad by comparing across the environment and specifically by comparing entity behaviors to those from entities that are most similar? This allows the system to automatically learn about changes such as the new backup process.

Not all infosec ML use cases are created equal — technically or philosophically. Like the firewall of 2003, machine learning does have some well-matched use cases that are advancing the state of the art in enterprise protection.

However, an over-reliance on machine learning for poorly matched use cases will burden the enterprise with unnecessary additional risk and expense while contributing to other lasting negative impacts such as the atrophying of methodologies that compensate for ML's weaknesses.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info

Gary Golomb has nearly two decades of experience in threat analysis and has led investigations and containment efforts in a number of notable cases. With this experience — and a track record of researching and teaching state-of-the art detection and response ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26788
PUBLISHED: 2021-03-08
Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthentic...
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.