03:27 PM
Willy Leichter
News Analysis-Security Now

Magical Thinking Drives the Myth of AI Solving Security

AI is being called the solution to future security problems, but we shouldn't rely on the technology for too much, too soon.

Touring the Black Hat show recently in Las Vegas, I was struck by how the cybersecurity and Vegas entertainment industries seem to be converging: They both seem to love magic shows. While the IT versions aren't as glitzy, vendors continually pitch the next generation of technology as the magic cure to our growing cybersecurity challenges.

Let's face it -- we've invested billions of dollars over decades to improve security, yet the problems seem to continually get worse. The continual back and forth between clever hackers and reactive security products never seems to end. No doubt that we've gotten faster at identifying attacks and patching vulnerabilities, but the bad guys are upping their game dramatically using sophisticated tools created by well-organized crime syndicates and, of course, the NSA. It's hard to watch WannaCry, Petya, Industroyer and the other weekly attacks and say that we're winning.

In this environment, a healthy dose of skepticism is warranted when new vendors claim to have found the cure, especially when it all depends on the "magic" of artificial intelligence (AI). One security vendor, laying it on thick in a flowery blog post, describes the security advantages of AI as being like "a science fiction story" and "the effects are indeed magical." Seeing their demo at Black Hat, I asked for a bit more detail, and apparently, the secret to their success with AI is... (wait for it...) mathematics.

Artificial intelligence and machine learning are indeed powerful and transformative in many fields that require finding patterns in vast quantities of data. For the antivirus industry that has grown up around signatures and pattern matching, this does indeed seem like a breakthrough, and no doubt will reduce analysis time. But automating a flawed model doesn't always yield better results.

The antivirus model is fundamentally flawed because it is always looking backwards -- reacting to malware and creating signatures to capture the same virus when it returns. The underlying assumption is that bad actors fall back to the same old tactics over and over again, but nothing could be further from the truth. Reducing the reaction and signature update time is important with this model, and AI will likely help. But the larger problem is that pattern matching is easily fooled. Sophisticated hackers continually change tactics, modify tools and increasingly use fileless attacks, manipulating native scripts and blocks of memory to trick legitimate applications into doing the wrong thing. And no matter how fast the reaction time is, the largest threats come from vulnerabilities that have not yet been discovered, named and added to the catalog of known patterns. For example, WannaCry exploited the SMBv1 vulnerability that had existed unnoticed for 16 years, and flew under the radar of most security products until massive damage was done.

The other fundamental challenge with AI is that we're not fighting a static threat. We are fighting extremely resourceful humans who know they're battling AI and look for innovative ways to bypass controls and confuse machine learning models. This challenge is called "adversarial AI," and acknowledges that the "magical" tool is less effective when fighting itself. Steve Grobman, CTO at McAfee, describes this problem with a good analogy:

"If you have a motion sensor over your garage hooked up to your alarm system -- say every day I drove by your garage on a bicycle at 11 p.m., intentionally setting off the sensor. After about a month of the alarm going off regularly, you'd get frustrated and make it less sensitive, or just turn it off altogether. Then that gives me the opportunity to break in."

The fundamental problem is that the world of known bad stuff, while growing, is infinitely smaller than the realm of present and future unknown bad. While AI may deliver exponential progress in expanding our catalog of known bad stuff, the unknown continues to grow at an even faster pace.


A new school of thought is emerging. Rather than using the past to guess the future, new solutions are looking at the present -- the actual functioning of applications, for indicators of attack. Using deterministic methods, these solutions can map the known good activity of applications and take preventative action if anything goes off the rails.
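The contrast drawn above between a catalog of known-bad patterns and a map of known-good application activity, as an added example (not code from the article or from any vendor), run over constructed events. All application names, process names and payload bytes are hypothetical.

```python
import hashlib

# Constructed sample data: nothing here comes from a real incident.
KNOWN_BAD_SAMPLE = b"constructed-sample-payload-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}  # "known bad" catalog

def signature_match(blob: bytes) -> bool:
    """Backward-looking check: flags only content already in the catalog."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES

# Known-good map: for each application, the child processes it launches in
# normal operation (hypothetical baseline recorded during testing).
KNOWN_GOOD = {
    "webserver": {"logrotate", "php-worker"},
    "backup-agent": {"tar", "gzip"},
}

def deviates(app: str, child: str) -> bool:
    """Deterministic check: anything outside the recorded map is a deviation,
    including activity from applications that have no baseline at all."""
    return child not in KNOWN_GOOD.get(app, set())

def evaluate(events):
    """Return (app, child, signature_hit, deviation) for each event."""
    return [
        (e["app"], e["child"], signature_match(e["blob"]), deviates(e["app"], e["child"]))
        for e in events
    ]

# Constructed events; "blob" is the file content seen with the event and is
# empty when there is no file to hash (the fileless case).
EVENTS = [
    {"app": "webserver", "child": "php-worker", "blob": b"normal request"},
    {"app": "webserver", "child": "sh", "blob": KNOWN_BAD_SAMPLE},          # cataloged
    {"app": "webserver", "child": "sh", "blob": KNOWN_BAD_SAMPLE + b"!"},   # modified tool
    {"app": "webserver", "child": "powershell", "blob": b""},               # fileless
]

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

The deviation check also fires on any legitimate behavior that was never recorded, so the known-good map has to be rebuilt whenever the application changes.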


Willy Leichter is vice president of marketing for Virsec and he has worked with a wide range of global enterprises to help them meet evolving security challenges. With extensive experience in a range of IT domains including network security, global data privacy laws, data loss prevention, access control, email security and cloud applications, he is a frequent speaker at industry events and author on IT security and compliance issues.
