The speed of development and change in cyberspace over the last three to five years has amazed not only inexperienced users but also seasoned IT and information security specialists. Exponential growth is seen not only in the volume of processed data and the number of devices, applications, and services connected to the Internet, but also in the concepts and technologies themselves, and the comprehensive digitalization and move of most businesses online during the pandemic have only accelerated this trend.
Accelerating Technological Change
This speed is partly self-reinforcing: better tools for creating new technologies enable newer, more advanced tools, which in turn accelerate the creation of the next generation of technologies. The widespread use of high-level and very-high-level programming languages, powerful frameworks and development environments, cloud infrastructures, and virtualization and containerization technologies makes it possible to ‘assemble’ a new application in an unprecedentedly short time. Cyber threats multiply at the same rate, since attackers use the same highly effective development tools, including artificial intelligence, for their own purposes. This takes cyber confrontation to a new level: if it could previously be described as a battle of minds and carefully configured protection tools, it can now be called a full-fledged ‘war of machines’ in which artificial cyber intelligences fight each other.
Artificial Intelligence in Cybersecurity
Discussions about the practical application of artificial intelligence, including in information security, have been going on for a long time, but these tools entered the market only when three conditions were met: the maturity of such products allowed them to be used in corporate environments, the accuracy of their work began to justify their cost, and the capabilities of attackers grew so broad that they could be countered effectively and quickly only with this technology.
Historical Foundations of Artificial Intelligence
If we turn to history, the prerequisites for the concept of artificial intelligence were scientific studies that constructed mathematical models of an artificial neuron and a neural network based on observations of living organisms and natural neurons. In 1943, the American neurophysiologists Warren McCulloch and Walter Pitts, in their article “A Logical Calculus of the Ideas Immanent in Nervous Activity”, suggested that a network of artificial neurons similar to natural ones could perform logical and mathematical operations. The outstanding British scientist Alan Turing published the article “Intelligent Machinery” in 1948 and the work “Computing Machinery and Intelligence” in 1950, which describe the concepts of machine learning and artificial intelligence. The term “Artificial Intelligence” itself was introduced by the American computer scientist John McCarthy in 1956. These were some of the first attempts to “digitize” a living organism and to represent a living being as a set of algorithms that can be analyzed and reproduced.
Since then, science has made significant progress toward artificial intelligence: landmark events include the IBM Deep Blue supercomputer’s victory over chess grandmaster Garry Kasparov in 1997 and the 2016 victory of the AlphaGo program, developed by Google DeepMind, over professional Go player Lee Sedol. The first victory was achieved in chess, a game that lends itself well to algorithmic search over possible positions and moves; the second was achieved through machine learning, which AlphaGo used to teach itself the game of Go.
Key Terms and Definitions
So, let’s give modern definitions to several terms related to artificial intelligence (AI):
– Artificial intelligence (AI) – the performance of decision-making and learning tasks by information systems in a manner similar to the intelligence of living beings
– Neural network – an interconnected set of artificial neurons performing simple logical operations and capable of machine learning
– Machine learning (ML) – a technique for training an information system on provided datasets without predefined rules; it is a special case of artificial intelligence. The general task of machine learning is to build an algorithm (program) from the provided input data and the specified correct/expected results; the operation of an ML system is thus divided into initial training on the provided datasets and subsequent decision-making by the already trained system.
There are several ways of machine learning, for example:
– Supervised learning – a machine learning method that uses labeled datasets (classified objects with identified characteristic features) for which a “teacher” (a person or a training sample) specifies the correct question-answer pairs; from these, the system must build an algorithm for answering further similar questions
– Unsupervised learning – a machine learning method that uses no labeled datasets and no predefined question-answer pairs; the information system must find relationships between objects on its own, based on their known properties
– Semi-supervised learning – a machine learning method that combines a small amount of labeled data with a large amount of unlabeled data. This approach is justified by the fact that producing high-quality labeled datasets is a resource-intensive and lengthy process
– Reinforcement learning – a machine learning method in which the role of the “teacher” is played by the operating environment, which provides feedback to the information system depending on the decisions it makes.
At the same time, other algorithms can be used in machine learning, such as Bayesian networks, Markov chains, and gradient boosting.
– Deep learning – a special case of machine learning that uses complex multi-layer artificial neural networks to emulate the human brain when processing language (natural language processing), sound (speech recognition) and visual images (computer vision). Computer vision is already widely used in security systems, transport, and passenger control. Natural language processing and speech recognition systems help voice assistants such as Siri or Alice answer users’ questions.
– Big Data – large volumes of structured and unstructured data in digital form, characterized by volume, velocity and variety. Specialized software such as Apache Hadoop, Storm, and Spark, as well as NoSQL DBMSs, can be used to process Big Data. It is generally held that extracting business value from Big Data requires moving from heterogeneous data to structured information, and then to knowledge. A processed, structured and labeled dataset derived from a relevant Big Data array is a necessary (and one of the most valuable) component of machine learning in modern systems.
– Data mining – structuring and extracting useful information from a heterogeneous and unstructured mass of data, including Big Data.
– Fuzzy logic – the use of non-strict rules and imprecise answers to solve problems in artificial intelligence systems and neural networks. It can be used to model human behavior, for example by narrowing or limiting the search space for an answer depending on the context.
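The supervised-learning workflow defined above (train on labeled examples, then classify new inputs) can be illustrated with a minimal sketch. The code below is a hypothetical toy example in pure Python: a nearest-centroid classifier trained on made-up two-feature samples labeled “benign” and “malicious”; it is not taken from any real product.

```python
# Minimal sketch of supervised learning: a nearest-centroid classifier.
# The data and labels are hypothetical, chosen only to illustrate the
# "train on labeled examples, then classify new inputs" workflow.
from math import dist

# Training phase: a labeled dataset (feature vector -> class label).
labeled = [
    ((1.0, 1.2), "benign"),
    ((0.8, 1.0), "benign"),
    ((1.1, 0.9), "benign"),
    ((5.0, 4.8), "malicious"),
    ((4.7, 5.2), "malicious"),
    ((5.3, 5.0), "malicious"),
]

def train(samples):
    """Compute one centroid (mean feature vector) per class."""
    sums, counts = {}, {}
    for features, label in samples:
        acc = sums.setdefault(label, [0.0] * len(features))
        for i, x in enumerate(features):
            acc[i] += x
        counts[label] = counts.get(label, 0) + 1
    return {label: tuple(v / counts[label] for v in acc)
            for label, acc in sums.items()}

def predict(centroids, features):
    """Inference phase: assign the class of the nearest centroid."""
    return min(centroids, key=lambda label: dist(centroids[label], features))

model = train(labeled)
print(predict(model, (0.9, 1.1)))  # near the "benign" cluster
print(predict(model, (5.1, 4.9)))  # near the "malicious" cluster
```

The same two-phase split (training, then decision-making by the trained system) underlies the far more complex models discussed in the rest of the article.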
Practical Application of AI in Cybersecurity
Having considered the basic definitions and principles, let us move on to the practical application of artificial intelligence systems in cybersecurity. The use of AI in information security is justified primarily by two factors: the need for a prompt response to cyber incidents and the shortage of qualified cyber defense specialists. In modern conditions it is quite difficult to fill the staffing table with information security specialists who have the necessary experience, while large-scale incidents can develop rapidly: often every minute counts. If a company does not have a round-the-clock shift of information security analysts, then without a system for prompt autonomous incident response it will be difficult to ensure high-quality protection outside working hours. In addition, before an attack, intruders may perform a diversionary maneuver, for example launching a DDoS attack or active network scanning to distract cyber specialists.
In such situations, an artificial-intelligence-based incident response system helps: it can process a large number of security events simultaneously, automate the routine actions of analysts, and respond promptly to incidents without human intervention. For example, our IRP/SOAR solution Security Vision makes extensive use of artificial intelligence and machine learning: trained on previously resolved incidents, the platform itself suggests to the analyst an appropriate response action depending on the type and properties of a cyber incident, assembles the optimal response team from the colleagues with the most relevant knowledge, and, upon detecting atypical suspicious events, creates a corresponding incident and notifies the information security staff.
The IRP/SOAR Security Vision solution uses algorithms for predictive response to cyber incidents: the trained system can predict the attack vector and its subsequent development in the infrastructure, show trends, and then automatically stop malicious actions and advise SOC analysts.
Artificial-intelligence-based protection systems are indispensable for identifying anomalies in a large stream of information security events, for example by analyzing security logs and data from SIEM or SOAR solutions. This information, together with data from already processed and closed incidents, constitutes a high-quality labeled dataset on which the system can readily learn.
Classical deviation analysis systems are usually built on rules pre-set by operators: for example, exceeding a specific traffic volume, a certain number of unsuccessful authentication attempts, or a certain number of consecutive triggers of a protection tool. Systems based on artificial intelligence can make decisions independently, without “looking back” at rules previously created by information security employees, which may have lost their relevance and may not reflect the changed IT infrastructure.
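The contrast between a pre-set rule and a data-driven check can be shown in a few lines. The sketch below is a hypothetical illustration in pure Python: the hourly failed-login counts, the fixed threshold, and the z-score cut-off are all made-up values, not recommendations.

```python
# Sketch: fixed-rule vs. data-driven anomaly detection on failed-login counts.
# All numbers here are hypothetical and purely illustrative.
from statistics import mean, stdev

hourly_failed_logins = [3, 5, 4, 6, 2, 5, 4, 3, 48, 5]

# Classical approach: a threshold pre-set by an operator.
RULE_THRESHOLD = 20
rule_alerts = [i for i, n in enumerate(hourly_failed_logins)
               if n > RULE_THRESHOLD]

# Data-driven approach: learn what "normal" looks like from the data itself
# and flag values far above the observed mean (z-score over 2.5).
mu = mean(hourly_failed_logins)
sigma = stdev(hourly_failed_logins)
stat_alerts = [i for i, n in enumerate(hourly_failed_logins)
               if sigma > 0 and (n - mu) / sigma > 2.5]

print(rule_alerts, stat_alerts)  # both flag the spike at index 8
```

The operator-set threshold breaks silently if normal traffic levels change, whereas the statistical baseline is re-derived from the data itself; real systems replace this toy z-score with trained models.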
Anomaly detection can also help protect user data: for example, an online banking service can collect and analyze patterns (characteristic features, templates) of customer activity in order to quickly identify compromised accounts. If over the past year a user has connected to the service from a Russian IP address on weekdays during business hours using the Internet Explorer browser, then a night-time connection from China using Mozilla Firefox probably warrants temporarily blocking the account and alerting the customer. Financial organizations can also use machine learning and artificial intelligence to score borrowers, analyze financial risks, and power anti-fraud systems.
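The online-banking example above can be reduced to a simple risk score over session features. The sketch below is a hypothetical pure-Python illustration: the customer profile, the feature weights, and the blocking threshold are invented for the example and do not describe any real banking system.

```python
# Sketch: scoring a login attempt against a customer's learned pattern.
# Profile, weights, and threshold are hypothetical illustrations only.

# What the system has learned about this customer over the past year.
profile = {"country": "RU", "browser": "Internet Explorer",
           "hours": range(9, 19)}  # business hours

# Each deviation from the learned pattern adds to the risk score.
WEIGHTS = {"country": 3, "browser": 1, "hour": 2}
BLOCK_THRESHOLD = 4  # illustrative cut-off for temporarily blocking the account

def risk_score(profile, login):
    score = 0
    if login["country"] != profile["country"]:
        score += WEIGHTS["country"]
    if login["browser"] != profile["browser"]:
        score += WEIGHTS["browser"]
    if login["hour"] not in profile["hours"]:
        score += WEIGHTS["hour"]
    return score

usual = {"country": "RU", "browser": "Internet Explorer", "hour": 11}
suspect = {"country": "CN", "browser": "Mozilla Firefox", "hour": 3}

print(risk_score(profile, usual))    # 0 -> allow
print(risk_score(profile, suspect))  # 6 -> block and alert the customer
```

A production system would learn such weights from historical fraud data rather than hard-code them, but the decision logic (deviation from a per-customer baseline) is the same.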
Another application of artificial intelligence in cybersecurity is detecting internal violators: knowing a user’s typical behavior, the system can warn information security analysts of a significant change in an employee’s working pattern (visiting suspicious sites, prolonged absence from the work PC, a change in the circle of contacts in the corporate messenger, etc.). Physical security systems equipped with computer vision and speech processing can promptly notify security staff of attempts by outsiders or employees to pass a checkpoint using someone else’s pass, analyze employees’ work activity via web cameras, and assess how correctly managers communicate with clients over the phone.
Conclusion
It should not be forgotten that artificial-intelligence-based systems are also used by cybercriminals: known fraud schemes include deepfakes (realistic virtual images of a person) used to deceive anti-fraud systems, faked voices used in fraudulent calls to relatives of targeted persons asking them to transfer money, and the abuse of telephone IVR technologies for phishing and theft of funds. Malware, too, incorporates elements of artificial intelligence that allow attackers to escalate privileges much faster, move through the corporate network, and then find and steal the data they are interested in. Thus, technologies that have become available to the general public are used both for good and for harm, which means that such well-equipped cybercriminals can and must be fought with the most advanced means and methods of protection.