Outnumbered, yet Strong: Artificial Intelligence as a Force Multiplier in Cyber-Security


When talking about artificial intelligence, people typically envision a Sci-Fi world where robots dominate. But artificial intelligence is already improving everyday technologies such as ecommerce, surveillance systems and many others.

In cyber-security, artificial intelligence is implemented through machine learning techniques. Machine learning algorithms give computers the ability to learn and make predictions based on previously acknowledged data.

This technology shows its efficiency especially when dealing with millions of malicious files. Security analysts have to scrutinize more than 400,000 new malicious programs daily, according to AV-Test statistics. Traditional detection methods (signature-based systems) often lack the ability to be truly proactive. What’s more, security vendors also have to contend with third-party specialized services that offer obfuscation mechanisms to help hide malware from traditional AV systems.

The bad guys outnumber the good guys, but machine learning evens the odds.

Applying AI in cybersecurity

Tech firms and security vendors have started looking for ways to add this technology to their cybersecurity arsenal.

Bitdefender started integrating machine learning technologies in its detection systems seven years ago. A wide range of clustering and classifying algorithms is used to correctly and quickly answer the quintessential question: “Is this file clean or malicious?” For instance, if a million files need to be analyzed, those samples can be split into smaller groups (called clusters) where each file is similar to the others. Then all a security analyst has to do is analyze one file from each cluster and apply the findings to all of them.
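The cluster-then-review workflow described above, as an added illustration that is not Bitdefender's code. The sample names, feature sets (imported API names), 0.5 threshold and analyst verdicts are constructed assumptions, and greedy leader clustering over Jaccard similarity stands in for whichever algorithms a production system uses.

```python
# Constructed sample data: each file is reduced to a set of static features.
SAMPLES = {
    "a1": {"CreateFile", "WriteFile", "CryptEncrypt", "DeleteFile"},
    "a2": {"CreateFile", "WriteFile", "CryptEncrypt", "FindNextFile"},
    "a3": {"CreateFile", "WriteFile", "CryptEncrypt", "DeleteFile", "FindNextFile"},
    "b1": {"MessageBox", "GetOpenFileName", "ReadFile"},
    "b2": {"MessageBox", "GetOpenFileName", "ReadFile", "PrintDlg"},
    "c1": {"socket", "connect", "recv"},
}
# Constructed verdicts an analyst would give after reviewing one file per cluster.
ANALYST = {"a3": "malicious", "b1": "clean", "c1": "clean"}

def jaccard(a, b):
    """Similarity of two feature sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster(samples, threshold=0.5):
    """Greedy leader clustering: a sample joins the first cluster whose
    leader it resembles by at least `threshold`, else it starts a new one."""
    clusters = []  # each cluster is a list of names; element 0 is the leader
    for name in sorted(samples):
        for members in clusters:
            if jaccard(samples[name], samples[members[0]]) >= threshold:
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters

def medoid(members, samples):
    """Member most similar, in total, to the rest of its cluster."""
    return max(members,
               key=lambda m: sum(jaccard(samples[m], samples[o]) for o in members))

def triage(samples, analyst_verdict, threshold=0.5):
    """Review one representative per cluster and propagate its verdict."""
    reviewed, verdicts = [], {}
    for members in cluster(samples, threshold):
        rep = medoid(members, samples)
        reviewed.append(rep)
        for m in members:
            verdicts[m] = analyst_verdict[rep]
    return reviewed, verdicts

if __name__ == "__main__":
    reviewed, verdicts = triage(SAMPLES, ANALYST)
    print("analyst reviewed:", reviewed)
    print("propagated verdicts:", verdicts)
```

Propagated verdicts are only as reliable as the clusters are pure: with a threshold of 0.0 all six samples collapse into one cluster, and a single review would label clean and malicious files alike.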

More importantly, machine learning scores a high detection rate for new malware released in the wild.

An efficient security solution should protect against zero-day malware outbreaks. Any kind of machine learning technique used for malware detection must be adapted to achieve very few (close to 0) false positives, a detection rate that complements the one provided by detection methods already implemented, and a way to be trained with large data sets (either by using GPUs or parallelism).

The fundamental principle of machine learning is to recognize patterns that emerge from past experiences and make predictions based on them. This means security solutions can react to new, unseen cyber-threats faster than automated cyber-attack detection systems used today. The technology is also being adapted to fight off sophisticated attacks such as APTs, where threat actors are especially careful to remain undetected for indefinite periods of time.

Man versus machine

Blurring the line between man and machine, artificial intelligence is a great cyber-weapon, but can’t handle the burden of fighting cyber threats alone. Machine learning systems may yield false positives and a human’s decision is needed to retrain those algorithms with proper data.

Machines and cybersecurity experts need to work together. We, researchers, always keep an eye on how our algorithms are performing, which one is better and under what circumstances an algorithm needs to be modified to give better results. However, machine learning algorithms are, overall, more accurate in assessing potential malware threats from large amounts of intelligence data than their human counterparts. They are also better at tracking down intrusions quickly.

A hybrid approach, where machine-learning is supervised by human analysts, has proven to offer the best results so far.

When it comes to the future of AI, it’s almost impossible to predict the evolution of artificial intelligence. But, in the next year, machine learning will most likely focus on creating specific profiles for each user. If an action or user behavior does not match predefined patterns, the user will be notified. For instance, a spike in downloads in a short period of time will be marked as suspicious, and closely analyzed by a human expert.