Changing the Cyber Defense Game With AI

Nariman Mammadli
Jan 3, 2020 · 7 min read

The high frequency of successful large-scale cyber attacks points to gaps in conventional cybersecurity. Though attacks are often blamed on human error, the problems of the current cyber situation go deeper. In this article, I argue that the limitations of conventional defense lie in its simplistic and generic approach, which lets attackers bypass it with ease and reuse the same attack strategy on multiple victims. I show how the adoption of Artificial Intelligence can change this scene by personalizing the defense to the defender, forcing attackers into a different and harder game.

The increasing spread of technology into every sector of industry and every aspect of daily life has made our cyber footprint ever more complex. This brings a new challenge: keeping ourselves safe from cybercrime. Cyber theft is the fastest-growing category of crime, and nation-state-backed cybercriminals are expanding their targets beyond government institutions to businesses and industrial facilities.

Cybersecurity is now a determining factor in the success of organizations: their reputation, return on investment (ROI), and customer satisfaction depend on it. Under these circumstances, detecting cyber threats and responding to them on time is a key performance indicator of any realistic cyber defense strategy.

There is a wave of discussion in the cyber defense community regarding the insufficiency of the signature-based approach and how attackers, with ever more creative techniques, have overcome this defense strategy. These discussions are accompanied by proposals to use AI technologies to upgrade the capabilities of the signature-based method and provide a proactive rather than a reactive defense.

In this short essay, I expand on the contrast between the conventional signature-based or rule-based defense and the novel AI-based approach. To do so, I approach cyber defense from within the framework of anomaly detection, a canvas on which the distinction between the conventional and AI-based approaches can be drawn with clarity.

Anomaly Detection

Figure 1: Anomaly Detection Map

Pragmatic reasons impose a hierarchy of importance on assets, where the importance of an asset is determined by its impact on the end-goals. This is where a threat is differentiated from an anomaly: the higher the affected asset sits in the hierarchy of importance, the more likely an anomaly is to turn into a threat (Figure 2). Although it is easy to quantify how much surprise a given event raises through its anomaly score, it is not always straightforward to determine the importance of assets, especially in a complex and deeply intermingled IT infrastructure. For instance, an account could be crucial because of its complex relationships with other accounts, assets, and processes, yet go unnoticed until a successful attack is launched from that seemingly innocent starting point.

Figure 2. Relationship between anomaly, priority, and threat. The closer the affected asset is to the end-goal, the more likely it is that an anomaly turns into a threat.
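To make the relationship in Figure 2 concrete, here is a minimal sketch under the simplifying assumption that both the anomaly score and the asset importance can be expressed on a 0-to-1 scale. The asset names and importance values are hypothetical, and assigning importance by hand like this is exactly what becomes hard in a deeply intermingled infrastructure.

# Illustrative sketch only: weight how surprising an event is by how important
# the affected asset is. Asset names and importance values are hypothetical.

ASSET_IMPORTANCE = {
    "core-banking-db": 1.0,    # closest to the business end-goals
    "payments-gateway": 0.9,
    "hr-file-share": 0.4,
    "guest-wifi-ap": 0.1,      # peripheral asset
}

def threat_score(anomaly_score: float, asset: str) -> float:
    """Anomaly score weighted by the affected asset's place in the importance hierarchy."""
    importance = ASSET_IMPORTANCE.get(asset, 0.2)   # unknown assets get a low default weight
    return anomaly_score * importance

# The same degree of surprise is far more threatening on a critical asset.
print(threat_score(0.8, "core-banking-db"))   # 0.8  -> treat as a likely threat
print(threat_score(0.8, "guest-wifi-ap"))     # 0.08 -> probably just an anomaly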

In a given organization, say a bank, the highest-level goals are the business goals. The business goals depend on IT goals, which in turn require IT security goals. IT security goals imply standards and norms, whether explicit or implicit, that define the anomaly detection map in Figure 1. Generally speaking, then, every IT security team establishes standards concerning the IT security goals (which are themselves defined in relation to the general IT and business goals), collects the relevant pieces of information (e.g., audit logs), detects anomalies, quantifies their severity (their impact on the goals), and responds to them on time with minimal side effects.

Conventional defense

The approach above is an explicit formulation of norms: all expectations are written down somewhere and expressed precisely and concisely (e.g., block after more than five failed login attempts). However, there are always unwritten rules operating behind the scenes that govern all sorts of processes. These rules are implicit, and it is impossible to define them a priori since they emerge as things happen. For example, society operates on explicitly defined rules (traffic rules, the legal system, human rights, and similar protocols) as well as implicitly expressed ones (moral codes, social instincts, etc.).

Explicit rules are easy to define and modify on demand. Such rules tend to be generic, meaning they are not unique to the organization in question. They treat cyber events atomically, oblivious to their inter-relationships, which results in a high rate of false alarms. An example policy of "block if the transaction occurs outside the country of residence" prevents some fraudulent transactions, but it comes at the cost of client dissatisfaction when cards are blocked during trips. A credit card transaction has other nuances to it. Answers to questions such as "How often does the client travel?", "How much time has passed since the last transaction in the country of residence?", and "At which merchant is the transaction happening?" could lead to a smarter decision and therefore a lower false alarm rate, as sketched below. Adding these nuances, however, takes us into the domain of unwritten rules, where we lose the advantages of explicitness and easy maintenance. What is more, discovering such relevant nuances is a challenging task on its own.
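The sketch below contrasts the two styles of rule. The feature names, thresholds, and helper structures are hypothetical, chosen only to illustrate the argument, not taken from any real fraud system.

def explicit_rule(txn: dict) -> bool:
    """Generic, easy-to-maintain policy: block any transaction outside the country of residence."""
    return txn["country"] != txn["home_country"]

def contextual_rule(txn: dict, history: dict) -> bool:
    """Adds the 'unwritten' nuances: travel habits, recency of home activity, merchant type."""
    if txn["country"] == txn["home_country"]:
        return False
    frequent_traveller = history["trips_last_year"] >= 4
    recently_home = history["hours_since_home_txn"] < 2      # card used at home moments ago
    risky_merchant = txn["merchant_category"] in {"wire_transfer", "gift_cards"}
    # Block only when the surrounding context makes foreign use genuinely surprising.
    return (not frequent_traveller and recently_home) or risky_merchant

txn = {"country": "ES", "home_country": "CA", "merchant_category": "restaurant"}
history = {"trips_last_year": 6, "hours_since_home_txn": 96}
print(explicit_rule(txn))             # True  -> card blocked, an unhappy frequent traveller
print(contextual_rule(txn, history))  # False -> the context says this is probably the client

The price of the smarter decision is visible in the code itself: the contextual rule is no longer a one-line policy that anyone can read, audit, and maintain.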

To go under the radar, one needs to know about the radar. Radars in the form of signatures, rules, and policies, precisely because they are explicitly defined, are not complicated. The attacker therefore does not have much to learn and can bypass them with minimal effort. The barriers in one place closely resemble the barriers in another, allowing attackers to reuse, and even sell, their techniques against different victims.

Novel Defense

Figure 3. Spider web analogy for collective versus personalized defense. The radial beams are analogous to the collective defense logic, while the web, composed of those rays and their peculiar inter-connections, is analogous to the personalized defense logic.

Unwritten rules are holistic: they intertwine multiple factors spread both in time (patterns emerging over a given duration, for instance as seasonality) and in space (patterns emerging across events that coincide with one another, as in the credit card case described above). To extract unwritten rules, one needs to analyze event logs. Since such an analysis is an immense undertaking to perform manually, it needs to be automated.

The recent success of AI algorithms, especially in image and audio tasks, is due to their ability to extract patterns from empirical training data and use those patterns to classify or predict test data. The same technique can be applied to extract unwritten rules from cyber event logs. These unwritten rules can then enrich the conventional rules, policies, and signatures and build defense barriers unique to the organization. The AI-based approach alleviates the false alarm problem, since rules are more nuanced and anomalies that would fire in the conventional case are accounted for by the relevant context. It also takes away the burden of manual maintenance, since an AI algorithm picks up changes and reconfigures itself to the new situation automatically. An AI-erected radar, analogous to a fingerprint-based security system, is built upon unwritten rules specific and personal to the defender, forcing the attacker to play a more challenging game. The attacker now needs more detailed, in-depth intelligence about the victim, their metaphorical fingerprint, for a successful attack.
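As a minimal sketch of this idea, the snippet below trains an off-the-shelf anomaly detector (scikit-learn's Isolation Forest) on features derived from an organization's own historical logs. The feature choices and all numbers are hypothetical stand-ins for whatever a real deployment would engineer from its audit data.

# A minimal sketch, assuming event logs have already been turned into numeric
# feature vectors (e.g., hour of activity, megabytes transferred, distinct hosts
# contacted). All values here are synthetic.
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(0)

# The "unwritten rules" live in this organization's own history:
# 1,000 past events with three numeric features each stand in for them.
normal_events = rng.normal(loc=[9.0, 1.5, 3.0], scale=[2.0, 0.5, 1.0], size=(1000, 3))

# The model learns what is ordinary for *this* defender, not a generic signature.
detector = IsolationForest(contamination=0.01, random_state=0).fit(normal_events)

# A new event: activity at 3 a.m., a heavy transfer, fan-out to many hosts.
new_event = np.array([[3.0, 40.0, 25.0]])
print(detector.predict(new_event))        # -1 -> flagged as anomalous
print(detector.score_samples(new_event))  # lower score = more anomalous

Because the model is fitted to one organization's logs, the same snippet trained on a different organization's history would draw its decision boundary somewhere else, which is precisely what makes the resulting radar personal to the defender.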

The Achilles' heel of using AI is that the extracted patterns are usually not expressed in a form humans can readily understand: AI analyzes and correlates more data points than a human operator can handle (the AI black-box problem). To understand what an AI tool is trying to convey, the operator must know the environment very well. It is also harder to act on findings generated by an AI tool than on policy-based ones. Whereas with policy-based tools it is precisely clear which rule was broken when an alarm goes off, with an AI detection tool the root cause of an alarm can be tricky to pin down, since a multitude of data points contribute to it. These inherent constraints make it crucial that AI tools be operated by human specialists who have an in-depth understanding of the organization they work for.

Conclusion
