AI is increasingly being used for threat detection, malware analysis, insider threat identification and analyst support. On the flip side, however, AI is also being used for offensive purposes such as advanced password cracking and defender-aware malware.
Artificial intelligence is the new technological frontier. The more you look at new technologies, the more widely you will hear it mentioned, not just with regard to the solutions it will provide in the near future but those it already provides today. AI is here and it’s here to stay: we see it already in the algorithms that operate search engines and social media platforms, and in areas as diverse as computers that can beat human masters in chess tournaments.
What does artificial intelligence have to offer when it comes to the already fast-evolving cybersecurity space? Just as with all other areas of technology, the more you think about it the more applications you can imagine being addressed using AI.
Before moving on, a quick dive into what AI is and why it is actually needed.
What is Artificial Intelligence?
At a very high level, AI is technology that performs actions which until recently were limited to humans. To achieve this, the AI is trained on large data sets, which can be considered its experience. Humans then program algorithms which instruct the AI on the objectives it should aim for using the data, and on any caveats in the methods available.

Machine learning is the branch of AI most relevant here, defined as “The use and development of computer systems that are able to learn and adapt without following explicit instructions, by using algorithms and statistical models to analyse and draw inferences from patterns in data.”
It is important to be aware that no technology has yet convincingly passed the Turing test. As a result, AI has the same limitations that all computers have: it can perform the tasks it is programmed for, but it is not creative. AI doesn’t do what you want it to do, only what you tell it to do, and any miscalculation in the program or algorithm will skew the results.
AI in Cybersecurity Defence
There are four main use cases for AI in defensive cybersecurity.
1. Network threat analysis
By placing a module on a network that records all network activity, an administrator can establish baselines of activity over a period of time. The AI can then raise alerts when anomalous activity is detected, and either the administrator takes action (perhaps locking user accounts or issuing password-reset instructions) or the AI executes pre-defined protocols.
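As a minimal sketch of the baseline idea, assume the module records hourly request counts (a hypothetical simplification; real systems model many signals at once). Flagging anything several standard deviations from the established norm is the simplest possible anomaly test:

```python
import statistics

# Hypothetical hourly request counts recorded during a baseline period.
baseline = [120, 115, 130, 125, 118, 122, 127, 119, 124, 121]

mean = statistics.mean(baseline)
stdev = statistics.stdev(baseline)

def is_anomalous(observed, threshold=3.0):
    """Flag activity more than `threshold` standard deviations from baseline."""
    return abs(observed - mean) / stdev > threshold

print(is_anomalous(123))  # False: within normal variation
print(is_anomalous(900))  # True: a spike worth alerting on
```

A production system would recompute the baseline continuously and weigh many features together, but the principle, learn what normal looks like and alert on deviation, is the same.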
2. Malware detection
Different strains of malware behave in defined ways. By collecting as many different malware signatures as possible, an AI can be trained to detect them when they appear on a user’s computer or network. Defensive action can then be taken based on the known behaviour of that particular malware.
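The simplest form of this is exact signature matching, sketched below with hypothetical SHA-256 digests standing in for a signature database. AI-based detectors go further, generalising from signatures to behaviour, which lets them catch variants an exact hash would miss:

```python
import hashlib

# Hypothetical signature database: SHA-256 digests of known malware samples.
KNOWN_MALWARE_HASHES = {
    hashlib.sha256(b"malicious payload v1").hexdigest(),
    hashlib.sha256(b"malicious payload v2").hexdigest(),
}

def scan(file_bytes: bytes) -> bool:
    """Return True if the file exactly matches a known malware signature."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_MALWARE_HASHES

print(scan(b"malicious payload v1"))  # True
print(scan(b"harmless document"))     # False
```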
3. Security analyst augmentation
The cybersecurity threat landscape is constantly evolving, so AI isn’t able to fully replace human engineers and analysts. Nonetheless, it is of great use in processing large data sets quickly and efficiently. What has changed is that, instead of manually processing data, humans now spend their time working out how to tune the algorithm to produce exactly the right results. Once the algorithm is correctly tuned, the AI can be turned on and its results monitored for inconsistencies and anomalies. By doing the work once and then letting the AI take over, great savings in time are achieved.
4. Insider threat detection and mitigation
Insider threats can be among the most impactful, and whether they result from intentional action, negligence or an external attack, they all take place within the network boundary. Because the internal network is a controlled environment, it is an ideal candidate for AI defence. Through a combination of live monitoring and dynamic log analysis, AI can establish baselines of activity and then alert when something out of the ordinary occurs. How well the AI performs depends on the quality of the data used to train it and the configuration of the algorithm it operates under.
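As a toy illustration of the log-analysis side, assume an authentication log of (user, login hour) pairs; the users and hours below are invented. A per-user baseline of normal working hours is already enough to flag an unusual 3 a.m. login, though production systems would model far richer behaviour:

```python
from collections import defaultdict

# Hypothetical authentication log entries: (username, hour_of_login).
log = [
    ("alice", 9), ("alice", 10), ("alice", 9), ("alice", 11),
    ("bob", 14), ("bob", 15), ("bob", 13),
]

# Build a per-user baseline of the hours at which logins normally occur.
baseline = defaultdict(set)
for user, hour in log:
    baseline[user].add(hour)

def out_of_ordinary(user, hour):
    """Alert when a user logs in at an hour never seen in their baseline."""
    return hour not in baseline[user]

print(out_of_ordinary("alice", 10))  # False: within normal hours
print(out_of_ordinary("alice", 3))   # True: a 3 a.m. login warrants review
```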
One might imagine from what’s been said so far that AI is working well in cybersecurity: threats are being detected as they develop and the road to security is clear and unimpeded. In short, technology will save the day.
However, things may not be so straightforward. Anyone involved in cybersecurity will know there isn’t a level playing field between attackers and defenders; the relationship can only be described as an arms race. Unlike the arms races of history, only the attackers keep their capabilities secret.
Cyber attackers are able to read the same research papers as the defenders and then, especially if they’re working at a nation state level, they may have access to further private research provided by their sponsors. As such, attackers are able to understand the methods being employed by defenders and work out how to circumvent them in real time.
Malicious Uses for AI in Cybersecurity
Password cracking and list generation
One area in which AI has played a role for some time is password list generation and hash cracking. When generating lists of passwords, the typical approach is to scrape social media profiles for relevant words such as pets’ names and residential locations. This is combined with other available information, such as previously breached passwords. The items in the list are then mutated in ways that mimic how people create passwords, such as character replacement. The final list can then be used to mount brute-force attacks against known usernames.
This process can be completed far more comprehensively and quickly using AI, because methods of mutating passwords follow standard patterns, and an AI can be trained to include the popular methods and ignore less likely options. The result is a shorter list containing the most likely password mutations. It is possible this approach in part accounts for the rise in Business Email Compromise attacks over recent years. A similar approach is taken to cracking password hashes recovered from a breached system: each candidate password is hashed and compared to the stolen hash in the hope of finding a match that reveals a user’s password.
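Both halves of this, mutation and hash comparison, can be sketched in a few lines. The substitution table, suffixes and the seed word "rex" below are illustrative assumptions, not any real tool's rule set:

```python
import hashlib

# Common character substitutions people use when "strengthening" passwords.
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

def mutate(word):
    """Generate likely human-style mutations of a scraped seed word."""
    variants = {word, word.capitalize(), word.upper()}
    for w in list(variants):
        variants.add("".join(SUBS.get(c, c) for c in w.lower()))
    # Append common suffixes such as digits and punctuation.
    for w in list(variants):
        for suffix in ("1", "123", "!"):
            variants.add(w + suffix)
    return variants

# "rex" might be a pet's name scraped from a social media profile.
candidates = mutate("rex")

# Cracking: hash each candidate and compare against a hash from a breach.
target = hashlib.sha256(b"r3x123").hexdigest()
match = next((c for c in candidates
              if hashlib.sha256(c.encode()).hexdigest() == target), None)
print(match)  # r3x123
```

The AI's contribution is essentially a learned, better-ranked version of `mutate`: trained on breached password corpora, it emits the mutations people actually use and skips the rest, shrinking the candidate list.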
Defender aware malware
Just as networks can be configured to detect malware and take defensive action, malware can be configured to detect network defences and take its own evasive or defensive action. An attacker might buy a defensive technology and deploy it on a network they control purely to reverse-engineer how it detects malware signatures and what actions it takes to prevent spread. The attackers can then create their own signatures for those defensive technologies; when their malware detects them, it can hide itself or take other action.
Data poisoning and bots
Coming back to the idea that attackers have access to all public information about defensive technologies, and given that AI learns from data, we must expect attackers to target not just the implementation of defensive technologies but the very foundations on which they work. For example, an attacker could poison the data used to train a defensive AI so that it fails to flag specific activity as malicious. The attacker could then exploit that blind spot for a significant period before being discovered. These attacks are already occurring in the wild and will continue to become more common.
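To make the poisoning concrete, here is a deliberately tiny, hypothetical stand-in for a defensive AI: a nearest-centroid classifier over a single feature (outbound connections per minute), with all numbers invented. A handful of mislabelled samples slipped into the training set shifts the "benign" centroid and opens a blind spot:

```python
# Toy training data: (connections_per_minute, label); 0 = benign, 1 = malicious.
clean = [(2, 0), (3, 0), (4, 0), (40, 1), (45, 1), (50, 1)]

def train(data):
    """Return the mean (centroid) of each class."""
    benign = [x for x, y in data if y == 0]
    malicious = [x for x, y in data if y == 1]
    return sum(benign) / len(benign), sum(malicious) / len(malicious)

def classify(x, centroids):
    """Assign the class whose centroid is nearest."""
    b, m = centroids
    return 1 if abs(x - m) < abs(x - b) else 0

print(classify(30, train(clean)))  # 1: flagged as malicious

# Poisoning: mislabelled high-rate samples injected into the training set
# teach the model that heavy outbound traffic is "benign".
poisoned = clean + [(40, 0), (45, 0), (48, 0), (52, 0), (44, 0)]
print(classify(30, train(poisoned)))  # 0: the same activity now goes undetected
```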
The New Frontier
Generative adversarial networks (GANs) are a machine-learning technique in which two models are trained against each other: a generator tries to produce outputs that fool a discriminator, while the discriminator learns to tell them apart. The same adversarial dynamic appears when an AI-enabled attacker targets an AI-protected network. Each technology gathers data on the behaviour of the other, and each learns from that data without direct human interaction. This must truly be the new frontier for cybersecurity: the point at which attacking and defending technologies stop relying directly on humans for their inputs. We are at the very beginning of this branch of the arms race. We can speculate on the outcome, but beyond speculation no one knows for sure where this education of AI will lead.
Conclusion
AI brings both opportunities and challenges, as more data can be processed faster than ever before. However, as with all technologies, AI is only as good as the data used to train it. It presents us with incredible solutions combined with wide-ranging challenges as we try to steer how the technology develops. Within these challenges are deep ethical questions that defensive developers must try to answer while still competing with the innovations produced by their malicious counterparts.