Myths and Realities About AI’s Cybersecurity Potential

While an increasingly valuable ally to security pros, AI still has some maturing to do before it can alleviate the need for human talent.

By Paul Gillin September 4, 2019

The world is facing a shortage of nearly 3 million cybersecurity professionals. Breaches that expose millions of customer records have become practically a weekly event. Research firm Gartner expects global cybersecurity spending to increase at nearly four times the rate (12.4%) of overall IT spending this year (3.2%). Can artificial intelligence (AI) be the solution to this intractable situation?

Not yet, said Nicolas Kseib, lead data scientist at TruSTAR, maker of a management platform that helps enterprises operationalize security data. While AI is proving to be a strong ally to human security researchers, the technology is still too immature to rely on for the complex decision-making that would alleviate the pressing need for human security professionals.

“Be aware that what is called AI today does not even match the cognitive capabilities of a two-year-old,” Kseib said.

What appears to be intelligent behavior or human-like thinking in AI software or robots is actually “a bunch of models trained on large datasets to perform specific brute-force tasks,” he added.

AI’s Derivatives and Potential

Not that there’s anything wrong with that. AI and its two most common applications, machine learning (ML) and deep learning (DL), are already providing assistance to beleaguered security pros. ML and DL algorithms can process more information and spot more patterns than their human counterparts. 

While AI is any activity related to making machines smart, ML is a subset of AI that involves training algorithms so that they can learn and dynamically modify themselves when exposed to more data, without human intervention. DL is a subset of ML that imitates the workings of the human brain. It can process large volumes of unstructured or unlabeled data, unsupervised, using multiple levels of “thought.”

By way of example, a strong use case for ML is discovering that certain combinations of prescription drugs are more likely to cause negative interactions in patients with diabetes. DL excels at tasks like voice and face recognition.

Making Sense from Huge Volumes of Security Data

In the security realm, ML and DL are useful for cutting down on the volume of false alerts – events that look like breaches but are in fact benign – that plague intrusion detection systems.

“It’s especially promising in areas where you have a lot of complex data to sort through,” said Sven Krasser, chief scientist at CrowdStrike, a maker of endpoint protection software. “We can see events more clearly and statistically dissect files to decide if they’re good or bad.”

Makers of anti-malware software see potential in ML for moving beyond signature detection to find rogue programs based upon behavior.

“Malware makers are going to have a much more difficult time when they start dealing with the technology our industry is developing,” said Adam Kujawa, director of Malwarebytes Labs.

Malwarebytes is training ML algorithms about the behavior of known malware threats and then letting the software figure out how to spot new ones. About five percent of the nearly 94 million detections logged in the first five months of this year were attributed to ML.

That hasn’t eliminated the need for humans, but “AI takes care of a lot of the grunt work,” Kujawa said.

Researchers also see potential in DL to spot phishing attacks, which trick recipients into clicking malicious links by disguising them in seemingly legitimate email or social media messages.

Deployment Levels

AI capabilities are rapidly making their way into commercial products: 73% of respondents to a survey of more than 400 enterprise security analysts conducted by Osterman Research and commissioned by ProtectWise said they’re already using security products that incorporate at least some AI.

However, the immaturity of current technology has taken its toll. Forty-six percent of respondents to the same survey said rules creation and implementation are burdensome, and one-quarter said that they don’t plan to implement additional AI-enabled security solutions in the future.

John Omernik feels their pain. The former senior vice president of security innovations at Bank of America said inflated claims by security vendors are confusing customers and may even lull them into a false sense of complacency about how much the products can actually do.

“Most AI solutions are solving a problem better than humans, but … we haven’t found ways to solve problems humans can’t solve,” he said.

Achilles Heel: Prone to Bias

While ML can appear to be a black-box remedy, it has some underlying frailties. ML algorithms can constantly test new correlations based upon known patterns in hopes of finding new ones. While the results may appear to be intelligent, the programs are only as good as the data used to train them.

Sloppy, incomplete or inaccurate training data can bias results, as happened in the 2016 case of risk assessment algorithms widely used by U.S. law enforcement agencies that were found to be biased against African-American defendants, even though race wasn’t a factor in the equation.

Similarly, it was reported last fall that Amazon had been training its computer models to vet job applications based on a 10-year history of successful hires. But most applications from that 10-year period came from men, a reflection of the long-standing gender gap in the tech industry. The data scientists on the project had simply overlooked this aspect of their data, and, as a result, Amazon’s computer models were effectively learning to filter out women, which wasn’t the intent.

In financial markets, ML-based models have shown a tendency to cause “flash crashes,” or sudden and steep drops in prices in response to an unusually rapid series of sell orders. Flash crashes occur because of shortcomings in the training models that cause the algorithms to overreact to short-term events and magnify their impact. Building complete and impartial training databases is difficult, said TruSTAR’s Kseib.

“If you create threat models based on a series of opaque scoring systems, you have the risk of obscuring the context behind a chain of automated actions,” he said. There’s also the risk that cybercriminals will introduce patterns into the algorithm intended to deliberately skew the results or confuse the ML model, which can lead to “erratic or catastrophic behaviors of systems relying on these models,” Kseib said.

Ally to Cybercriminals?

Scenarios like that are what make cybersecurity professionals shudder. For all the potential AI has to blunt attacks, its value may prove even greater to the perpetrators. ML could be used, for example, to scramble the digital tracks attackers leave upon breaching a network to make their activities harder to detect. Deepfake technology, which uses DL to manipulate digital images and sound to make it appear that events and actions occurred that never happened, has progressed so rapidly that computers can now produce realistic-looking images of people who don’t exist.

Researchers have demonstrated how voice assistants can be compromised by secret commands hidden in speech, music or even silence. In February the nonprofit OpenAI group said that it had developed a content creation engine that mimicked human writing so effectively that it wouldn’t release the code to developers out of fears of malicious use.

Game-Changing Technology – But Which Game?

“AI is a game-changer, but what it really does is escalate the level of sophistication and velocity of cyber engagements, on both the offensive and defensive side,” said Robert Ackerman Jr., managing director of Allegis Cyber, a venture capital firm that invests in cybersecurity startups.

So far, there have been no documented uses of AI by cybercriminals, but most of the tools and frameworks are freely available under open-source licenses.

“It’s the overall opinion of most security pros that cybercriminals are lazy,” said Kujawa. “They go after the low-hanging fruit.”

That means that for now, the good guys have the edge. The long-term prospects are considerably less clear.  

Paul Gillin is a contributing writer and author of five books on social media. Find him on Twitter @pgillin.

© 2019 Nutanix, Inc. All rights reserved.