
    AI in Cybersecurity: 6 Use Cases

    Learn the many applications for AI in cybersecurity, from detecting malware to predicting attacks to triaging alerts.

    by Stephanie Overby

    Key Points

    • The number of use cases for AI in cybersecurity is growing.
    • AI capabilities like machine learning, deep learning and natural language processing can complement security professionals’ work to increase cybersecurity effectiveness.
    • Understanding where AI provides value can help company leaders determine how to deploy it against phishing, zero-day exploits and more.

    Cyber bad guys are exploiting artificial intelligence (AI) to plot shrewder and more successful attacks. It’s evident that cybersecurity organizations, too, should incorporate AI cybersecurity into their arsenals to protect themselves. “Organizations can no longer afford to bring knives to gunfights,” says Dr. Herbert Roitblat, Principal Data Scientist for Mimecast.

    AI in cybersecurity can also be a welcome ally for overtaxed and understaffed cyber functions, helping them decipher the incessant torrent of threats coming at their organizations so they can focus on higher-order tasks. Indeed, cyber leaders are expected to spend more on AI-enabled tools in the coming years. The global market for AI cybersecurity technologies is predicted to grow at a compound growth rate of 23.6% through 2027, when it will reach $46.3 billion, according to Meticulous Research.[1]

    Using AI in Cybersecurity

    How are leading cybersecurity organizations incorporating AI capabilities like machine learning and computer vision into their cyber defenses? Six key applications include:

    • Social engineering and spam detection
    • Anomaly detection
    • Prevention of DNS data exfiltration
    • Advanced malware detection
    • Reduction of alert fatigue
    • Identification of zero-day exploits

    Exploring these examples of AI in cybersecurity can help leaders envision applications in their own organizations to aid in identifying and fending off a growing variety, volume and velocity of cyber risks.

    Detecting Social Engineering and Spam

    Deep learning, a subset of machine learning, is a statistical technique that enables computers to solve more complex problems than ever before. As the name suggests, it is more powerful than “shallower” supervised machine learning, where the computer learns by example from labeled data. Instead, deep learning ingests large quantities of data to train a deep neural network that then learns on its own over time how to identify images or perform other tasks.

    Deep learning models can achieve high accuracy rates even for attack activities that are only vaguely defined. They are used to identify not-safe-for-work and other images (such as logos) or to better detect spam email and phishing attempts. Google has used deep learning to block hard-to-detect image-based emails, emails with hidden content and messages from newly created domains.[2]

    Detecting Anomalies

    Sophisticated pattern detection is one of the best uses of machine learning for cybersecurity. Cyber attackers often hide within networks and evade detection by encrypting their communications, using stolen credentials and deleting or modifying logs. But a machine learning algorithm designed to flag unusual behaviors can still catch them in the act.

    Because machine learning excels at identifying patterns in data — much faster than a human security analyst — it can spot activity that traditional approaches miss. By continuously monitoring network traffic for variances, for example,[3] a machine learning model can detect risky patterns in email sending frequency that may point to the use of email for an outbound attack. Models can also be programmed to watch for insider threats.[4] What’s more, machine learning can adjust to changes by ingesting new data and adapting to dynamic environments.

    Preventing DNS Data Exfiltration

    Bad actors are determined to find their way around existing cyber defenses such as firewalls and intrusion detection and prevention systems. Those bent on stealing valuable customer or business information are increasingly using the domain name system (DNS), the internet’s directory of addresses, which can be “a weak link in cybersecurity practices,” according to Black Hat, an event and publishing organization.[5]

    DNS data is generally allowed to pass through firewalls, and attackers hijack it to carry their malware, take control of devices and steal customer records, emails and other sensitive data.[6]

    Machine learning can detect and prevent so-called “DNS tunneling” for data exfiltration, Black Hat says, with models continuously training on trillions of DNS queries generated and collected daily around the world.
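As an added illustration (not code from the article or from Black Hat), the following Python computes the per-domain features that DNS tunneling detectors typically consume: subdomain entropy, subdomain length and the ratio of unique subdomains to queries. It uses a fixed threshold rule as a stand-in for the trained models the article describes; the query log is constructed, and the `.test` domains are placeholders.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (client IP, queried name). The second
# client's queries carry random-looking labels under one domain, the shape
# that data-carrying DNS tunnels tend to produce.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "a3f9c2b1e8d4.tunnel-demo.test"),
    ("10.0.0.7", "9b7e1c4d2a6f.tunnel-demo.test"),
    ("10.0.0.7", "c8d2e4f6a1b3.tunnel-demo.test"),
    ("10.0.0.7", "e1f3a5b7c9d2.tunnel-demo.test"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Naive split into (registered domain, subdomain); a real deployment
    would use the public suffix list instead of 'last two labels'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def profile_domains(queries):
    """Aggregate per-domain features that tunneling tends to inflate."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "ln": 0})
    for _client, name in queries:
        dom, sub = split_name(name)
        a = agg[dom]
        a["n"] += 1
        a["subs"].add(sub)
        a["ent"] += shannon_entropy(sub)
        a["ln"] += len(sub)
    return {dom: {"queries": a["n"],
                  "unique_ratio": len(a["subs"]) / a["n"],
                  "avg_entropy": a["ent"] / a["n"],
                  "avg_len": a["ln"] / a["n"]} for dom, a in agg.items()}

def flag_tunneling(queries, min_queries=3, min_entropy=3.0, min_unique=0.9):
    """Domains with enough queries, high-entropy labels and almost no reuse."""
    return sorted(d for d, f in profile_domains(queries).items()
                  if f["queries"] >= min_queries
                  and f["avg_entropy"] >= min_entropy
                  and f["unique_ratio"] >= min_unique)
```

In production the same features would be fed to a model trained on a large query corpus, with thresholds learned rather than hand-set.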

    Detecting Advanced Malware

    Malware detection has traditionally involved monitoring and searching network traffic for signature matches — that is, similarities to known indicators of compromise.[7] Deep learning, however, offers an opportunity to analyze massive amounts of data to make inferences about malware before it is ever opened. As malware rapidly evolves, deep learning models have the capacity to keep up. In fact, SearchSecurity says, “The availability of tens of millions of labeled samples from both malware and benign applications have rendered this one of the most successful applications of deep learning and AI in cybersecurity.”[8]

    Combatting Alert Fatigue

    AI in cybersecurity can help keep the team in the security operations center (SOC) from becoming overwhelmed by non-stop incident alerts. Machine learning can step in to triage low-risk alerts, take on repetitive tasks and raise the baseline levels of threat intelligence requiring human intervention.[9] Security professionals and analysts remain in charge, but their machine counterparts can free them up to focus on higher-level tasks and decision-making.

    An MIT startup recently developed a closed loop approach: Machine learning models flag possible attacks, human analysts review them, and that feedback is incorporated back into the model. Security analysts can be more productive, and the algorithm can optimize its performance over time.[10]

    Hunting Zero-Day Exploits

    Defending against zero-day exploits is one of the biggest challenges for the modern cybersecurity function. In a zero-day attack, perpetrators introduce malware by exploiting a software vulnerability that is unknown to (or yet to be patched by) a vendor. Traditional endpoint security methods such as antivirus software or patch management solutions can’t detect or prevent a zero-day exploit — it’s too new for signature-based tools to catch. AI, however, may help.

    Deep learning architectures may be used to uncover hidden or latent patterns and become more context-aware over time — both of which are useful in identifying zero-day vulnerabilities or activities. Natural language processing can comb through source code to flag malicious files. “Generative adversarial networks,” which can learn to mimic any distribution of data, may also prove helpful in pinpointing complex vulnerabilities.

    Coming at this from a different angle, a team at Arizona State University used machine learning to monitor traffic on the dark web to identify data relating to zero-day exploits. They’ve since launched a startup that uses advanced machine learning algorithms, powered by data collected from thousands of malicious actors’ posts and discussions, to predict which software weaknesses they are likely to target next.[11],[12]

    The Bottom Line

    AI is improving cybersecurity in key areas, such as protecting against zero-day exploits and combating alert fatigue. Organizations should study current and emerging use cases for AI in cybersecurity as they continue to advance their defense strategies.

    [1] “Artificial Intelligence (AI) in Cybersecurity Market Worth $46.3 Billion by 2027,” Meticulous Research

    [2] “Gmail is now blocking 100 million extra spam messages every day with AI,” The Verge

    [3] “Anomaly detection in cybersecurity attacks on networks using MLP deep learning,” IEEE.org

    [4] “Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams,” AAAI-17 Workshop on Artificial Intelligence for Cybersecurity

    [5] “DNS as a Pathway for Infiltration and Exfiltration,” Black Hat

    [6] “Cyber Security – Introduction to DNS Tunneling,” GeeksforGeeks

    [7] “Cybersecurity Spotlight – Signature-Based vs Anomaly-Based Detection,” Center for Information Security

    [8] “Understand the top 4 use cases for AI in cybersecurity,” SearchSecurity

    [9] “Employ AI for cybersecurity, reap strong defenses faster,” SearchSecurity

    [10] “A human-machine collaboration to defend against cyberattacks,” MIT News

    [11] “Machine Learning Goes Dark And Deep To Find Zero-Day Exploits Before Day Zero,” Forbes

    [12] “Startup provides recon for the cybersecurity battlefield,” Arizona State University
