How AI is protecting businesses from cyber-threats

23 July 2018

We are currently amid another technological revolution, one with the potential for change on a scale greater than that of the industrial and electrical revolutions of the past. Artificial Intelligence (or AI) is the next big thing in almost every industry and has even been called “the new electricity” by Professor Andrew Ng, in reference to its capability to revolutionise the way we work. Amidst this rapid change, the sphere of cyber-security has not gone untouched by the new power of AI.

Advantages of AI

Most approaches to cyber-security, such as firewalls or antivirus software, rely on signatures to work. For instance, a firewall will drop incoming traffic from a specific IP address known to send malicious files, and an antivirus will prevent files containing known pieces of virus code from running.

Because these systems rely on signatures, a new threat can cause untold damage before it is noticed and dealt with. What’s worse is that a large amount of malware now bypasses these perimeter defences by using email as a carrier. Additionally, these approaches to cyber-security leave the issue of insider threats completely unguarded.

AI offers a solution to these problems. By using machine learning to build up a view of what ‘normal’ looks like in the network, it can identify when something out of the ordinary is happening. Because malware doesn’t act the way a human does, this ability to identify unusual activity is particularly useful. A human doesn’t normally access thousands of files per second, because they simply can’t click that fast; a piece of malware, however, is easily capable of doing so.

For example, a normal employee accesses 25 files a day on the company database. One evening, after office hours, an account begins accessing and encrypting hundreds of files per second. The AI detects this as unusual behaviour and locks the account, preventing it from accessing any more files.

In this scenario, the machine had been infected with a piece of ransomware that intended to encrypt company files and ransom them back. Using the machine learning data about what typical activity looked like, the AI could determine that suspicious activity was occurring. By responding rapidly, it contained the malware, which limited the damage to the company’s files.

AI-based security systems aren’t only capable of dealing with strange behaviour based on what people do. They can also detect when hardware or software is acting in suspicious ways and react accordingly.

For example, networked security cameras are placed in various places in the office, including the meeting room where major corporate decisions are made. The AI detects that the meeting room security camera has made a repeat connection to an unknown IP address outside the business and flags it.

A follow-up investigation reveals that spyware had been installed on the device, allowing someone to watch private meetings and learn company secrets. Although damage had already occurred, the issue could be patched and prevented from happening again.

In addition to detecting typical threats in the form of malware, an AI-based security system is also able to detect unusual activity from employees who have malicious intent.

For example, a disgruntled employee who has access to the company database containing client information is fired. As revenge, they attempt to steal company files using the cloud storage system that employees can access from home. Total downloads of 1GB of data from the company cloud every month are typical, so the AI detects the download of several gigabytes as unusual and locks the account, preventing the theft of company records.

Because the AI defence system can see any type of unusual activity, dealing with insider threats becomes as tractable as dealing with outside attacks. Current cyber-security solutions don’t have a good way of detecting an insider threat, and it’s only through new applications of AI and machine learning that the prospect of reliably detecting insider attacks has arisen.

Disadvantages of AI

Unfortunately, AI-based cyber-security is not yet a perfect system and does have its shortcomings. The main issue is its inability to differentiate harmless unusual behaviour from dangerous unusual behaviour. This can create a significant management overhead.

For example, a typical employee who works in the marketing department acquires an album of stock images to use in marketing materials. They decide to download them from the company cloud system so they can work from home. The AI sees the unusually large file download and locks the account.

Although the actions of the AI are reversible and the account can be unlocked, the disruption results in lost productivity. Because unusual things are sometimes done on purpose and without bad intentions, an AI can overreact. For this reason, and because the technology is relatively new, an AI security system is generally used as a supporting tool alongside a conventional security system rather than as the single line of defence.
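To make the baselining idea concrete, here is an added illustration (not code from the article or from any vendor's product) of a toy detector that compares a day's activity against an account's own history, applied to the scenarios above; the account names, daily figures and IP addresses are constructed. It locks the ransomware-infected account and flags the camera's unknown destination, but it also locks the marketing employee's stock-image download, which is exactly the false positive described in the previous paragraph.

```python
"""Toy behavioural-baseline detector (added illustration; numbers and names are constructed)."""
from statistics import mean, pstdev

# Constructed baseline: seven days of one metric per account.
# Files opened per day for a finance account; bytes pulled from the company
# cloud per day for a marketing account (tens of megabytes of images is its normal).
HISTORY = {
    "finance-account": {"files_per_day": [24, 26, 25, 23, 27, 25, 24]},
    "marketing-account": {"bytes_per_day": [40e6, 55e6, 30e6, 60e6, 45e6, 50e6, 35e6]},
}

# Constructed baseline for the camera: the internal recorder hosts it normally talks to.
KNOWN_DESTINATIONS = {"meeting-room-camera": {"10.0.0.5", "10.0.0.9"}}


def is_anomalous(history, observed, k=4.0):
    """True if `observed` lies more than k standard deviations above the baseline mean.
    A floor of 10% of the mean stops a very flat history from flagging tiny wobbles."""
    mu = mean(history)
    sigma = max(pstdev(history), 0.1 * mu)
    return observed > mu + k * sigma


def assess(account, metric, observed):
    """Return (verdict, reason); 'lock' mirrors the article's automatic response."""
    hist = HISTORY[account][metric]
    if is_anomalous(hist, observed):
        return "lock", f"{metric}={observed:g} vs baseline mean {mean(hist):g}"
    return "allow", "within baseline"


def new_destination(device, dst_ip):
    """True if the device has never been seen talking to dst_ip (the spyware case)."""
    return dst_ip not in KNOWN_DESTINATIONS[device]


# Scenario 1: after hours, ransomware opens and encrypts hundreds of files per second,
# which adds up to tens of thousands of file accesses in a day.
ransomware = assess("finance-account", "files_per_day", 18000)
# Scenario 2: the camera makes repeat connections to an external address it has never used.
camera = new_destination("meeting-room-camera", "203.0.113.7")
# Scenario 3: the same detector locks a marketing employee pulling 4 GB of stock images.
# The detector sees volume, not intent: this is the article's false positive.
stock_images = assess("marketing-account", "bytes_per_day", 4e9)
# Scenario 4: a slightly busy but ordinary day is left alone.
normal = assess("finance-account", "files_per_day", 28)

if __name__ == "__main__":
    for name, result in [("ransomware", ransomware), ("stock images", stock_images), ("normal", normal)]:
        print(f"{name}: {result[0]} ({result[1]})")
    print("camera unknown destination:", camera)
```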

To conclude

The evolving use of AI in IT security is already invaluable and it’s going to develop quickly – it has to, as the threat landscape is just so large. It should also be noted that on the other side of the fence AI has begun to be used to breach security defences. The battle has begun…

