Nowadays, enterprises acknowledge the importance of cyber-security for their business operations. However, despite increased investments in cyber-security technologies and measures, there is still a steady rise of security incidents against IT infrastructures, such as phishing, ransomware and DDoS (Distributed Denial of Service) attacks. This is clearly reflected in the increase in notorious attacks that have taken place during the last couple of years, such as the fraudulent attacks against the SWIFT network in the financial sector and the famous “Wannacry” ransomware attack, which affected thousands of organizations around the global.
Cyber-security attacks have significant financial implications. For example, the SWIFT network attack resulted in $81 million being stolen from the Bangladesh Central Bank. Moreover, these attacks also have adverse societal implications, as they reduce citizens’ and businesses trust in the IT systems that underpin our society. Therefore, it’s important to understand why and how IT systems are still vulnerable, whilst exploring new security solutions for alleviating these vulnerabilities.
Coping with cyber-security threats is nowadays more challenging than ever before. The reasons for this are manifold and include:
- The Evolving Technological and Organizational Complexity of IT based systems: The evolution of IT technology introduces new cyber-security challenges. For example, the deployment of cloud and edge computing systems requires multi-level security measures which span the field, edge and cloud layers. Likewise, modern IT systems tend to be distributed and interconnected, which introduces not only first-level security challenges, but also cascading effects across the different modules and components that they comprise. Furthermore, the organizational complexity of IT-based systems is also increasing, which asks for more sophisticated security measures and policies that involve multiple systems and stakeholders within an organization.
- Internet-of-Things (IoT) and Smart Objects: Nowadays we are witnessing an ever-increasing deployment of connected devices, as part of the IoT revolution. In several cases these devices involve smart objects with semi-autonomous behaviours, such as industrial robots, connected cars, self-driving vehicles, drones, smart pumps, smart wearables and more. This is, for example, the case with some of the advanced apps of our time, such as autonomous driving. The deployment of objects with their own application logic increases the volatility and unpredictability of the respective IT systems’ behaviours, which makes it much more difficult to configure, enforce and track security policies.
- Interlinking of Cyber and Physical Assets: Many classes of IT-based systems comprise of a mix of both cyber and physical assets. This is a direct result of the fact that all systems are connected to the Internet and this is gradually becoming the norm for most of the critical infrastructures in sectors such as energy, transport, finance and more. Thus, cyber-security must be increasingly planned in conjunction with physical security, which increases the complexity and sophistication of security policies.
- The Limited Capacity of Small Medium Businesses (SMBs): SMBs play a significant role in the IT ecosystem, given their number and their expanded use of IT technologies. Nevertheless, most SMBs lack the knowledge, skills and capital needed to deploy advanced cyber-security solutions, which makes them vulnerable to adversaries’ attacks. At the same time, SMBs infrastructures are in several cases the perfect backdoor for attacking larger scale infrastructures, given that SMBs are often connected to larger organizations such as banks, utility companies, public sector organizations and more.
The above factors make implementation of effective cyber-security challenging and provide opportunities for adversaries to launch large scale, sophisticated and sometimes asymmetric attacks, which can be hardly predicted or mitigated for based on conventional measures. Therefore, security experts are looking for intelligent and new approaches to confront and tackle these attacks. In this context, emerging Artificial Intelligence (AI) systems provide the right tools for building effective security solutions.
Introducing AI for Cyber-Security
Recent advances in AI systems enable the identification of complex patterns based on human-like reasoning. These capabilities have their roots in deep learning which involves the use of advanced neural networks. These networks are able to reason over large amount of information about the problem at hand. Hence, the use of AI for cyber-security leads to the following benefits:
- Detection of Complex Security Patterns: AI can enable the detection of patterns associated with complex security attacks through the examination and correlation of vulnerabilities across different assets at the same time. AI is not confined to monitoring a single threat, but can be used to combine multiple threat indicators in order to produce security-related recommendations.
- Predictive Security: AI can be used to predict and anticipate security attacks which is a prerequisite for early preparedness. Early detection of attacks could essentially reduce both security risks and security costs: The later an attack is detected, the higher the costs for confronting and alleviating it.
- Security Automation: AI replaces human intelligence with machine intelligence, which can increase security automation. In practice, AI will never replace entirely the work of security experts. However, it will be used in conjunction with human intelligence in order to increase automation, detect patterns that humans could hardly identify and ultimately provide timely warnings and notifications.
The implementation of AI for cyber-security involves the collection of security-related datasets from appropriate security monitoring probes that have been developed and deployed for the same. The availability of large amounts of relevant data is a prerequisite for training and deploying AI-based deep learning algorithms. In the future, we might also see even more intelligent systems that will require limited or virtually no prior training. These systems are conveniently called “strong AI systems” and are differentiated from the “weak AI systems” that require extensive training using ground truth about security incidents.
Tips for Successful AI-based Security Implementations
Most AI-based security implementations are in their infancy. Enterprises wishing to deploy AI for cyber-security should consider the following recommendations:
- Importance of Domain Knowledge: In order to build AI systems that are able to detect security patterns based on past data, it’s important to have knowledge in the security domain, notably knowledge that would enable one to identify which types of data may be indicative of abnormal situations. This knowledge should be used in conjunction with security datasets for training the AI system.
- Managing security related datasets: As already outlined, AI systems operate over appropriate datasets. It’s therefore important that enterprises create a proper security monitoring infrastructure for collecting and consolidating datasets, including datasets associated with cyber-security threats. In several cases, the consolidation and use of datasets from security services providers (e.g., anti-virus services providers, firewall vendors) might be required as well.
- Leverage readily available infrastructures and toolkits: A host of BigData and AI analytics infrastructures (e.g., Hadoop tools and the H2O-AI toolkit) are already available and in some cases part of the corporate data management infrastructure. These infrastructures can be reused for security data management and AI-based security also.
- Business objectives first: The deployment of an AI-based system for cyber-security should be driven by tangible business objectives like cost-savings, greater automation, early preparedness and more. Any AI system that is not associated with some business goal, is bound to be unsustainable and ultimately fail.
- Gradual adoption: Newcomers in AI-based security should plan for gradual adoption. In particular, some early pilots can be deployed in order to validate that AI can add automation and business value. Following this validation, pilot deployments can be scaled up as needed.
In the coming years, companies will be faced with unprecedented cyber-security pressures. Therefore, they have to consider novel and more automated approaches to respond to these pressures. AI provides exciting opportunities for deploying security systems and is certainly a technology that deserves to be explored. We hope that our above listed tips provide a sound starting point in this exploration journey.