Artificial intelligence and cybersecurity

The eternal game of cat and mouse between attackers and defenders in cybersecurity has always driven both sides to constantly refine their methods. The rapid, innovative development of Artificial Intelligence (AI) is now very attractive as a source of new techniques for attackers and defenders alike.

Broadly speaking, AI refers to machines or computers learning to carry out actions considered “intelligent”. One of the great challenges of this discipline is to give them “human” capabilities so that they can behave in ways similar to ours. One of the branches of AI with the greatest potential today is so-called ‘Machine Learning’, whose basic objective is to “train” the machine so that it is capable of giving an adequate response based on input parameters.

MACHINE LEARNING

Within this branch there are two types of techniques: supervised learning and unsupervised learning. Supervised learning trains a model on known inputs and outputs in order to predict future outputs. Unsupervised learning, for its part, estimates patterns from the inputs alone.
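The supervised case can be sketched in a few lines. The following is a minimal illustration, not any particular product's method: a nearest-centroid classifier trained on known (input, output) pairs and then used to predict the output for new inputs. All feature vectors and labels are invented for the example.

```python
# Minimal sketch of supervised learning: train on known (input, label)
# pairs, then predict labels for unseen inputs. Pure standard library.

def train(samples):
    """Compute the mean feature vector (centroid) for each known label."""
    sums, counts = {}, {}
    for features, label in samples:
        acc = sums.setdefault(label, [0.0] * len(features))
        for i, value in enumerate(features):
            acc[i] += value
        counts[label] = counts.get(label, 0) + 1
    return {label: [v / counts[label] for v in acc]
            for label, acc in sums.items()}

def predict(centroids, features):
    """Assign the label whose centroid is closest to the input."""
    def distance(label):
        return sum((a - b) ** 2 for a, b in zip(features, centroids[label]))
    return min(centroids, key=distance)

# Known inputs and outputs: (feature vector, label) — invented data.
training_data = [
    ([1.0, 1.2], "benign"), ([0.8, 1.0], "benign"),
    ([5.0, 4.8], "malicious"), ([5.2, 5.1], "malicious"),
]
model = train(training_data)
print(predict(model, [4.9, 5.0]))   # → malicious
print(predict(model, [1.1, 0.9]))   # → benign
```

An unsupervised method would receive the same feature vectors without the labels and would have to discover the two clusters on its own.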

Another concept to take into account is neural networks. This data model, used in both supervised and unsupervised training techniques, attempts to emulate the functioning of the human brain. Neural networks are usually organized in three parts: the first is the input layer, the second is made up of several intermediate layers, and the third is the output layer, with one or more target units. The peculiarity of this technique lies in the fact that each ‘neuron’ has variable weights that are trained and refined until the network achieves high precision.
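The three-part structure described above can be made concrete with a forward pass through a tiny network. The weights below are fixed, invented values purely for illustration; in a real network they would be the parameters adjusted during training.

```python
import math

def sigmoid(x):
    """Squash a weighted sum into the range (0, 1)."""
    return 1.0 / (1.0 + math.exp(-x))

def layer(inputs, weights, biases):
    """Each neuron outputs sigmoid(weighted sum of its inputs + bias)."""
    return [sigmoid(sum(w * x for w, x in zip(neuron_w, inputs)) + b)
            for neuron_w, b in zip(weights, biases)]

def forward(inputs):
    # Intermediate (hidden) layer: 2 inputs feed 3 neurons.
    hidden = layer(inputs,
                   [[0.5, -0.6], [0.1, 0.8], [-0.3, 0.2]],
                   [0.0, -0.1, 0.2])
    # Output layer: 3 hidden values feed 1 target unit.
    (output,) = layer(hidden, [[1.2, -0.7, 0.4]], [0.1])
    return output

score = forward([1.0, 0.5])   # a value between 0 and 1
print(round(score, 3))
```

Training consists of nudging those weight and bias values, over many examples, so that the output layer's score moves toward the desired answer.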

It is also worth mentioning in this report one of the most recent techniques in AI: ‘GANs’ (Generative Adversarial Networks). A GAN uses two neural networks, one devoted to generating content (for example, images of human faces) and the other to discriminating (for example, determining whether an image corresponds to a human face or not). Over time, the two networks test each other and improve until it is impossible for the discriminating network to determine whether the image it is seeing is real or not. Thanks to this technique, it has been possible to create, among other things, hyper-realistic images and sounds.
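The alternating game between the two networks can be caricatured with two one-parameter “models” instead of real neural networks. Everything below is invented for illustration: a “generator” that produces numbers and a “discriminator” that tries to tell them apart from real samples (numbers near 5.0), each improving in response to the other.

```python
import random

random.seed(0)  # deterministic for illustration

REAL_MEAN = 5.0        # what real data looks like
disc_threshold = 0.0   # the discriminator's single learned parameter
gen_mean = 0.0         # the generator's single learned parameter

for step in range(300):
    # Discriminator turn: refine its notion of what real data looks like.
    real = random.gauss(REAL_MEAN, 0.5)
    disc_threshold += 0.1 * (real - disc_threshold)

    # Generator turn: produce a fake sample and learn from the verdict.
    fake = random.gauss(gen_mean, 0.5)
    if abs(fake - disc_threshold) < 1.0:      # fake accepted as "real"
        gen_mean += 0.1 * (fake - gen_mean)   # reinforce this kind of output
    else:                                     # fake rejected
        gen_mean += 0.1 * (disc_threshold - gen_mean)  # move toward "real"

# The generator ends up producing numbers the discriminator cannot
# distinguish from the real distribution.
print(round(gen_mean, 1))
```

A real GAN replaces both one-parameter models with deep neural networks and both update rules with gradient descent, but the adversarial loop has this same shape.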

CYBERSECURITY

Many companies in the cybersecurity industry are using ‘Machine Learning’ to detect possible threats, drawing on the record of threats already resolved by analysts. Given the high number of resolved threats on record, this type of AI training can be very effective and useful.

To give an example that reinforces the potential of ‘Machine Learning’: the cybersecurity industry can be expected to hold terabytes of records of detected malicious events. Given the upward trend in attacks, it is logical to think that an analyst may become overwhelmed. This is where Machine Learning-based AI has its role.

This branch of AI might be able to learn from the record of malicious events, taking as input parameters the main factors an analyst uses to classify an event as malicious (e.g. file size, file content, source IP address, behavior, connection type…), and thus determine with high precision the probability that an event is malicious.
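As a hypothetical sketch of that idea (in the spirit of a naive-Bayes-style score, not any vendor's actual method): learn, from a record of resolved events, how often each analyst-chosen feature value appeared in malicious events, then score new events. The feature names and event history below are invented.

```python
# Invented feature tags an analyst might assign to events:
# connection type, source IP reputation, payload size bucket.

def train(events):
    """Count, per feature value, total sightings and malicious sightings."""
    counts = {}
    for features, malicious in events:
        for f in features:
            seen, bad = counts.get(f, (0, 0))
            counts[f] = (seen + 1, bad + (1 if malicious else 0))
    return counts

def malicious_probability(counts, features):
    """Average the per-feature malicious rates into a crude score."""
    rates = []
    for f in features:
        if f in counts:
            seen, bad = counts[f]
            rates.append(bad / seen)
    return sum(rates) / len(rates) if rates else 0.5  # 0.5 = no evidence

# Record of events resolved by analysts: (features, was_malicious).
history = [
    (["conn:tor", "size:large", "ip:unknown"], True),
    (["conn:tor", "size:small", "ip:unknown"], True),
    (["conn:https", "size:small", "ip:known"], False),
    (["conn:https", "size:large", "ip:known"], False),
]
model = train(history)
print(malicious_probability(model, ["conn:tor", "ip:unknown"]))    # → 1.0
print(malicious_probability(model, ["conn:https", "ip:known"]))    # → 0.0
```

A production system would use far richer features and a properly trained model, but the flow is the same: resolved events in, probability scores out, with the analyst making the final call.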

We should also consider applying neural networks, through the GAN technique mentioned above, so that our AI can learn from new, unknown patterns and identify potential threats effectively.

THREATS

While AI is giving cybersecurity analysts an advantage, attack proposals that combine AI with existing classical methodologies are also beginning to emerge. At this very moment there are few or no records of their use in the wild, as these techniques are still very limited and experimental. However, research by companies and universities warns of their likely use by cybercriminals in the near future.

  • Evasive malware: IBM researchers have created a type of evasive malware called ‘DeepLocker‘, which uses artificial intelligence to keep its malicious payload hidden (for example, inside videoconferencing software), waiting to find a specific victim through facial recognition. The use of this technique makes unlocking it through reverse engineering virtually impossible today. The AI model it applies is a ‘Deep Neural Network’ (DNN).
  • Against AI itself: Cybercriminals could use knowledge of an AI system trained in a specific environment to deceive it. For example, if AI is used in the cybersecurity industry to detect new threats and a cybercriminal identifies its modus operandi for classifying a potential threat, he could camouflage his attack so that it goes unnoticed. Obvious countermeasures are to prevent unauthorized personnel from accessing the AI’s training model and never to entrust the AI with the absolute task of determining whether or not events pose a threat. AI has to be established as a support for the analyst and in no case should it replace the analyst.
  • Identity impersonation and social engineering: One of the areas in which AI is advancing most through the use of ‘Deep Neural Networks’ is the recreation of human characteristics. For example, there are already AIs almost capable of recreating speech with a human voice. Imagine the consequences if physical access control is done by voice, or if an AI can make a call with the voice of a senior manager. ‘Deep Neural Networks’ can also be used to bypass biometric fingerprint controls, as shown by experts from the New York University School of Engineering in what they have called ‘DeepMasterPrints‘. This tool takes advantage of the fact that there are areas of fingerprints with many common characteristics (see https://arxiv.org/pdf/1705.07386.pdf) and that most scanners do not read the entire fingerprint, which makes things easier for cybercriminals. In addition, to achieve a higher success rate, the researchers created realistic fingerprints by training the AI on real fingerprints using a ‘GAN’.
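The “against AI itself” scenario above can be illustrated with a toy detector. This is a hypothetical sketch, not a real product: a linear scoring rule whose weights, features, and threshold are all invented. An attacker who learns the weights can tweak the observable features of the same attack just enough to slip under the threshold.

```python
# Invented detector: a weighted sum of observable features of an event,
# flagged as a threat when the score crosses a threshold.
WEIGHTS = {"payload_size": 0.004, "failed_logins": 0.3, "odd_hours": 0.5}
THRESHOLD = 1.0

def score(features):
    return sum(WEIGHTS[k] * v for k, v in features.items())

def is_flagged(features):
    return score(features) >= THRESHOLD

# Original attack: flagged (score 0.8 + 0.6 + 0.5 = 1.9).
attack = {"payload_size": 200, "failed_logins": 2, "odd_hours": 1}
print(is_flagged(attack))    # True — the detector catches it

# Knowing the weights, the attacker spreads logins across sessions and
# runs during business hours; the same payload now scores only 0.8.
evasive = {"payload_size": 200, "failed_logins": 0, "odd_hours": 0}
print(is_flagged(evasive))   # False — the attack goes unnoticed
```

This is exactly why the text recommends keeping the training model away from unauthorized eyes and keeping a human analyst in the loop rather than trusting the classifier absolutely.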

In short, we can conclude that the fast development of AI, coupled with its high potential, can change the way we understand cybersecurity. Because much of this technology is publicly available on the Internet and its integration with different attack techniques is feasible, an inevitable upward trend in its use by cybercriminals can be expected. On the other hand, the cybersecurity industry will have to adapt by introducing AI in the short/medium term so as not to be defenceless against cybercriminals using this technology.

One thing seems clear: the side that first introduces AI in cybersecurity will take a relevant lead in the upcoming years.
