Cybersecurity: Is AI Ready for Primetime In Cyber Defense?

Is AI ready for primetime? Not according to Admiral Michael S. Rogers, Commander U.S. CYBER COMMAND. In a recent interview with Charlie Rose, he stated that machine learning showed great promise for cybersecurity, but that the necessary technology was probably five years out.

If machine learning is currently so successful in other areas of society, why isn’t it ready for cybersecurity? Or is it?

A Brief History of Machine Learning

Machine learning is a subset of Artificial Intelligence, a field of computer science that started in 1958 when Marvin Minsky founded the Artificial Intelligence lab. Everyone, including DARPA, was pouring money into it. Their goal was to build a fully artificial intelligence capable of passing the Turing test in fifteen years. However, their plans were overly ambitious, for two reasons. They underestimated the technical difficulty and simply didn’t have enough compute power. When it became clear they weren’t going to meet their goal, funding suddenly dried up and the lab closed. AI became a dirty word. However, AI research continued and went in and out of favor for years. In the 1980s, the Japanese became enamored with AI and started applying it to everything from rice cookers to automated subway trains. But until recently nobody called it AI. Instead, it was referred to as Fuzzy Logic and Expert Systems.

Types of Machine Learning

Today, there are four types machine of learning: supervised, unsupervised, semi-supervised and reinforcement learning. For each type, specific algorithms are used. The chart below shows the most common algorithms and for which type of learning each one is used.

ai-Picture1

Any sufficiently advanced technology is indistinguishable from magic -- Authur C Clark

The important thing to remember is that machine learning uses statistical algorithms and computer science to solve business problems. Most of these algorithms were developed in the 1900s, with a flood of new algorithms created in the 1960s. Now there are new algorithms like Decision Tree®. Today people are revisiting Marvin Minksy’s work on neural networks, and the NSA is big on Bayesian networks, which are based on Bayes’ algorithm.

If machine learning began so long ago, why is it suddenly so popular? Simple. Today, Big Data and an abundance of cheap compute power have made machine learning feasible on an unprecedented scale. And it’s already happening.

Machine Learning Has Already Transformed Our World

Last year, Amazon, Google, Microsoft and IBM began offering machine learning tools in the cloud, allowing developers easy access to an array of tools previously available only to data scientists. Three of the major areas for which people are using ML are predictive analysis for retail, fraud detection, and medical imaging analysis. Let’s take a quick look at these.

Aerosolve – Solving New Problems

AirBnB has taken a different approach to machine learning. Rather than take standard algorithms to solve specific problems, they have built an entire platform. AirBnB’s Dan Hill wrote Aerosolve to handle their pricing. Rather than just work with static prices, they built a model that weights many factors and learns to create pricing that is specific to people and locations. What’s amazing about this project is that AirBnB has released it as open source to the community so that anyone can use it. Check out this site (http://airbnb.io/aerosolve/)to see how people are using Aerosolve in novel and fascinating ways.

Neflix – What Do You Want to Watch Next?

Netflix is one of the leading online retailers embracing machine learning. Every time you rent a video or write a review, Netflix turns your actions into recommendations—what movie should you watch next. Netflix is committed to open source, and has a very sophisticated real time workflow. They start by putting all their customer data in a large Hadoop cluster and then use everything from Apache Spark, to Python, R, and Docker. All of this is orchestrated by Apace Mesos.

PayPal –taking a bite out crime

Detecting fraud is important to PayPal. It’s easy to understand why. Dr. Hui Wang, data scientist, says using linear algorithms and statistics is nothing new. However, to deal with new volumes of data and the new velocity of fraud, she has turned to big data and machine learning. Now Dr. Wang works with Neural Nets and Deep Learning to take a “bite out of crime” She emphasizes that machines are not replacing analysts. Machine learning combs through mountains of data faster than any human can. However, machines don’t think. By statistically predicting, what actions may be fraudulent, human analysts can do their job better.

Machine Learning – Saving Lives

In medical imaging, if you can detect it early you can treat it sooner and increase the odds of success. The Inner Eye project is located at the Microsoft Research Center (MSRC), where machines are being taught to learn the difference between healthy tissue and tumors. With machine learning, doctors can scan images to accurately identify the healthy region and pinpoint the actively proliferating tumor region. Physicians can then determine how large the diseased area is and how fast it is growing. To make this assessment, data scientists are using an advanced class of machine learning algorithms called Decision Forests.

ai-Picture2

 

The key here is that machine learning is aiding doctors, NOT replacing them. Machine learning teaches a computer how to tell the difference between one thing and another. It doesn’t actually know what that thing is, it simply give you a probability. Machines cannot think (at least at present). A expert still needs to analyze the results.

Winning the War on Cybercrime with Machine Learning

Machine learning can identify cancerous tumors in medical imaging scans. It can recommend your next vacation rental and a movie to see while you’re there, and reduce online fraud. Shouldn’t it be able to help us win the war on cybercrime?

For medical imaging, the key is finding the tumor early. With early detection comes increased likelihood of successful treatment. With cybercrime, it’s the same. Analysts believe that most malware goes undetected from 100-250+ days. When a threat actor penetrates a perimeter, he has plenty of time to plan his attack before being discovered. Cybercrime is not a “smash and grab” attack.

Today, threat actors have the advantage. What if machines could detect malware early in the kill chain? This advantage would turn the tables on cyberattackers. Humans could then quickly hunt down the intruder. The sooner we detect intruders, the greater advantage we have.

Analysts estimate up to 40% of machines on our networks are infected with malware. Malware is a big problem for analysts. It gums up the works, making machines run slowly, and is difficult to remove. However, the big problem with malware is that provides an entry point for cybercriminals. The 2016 GAO Information Security Report(x) stated quite emphatically that signature based intrusion doesn’t work. The GAO wants vendors to develop systems that can identify novel malware without signatures. Machine learning can accomplish this goal.

A Recipe for Teaching Computers to Identify Malware

So how does this work? With machine learning, you start with a training set, a sample of good code, and a sample of bad or malicious code. You apply machine learning statistical algorithms to the training sets. Through multiple iterations you slowly teach the computer to recognize the differences. With each pass, the computer gets better and better at recognizing differences between good and bad until finally it can predict with a high degree of probability, “This sample is malware.” One of the results of machine learning is the creation of classifiers. Classifiers can then be used to help other computers recognize good code from malware—without signatures!

BluVector

ai-Picture3

Five years ago, the team at Acuity Solutions Corporation started to teach computers to recognize malware. They developed their own-patented algorithms, and once they perfected their techniques, they productized their knowledge. BluVector is now available as a compact security appliance with 48 virtual cores and FPGAs to accelerate packet collection. The appliance is placed inside the firewall and can scan network traffic in near real-time.

BluVector can integrate with SIEMS, Post Analyzers, Threat Intel Data Feeds and Security Orchestration & Automation as well as other 3rd party technologies.  For example BluVector works with Cisco AMP ThreatGrid and Cisco AMP for Endpoints which will be on display in the Security Partner Village at the CiscoLive!2016 Conference on Las Vegas, NV July 10th – 14th.

BluVector, strictly speaking, is not artificial intelligence. It cannot think. It can, however, determine if packets contain good code or malicious code with a probability of 98%+. A human still needs to make the decision about what to do next.

Turning the Tables on Cybercriminals

Ginni Rometty has said that cybercrime is the greatest threat currently facing our nation. Independent analysts have placed the cost of US cyber crime in 2015 at $430 billion; a figure that Lloyds of London believes is an underestimate, due to underreporting bias.The GAO has been very vocal about the threat that malware poses. It is increasing and morphing at such a rate that signature-based detection is no longer effective.

Cybersecurity is complex and there is no silver bullet. But with the tools that are available today, it is possible to use advanced machine learning to recognize malware early in the kill chain and turn the tables on cybercriminals. We need to start using these tools now, and not wait another five years.

 

Nathaniel Crocker

CIO and Co-founder at Crocker Institute
Nathaniel (Rushfinn) Crocker is the CIO and co-founder of the Crocker Institute, a benefit corporation in South Carolina dedicated to helping organizations meet their mission through Enterprise Architecture and Program Evaluation. He is passionate about cybersecurity and protecting our online identities. You can reach him at Nathaniel@CrockerInstitute.org
About Nathaniel Crocker

Nathaniel (Rushfinn) Crocker is the CIO and co-founder of the Crocker Institute, a benefit corporation in South Carolina dedicated to helping organizations meet their mission through Enterprise Architecture and Program Evaluation. He is passionate about cybersecurity and protecting our online identities. You can reach him at Nathaniel@CrockerInstitute.org

Leave a Reply