Artificial Intelligence in IT Security - Status Quo and Perspectives
by Svenja Koch
The use of artificial intelligence (AI) is also playing an increasingly important role in cyber security. Artificial intelligence shows its strengths above all in the early detection of cyber threats or in the real-time monitoring of IT infrastructures. However, uncontrolled use of AI is definitely dangerous! In this article, you will learn what artificial intelligence can do in the area of cyber security and how AI can support cyber threat hunting and threat intelligence.
What is Artificial Intelligence?
Artificial intelligence refers to the simulation of human intelligence with computer systems. Artificial intelligence encompasses learning, i.e. the acquisition and processing of information, reasoning and self-correction. The term AI was coined in 1956 by the American computer scientist John McCarthy. In modern use, AI refers to a whole range of measures, from RPA (Robotic Process Automation) to actual robotics.
What are the different types of AI?
AI is categorised in different ways. One way of classifying AI is to divide it into weak and strong AI. Weak AI is a system that has been developed specifically for a certain task and trained accordingly. A well-known example of weak AI is virtual assistants such as Alexa or Siri.
Strong AI, on the other hand, describes a system that has generalised human cognitive abilities. Strong AI can find a solution to a problem when confronted with an unknown task through sufficient "intelligence". As early as 1950, the mathematician Alan Turing developed a test to find out whether a corresponding computer can think like a human. However, the Turing test is controversial as a method.
Another approach to categorising AI comes from Arend Hintze, assistant professor of integrative biology and computer science at Michigan State University. Hintze sorts AI into four type classes:
Type 1: Reactive machines. This form of AI can recognise known events and make predictions based on them - however, reactive machines have no memory and cannot use past experience to inform future experience. Reactive machines are developed for limited purposes and cannot be applied to other situations without effort.
Type 2: Limited memory. This form of AI can use past experience to inform decisions in the future. Limited memory AI is currently being tested in autonomous vehicles. Here, the AI can anticipate events in the not-too-distant future - for example, whether a vehicle ahead will change lanes. The observations made are not permanently stored.
Type 3: Native theory. This type of AI does not (yet) exist. The psychological term native theory describes the understanding that others have their own intentions, beliefs and desires that influence one's own decisions.
Type 4: Self-awareness. AI systems from this category have awareness, understand their current state and use the information to infer what others are feeling. This form of AI also exists only in theory to date.
Forms of AI technology in cyber security
Artificial intelligence is predestined for use in IT security. Here, AI primarily serves to optimise threat detection and threat intelligence. The AI methods used in cyber security are primarily machine learning (ML), supervised learning, unsupervised learning, decision trees and deep learning.
Machine learning: Machine learning is the science of making a computer perform an action without prior programming. There are currently three forms of machine learning. In supervised learning, data sets are labelled so that the AI can recognise patterns and use them to label new data sets. In unsupervised learning, records are not labelled but sorted by differences or similarities. The third form is reinforcement learning. Here, too, data sets are not labelled, but the AI receives feedback after one or more actions.
Deep learning: Deep learning is a subarea of machine learning. Deep learning uses artificial neural networks with various intermediate layers between the input and output layers. This results in an extensive inner structure that can have a complexity of up to one hundred million individual parameters and ten billion arithmetic operations per input.
Decision tree: A decision tree is a mathematical model and diagram that is used for decision-making. The diagram has a tree-like structure and represents a directed decision path. Typical applications of the decision tree are the classification of data objects or the clear visualisation of rules based on existing knowledge.
The relevance of artificial intelligence in cyber security
In the fight against ever better prepared cyber criminals and new forms of cyber threats, an enormous, multi-layered amount of data must be taken into account. The data that accumulates is extremely heterogeneous - ranging from the IT in the office, through the OT (operational technology) of machines and systems, to networked devices (Internet of Things - IoT). The amount of data to be processed is impressively demonstrated by the example of developments in autonomous driving. A networked car alone generates almost 25 gigabytes of data per driving hour (!) - a volume that would be impossible to handle without AI.
Modern companies now have Security Operations Centres (SOC) to ensure long-term and sustainable cyber security. SOCs impressively demonstrate that cyber security can no longer do without the support of artificial intelligence, because AI is the basis for detailed analyses and real-time monitoring of data traffic, especially in the SOC. Artificial intelligence can detect anomalies in the data stream much faster and more precisely than a human could ever do - and thus alert the company to security-relevant vulnerabilities. Modern AI in the SOC relies on machine learning and can thus not only distinguish between harmful and harmless files, but also offers a high degree of early detection potential - and thus enables the use of targeted, preventive measures.
Currently, supervised learning still dominates the use of AI. Here, the algorithm is "taught" by an analyst which conclusions should be drawn for which event. Increasingly, however, the much more efficient unsupervised learning is being used, especially in the area of cyber security. Here, human guidance is unnecessary; the AI detects threats on its own.
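The difference between the two approaches, and their dependence on what the training data contains, can be seen on a small data set. The following is an added example, not code from the original article: the host-hour figures, the function names and the threshold of 6.0 are constructed assumptions. A one-split decision tree learns from analyst labels, while a median/MAD baseline uses no labels at all.

```python
from statistics import median

# Constructed sample: (failed_logins, MB_sent_out) per host-hour; label 1 = an
# analyst marked the hour malicious. The only labelled attacks are brute force.
TRAIN = [((2, 40), 0), ((1, 55), 0), ((3, 38), 0), ((0, 61), 0),
         ((45, 50), 1), ((60, 42), 1), ((2, 47), 0), ((38, 58), 1)]
NEW = [(1, 52), (52, 44), (2, 900)]  # quiet hour, brute force, bulk upload

def gini(labels):
    p = sum(labels) / len(labels)
    return 2 * p * (1 - p)

def fit_stump(rows):
    """Supervised: depth-1 decision tree, split chosen by weighted Gini."""
    best = None
    for f in range(len(rows[0][0])):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= t]
            right = [y for x, y in rows if x[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, t, round(sum(left) / len(left)),
                        round(sum(right) / len(right)))
    return best[1:]

def stump_predict(stump, x):
    f, t, left_label, right_label = stump
    return right_label if x[f] > t else left_label

def fit_baseline(points):
    """Unsupervised: per-feature median and MAD; labels are never read."""
    stats = []
    for col in zip(*points):
        med = median(col)
        stats.append((med, median(abs(v - med) for v in col) or 1.0))
    return stats

def anomaly_score(stats, x):
    # Largest robust z-score across features.
    return max(abs(v - med) / mad for v, (med, mad) in zip(x, stats))

def compare(new=NEW, threshold=6.0):
    stump = fit_stump(TRAIN)
    stats = fit_baseline([x for x, _ in TRAIN])
    return [(stump_predict(stump, x), anomaly_score(stats, x) > threshold)
            for x in new]

if __name__ == "__main__":
    print(compare())  # one (supervised, unsupervised) verdict per NEW row
```

The labelled model recognises the brute-force hour but passes the bulk upload, because no analyst ever labelled one; the baseline flags both, but it only reports deviation from normal, so an analyst still has to decide whether a flagged hour is malicious.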
Regardless of the method used, however, it can be stated that AI always leads to a reduction in the workload of the cyber security teams - which can thus concentrate on other, higher-value tasks.
AI in the Security Operations Centre - Success depends on the concept
AI is capable of many things - but only if it has been designed appropriately. The quality of any algorithm always depends on how well it has been trained and what data and data sets have been provided for training. A SOC that wants to rely on AI as a weapon in the fight against cyber threats must rely on high data quality and proper training of the AI. This is the only way to ensure the high level of protection of the IT infrastructure that AI can provide. As an additional layer for SOC, AI is certainly a useful and powerful instrument. However, artificial intelligence cannot completely replace human intelligence. Rather, the two must comprehensively complement each other.
AI as a counterpart to cyber security
Cyber attacks completely controlled by AI are currently still threats from the future. What can already be seen, however, are smart malware programmes. Up to a certain point, this malware is able to imitate typical system and user behaviour. The malware is thus able to infect devices or infiltrate entire networks - simply by waiting for the right time to strike. Nevertheless, this is not a cyber threat that comes only from an AI, because the control of the malware here is taken over quite "classically" by a hacker.
AI and its use in cyber threat hunting and threat intelligence
Artificial intelligence offers clear advantages over traditional methods in the proactive hunting of cyber criminals (cyber threat hunting) and the gathering of information on the threat situation of cyber security (threat intelligence). AI not only helps to detect anomalies more quickly, but can also predict areas of risk, ensuring a robust cyber security plan. AI can effortlessly monitor millions of events - every day. This reveals patterns and uncovers malicious activity that humans could not manually process simply due to the sheer size of the data sets. AI thus supports active cyber threat hunting by identifying and filtering out false alarms, allowing security professionals to focus on the truly relevant incidents.
Artificial intelligence can also be used for advanced threat intelligence. AI can process and use large amounts of data in parallel. In this way, breaches can be immediately flagged and categorised as a threat.
AI in one's own SOC is expensive - does my company really need to rely on such measures?
In short, cyber threats are increasing every year and the attackers' methods are becoming more sophisticated. A SOC, active cyber threat hunting and the use of threat intelligence are already almost indispensable if a company wants to guarantee the security of its data in the long term. However, the supply of appropriately trained security experts is scarce - and the integration of powerful AI is a significant financial burden, especially for small and medium-sized enterprises. Specialised cyber security service providers are suitable as an alternative to an in-house SOC and their own AI. Services such as Active Cyber Defense monitor and secure IT infrastructures around the clock, 365 days a year. Threat intelligence and cyber threat hunting are standard for security experts - just like the use of AI in the hunt for cyber criminals. The great advantage of external service providers: they make the establishment of their own SOC superfluous - and integrate AI as a security layer into their concepts. In this way, companies benefit from comprehensive cyber security - while at the same time minimising expenses.
Artificial intelligence is no longer a dream of the future. The learning computers are used worldwide - by IT security teams as well as hacker groups. Due to the enormous capacities in data analysis and processing, AI offers unbeatable advantages, especially in the area of security. However, at the moment, any AI is only as good as its "trainer" - because it still doesn't work entirely without human training. But teams from the fields of cyber threat hunting and threat intelligence are already relying on learning systems - and it is to be expected that the share of AI in the fight against cyber threats will be significantly expanded in the future.