Artificial Intelligence is being successfully integrated across leading industries and Information Security domain is not an exception. We asked Satnam Singh, Chief Data Scientist at Acalvio Technologies and a Speaker at nullcon Goa 2018, about the role AI plays in Cyber Security and its best practices used by the companies:

Let’s start with defining the place of AI in Information Security at the moment.

Satnam Singh (SS): AI in InfoSec is far away from AlphaGo that’s beaten the world’s best players in Go game. AI is certainly moving in a direction where it will help the security analysts to play a game with the adversary and threats. When an adversary is within the enterprise network, he needs to figure, where he is. He needs to move towards his targets, and carry out his attack. During these reconnaissance queries and movements, he would certainly leave some traces or signals. These signals are in the data that helps AI to detect the adversary presence and raise alerts.

Earlier, we used to bring all the data to a security data lake so-called SIEM, but now with AI, the correlations across multiple events can be done in real-time. Using algorithms, we can connect the dots and find the patterns, which were hard to find manually because we didn’t have enough security analysts.

One of the key advantages of AI-based systems is that they learn from the decisions taken by the security analysts and after some time they can also start taking the similar preventive actions as the security analysts. However, it has to happen for each InfoSec use case one-by- one.

Which types of AI applications are being used in cyber security solutions?

SS: AI is certainly making a big value proposition in the InfoSec. It is helping security analysts to detect unknown malware, detect network intrusions, and find users, hosts, and mobiles that may have been compromised.

AI is helping the analysts to free up their time from repetitive tasks such as threat intelligence and spend time on more strategic analysis of threats. AI is sort of adding multiple cameras/sensors in addition to existing tools to detect the threats in the enterprise network.

In your opinion, what are the biggest challenges in implementing AI in Information Security?

SS: We need to detect attacker’s presence by mining Petabyte’s of logs. This is a complex and difficult problem because the signal to noise ratio is very low. Also, connecting the attack sequence among isolated and rare signal events is, even harder problem.

Most of the security data has no labels that makes it difficult to apply the latest AI and ML techniques to a large number of InfoSec use cases. However, the industry is tackling this problem by generating class labels taking a few use cases at a time. Currently, AI in InfoSec is primarily based on finding rare/abnormal behavior and many of these anomalies cannot account for the complexities of the real world and a large number of them end up being false positives.

There is certainly no silver bullet in Security!! I think that we need to combine AI with other technologies such as deception to improve our defense.

Are companies that develop cybersecurity solutions starting to implement more of AI?

SS: Yes, Certainly!! There are a lot of new startups coming in AI and infoSec. InfoSec companies are also changing their existing products to include more AI. There is a need for everyone to embrace AI and automate the repetitive tasks because there is a big shortage of security analysts.

Can you give some examples of the machine learning algorithms which are being used to develop cybersecurity applications?

SS: At high-level the ML algorithms fall into two buckets in InfoSec. Supervised ML algorithms such as Deep Learning Networks (ANN, RNN, CNN), Random Forest, XGBoost are used to classify malicious scripts vs benign scripts, detect DNS tunnels, detect C&C servers, detect malware, detect known network scans, application attacks, and many more known threats that have labels available for the training.

Another set of algorithms fall into unsupervised ML specifically anomaly detection algorithms such as Clustering, Robust-PCA, SVD, One-Class SVM, DB Scan, KDE to detect anomalous events. Anomaly-based algorithms are used in networks to flag anomalous ports, unusual traffic from a host, excessive DNS failures, endpoints having unusual processes/applications/registry changes, users/hosts having unusual behaviors.

And last but not least: Why do you think people should attend events like Nullcon?

SS: I attended Nullcon 2017 and I learned a lot!! It is one of the biggest Security conferences in India and that too in Goa - A fantastic place :-) It is like “the Blackhat of India” and topics are selected from a large pool to give the best knowledge about the recent attacks and threats to the participants.

In addition, I like the panel discussions, capture the flag competition, night party, etc. Plenty of opportunity to network with the InfoSec community. Looking forward to meet the guys at Nullcon 2018 in Goa :-)

To learn more about AI, visit Satnam’s talk “A Game between Adversary and AI Scientist” at nullcon Goa 2018.