by Haythem Ben Rhouma, Mounia Hadhoud, Idles Mamou et Houda Hanzouli

How Artificial Intelligence matters in Cybersecurity

Introduction

Technology is more important in today's world than it has ever been. With the widespread use of rising technologies such as the Internet of Things (IoT) and cloud computing, a massive quantity of data is created and collected. Although data may be leveraged to better address the corresponding business demands, hacks frequently pose significant hurdles. A cyber-attack is often a deliberate and coordinated attempt by an individual or organization to infiltrate another individual's or organization's information system. These sorts of security events or cybercrime can have a negative impact on companies and individuals, causing interruptions as well as severe financial losses.

Artificial intelligence is defined as artificial decision making. AI can be used to mine data, identify patterns, and predict future events. It can also be used to detect cyber-attacks and prevent them from happening. In the future, AI systems will be able to detect patterns that are not readily apparent to humans, like a possible cyber-attack, by analyzing network traffic and determining if different strings of data are accessed in the same unusual pattern. AI can do many things, and it will continue to evolve and grow to be used in more everyday aspects of our lives.

Like artificial intelligence, cybersecurity has become a significant concern in today's digital age due to the increasing number of attacks affecting millions of people and organizations. Cybersecurity is about protecting critical systems and sensitive information from digital attacks. Cyber attacks are also becoming increasingly complex. Artificial intelligence in cybersecurity helps companies safeguard their defense mechanisms. It also helps them better analyze cybercrimes.

In this article we will address  some common types of attacks today and how effective the AI techniques are against these ever-increasing threats of malware that plagues our online community.

Identifying the need for AI in CyberSecurity

AI has made an impact on security by helping professionals identify irregularities on the network by analyzing user actions and studying patterns. With AI, security professionals can now study network data and detect vulnerabilities to prevent harmful attacks. Machine learning, a subset of artificial intelligence, is also being used by companies today to improve their security systems. AI helps improve the traditional approach to security in the following ways:

• Advanced AI-powered security tools will be used to monitor and respond to security events
• Modern firewalls will have built-in machine learning technology that will easily detect a usual pattern in the network traffic and remove it if considered malicious
• Using the natural language processing feature in AI, security professionals can detect the origin of a cyber-attack. Natural language processing also helps in analyzing vulnerabilities
• Scanning internet data and using predictive analysis will identify malicious threats beforehand
• Higher security of conditional access and authentication

Companies using Artificial Intelligence in Cyber Security

Google:

• They are using the Deep Learning AI system on their Cloud Video Intelligence platform. Videos stored on their cloud server are analyzed by AI algorithms based on their content and context. If an anomaly is found that might be a threat, the AI algorithms send an alert.
• Gmail uses machine learning to filter out spams from your mail to provide a hassle-free environment. More than 100 million spams are blocked every day.

IBM:

• IBM Watson uses machine learning in its cognitive training to detect threats and create cybersecurity solutions.
• AI also reduces time-consuming threat research tasks and assists in determining security risks.

Facebook:

• They use artificial intelligence to detect most fake accounts and disable them before they can post on the platform.

Cybersecurity threats can come in many forms. In Figure 1 we present some common types of cyberattacks.

               Figure 1. The most common cyber threats and attacks in cybersecurity

AI’s contribution to CyberSecurity

AI and machine learning are now becoming essential to information security, as these technologies are capable of quickly analyzing millions of pieces of data and identifying a wide variety of cyber threats, from malware threats to shady behavior that could result in a phishing attack.

These technologies are constantly learning and improving, drawing data from past and present experiences to identify new varieties of attacks that may occur today or tomorrow. Here are a few advantages and applications of using AI in cybersecurity.

Faster discovery of threat

One of the first uses of cyber AI was threat detection. It may be used to supplement existing attack surface management strategies, reducing noise and allowing precious security experts to focus on the most important signals and signs of penetration. It can also make judgments and act more quickly, as well as focus on more strategic operations. In order to make that happen, historical labeled data is essential and supervised learning is the most used approach for this task. The most common supervised learning approaches are classification and regression algorithms. These techniques are often used to categorize or forecast the target variable for a specific security concern. For instance, classification techniques in cybersecurity can be used to determine if a denial-of-service (DoS) attack has occurred or to pinpoint certain types of network hazards, including scanning and spoofing. The general framework for detecting cyber threats is presented in Figure 2.

Figure 2. General framework for detecting cyber threats

Naive Bayes for example, is widely used In cybersecurity. For training and testing, the researchers in [1] employed the Weka package's naive Bayes classifier with KDD'99 data. Data were classified into four types of attacks (probe and scan, DoS, U2R, and R2L), and their classifier obtained 96%, 99%, 90%, and 90% testing accuracy, respectively. The overall false positive rate was 3%. In [2], one of the strategies used to handle a DoS problem was Naive Bayes, which sought to resolve botnet activity in filtered Internet Relay Chat (IRC) and detect the botnet's presence and origin. TCP-level statistics were obtained from 18 distinct sites on the Dartmouth University campus' wireless network for the experiment. This data was collected during a four-month period. Because labeling was difficult, the studies were conducted using simulated data. The Bayesian network performed well, with a precision of 93% and a false positive rate of 1.39%.

The operating system of an autonomous car might be compromised, revealing personal information on other linked devices. The authors of [3] used decision trees to build detection algorithms for denial-of-service and command injection attacks against autonomous vehicles. The results revealed that different assaults had varying effects on robotic behavior. In [4], researchers built a decision tree-based intrusion detection system that may modify its parameters after an attack by assessing behavior data provided by the numerous APIs contained in the intrusion detection system. The final decision tree model is illustrated in Figure 3  below.

                                          Figure 3. The final decision tree model

The approach was used to prevent advanced persistent threat (APT) attacks, which utilize social engineering to launch various types of intrusion attacks. In their studies, the detection accuracy was 84.7%, which is quite high for this experiment.

Proactive security posture

An AI that has been properly trained can enable a more proactive security posture and enhance cyber resilience, allowing enterprises to continue operating even when under attack and lowering the amount of time an adversary is in the environment.

An attacker may employ strategies such as a social engineering operation during the reconnaissance or planning phase of the attack (phishing, malicious call, etc.). Machine learning algorithms can search for email signatures, detect dangerous or phishing emails, and prevent them. In certain circumstances, an attacker will phone the target company and imitate a third party in order to gain important information (this is called "voice phishing" or "vishing"). Such calls can be identified and blocked using call source analysis methods. Scanning any external devices linked to the organization's property, such as a USB device, is another example of machine learning application. A scan of this type stops harmful software from spreading through such devices.

The researchers in [5] used DBNs (deep belief networks) to detect malware with an accuracy of 96.1%. The DBNs used unsupervised learning to discover layers of features and then used a feed-forward neural network to optimize discrimination. DBNs can learn from unlabeled data, so, in the experiments, DBNs provided a better classification result than SVM, KNN and decision tree.

Figure 4. The architecture of DeepFlow

In Figure 4  above, we show the architecture of a deep learning approach called DeepFlow that was proposed in [6] to directly detect malware in Android applications. The system is deep-learning based and uses RBMs (restricted boltzmann machines) to  mark the malware. The architecture consisted of three components for feature extraction, feature coarse granularity and classification. Two modules were used to assess malware sources from the Google Play Store. Experiments showed that DeepFlow outperformed SVM, ML-based algorithms and multi-layer perceptron (MLP).

In Figure 4  above, we show the architecture of a deep learning approach called DeepFlow that was proposed in [6] to directly detect malware in Android applications. The system is deep-learning based and uses RBMs (restricted boltzmann machines) to  mark the malware. The architecture consisted of three components for feature extraction, feature coarse granularity and classification. Two modules were used to assess malware sources from the Google Play Store. Experiments showed that DeepFlow outperformed SVM, ML-based algorithms and multi-layer perceptron (MLP).

              Figure 5. ADMIT intrusion detection system architecture

The Figure 5  above shows the architecture of an intrusion detection system named ADMIT. Its developers, as they have shown in [8], preferred to use a different data mining method. Instead of using labeled data, this approach creates user profiles progressively using a dynamic clustering technique. To create a profile, it employs sequences, which are a series of attributes derived from user data. Using a modified form of K-means clustering, these sequences are classed as normal or anomalous. They chose a maximum sequence length of 20 to achieve 80% performance accuracy with a 15% false positive rate.

The above contributions, the approaches used and their purpose are summurazied in the table below.

Conclusion

In conclusion, the role of artificial intelligence in cybersecurity cannot be overstated. As the digital landscape continues to expand and evolve, new threats and vulnerabilities arise, demanding more robust and dynamic security measures. The introduction of AI in cybersecurity has proven to be a game-changer, addressing the pressing need for adaptive and proactive security solutions.

In our upcoming article, we will look at  a specific type of cyber attack - the battle of fake profiles - further highlighting the importance of AI in tackling such sophisticated threats and ensuring a safer digital environment. Stay tuned to explore this intriguing topic and gain deeper insights into the challenges and solutions in the realm of cybersecurity.

References

[1] Network intrusion detection using naive bayes, Mrutyunjaya Panda, Manas Ranjan Patra, IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.12, December 2007.

[2] Using Machine Learning Techniques to Identify Botnet Traffic, Carl Livadas; Robert Walsh; David Lapsley; W. Timothy Strayer,  Proceedings. 2006 31st IEEE Conference on Local Computer Networks.

[3] Decision Tree-based Detection of Denial of Service and Command Injection attacks on Robotic Vehicles, Tuan Vuong, George Loukas, 10.1109/WIFS.2015.7368559.

[4] DTB-IDS: an intrusion detection system based on decision tree using behavior analysis for preventing APT attack, Daesung Moon, Hyungjin Im, J. Park, 1 July 2017, 10.1007/s11227-015-1604-8.

[5] Y. Ding, S. Chen and J. Xu, "Application of Deep Belief Networks for opcode based malware detection," 2016 International Joint Conference on Neural Networks (IJCNN), 2016, pp. 3901-3908, doi: 10.1109/IJCNN.2016.7727705.

[6] Dali Zhu, Hao Jin, Ying Yang, D. Wu and Weiyi Chen, "DeepFlow: Deep learning-based malware detection by mining Android application for abnormal usage of sensitive data," 2017 IEEE Symposium on Computers and Communications (ISCC), 2017, pp. 438-443, doi: 10.1109/ISCC.2017.8024568.

[7] L. Wang, A. Zhang, Z. Li and J. Lei, "Real-Time Correlation of Network Security Alerts," in 2007 IEEE International Conference on e-Business Engineering, Hong Kong, 2007 pp. 73-80. doi: 10.1109/ICEBE.2007.69

[8] Sequeira, Karlton & Zaki, Mohammed. (2002). ADMIT: Anomaly-based data mining for intrusions. Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 386-395. 10.1145/775047.775103.