The arms race of AI in cybersecurity

CCTV Handbook 2020 Cyber Security

With any advancement in technology, you can bet that the criminal fraternity will be quickly examining its potential in supporting their nefarious goals. Whether cyber-criminals planning ransomware attacks or the theft of data and financial information, or nation states looking to disrupt the critical infrastructure of adversaries (if not worse), new technology has the potential to add to their armoury.

As well-funded as any legitimate business, these organisations can innovate in their use of new technologies – artificial intelligence (AI), machine learning (ML) and deep learning (DL) among them – unencumbered by any national or international regulations or laws, morals or ethical norms. They will simply look at the opportunity these technologies give them to achieve their criminal objectives.

But while new technology will find its way into the hands of criminals and bad actors, it is also available to be used as defence by those organisations being targeted.

Hidden in plain sight

There’s an overwhelming amount of evidence that bad actors are using artificial intelligence (AI), machine learning (ML) and deep learning (DL) to improve the sophistication of their attacks. While large-scale Distributed Denial of Service (DDoS) attacks often grab the headlines – disabling as they do high-profile websites and online services – remaining undetected for as long as possible is the primary aim of most cyber-criminals. In exactly the same way as a house burglar will aim to spend as long as possible undetected – moving from room to room in search of valuables and if possible, leaving as stealthily as they entered – a cyber-criminal will want to penetrate, move around and exit a network without being detected.

To do this, they aim to look as much as possible like a legitimate user of the network, whether human or a device. And this is where AI and machine learning become an invaluable new weapon, allowing cyber-criminals to learn the network behaviours of people and devices, rapidly develop new malware and phishing strategies and deploy these at huge scale. The simplest way to access any network is still to somehow compel a legitimate user to click on a link and open the door. And a fake email from the boss which is virtually indistinguishable from the real thing – including in tone and style of language used – can often be the most effective key.

Darktrace is recognised as one of the leading companies globally focused on AI in cybersecurity and, as you’d expect, is also expert in understanding the increasing use of AI by the criminal fraternity. This excellent blog post details the benefits to cyber-criminals in using AI through the attack lifecycle, from chatbots engaging employees through fake social media profiles to the use of neural networks to identify the most valuable data for extraction.

The increasing – and dangerous – link between IT and OT

The Darktrace blog post also highlights the objective of lateral movement in the network once access has been gained. This is essential in meeting the cyber-criminals’ aims, as the network entry point – which may be an unsecured device in a remote location – is rarely the desired final location. Ultimately, the bad actor will be looking to move towards far more sensitive areas of the network, harvesting user credentials along the way, particularly those of privileged users such as network administrators, which will give them a primary key to network access.

With the world of connected devices and the so-called Internet of Things (IoT), the risks are exploding as the information technology (IT) network becomes more tightly integrated with the operational technology (OT) environment. Put simply, the IT network manages the flow of digital information, the OT manages the operation of physical processes, machinery and physical assets of the business or specific location. For those bad actors whose aim is disruption and destruction rather than theft, access to the OT is essential. It takes no imagination at all to understand the potential damage that could be created through access to the machinery within a power station, oil refinery or hospital.

AI as a tool for defence as well as attack

We’ve looked at the potential application of AI and ML by bad actors and cyber-criminals and it paints a fairly chilling picture. However, these same technologies are, of course, available to those aiming to protect networks from penetration and in many ways the advantage is in the hands of the defenders over the attackers.

I caught up with Jeff Cornelius, executive vice president at Darktrace, to hear more about the ways that the company is innovating in AI and ML to keep one step ahead of the criminals.

“First things first,” says Cornelius, “despite the impression you may get from the media, developing artificial intelligence and machine learning isn’t easy. And while we have a powerful adversary in the criminal fraternity and nation states looking to perpetrate cyberattacks, there are a number of aspects in our favour.

“Primary amongst these is that – given the access provided by our customers – we can see the entirety of the network activity which we use to create an understanding of the behaviour of every device and user. In contrast, bad actors will only ever be able to rely on a limited view of activity. Every action they take from an initial foothold is a partially blind step into an environment that we understand and they do not. Ultimately their goals are activities that the business does not normally perform. Our primary objective is to identify and address anomalies in network behaviour, a necessarily wide scope since we do not know when or where an adversary might appear or what their specific new methods or goals may be.

“To draw an analogy, someone who studies my daily movements from outside my house will build up a fairly detailed view of my habits: the time I generally leave the house each day, which route I take to work, where I grab my lunch and so on. They could probably do a decent job of mimicking those parts of my life. But without having a view inside my house, if they tried to mimic my tastes at breakfast, they’d almost certainly make a mistake that would easily be spotted as an anomaly by a close family member. There is usually decent information available on the Internet to target an individual with a clever spear-phishing email, but once inside they are sitting at our table.”

Supervised vs unsupervised machine learning

“There’s an important distinction to be made between supervised and unsupervised machine learning. In the former, computers are trained against a set of known data and constantly refer back to this data to check if the outcome recorded is the expected one. From a cybersecurity perspective, the models for learning are based on known malware. And this is where the real race between criminals and cybersecurity lies: bad actors are using ML to create new versions of malware – we’re seeing an exponential growth in these – and cybersecurity companies are trying to keep pace by writing new models for supervised ML defences. It’s a bit like a spellcheck trying to keep pace with a world where new words and even languages are being created daily. And it’s becoming increasingly difficult, if not impossible, to keep pace.

“By contrast, instead of relying on knowledge of past threats, unsupervised machine learning algorithms independently classify data and detect compelling patterns. In this context they analyse network data at scale and make billions of probability-based calculations based only on the evidence that they see. From this, they form an understanding of ‘normal’ behaviours across the specific network, pertaining to devices, users, or groups of either entity. They can then detect deviations from this evolving ‘pattern of life’ that may point to a developing threat. This early warning system will allow us to stay a step ahead of the cyber-criminals and bad actors.”
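The contrast Cornelius draws can be made concrete with a small added example. It is not Darktrace's algorithm or code from the article: the device names, flow fields, thresholds and signature list are all constructed for illustration. A per-device baseline is learned from unlabelled flows, and a new flow is scored by how rare its destination port is for that device and how far its volume sits from the device's median.

```python
import math
from collections import Counter, defaultdict
from statistics import median

# Constructed, unlabelled flows: (device, destination port, bytes sent)
TRAIN = [("cam-01", 554, b) for b in (980, 1010, 1005, 995, 1020, 990, 1000, 1015)]
TRAIN += [("hr-laptop", 443, b) for b in (4200, 3900, 5100, 4700, 4400, 4000)]

# Constructed stand-in for a supervised, known-bad signature list
KNOWN_BAD_PORTS = {4444, 31337}

def signature_match(port):
    """Supervised-style check: only flags what has been seen and labelled before."""
    return port in KNOWN_BAD_PORTS

def fit(flows):
    """Learn each device's 'pattern of life': port counts, median and MAD of volume."""
    ports, sizes = defaultdict(Counter), defaultdict(list)
    for dev, port, nbytes in flows:
        ports[dev][port] += 1
        sizes[dev].append(nbytes)
    model = {}
    for dev, counts in ports.items():
        med = median(sizes[dev])
        mad = median(abs(x - med) for x in sizes[dev]) or 1.0  # avoid divide-by-zero
        model[dev] = (counts, sum(counts.values()), med, mad)
    return model

def score(model, dev, port, nbytes):
    """Return (port rarity in bits, robust z-score of volume) for one flow."""
    counts, total, med, mad = model[dev]
    # Laplace smoothing: a never-seen port gets a small non-zero probability
    p = (counts[port] + 1) / (total + len(counts) + 1)
    return -math.log2(p), abs(nbytes - med) / (1.4826 * mad)

def is_anomalous(model, dev, port, nbytes, max_bits=3.0, max_z=6.0):
    """Flag flows that deviate from the learned baseline; thresholds are illustrative."""
    if dev not in model:  # a device with no baseline is itself a deviation
        return True
    rarity, z = score(model, dev, port, nbytes)
    return rarity > max_bits or z > max_z

if __name__ == "__main__":
    m = fit(TRAIN)
    # A camera suddenly pushing 250 kB to port 443: no signature exists for it
    print(signature_match(443), is_anomalous(m, "cam-01", 443, 250000))
```

The camera's bulk upload over port 443 matches no signature, yet it is flagged because neither the port nor the volume fits what that device has done before.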

The subject of AI and machine learning in cybersecurity is fascinating and one which this article cannot do justice to. It’s also one that may seem much broader in relevance than simply related to security and surveillance. But of course, network video and audio are as likely to be targeted as any network-connected device, so it’s one we take an acute interest in.

For more information contact Axis Communications, +27 11 548 6780.

