printer friendly version

The battle of AI and ML in the cybersecurity world

Whether we realise it or not, artificial intelligence (AI) and machine learning (ML) play a part in every second of our lives. From the moment we wake, smart devices decide what time to turn on our heaters and our lights, social media uses complex algorithms to select what news to promote to us and Google Maps navigates us through our day. Even while we sleep, AI monitors our sleeping patterns (with the proliferation of smart devices like Google Home and Apple Watches) identifying when we have had a good night’s sleep and even monitoring our health.

ML and AI in our daily lives have slowly changed how we interact with technology. We use this technology for good by helping the elderly with virtual chatbots, preventing poaching and providing real-time translation for migrants.

The cybersecurity world has been at the forefront of this technology in the last decade, using ML/AI in various applications such as tackling huge volumes of malware, detecting spam and business email compromises, analysing network traffic, using facial recognition and more. It’s hard to get away from a vendor’s presentation without hearing about their ML and AI nowadays. This article will demystify and hopefully bring some new angles to our readers in the decision-making around ‘ML-enabled’ security solutions.

What are ML and AI?

Let’s start with simple definitions of machine learning and AI. Machine learning involves enabling computers to learn how to do something. This requires input such as training data and knowledge, while AI is the goal of applying the knowledge learned. AI attempts to solve data-based business or technical problems, assisting users in the decision-making process or making judgment itself (if we programmed it in such a way). When it needs to, it can be used to rapidly analyse large sets of data that no human brain could possibly process and can come up with AI-assisted decisions and conclusions on an issue.

Is AI perfect? Not always. Any computer program is only as good as its writer and any ML or AI is only as good as the information it has been fed. There are well-known examples of programmatic biases in some AI algorithms and examples where chatbots have gone rogue after being trained with the wrong data. So, while there is still work to be done, these algorithms can deliver significant benefits over even more fallible humans.

AI-driven malware: myth or reality?

Despite a large amount of hype and clickbait, there is little evidence to support the belief that criminal cybergangs are already using AI to help generate new strains of malware, however, there is evidence that AI/ML is being used in other areas to circumvent protective security measures:

• Generating deep fake videos and images to phish users and bypass security measures. This is particularly prevalent on social media sites to create fake identities.

• Solving CAPTCHAs to bypass authentication protections.

• To gather open source intelligence on organisations in order to target attackers.

AI in defensive security: Use case is king

When considering investment priorities among security solutions, evaluate the use cases you’re trying to achieve. Understand how threats are evolving and what tactics and techniques black-hats use. Then ask why you couldn’t stop these attacks with the investment you have so far. It’s fairly easy to get caught up with the AI/ML hype. But customers are starting to move cleverly to consider practical use cases, whether this is detection, forensics, hunting or mitigation.

How does Fortinet use AI?

The big change in the malware industry that triggered the need for AI was heuristics and adaptive malware. Fortinet went almost overnight from a volume of malware that could be handled manually to a situation with exponential growth in the number of samples. It had to adapt and take advantage of AI and ML to support its malware analysts.

Fortinet has been in the AI business for more than a decade. At a high level, Fortinet uses AI and ML in multiple areas:

• Scale: One of the first use cases 10 years ago was the advent of the virtual FortiGuard threat analyst. The huge growth in samples meant that analysts could no longer handle the volumes of samples they were receiving, so they created an artificial neural network (ANN) for sub-second sample classification. Over six generations of this solution, this grew into FortiAI, which analyses millions of samples per day with near-perfect accuracy - a task that would normally require thousands of human analysts.

• Enhance: An ML use case is a great way to enhance traditional security solutions. Some examples are:

◦ Adding ML analysis of malicious vectors in FortiSandbox.

◦ ML-enabled AV engine in FortiOS.

◦ ML in other solutions such as FortiWeb, FortiGuard Security Services and many more. This enables better and more accurate detections of malicious activities or anomalies for our customers. In this area, innovation is key.

• Predict: ML/AI is particularly good at drawing relationships and making predictions. An example is comparing two infections’ ‘DNA’ and tracing the source of a problem. This is a more advanced application of AI, as prediction has a time element, meaning you can tell ahead of time what will happen. Based on the historical data points, trending, etc., it is possible to predict what might happen to your network.

• Reduce time to detect: Fortinet pushes the physical limit to ‘sub-second’ detection of malicious code, enabling SecOps solutions to integrate with its flagship NGFW FortiGate for inline blocking, stopping patient zero. While reducing time to detect from minutes to sub-second might not sound significant, it’s crucial when a major, widespread outbreak occurs. Customers should have the ability to react quickly to threat actors.

Share this article:

Further reading: