New weapons to counter cybersecurity threats


WITHIN the lifetime of many of us, the idea that machines could learn things that humans didn’t specifically teach them was the stuff of science fiction.

One look through Netflix will uncover movies of evil computers plotting to take over the world. Isn’t it interesting that now when we have actual artificial intelligence (AI) and machine learning as part of daily life, one of its key purposes is protecting people and property?

At Symantec, the largest cybersecurity company in the world, we see over 10 trillion security events per year and more than one million pieces of malware a day. This is an unrivalled amount of data, and it is impossible for humans and traditional systems to understand it, process it and turn it into actionable intelligence. This led us to develop and experiment with new technologies to tackle the scale problem, with machine learning and AI being the key focus.

While machine learning and AI are closely related, there are also distinct differences. Machine learning allows systems to learn from their inputs and experience without being specifically programmed. AI, on the other hand, requires a machine to perceive and imitate human behaviour. Consider a self-driving car: the system that identifies pedestrians is machine learning, while the whole car dealing with all aspects of driving to and from a destination is AI.

Although we may be a long way from Star Trek’s conversational computer, there is no doubt that machines are learning and systems are getting smarter. Take for example the case of self-driving cars: despite many high-profile errors, more than 10 million cars with some self-driving features will be on the road by 2020.

Singapore has recently kicked off the world’s first driverless taxi trial, pioneering a technology that is set to revolutionise the way we travel. These IoT-connected (Internet of Things) and automated vehicle systems can free up travelling time for commuters, allowing them to relax or work on the go, among other benefits.

While today’s applications in digital assistants, such as Siri and friends, data mining, machine vision and industrial applications might seem amazing, the reality is that we are in the infancy of machine learning and AI. Though these concepts have existed for more than 60 years, it is only in the last 10 years that science fiction-like advances have been made.

In terms of cybersecurity, machine learning and AI can act as a force amplifier. The sheer scale of the threats, devices and networks operated today makes it impossible for humans and traditional systems to understand, correlate and connect them. As discussed earlier, Symantec collects more information than any single system or human could understand, and this problem is only expected to get worse as huge new networks of devices and systems – IoT – roll out, each acting as a source of attack, a target of attack and a generator of information and logs.

Consider the volume of new connected devices in the IoT that will come online in the next few years. All of these are potential vectors of attack. In fact, Gartner forecasts that by 2020, more than 25 per cent of identified attacks in enterprises will involve IoT.

This is where we must turn to machine learning and AI. We need these systems to act as our force multiplier: the systems that ingest all that data and then tell us only about the things we should care about and act on, making our security analysts more productive.

To date, the cybersecurity application of these technologies has really been limited. Machine learning focuses on three things: threat detection, anomaly detection and user behaviour analysis. AI has yet to make a big impact on cybersecurity but this is likely to change over the next few years, as the technology matures.

Let’s take threat detection as an example. In this scenario, we use machine learning to examine a new unknown file and determine whether the file poses a threat. To do this, it must learn by being shown previously known bad files (convicted files). The more samples it sees, and the more features (attributes, components, behaviours) of those samples it sees, the more likely it will be able to detect and convict unknown files. This is a continuous process of self-improvement: new results, once validated, are fed back to the machine and continue to improve it. The machine and the data it is trained on are completely intertwined.
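The learn-from-convictions loop described above, as an added illustration that is not Symantec’s code: a Bernoulli naive Bayes classifier over binary file features, trained on a constructed set of convicted and validated-clean samples, scoring unknown files and then absorbing analyst-validated verdicts so later scores shift. The feature names and sample files are constructed for the example.

```python
import math
from collections import Counter

# Constructed binary file attributes (the page's "attributes, components,
# behaviours"); names are illustrative, not a real feature extractor's output.
FEATURES = ("packed", "no_signature", "writes_autorun", "network_beacon",
            "high_entropy_section", "imports_crypto")

class FileConvictor:
    """Bernoulli naive Bayes with Laplace smoothing. Raw counts are kept so
    validated verdicts can be fed back incrementally instead of retraining."""
    def __init__(self):
        self.n = Counter()                                  # samples per label
        self.hits = {"bad": Counter(), "good": Counter()}   # feature hits per label

    def learn(self, features, label):
        """Add one convicted ('bad') or validated-clean ('good') sample."""
        self.n[label] += 1
        for name in features:
            self.hits[label][name] += 1

    def prob_bad(self, features):
        """P(bad | features); smoothing keeps unseen feature combinations non-zero."""
        logp = {}
        for label in ("bad", "good"):
            n = self.n[label]
            lp = math.log((n + 1) / (sum(self.n.values()) + 2))   # smoothed prior
            for name in FEATURES:
                p_hit = (self.hits[label][name] + 1) / (n + 2)
                lp += math.log(p_hit if name in features else 1.0 - p_hit)
            logp[label] = lp
        m = max(logp.values())   # log-sum-exp keeps the normalisation stable
        return math.exp(logp["bad"] - m) / sum(math.exp(v - m) for v in logp.values())

    def convict(self, features, threshold=0.9):
        return self.prob_bad(features) >= threshold

def demo():
    """Train on constructed convictions, score two unknowns, then feed two
    analyst-validated verdicts back and re-score the borderline unknown."""
    m = FileConvictor()
    for s in [{"packed", "no_signature", "writes_autorun", "network_beacon"},
              {"packed", "no_signature", "network_beacon", "high_entropy_section"},
              {"no_signature", "writes_autorun", "imports_crypto", "high_entropy_section"},
              {"packed", "no_signature", "network_beacon"}]:
        m.learn(s, "bad")
    for s in [{"imports_crypto"}, {"network_beacon", "imports_crypto"}, set(), {"packed"}]:
        m.learn(s, "good")              # e.g. signed installers and updaters
    p_unknown = m.prob_bad({"packed", "no_signature", "writes_autorun", "high_entropy_section"})
    border = {"packed", "network_beacon"}
    p_before = m.prob_bad(border)
    m.learn({"packed", "network_beacon"}, "bad")                         # validated results
    m.learn({"packed", "network_beacon", "high_entropy_section"}, "bad")  # fed back
    return p_unknown, p_before, m.prob_bad(border)
```

Running `demo()` shows the first unknown convicted outright (about 0.98), while the borderline file moves from roughly 0.28 to 0.68 once the two validated convictions are fed back, without touching the rest of the model.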

If we look at anomaly detection, this problem starts to become even more complicated. It requires the system to examine patterns of behaviour and automatically build profiles from what it sees. This could be in a closed system such as a self-driving car, where the system observes all of the components inside a vehicle and how they talk to each other and builds a baseline model for what is normal. When something outside of that model occurs, it’s flagged as an anomaly.

On the other hand, anomaly detection on open systems such as the Internet is extremely difficult because of the data it requires: it can only be truly effective when a large amount of data is sampled. At Symantec, we take advantage of telemetry that comes from hundreds of millions of systems to achieve this.
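The closed-system case described above (a vehicle whose components talk to each other over an internal bus), as an added example that is not Symantec’s code: a baseline is learned from a constructed traffic log, recording which component pairs exchange which message types and at what peak rate, and live traffic is then checked for flows the model never saw and for bursts above the learned rate. Component names and log entries are constructed, not real vehicle telemetry.

```python
from collections import Counter, defaultdict

# Constructed in-vehicle bus log: (second, source, destination, message type).
BASELINE_LOG = [
    (0, "wheel_speed", "abs", "speed"),  (0, "abs", "brake_ctl", "pressure"),
    (0, "radar", "cruise", "range"),     (1, "wheel_speed", "abs", "speed"),
    (1, "abs", "brake_ctl", "pressure"), (1, "radar", "cruise", "range"),
    (2, "wheel_speed", "abs", "speed"),  (2, "abs", "brake_ctl", "pressure"),
    (2, "radar", "cruise", "range"),     (2, "infotainment", "display", "track"),
]

def rates_per_second(events):
    """Map (source, destination) -> Counter{second: message count}."""
    rate = defaultdict(Counter)
    for t, s, d, _ in events:
        rate[(s, d)][t] += 1
    return rate

class BusBaseline:
    """Learns which components talk to each other, with which message type,
    and at what peak rate; anything outside that model is reported."""
    def __init__(self, events):
        self.allowed = {(s, d, m) for _, s, d, m in events}
        self.peak = {pair: max(c.values())
                     for pair, c in rates_per_second(events).items()}

    def check(self, events, burst_factor=3):
        """One finding per unseen flow, plus one per second in which a known
        pair exceeds burst_factor times its baseline peak rate."""
        findings, reported = [], set()
        for t, s, d, m in events:
            if (s, d, m) not in self.allowed and (s, d, m) not in reported:
                reported.add((s, d, m))
                findings.append(f"t={t}: unseen flow {s}->{d} [{m}]")
        for (s, d), c in rates_per_second(events).items():
            base = self.peak.get((s, d))
            for t, n in sorted(c.items()):
                if base is not None and n > burst_factor * base:
                    findings.append(f"t={t}: burst {s}->{d} {n} msgs (baseline peak {base})")
        return findings

def demo():
    """Constructed live traffic: one normal cycle, one flow the baseline never
    saw, and a burst of speed frames well above the learned rate."""
    live = [(5, s, d, m) for _, s, d, m in BASELINE_LOG[:3]]
    live.append((5, "infotainment", "brake_ctl", "pressure"))
    live += [(6, "wheel_speed", "abs", "speed")] * 10
    return BusBaseline(BASELINE_LOG).check(live)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The baseline is only as good as the observation window: a flow that is legitimate but rare (a diagnostic message seen once a month, say) will be flagged until it has been observed and admitted to the model, which is why flagged events warrant investigation rather than automatic blocking.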

These two things allow us to build tools that let us stay ahead of the cyber criminals. Threat detection lets us discover new unknown malware, while anomaly detection allows us to see whether a network or system has been compromised and whether it warrants further investigation. Our security solutions imbued with machine learning can detect anomalies and outsmart intelligent threats, protecting us where we are most susceptible. But where do we go from here?

As more businesses embrace digitisation, the way we protect ourselves must also evolve and there is a critical need to stay proactive against threats, instead of reacting to them. With the emergence of AI, we may just be able to stay one step ahead of cyber criminals.

Eventually we will need to be able to build intelligent security systems that can not only learn faster than threats can present themselves but also predict new attacks. It is foreseeable that a cybersecurity AI could observe all the outputs from machine learning models, looking at threats, anomalies and even current affairs news, and detect that an attack is about to happen. This would be an amazing force multiplier for our cybersecurity centres, making analysts even more productive.

While the idea of machine intelligence is ancient, its real implementation is recent. With compute power and the quantity of data having increased dramatically, AI and machine learning are growing exponentially. Every time we buy something online, make a deposit or take out money from an ATM, glance at an ad, or turn on the faucet, intelligent machines are protecting us. It may not be as great a story as machines ruling the world, but it helps us all sleep better at night.

  • The writer is a security evangelist, Symantec Asia Pacific