A considerable number of articles cover machine learning and its ability to protect us from cyberattacks. Still, it's important to separate the hype from the reality and see what exactly machine learning (ML), deep learning (DL) and artificial intelligence (AI) algorithms can do right now in cybersecurity.
First of all, I have to disappoint you. Unfortunately, machine learning will never be a silver bullet for cybersecurity compared to image recognition or natural language processing, two areas where machine learning is thriving. There will always be a person who tries to find issues in our systems and bypass them. Therefore, if we detect 90% attacks today, new methods will be invented tomorrow. To make things worse, hackers could also use machine learning to carry out their nefarious endeavors.
Nevertheless, machine learning can help us with typical ML tasks, including regression (prediction), classification, clusterization, recommendation and reinforcement. ML can solve all of them with different levels of efficiency for various needs. Now, we will address the typical cybersecurity tasks.
According to Gartner's PPDR model, all security tasks can be put into five categories: prediction, prevention detection, response and monitoring. To be more precise, they can be used for technology layers such as network (network traffic analysis and intrusion detection), endpoint (anti-malware), application (WAF or database firewalls) or user (UBAs, anti-fraud).
Now, let's see the examples of how current machine learning methods can be applied to cybersecurity tasks.
Regression, or in other words prediction, is a simple task. We want to utilize our knowledge about existing data to make opinions on new data. A traditional example is house prices prediction. In cybersecurity, it can be implemented for tasks such as user behavior analytics as well as fraud detection. Network traffic analysis is another good choice to use machine learning. As for technical aspects of regression, various types of recurrent neural networks work best.
Classification is also straightforward. If you have two piles of pictures -- let's say dogs and cats -- you will easily put new pictures to the matching ones. This is usually known as supervised learning. We know exactly what we are searching for and bear in mind the examples of certain groups. Undoubtedly there can be countless classes, but we define them in the beginning. So let's say we want to detect a malicious activity on different layers. For the network layer, we are able to apply it to the intrusion detection system (IDS) and identify different classes of network attacks such as scanning, spoofing, etc. On the application layer, we can apply it to WAF and detect OWASP top 10 attacks. On the end-point layer, we can divide programs into such categories as malware, spyware and ransomware. Finally, on the user level, it can be applied to anti-phishing solutions to tell us if a particular email is legitimate or not. Technically, algorithms (SVM or random forests), as well as better options (simple artificial neural networks or convolutional neural networks), can resolve these tasks.
Clustering is similar to classification with only one major difference: We donā??t know any information about the classes of our data. Moreover, we have no idea whether this data can be classified. This is called unsupervised learning. It is a curious topic and actually be employed in cybersecurity tasks, at least in all those where we can introduce classification.
I feel that one of the best tasks for clustering is forensic analysis -- when we are unaware what happened and classify all activities in order to find outliers. Solutions for malware analysis (i.e., malware protection or secure email gateways) may implement it to separate legal files from outliers. Another interesting area where clustering can be applied is user behavior analytics. In this instance, application users cluster together and it is possible to see if they should belong to a particular group.
Recommendation systems are well-known. For example, we all use Netflix and SoundCloud and see how they work. Based on your movies or music preferences, they can recommend films or songs they think you'd like. It also can be applied to cybersecurity. It can be used primarily in incident response. If a company faces a wave of incidents and offers various types of responses, a system can learn what type of response it should recommend for a particular incident. Risk management solutions can also benefit in that they automatically assign risk values for new vulnerabilities or misconfigurations built on their description. There are algorithms that are used to solve recommendation tasks. The latest ones are based on restricted Boltzmann machines and their updated versions, such as deep belief networks.
There are many areas where machine learning can be applied in addition to those I mentioned. If you want to protect your systems, machine learning is definitely not a silver-bullet solution, but at the same time, it will be mandatory in near future. It is better to start now since hackers can utilize machine learning as well. How exactly ML can be used by attackers will be revealed in my next article.