Artificial Intelligence in Cybersecurity

Nadine Wirkuttis and Hadas Klein

Cybersecurity arguably is the discipline that could benefit most from the introduction of artificial intelligence (AI). Where conventional security systems might be slow and insufficient, artificial intelligence techniques can improve their overall security performance and provide better protection from an increasing number of sophisticated cyber threats. Besides the great opportunities attributed to AI within cybersecurity, its use has justified risks and concerns. To further increase the maturity of cybersecurity, a holistic view of organizations' cyber environment is required in which AI is combined with human insight, since neither people nor AI alone has proven overall success in this sphere. Thus, socially responsible use of AI techniques will be essential to further mitigate related risks and concerns.

Keywords: cybersecurity, artificial intelligence (AI), security intelligence, Integrated Security Approach (ISA), cyber kill chain

Nadine Wirkuttis is a PhD candidate at the Okinawa Institute of Science and Technology Graduate University and former research intern in the Cyber Security Program at the Institute for National Security Studies. Hadas Klein is the Cyber Security Program Manager at the Institute for National Security Studies.

Cyber, Intelligence, and Security | Volume 1 | No. 1 | January 2017

Since 1988, when the first denial-of-service (DoS) attack was launched,1 the sophistication, number, and impact of cyberattacks have increased significantly. As cyberattacks have become more targeted and powerful, so have cybersecurity countermeasures. While the first security tool was limited to spotting signatures of viruses and preventing their execution, today we find solutions that are designed to provide holistic protection against a wide range of attack types and a variety of target systems; nevertheless, it has become increasingly challenging to protect information assets in the virtual world.

To implement resilient and continuous protection, security systems need to constantly adjust to changing environments, threats, and actors involved in the cyber play. Cyber reality, however, appears somewhat different. Security approaches are regularly tailored to known attacks, and due to a lack of flexibility and robustness, security systems typically are unable to adapt automatically to changes in their surroundings. Even with human interaction, adaption processes are likely to be slow and insufficient.2

Due to their flexible and adaptable system behavior, artificial intelligence (AI) techniques can help overcome various shortcomings of today’s cybersecurity tools.3 Although AI has already greatly improved cybersecurity,4 there are also serious concerns. Some view AI as an emerging existential risk for humanity.5 Accordingly, scientists and legal experts have expressed alarm at the increasing role that autonomous AI entities are playing in cyberspace and have raised concerns about their ethical justifiability.6

The purpose of this work is to highlight the shortcomings of traditional security measures as well as the progress that has been made so far by applying AI techniques to cybersecurity. In addition, this work summarizes the risks and concerns linked to this development, by exploring AI’s status quo, addressing present concerns, and outlining directions for the future.

Challenges of Today's Cybersecurity

Although awareness of cyber threats has increased, large amounts of money have been invested, and efforts are being made to fight cybercrimes, the ability of organizations to sufficiently protect their own virtual assets is not yet known.7 The involved parties in cyberspace range from single individuals, private organizations, and non-state actors to governmental organizations, all aiming to protect their cyber assets, attack those of others, or both. In addition, the sources of cyber threats are manifold: cyber threats basically arise from potential malicious acts due to financial, political, or military reasons.8

However heterogeneous and dynamic the nature of cyberspace might be, certain similarities of attacks and their countermeasures can be used to describe and allow for a holistic security framework. Most cyberattacks follow certain attack phases that can be described as a cyber kill chain.9 This framework assumes that every attack sequence starts with a reconnaissance phase, in which an attacker tries to locate gaps and vulnerabilities of a target system. The integrated security approach10 (ISA) provides key ideas for a holistic

Figure 1: Cyber kill chain phases encapsulated in countermeasures of the integrated security approach

Figure 1 above depicts the interconnection of cyberattacks, described by the cyber kill chain, with their countermeasures, covered by the ISA. The diagram depicts the cyber kill chain, here visualized as the gray arrow in the center, encapsulated by the ISA. The cyber kill chain includes the seven phases of a cyberattack, whereas the ISA consists of four counteraction phases. For detecting and blocking attacks as early as possible, all attack phases of the cyber kill chain need to be considered within the comprehensive ISA framework.11 As stated above, the emphasis is on preventing attacks and detecting malicious activities during the first three phases of an intrusion, here visualized as recon, weaponize, and deliver on the left side of the diagram within the gray arrow. After the attack—depicted as exploit in the center of the arrow—the ISA measures of detection, reaction, and response are necessary to interfere with the compromising malicious activities.

The complex and dynamic nature of cyberspace leads to various strategic and technological challenges that hinder and complicate an organization’s ability to protect itself sufficiently in this virtual environment. These challenges comprise data acquisition, technology-driven matters, as well as shortcomings in regulation and process management.

Challenges in Gathering Cyber Intelligence

The fact that perpetrators leave tracks when attempting to attack a potential target system is the key to better understanding an attacker. Consequently, an ISA with its holistic view of an organization’s security requires gathering and analysis of a range of information for gaining cyber intelligence.12 There are challenges, however, in acquiring relevant data as well as in processing, analyzing, and using it. Therefore, related efforts to effectively prevent, detect, and respond to malicious intrusions are regularly aided by security tools that aim to automate supporting security processes. The main challenges in acquiring relevant data tracks are:13

a. Amount of data: The amount of data has increased exponentially since electronic devices and their use have become ubiquitous in our work and daily lives. For the implementation of an ISA, data from all systems across entire organizations may need to be considered.
b. Heterogeneity of data and their sources: The variance in data and its sources makes it difficult to identify and collect those data; moreover, both are spread across organizational and national borders. Even if the relevant heterogeneity within the cyber environment is identified, topology and behavior of systems and networks may change and, thus, require constant adaption.

Intelligent Techniques to Facilitate Security Measures

In tackling intelligence-gathering issues for cybersecurity, intelligent machines
The development of intelligent systems, either software or hardware,
In the realm of AI, cybersecurity arguably is the industry that could
The field of AI has developed and is still developing numerous techniques

Interacting Intelligent Cyber Police Agents to Monitor Entire Networks

The paradigm of intelligent agents is a branch of AI that arose from the idea that knowledge in general and, especially, knowledge to solve problems ought to be shared between different entities. A single agent is an autonomous cognitive entity,29 with its own internal decision-making system and an individual goal. To achieve its goal, an agent acts proactively within its environment and with other agents. In addition, agents have a reactive behavior; they understand and respond to changes in their environment and interact with it and other decentralized agents. Over time, agents self-adapt to dynamic changes in their environments, given their own accumulated experiences.30

Due to their decentralized and interacting nature, intelligent agents are predestined to gather information on entire networks and surrounding systems. It appears that this favorable characteristic has been used not only in terms of defense measures, but also for reconnaissance and exploitation (see the cyber kill chain discussed above) of potential target systems.31 Since the behavior of every agent is formed by its experiences within its own personal environment, it is quite challenging to protect against such individualized threats.

Figure 2: Intelligent Cyber Police Agents for Early Warnings in an Integrated Security Approach

A powerful way to utilize agents against distributed cyberattacks is by building up an intelligent agent’s cyber police. This approach pursues the idea of artificial police agents in a defined cyber environment to detect malicious activities in a decentralized way.32 As visualized in Figure 2 above, such police agents can facilitate protection already in the earliest stages of a cyberattack.

Intelligent agents can also be found in human-inspired artificial immune systems (AISs). By using two different types of agents, detection and counterattack agents, the beneficial characteristics of the human immune system are imitated. Detection agents monitor cyber environments and try to detect abnormal activities. When these agents spot malicious activities, they proactively send out decentralized instructions to counterattack agents, which are then activated to prevent, mitigate, or even counterattack network intruders.33

Artificial Neural Networks to Prevent Malicious Intrusions

Another technique that emerged from the field of AI is the artificial neural network (ANN). ANNs are statistical learning models imitating the structure and the function of the human brain. They can help to learn and solve problems, especially in environments where algorithms or rules for solving a problem are difficult to express or are unknown. Since ANNs’ system behavior is somewhat elusive, they are considered undefined black-box models.34

In cybersecurity, ANNs have been used successfully within all stages of ISAs and, hence, can encapsulate all phases of the cyber kill chain. Integrated in cybersecurity, ANNs can be used for monitoring network traffic. As depicted in Figure 3 below, malicious intrusions can be detected already during the delivery phase and before an actual attack occurs.35 This is a desired goal of cybersecurity, and it is a great achievement when cyberattacks can be hindered before they take place, thus elaborating upon the main idea of perimeter defense.36 ANNs can be successfully used to learn from past network activities and attacks in order to prevent future attacks from actually transpiring.

Figure 3: Artificial Neural Networks to Prevent Attacks within an Integrated Security Approach
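
An added example, not taken from the article or the studies it cites: a small autoencoder stands in for the ANN of the anomaly-based IDPS this section describes, trained only on header vectors of normal traffic and rejecting packets whose reconstruction error exceeds a threshold. The feature encoding, the traffic samples, the network size, and the 2x threshold are constructed assumptions.

```python
import math
import random

PROTOCOLS = ("tcp", "udp", "icmp")

def encode(length, proto, dport):
    """Scale header attributes (length, protocol, destination port) into [0, 1]."""
    onehot = [1.0 if proto == p else 0.0 for p in PROTOCOLS]
    return [min(length, 1500) / 1500.0] + onehot + [dport / 65535.0]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class HeaderAutoencoder:
    """One-hidden-layer autoencoder; reconstruction error is the anomaly score."""

    def __init__(self, n_in=5, n_hidden=4, seed=7):
        self.rng = random.Random(seed)
        u = lambda: self.rng.uniform(-0.5, 0.5)
        self.w1 = [[u() for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[u() for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in
        self.threshold = float("inf")

    def forward(self, x):
        h = [sigmoid(b + sum(w * v for w, v in zip(row, x)))
             for row, b in zip(self.w1, self.b1)]
        y = [sigmoid(b + sum(w * v for w, v in zip(row, h)))
             for row, b in zip(self.w2, self.b2)]
        return h, y

    def score(self, x):
        """Mean squared reconstruction error of one header vector."""
        _, y = self.forward(x)
        return sum((a - b) ** 2 for a, b in zip(y, x)) / len(x)

    def fit(self, normal, epochs=1500, lr=0.5):
        """Backpropagation on normal traffic only, then set the alarm threshold."""
        data = list(normal)
        for _ in range(epochs):
            self.rng.shuffle(data)
            for x in data:
                h, y = self.forward(x)
                d_out = [(a - b) * a * (1 - a) for a, b in zip(y, x)]
                d_hid = [hj * (1 - hj) * sum(d * row[j] for d, row in zip(d_out, self.w2))
                         for j, hj in enumerate(h)]
                for k, d in enumerate(d_out):
                    self.b2[k] -= lr * d
                    self.w2[k] = [w - lr * d * hj for w, hj in zip(self.w2[k], h)]
                for j, d in enumerate(d_hid):
                    self.b1[j] -= lr * d
                    self.w1[j] = [w - lr * d * v for w, v in zip(self.w1[j], x)]
        # Assumption: twice the worst error seen on normal traffic is the cut-off.
        self.threshold = 2.0 * max(self.score(x) for x in data)

    def is_anomalous(self, x):
        return self.score(x) > self.threshold

def normal_traffic():
    """Constructed baseline: web requests over TCP and DNS queries over UDP."""
    web = [encode(n, "tcp", p) for p in (80, 443) for n in range(400, 1500, 200)]
    dns = [encode(n, "udp", 53) for n in range(60, 170, 10)]
    return web + dns

def build_detector():
    model = HeaderAutoencoder()
    model.fit(normal_traffic())
    return model

if __name__ == "__main__":
    ids = build_detector()
    for name, pkt in [("web request", encode(800, "tcp", 443)),
                      ("dns query", encode(90, "udp", 53)),
                      ("icmp, 1500 bytes", encode(1500, "icmp", 0))]:
        verdict = "reject" if ids.is_anomalous(pkt) else "pass"
        print(f"{name:18s} score={ids.score(pkt):.4f} -> {verdict}")
```

Because the model only ever saw TCP and UDP headers, the ICMP packet cannot be reconstructed and is rejected without any signature for it having been written.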

Compared to conventional techniques used for cyber defense, the great advantage of using ANNs is their learning ability. As mentioned above, patterns that describe normal and abnormal network activities are traditionally defined manually by security professionals based on their expert knowledge. ANNs, however, can be trained to identify such patterns automatically by using previous data that has been transferred over the network.

Within an anomaly-based IDPS approach, it was shown that ANNs can be successfully utilized to evaluate header information37 of network data packets to learn patterns for normal network behavior.38 In a first preparatory step, the ANN was trained to identify and learn patterns of header attributes that belonged to normal network traffic. Every future data packet that was transferred over the monitored network was compared afterwards with these pre-learned patterns. When attributes of packet headers matched the normal pattern, the packets were transferred as usual. Irregularities in a data packet’s header information that mismatched the learned pattern were classified as malicious and rejected by the IDPS. This dedicated approach has shown that the overall detection rate of attempted intrusions has improved without generating any false positive or false negative alarms. While traditional IDPSs, both signature-based and anomaly-based, work mostly against known intrusions, this ANN approach has successfully protected against instances of intrusions that were previously unknown. In summary, ANNs are said to support a viable approach to building robust, adaptable, and accurate IDPS.39

ANN monitoring is not limited to the use within IDPSs; it can be established in every system that monitors network activities. Firewalls, intrusion detection systems, or network hubs use ANNs to scan incoming as well as outgoing network traffic. In malware detection, an ANN-based experimental simulation demonstrated that even with quite a small computational effort, 90 percent of malware could be detected in advance.40

Deep neural networks (DNN), a more elaborate and computationally expensive form of ANNs,41 have been used recently not only to protect organizations from cyberattacks, but also to predict these attacks. Improvements in hardware have led to advancements in data processing within network infrastructures and have enhanced storage capacities; thus, DNN technologies have become more popular and applicable. A dedicated AI-based security platform that used a DNN approach successfully demonstrated that it could predict cyberattacks 85 percent of the time.42 With this development, we see traditional approaches of cybersecurity shifting from attack detection to attack prevention. DNN techniques can now possibly lead into a new phase of cybersecurity—namely cyberattack prediction.

Expert Systems to Provide Decision Support for Security Professionals

Expert systems are computer programs designed to provide decision support for complex problems in a domain; these are the most widely used AI application. Conceptually, an expert system consists of a knowledge base, which stores the expert knowledge, and an inference engine, which is used for reasoning about predefined knowledge as well as finding answers to given problems.43

Depending on the way of reasoning, expert systems apply to different problem classes. A case-based reasoning (CBR) approach allows solving problems by recalling previous similar cases, assuming the solution of a past case can be adapted and applied to a new problem case. Subsequently, newly proposed solutions are evaluated and, if necessary, revised, thus leading to continual improvements of accuracy and ability to learn new problems over time. Rule-based systems (RBS) solve problems using rules defined by experts. Rules consist of two parts: a condition and an action. Problems are analyzed stepwise: first, the condition is evaluated and then the action that should be taken next is determined. Unlike CBR systems, RBSs are not able to learn new rules or automatically modify existing rules. This fact refers to the “knowledge acquisition problem,” which is crucial in adapting to dynamic environments.44

Security professionals widely use expert systems for decision support in cyber environments. In general, evaluating security systems’ audit data can determine whether a network or system activity is malicious or not. Due to the large amount of data, security experts regularly use statistical reports to scan and analyze the whole audit information in a reasonable time span. AI-based expert systems have successfully demonstrated that they could support these efforts by performing real-time monitoring in cyber environments, even on numerous or heterogeneous systems.45 In cases where a malicious intrusion was spotted, a warning message was generated. It provided relevant information, upon which security professionals could select appropriate security measures more efficiently (cf. react & respond in Figure 4 below).

At this point, it is crucial to recall that expert systems so far solely assist decision makers, but are not able to substitute for them.46

Figure 4: Expert Systems to Support React & Response Measures in an Integrated Security Approach
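
An added example, not code from the article or from any system it cites: the knowledge base and inference engine of a rule-based system run over constructed audit records to produce analyst warnings, followed by a case-based retrieve-and-retain step that suggests a response. Rule names, the failure limit, event names, addresses, and responses are hypothetical.

```python
from collections import Counter

FAIL_LIMIT = 5  # assumption: failed logins per audit window that make a source suspicious

# Constructed audit records for one window: (source address, account, event).
AUDIT = (
    [("198.51.100.9", "alice", "login_failed")] * 6
    + [("198.51.100.9", "alice", "login_ok"),
       ("198.51.100.9", "alice", "group_add_admin"),
       ("192.0.2.14", "bob", "login_failed"),
       ("192.0.2.14", "bob", "login_ok")]
)

def seen(kind, facts, also):
    """Pairs (source, account) that have fact `kind` and also event `also`."""
    return [k[1:] for k in facts if k[0] == kind and (also,) + k[1:] in facts]

# Knowledge base: (name, condition, conclusion). The condition inspects working
# memory; the action asserts the conclusion for each match and raises a warning.
RULES = [
    ("R1 repeated login failures",
     lambda facts, n: [k[1:] for k in facts
                       if k[0] == "login_failed" and n[k] >= FAIL_LIMIT],
     "bruteforce_suspected"),
    ("R2 login success in the same window",
     lambda facts, n: seen("bruteforce_suspected", facts, "login_ok"),
     "compromise_suspected"),
    ("R3 privilege change after suspected compromise",
     lambda facts, n: seen("compromise_suspected", facts, "group_add_admin"),
     "escalation_suspected"),
]

def infer(records):
    """Inference engine: forward-chain over the rules until no new fact appears."""
    counts = Counter((event, src, acct) for src, acct, event in records)
    facts, warnings, changed = set(counts), [], True
    while changed:
        changed = False
        for name, condition, conclusion in RULES:
            for src, acct in condition(facts, counts):
                fact = (conclusion, src, acct)
                if fact not in facts:
                    facts.add(fact)
                    warnings.append({"rule": name, "finding": conclusion,
                                     "source": src, "account": acct})
                    changed = True
    return warnings

def new_case_base():
    """Constructed past cases: (findings, response the analyst confirmed)."""
    return [
        (frozenset({"bruteforce_suspected"}), "rate-limit the source address"),
        (frozenset({"bruteforce_suspected", "compromise_suspected"}),
         "reset the password and revoke active sessions"),
        (frozenset({"bruteforce_suspected", "compromise_suspected",
                    "escalation_suspected"}),
         "disable the account and revert the group change"),
    ]

def similarity(a, b):
    """Jaccard similarity between two sets of findings."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def recall(findings, case_base):
    """CBR retrieve: the most similar past case as (findings, response)."""
    return max(case_base, key=lambda case: similarity(findings, case[0]))

def retain(findings, response, case_base):
    """CBR retain: store an analyst-confirmed response as a new case."""
    case_base.append((frozenset(findings), response))

if __name__ == "__main__":
    warnings = infer(AUDIT)
    for w in warnings:
        print(w)
    found = {w["finding"] for w in warnings}
    print("suggested response:", recall(found, new_case_base())[1])
```

The rule set stays fixed until an expert edits it, while `retain` lets the case base change with each reviewed incident, which is the RBS/CBR difference the section draws.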

Drawbacks of Artificial Intelligence within Cybersecurity

The previous section discussed the benefits of AI as well as the various techniques that can address significant technological issues in today’s cybersecurity domain. Despite these positive aspects, using AI within cybersecurity raises the following concerns and risks:

a. Inability to maintain cybersecurity autonomously: Although there have been huge advances in adapting AI techniques to cybersecurity, security systems are not yet fully autonomous. Since they are not yet able to completely replace human decisions, there are still tasks that require human intervention.47
b. Data privacy: AI techniques, like ANNs and DNNs, are becoming more advanced and new techniques emerge regularly—thanks to advances in hardware. The growing need, however, for big data can have a negative side when it comes to data privacy. The analysis of huge amounts of data may cause private as well as public organizations to be concerned about the privacy of their personal data, and some are even unwilling to share this data at all.48 What personal data is used, why it is used, and how conclusions are reached within AI-based solutions may remain unanswered and may not be transparent for affected organizations.
c. Lack of regulation: Although there are various legal concerns about AI, the one concern that is most prevalent is the loss of human control over the consequences of AI’s autonomy. Due to the unique and unforeseeable nature of AI, existing legal frameworks do not necessarily apply to this discipline.49

strong interdependence between AI systems and human factors is necessary for augmenting cybersecurity’s maturity. Moreover, a holistic view on the cyber environment of organizations is required. Cybersecurity is not only a technological issue; it is also about regulation and the way that security risks are dealt with. It is necessary to integrate any technical solutions, relevant processes, and people into an ISA framework to achieve optimal security performance. In the end, it is still the human factor that matters—not (only) the tools.

1 In 1988, Robert Tappan Morris, a graduate student in computer science, wrote the first computer program, which was distributed via the internet: the Morris Worm. The program was not designed to cause damage, but rather to gauge the size of the internet; a critical error, however, transformed the program, causing it to launch the first denial-of-service attack.
2 About the IDPS weaknesses, see Amjad Rehman and Tanzila Saba, “Evaluation of Artificial Intelligent Techniques to Secure Information in Enterprises,” Artificial Intelligence Review 42, no. 4 (2014): 1029-1044, especially the section “Performance issues: IDS.”
3 Selma Dilek, Huseyin Çakir, and Mustafa Aydin, “Applications of Artificial Intelligence Techniques to Combating Cyber Crimes: A Review,” International Journal of Artificial Intelligence & Applications 6, no. 1 (2015): 21-39.
4 Enn Tyugu, “Artificial Intelligence in Cyber Defense,” in Proceedings of 3rd International Conference on Cyber Conflict [ICCC], 7-10 June, 2011, Tallinn, Estonia, eds. C. Czosseck, E. Tyugu, and T. Wingfield (Tallinn, Estonia: CCD COE, 2011), pp. 95-105; Xiao-bin Wang, Guang-yuan Yang, Yi-chao Li, and Dan Liu, “Review on the Application of Artificial Intelligence in Antivirus Detection System,” Cybernetics and Intelligent Systems (2008): 506-509.
5 The Global Challenges Foundation names AI as one of two emerging risks that might threaten mankind in the future. For more, see Dennis Pamlin and Stuart Armstrong, “Global Challenges—Twelve risks that threaten human civilisation,” (Global Challenges Foundation: 2015), http://globalchallenges.org/wp-content/uploads/12-Risks-with-infinite-impact.pdf.
6 Stuart Russell, Tom Dietterich, Eric Horvitz, Bart Selman, Francesca Rossi, Demis Hassabis, Shane Legg, Mustafa Suleyman, Dileep George, and Scott Phoenix, “Research Priorities for Robust and Beneficial Artificial Intelligence: An Open Letter,” AI Magazine 36, no. 4 (2015): 105-114.
7 My Digital Shield, “A History of Cybersecurity: How Cybersecurity Has Changed in the Last 5 Years,” October 5, 2015, http://www.mydigitalshield.com/history-cyber-security-cyber-security-changed-last-5-years/.
8 Rehman and Saba, “Evaluation of Artificial Intelligent Techniques.”
9 10 11 12 13 14 15 16 17 18 19 20 21 22
There are various approaches to describe the different stages of a cyberattack.
Cyber intelligence is more than the availability of raw data; rather, it provides
Siboni, “An Integrated Security Approach.”
Ahmed Patel, Mona Taghavi, Kaveh Bakhtiyari, and Joaquim Celestino Junior,
Susan M. Bridges and Rayford B. Vaughn, “Fuzzy Data Mining and Genetic
Patel, Taghavi, Bakhtiyari, and Celestino Junior, “An Intrusion Detection and
The Federal Financial Institutions Examination Council developed the
Rehman and Saba, “Evaluation of Artificial Intelligent Techniques.”
23 Yoshua Bengio, “Learning Deep Architectures for AI,” Foundations and Trends® in Machine Learning 2, no. 1 (2009): 1-127.
24 Tyugu, “Artificial Intelligence in Cyber Defense.”
25 “Fixed” algorithms use hard wired logic, on decision level, for reasoning about data. See Ibid.
26 Olin Hyde, “Machine Learning for Cybersecurity at Network Speed & Scale,” an Invitation to Collaborate on the Use of Artificial Intelligence against Adaptive Adversaries, ai-one (2011), www.ai-one.com/.
27 “Noise” refers to inaccurate or irrelevant information in the collected data.
28 INFOSEC Institute, “Cybersecurity and Artificial Intelligence: A Dangerous Mix,” February 24, 2015, http://resources.infosecinstitute.com/cybersecurity-artificial-intelligence-dangerous-mix.
29 A cognitive cyber entity can be understood as a single program, either software or hardware, that has human-like cognitive capabilities. In the realm of AI, the cognitive abilities of an intelligent agent would include perception of the cyber environment, acquisition, analysis of data gathered across cyberspace, and reasoning about that data.
30 Stan Franklin and Art Graesser, “Is It an Agent, or Just a Program? A Taxonomy for Autonomous Agents,” Third International Workshop on Agent Theories, Architectures, and Languages (London: Springer-Verlag, 1997): 21-35.
31 Alessandro Guarino, “Autonomous Intelligent Agents in Cyber Offence,” in 5th International Conference on Cyber Conflict, eds. K. Podins, J. Stinissen, and M. Maybaum (Tallinn, Estonia: NATO CCD COE, 2013): 377-388.
32 Tyugu, “Artificial Intelligence in Cyber Defense.”
33 Xia Ye and Junshan Li, “A Security Architecture Based on Immune Agents for MANET,” International Conference on Wireless Communication and Sensor Computing (2010): 1-5.
34 Christian Bitter, David A. Elizondo, and Tim Watson, “Application of Artificial Neural Networks and Related Techniques to Intrusion Detection,” World Congress on Computational Intelligence (2010): 949-954.
36 Tyugu, “Artificial Intelligence in Cyber Defense.”
37 Packet headers contain attributes like the length of the transferred data, the network protocol type, or the source and destination addresses of a data packet. Therefore, the packet header carries information that can be sufficiently used to differentiate normal network behavior from intrusion attempts.
38 Ondrej, Vollmer, and Manic, “Neural Network Based Intrusion Detection System.”
39 Bitter and others, “Application of Artificial Neural Networks and Related Techniques to Intrusion Detection.”
40 The experimental simulations of malware detection emphasized worm and spam detection. For more, see Dima Stopel, Robert Moskovitch, Zvi Boger, Yuval Shahar, and Yuval Elovici, “Using Artificial Neural Networks to Detect Unknown Computer Worms,” Neural Computing and Applications 18, no. 7 (2009):
41 Geoffrey E. Hinton, Simon Osindero, and Yee-Whye Teh, “A Fast Learning
42 Victor Thomson, “Cyber Attacks Could Be Predicted With Artificial Intelligence,”
43 Tyugu, “Artificial Intelligence in Cyber Defense.”
44 Serena H. Chen, Anthony J. Jakeman, and John P. Norton, “Artificial Intelligence
46 Debra Anderson, Thane Frivold, and Alfonso Valdes, “Next-Generation Intrusion
47 Katherine Noyes, “A.I. + Humans = Serious Cybersecurity,” Computerworld,
48 Tom Simonite, “Microsoft and Google Want to Let Artificial Intelligence Loose on
49 Bernd Stahl, David Elizondo, Moira Carroll-Mayer, Yingqin Zheng, and
50 Nick Bostrom, “Ethical Issues in Advanced Artificial Intelligence,” in Cognitive,