We had the chance to attend the latest BootstrapLabs Applied AI Insider event held at the Google Launchpad Space. It was a very compact event with a focus on AI usage in Cybersecurity, as the name suggests. The event was held in 3 sections, the first being the Cisco on Network-Based Security, which explored the possibility of Network Segmentation as a security measure. Then we moved on to the Department of Homeland Security’s presentation on AI and Cybersecurity and how does the government approach the issue. Finally, we closed the event with Respond Software’s very valuable work on utilization of Probability Theory and Applied Statistics on Cyber Security. Lets briefly talk about each section and why it is essential as the AI steadily makes its way deeper into our everyday lives.
There was a malware released in Ukraine on June 27th, 2017. It has many names but the most common name for it was “Petya” or “NotPetya”, it was spreading fast to neighboring countries like Poland. It originated from an accounting firm in Ukraine as a malicious update on the company’s software. This malware scans the file system and encrypts files with selected extensions (mainly very common extensions like .zip, .rar, .docx, .xlsx, .pdf, .pptx, etc). After the encryption, it drops a ransom note stating that the files are now encrypted, and the user needs to transfer a certain amount of Bitcoins to an address to retrieve a decryption key. Standard ransomware, right? There are, however, two main differences between NotPetya and standard ransomware (and NotPetya’s previous versions): first on top of the files it also reboots the computer with a malicious kernel locking the filesystem, and second, it spreads itself to other machines in the LAN using NSA’s Eternal exploits.
Now, Cisco approaches this new type of ransomware with the motto “Network can be your best protector.” The NotPetya virus has cost establishments an overall $10 billion. And when analyzed, it doesn’t go out of the standard roadmap of any attack. The attackers usually a) come in through the network, b) spread to the other devices in the network, and c) gain command and control by going over to the internet. Cisco, after analyzing this pattern came up with a series of precautions starting with the segmentation of the network and ending up with the network as an enforcer.
Network segmentation can limit the spread of malware dramatically. After the segmentation, the IoT devices already present in the segmented network (including laptops and smartphones) can be our eyes and ears by answering a few straightforward questions: what Things are in the network, who are they talking to and how (data activity, rate, burstiness, idleness, etc.). By answering these questions, IoT can identify security threats. Identification of threats is great and all but the critical point is that with real-time visibility, remediation and strict rules on how IoT devices should behave in a network, you can utilize your “Network as an Enforcer.”
The exponentially increasing pattern of technology evolution has a few downsides. For example, and maybe the main point when it comes to security, the legal controls on technology and data are on a more linear path. There is no way it can keep up with the technology and innovation. This eventually creates a gap in between, an uncontrolled “risk zone” where the law doesn’t really cover the next big thing in technology, and malicious activity happens. In this risk zone, our right to free speech may conflict with someone else’s right to security.
Department of Homeland Security identifies better management of this risk zone as the primary concern. When it comes to AI and Cybersecurity, it’s mostly a cat-and-mouse game. As the government tries to defuse security threats, new and more advanced threats appear. On top of that, it’s not well-defined, and there is a low-risk understanding that causes unintended consequences.
Homeland Security created a resolution path to combat these issues.
- Understanding: This is the first step. We need to understand how AI makes decisions in order to determine whether there is a security threat or not. Explainable AI is our best bet in this instance as it improves our understanding of the decision making process in the AI.
- Augmented Control: After understanding what goes on where we will need to identify critical points where a “Human-in-the-loop” can be introduced to maximize control over the AI and its openings.
- Governance: There need to be standards in AI development, promoting safe and responsible AI.
- Generalizability: The standards need to apply to all AI, no matter the technology stack or development patterns.
These principles are aimed at making AI a more controlled environment. That will reduce the size of the aforementioned “risk zone” while allowing for development to continue. AI is a very important next step in our world, and Homeland Security is aware of this. They are trying to limit the casualties of bad actors in a vast technology space.
Security analysts, spend most of their times staring at a console on a monitor, looking for anything out of the ordinary. Now, this doesn’t work because the job definition is not suitable for humans. We are bad at repetitive tasks, we can’t handle too large or too small numbers naturally, and we can’t focus for hours on end. This is a needle in a haystack problem and we are not equipped to handle these problems manually.
In security analysis, there are more than 130 rules that fish out known-suspicious data. This is great, but the bad guys also know this, they invented the known-suspicious. That’s why looking at only these 130-something points in data is not enough, malicious people know how to hide their activity. At first, attacks were mostly happening on Friday at 2:00 PM, because the attackers knew the security admin was out having lunch and he wasn’t going to be back until Monday. They had the entire weekend to hide their activity. Later on, when we caught on to this attack schedule, the attacks shifted from Friday to Wednesday midday, where there is so much network traffic going on that the attackers can hide inside the white-noise of activity. We have to look everywhere and analyze everything if we want to catch these attempts. But this is not easy to manage since humans can’t be expected to detect these while staring at a monitor.
So, Respond Software came up with the idea of “Teaching Math to do analytics.” The computer is capable of handling vast amounts of data very fast, but it lacks what we humans do best: intuition and imagination. When we apply our knowledge in statistics and how to read these statistics, computers become able to understand the context and act according to the situation. Bayesian probability helps with the prediction, conditional probability contextualizes the issue, graphical modeling relates causality and finally, machine learning learns and informs action. This approach essentially slices the world in millions of possible states and segments, while the machines analyze all of these to smoke out malicious activity.
When we apply probabilistic math as a “Single Mathematical Framework for Decisions” we get a very consistent set of rules, which can be applied in very high accuracy. Measurability is also achieved as the machine now can analyze the information for value, risk and possible points of improvement.
Overall, this event shows that the struggle between cybersecurity and malicious activity will become even more advanced as the technology evolves. Our capability to defend ourselves grow, but so do the ways to attack. We need the advancements in AI technology to help fill in the gaps in our defense, as this is becoming to be more than what humans are naturally able to handle. Everyone from giant companies to startups, even governments have concerns on how to create a secure environment to help promote advancement in this field but the laws and regulations need more time to catch up. In the meantime, the best we can do is to invest in our security measures and be proactive.