(Source: TippaPatt/Shutterstock.com)
Deploying artificial intelligence (AI) in the war against cybercrime is an essential strategy. More than 60 percent of enterprises say they lean on AI to sniff out breaches. The sheer volume of data to be inspected combined with the many platforms—drone technology, and deep-fakes are two of the new techniques cybercriminals are expected to adopt in the near future —that are vulnerable necessitate automation of cybersecurity at scale. This is exactly AI’s value proposition: It attends to a lot of the grunt work involved in cyber policing so analysts can focus on threat intelligence and more proactive responses, instead of simply putting out fires. Here’s how implementing AI as part of a security plan automates cybersecurity on a vast scale and allows analysts to be more proactive in responding to threats.
Typically, deploying artificial intelligence (AI) for cybersecurity involves combing through content using natural language processing (NLP) technologies and behavioral analysis. Looking for pattern anomalies in content and comparing them against what is expected behavior, is AI’s core capability.
But strict laws such as the General Data Protection Regulation (GDPR) and other consumer privacy regulations are leading to a rise in encrypted traffic. Companies are relying on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to create an encryption sheath around data (Figure 1). If the content in web traffic is encrypted, how does AI analyze it to find patterns? When the content is encrypted, malware can lurk inside, flying under the radar undetected, and create havoc.
The work of cybersecurity with such safeguards in place becomes significantly more challenging. Evaluating malware with the additional layers slows performance and makes cybersecurity even more complicated.
Figure 1: Browser window shows lock icon during SSL connection. (Source: Marc Bruxelle/Shutterstock.com)
The good news is that AI can detect patterns in traffic parameters that are independent of content. For example, a rise in traffic from a certain country or at unusual hours can raise alarms and help analysts preempt an attack. The volume of traffic, either the number of bytes or the number of packets sent and received, becomes a key parameter when combined with the time of day or week.
Similarly, the Internet Protocol (IP) used, i.e., Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP), can be a key parameter. The source and destination IP address indicate where the traffic is coming from and going to, and can be used to look up the Internet Service Provider (ISP) and/or country of origin or destination of the two ends. The source and destination port for protocols such as TCP indicates some characteristics of how the user’s application is sending and receiving content. All of these parameters are visible in the packets even if the content is encrypted. Thus, content-agnostic policing can use these parameters to analyze traffic and find out whether it is anomalous.
Most servers register standard peaks and dips in web traffic. Algorithms can be programmed to study historical patterns of such traffic and detect outliers that go against predicted behaviors. Analysts can evaluate such flagged data and confirm whether or not it’s suspicious activity.
AI, therefore, need not always depend on content-driven abilities to execute robust cybersecurity strategies. In an age when attacks might bypass the content of web traffic altogether, such strategies remain especially relevant.
Finally, an old technique called homomorphic encryption (HE) is getting more time in the spotlight as enterprises are leveraging it to analyze sensitive data. The purpose of HE encryption is to outsource the analysis of data, such as medical data and retail information, without making the data available to the analysis provider. Certain kinds of data analysis can be performed on the HE–encrypted data without decrypting it. This enables the client to keep their data confidential. The HE method ensures high security of sensitive data and is expected to curry favor in the coming years, because it might offer a way for the security analyst to perform some kinds of computation on the internet traffic if it is encrypted using HE.
The rise in cyberattacks and web traffic necessitate cybersecurity at scale, a task that AI is well-equipped to accomplish. By focusing on content-agnostic ways of detecting attacks, AI continues to be a vital strategy that enterprises must increasingly rely on as both the scale of encrypted traffic and associated cyberattacks grow.
Poornima Apte is an engineer turned writer with B2B specialties in robotics, AI, cybersecurity, smart technologies and digital transformation. Find her on Twitter @booksnfreshair.