[DSC Europe 23][AI:CSI] Aleksa Stojanovic - Applying AI for Threat Detection in the World of Cybersecurity
1. Applying AI for Threat Detection in the World of Cybersecurity
Aleksa Stojanovic
Application Security Engineer
2. AGENDA / CONTENT
Introduction
Artificial Intelligence and Cybersecurity
AI/ML/DL
AI approach and Traditional security approach
The Importance of AI
Advantages of applying AI
Use-cases
Conclusion
3. Traditional security methods are no longer sufficient
AI approaches have been proven to be a better solution
An undefended attack can not only cause direct harm to business operations, but can also lead to the loss of user trust and damage to the reputation of the affected entities
AI provides us with tools for a fast and proactive response to diverse threats emerging from the digital environment
Information security – comprehensive concept
Introduction
4. AI and Cybersecurity
Artificial Intelligence vs Data Analytics:
AI systems are dynamic – they get smarter the more data they analyse; they “learn” from experience.
Data analytics (DA) is a static process that examines large data sets to draw conclusions about the information they contain with the aid of specialized systems and software. DA is not self-learning.
Market value
Usage of AI-driven solutions
5. Artificial Intelligence/Machine Learning/Deep Learning
AI is designed to give computers the full responsive ability of the human mind.
ML uses existing behaviour patterns, forming decision-making based on past data and conclusions. Human intervention is still needed for some changes.
DL works similarly to machine learning by making decisions from past patterns but adjusts on its own.
6. AI approach and Traditional approach
Pre-AI era – signature-based detection systems compared incoming network traffic to a predefined database of known threat signatures
Manual analysis was central to traditional cybersecurity operations
Rule-based systems operate by establishing strict rules and policies that define acceptable network behaviour
While the traditional approach demonstrated effectiveness in specific scenarios, it often proved inflexible and struggled to adapt to emerging cyber threats
Additionally, the ubiquity of connected devices on the Internet of Things (IoT) further expands the attack surface
The distinction between AI and traditional cybersecurity approaches lies in its ability to continuously learn and adapt.
7. The importance of AI
AI-driven automation leads to cost reductions.
Automated routine tasks minimize the need for manual intervention, saving valuable time and human resources.
Cost Reduction
AI algorithms can effectively analyse vast amounts of data.
AI can detect subtle indicators of cyber threats that may escape human analysts, ensuring a proactive defence posture.
Improved Scalability
As organizations confront an overwhelming volume of data requiring analysis for potential risks, strengthening cybersecurity becomes crucial.
8. Advantages of applying AI
Advanced Threat Detection
Real-time Analysis
Automation of Routine Tasks
Behavioural Analysis
Reduced False Positives
Improved Incident Response
9. Use-cases
Threat detection and prevention
Malware and Phishing
Security log analysis
Endpoint security
Encryption
User behaviour analytics
Advanced threat response and mitigation
Vulnerability assessment and management
Threat intelligence and predictive analytics
10. Threat Detection and Prevention
AI can analyse large amounts of data from different sources and identify unusual patterns in users' behaviour
Malware and phishing detection – analysing email content and detecting spear phishing
Security log analysis – analysing vast amounts of log data in real time
Endpoint security – dynamic approach, establishing baselines of normal endpoint behaviour and detecting deviations in real time
CAPTCHA, face recognition, fingerprint...
Encryption – still a big challenge
11. User behaviour analytics / Advanced threat response and mitigation
User behavior analytics (UBA/UEBA) solutions use AI to analyse large datasets with the goal of identifying patterns that indicate:
Security breaches
Data exfiltration
Malicious activities
Creating deployed application profiles and analysing vast user and device data
Automatic responses to various cyber threats from different vectors
AI autonomously generates detailed cyber threat responses
12. Vulnerability Assessment and management / Threat Intelligence and predictive analytics
Using UEBA (User and Entity Behaviour Analytics) for analysing device, server and user activities
By proactively protecting against undisclosed vulnerabilities, AI enables a real-time defence against high-risk threats
AI can predict the areas most susceptible to cyber breaches
Holistic view of the organization's security posture
PayPal transactions
13. When not to use AI in Cybersecurity
Small or outdated dataset – try with traditional rule-based systems
No expertise
Old infrastructure
No hardware or cloud resources
14. AI gives the much-needed analysis and threat identification that can be used by security professionals to minimize breach risk and enhance security posture
Achieving a balance between the advantages and disadvantages of AI is the goal for the upcoming years
Conclusion
15. Applying AI for Threat Detection in the World of Cybersecurity
astojanovic@mds.rs
Thank you for your attention and time
Email: astojanovic@mds.rs
Editor's Notes
Hello, everyone. Thank you for joining me today. My name is Aleksa Stojanovic, and today I'm excited to talk to you about 'Applying AI for Threat Detection in the World of Cybersecurity.'
I work as an Application Security Engineer at MDS Informaticki Inzenjering, a company recognized as one of the leaders in the cybersecurity area, with more than 30 years of experience.
Besides the Application Security Department, MDS also has Network, Data Center and Software Departments.
Over the next 15-20 minutes, we'll explore the landscape of cybersecurity and the pivotal role that Artificial Intelligence plays.
The Agenda of this presentation contains an Introduction, AI in Cybersecurity (where I will mention Machine Learning, Deep Learning, the main difference between AI cybersecurity and traditional cybersecurity, what is the importance of AI and the advantages of applying it).
I will also cover the most popular use cases.
The conclusion is at the end.
With the surge of digitalization, the complexity of threats facing information systems is also increasing.
Traditional security methods are no longer sufficient, and the role of AI becomes crucial in preserving data security.
AI approaches the analysis of large amounts of data in a way that the human mind cannot.
Modern information systems face sophisticated threats, and attacks such as malware, phishing, ransomware, and DDoS are becoming more frequent and more serious.
These threats can not only harm business operations, but they can also lead to the loss of user trust and the reputation of the affected entities.
This is where AI comes into play, providing us with tools for a fast and proactive response to threats.
Information security includes a set of measures and practices with the role of protecting information from unauthorized access, manipulation, theft, or destruction.
This concept spans from technological systems to procedures and human resources, making it a key element in preserving the integrity of information in today's digital world.
According to research, the market size of AI in cybersecurity was around $15 billion in 2022 and is projected to reach over $100 billion by 2032.
AI in cybersecurity establishes secure applications by default, eliminating vulnerabilities for users.
AI-driven solutions, such as user verification through behavioural biometrics, foster secure application development and promote a safe data ecosystem.
AI can identify potentially malicious activities and threat actors, allowing organizations to predict and prevent cyber-attacks before they become real.
Artificial Intelligence vs. Data Analytics
Unfortunately, AI is a very popular, often misused buzzword now.
Not unlike big data, the cloud, IoT, and every other “next big thing”, an increasing number of companies are looking for ways to jump into the AI world.
They use technologies that analyse data and let results drive certain outcomes, but that isn’t AI.
Pure AI is about reproducing cognitive abilities to automate tasks.
The crucial difference between AI and DA:
[SLIDE]
AI in cybersecurity, with the support of machine learning, is set to be a powerful tool in the future.
As with other industries, human interaction has long been essential and irreplaceable in security.
While cybersecurity currently relies heavily on human input, we are seeing that technology becomes better at specific tasks than we are.
AI technology development covers a few areas of research that are at the core of it all:
AI is designed to give computers the full responsive ability of the human mind.
AI is the umbrella discipline under which many others fall, including machine learning and deep learning.
ML uses existing behaviour patterns, forming decision-making based on past data and conclusions. Human intervention is still needed for some changes.
ML is likely the most relevant AI cybersecurity discipline to date.
DL works similarly to machine learning by making decisions from past patterns but adjusts on its own.
In the period before AI, cybersecurity relied heavily on signature-based detection systems as its primary defence against threats.
These systems compared incoming network traffic to a predefined database of known threat signatures.
When a match was found, the system would raise an alert and take measures to block or contain the identified threat.
Manual analysis was central to traditional cybersecurity operations. Security analysts carefully investigated security alerts and log data, searching for patterns or indicators of potential security violations.
This systematic process was highly time-consuming and heavily reliant on the expertise of individual security analysts to identify threats.
Rule-based systems, another component of the traditional approach, operate by establishing strict rules and policies that define acceptable network behaviour. Any deviation from these rules would trigger an alert.
While the traditional approach demonstrated effectiveness in specific scenarios, particularly with well-known threats, it often proved inflexible and struggled to adapt to new cyber threats.
Additionally, the ubiquity of connected devices on the Internet of Things (IoT) further expands the attack surface.
What distinguishes AI from traditional cybersecurity approaches is its ability to continuously learn and adapt.
The escalating complexity of cyber threats, including social engineering and ransomware, presents challenges for traditional defences.
[SLIDE]
Adopting innovative solutions represents an imperative to effectively combat these threats.
Cost Reduction
By automating routine tasks such as log analysis, vulnerability assessments, and patch management, AI minimizes the need for manual intervention, saving valuable time and human resources.
AI's ability to improve threat detection accuracy also contributes to cost reduction.
Traditional security models may generate false positives or miss certain threats, leading to wasted time and resources investigating non-existent issues or overlooking actual security incidents.
Improved Scalability
Traditional cybersecurity approaches often struggle to handle the vast volumes of data generated in complex and interconnected environments.
AI excels in scalability, processing and analysing massive amounts of data from various sources at the same time.
AI algorithms can effectively analyse network traffic logs, system logs, user behaviours, and threat intelligence feeds.
This scalability allows AI to detect indicators of cyber threats that may escape human analysts, ensuring a proactive defence posture.
1) AI algorithms can continuously learn and adapt to new threats, enhancing the overall threat detection capabilities.
2) AI enables real-time analysis of network traffic, user behaviour, and system logs. This capability allows for swift identification and response to potential security incidents, reducing the time it takes to detect and mitigate threats.
3) AI can automate routine cybersecurity tasks, such as monitoring logs, analysing network traffic, and validating security events.
This automation not only improves efficiency but also frees up human resources to focus on more complex and strategic aspects of cybersecurity.
4) AI excels in behavioural analysis, allowing for the identification of abnormal user activities or deviations from established patterns.
5) AI can help reduce the number of false positives by fine-tuning detection mechanisms based on learning from historical data.
6) AI can enhance incident response by automating the analysis of security incidents, providing valuable insights into the nature of the threat, and a faster and more effective response to mitigate potential damage.
I have covered some of the most popular use-cases: threat detection, UBA, vulnerability assessment...
AI can analyse large amounts of data from different sources and identify unusual patterns in users' behaviour, which could indicate a cyber-attack.
For example, if an employee clicks on a phishing email, AI can quickly notice the change in their behaviour and alert to a potential security attack.
By automating incident response actions, such as blocking malicious activities, AI limits the potential impact of a security breach.
Malware and Phishing Detection - AI analyses email content and context to differentiate between spam, phishing attempts, and legitimate messages. Machine learning algorithms enable AI to evolve and adapt to new threats, recognizing signs of sophisticated attacks like spear phishing. Intercepting suspicious activities before they harm corporate networks is crucial. AI systems excel at detecting phishing traps.
Security Log Analysis - AI transforms security log analysis by utilizing machine learning algorithms to analyse vast amounts of real-time log data. AI excels at detecting potential insider threats through a comprehensive analysis of user behaviour across multiple systems and applications.
Endpoint Security - As remote work becomes more popular, securing endpoints becomes crucial in maintaining cybersecurity. Traditional antivirus solutions and VPNs rely on signature-based detection, which may lag behind new threats, leaving endpoints vulnerable. AI-driven endpoint protection takes a dynamic approach, establishing a baseline of normal endpoint behaviour and detecting deviations in real time. By continuously learning from network behaviour, AI can identify potential threats, including zero-day attacks, without needing signature updates. With AI, organizations can enhance password protection and user account security through advanced authentication methods. AI-driven solutions like CAPTCHA, face recognition, and fingerprint scanners automatically detect legitimate login attempts.
Encryption - Breaking encryption is tough because it relies on complex math that even AI struggles with. The good news is that cryptographic algorithms, like AES and SHA, are designed to be tough to crack. So, even though AI can do amazing things, breaking strong encryption is still a big challenge.
Use Case 2: User Behaviour Analytics
AI models utilize deep and machine learning techniques to analyse network behaviour and detect deviations from the norm continuously.
These models self-correct and adapt, improving their accuracy in identifying anomalies and potential threats.
AI-driven behavioural analytics enhances threat-hunting processes by creating deployed application profiles and analysing vast user and device data.
This proactive approach enables organizations to identify evolving threats and vulnerabilities effectively.
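As an added illustration, not from the talk or from MDS, here is a minimal baseline-and-deviation detector of the kind the user behaviour analytics, security log analysis and endpoint security passages describe: it learns each user's usual login hours and countries from constructed training lines, then flags live events that deviate. The log format, the z-score threshold and every sample value are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log lines for illustration (not from the talk or any product).
TRAINING_LOGS = [
    "2024-03-01T08:12:03Z login user=alice src=10.0.1.5 country=RS result=ok",
    "2024-03-02T09:05:44Z login user=alice src=10.0.1.7 country=RS result=ok",
    "2024-03-03T10:41:10Z login user=alice src=10.0.1.5 country=RS result=ok",
    "2024-03-01T13:02:09Z login user=bob src=10.0.2.9 country=DE result=ok",
    "2024-03-02T14:17:55Z login user=bob src=10.0.2.11 country=DE result=ok",
]
LIVE_LOGS = [
    "2024-03-04T09:30:00Z login user=alice src=10.0.1.5 country=RS result=ok",
    "2024-03-04T03:15:27Z login user=alice src=198.51.100.23 country=BR result=ok",
    "2024-03-04T13:40:12Z login user=bob src=10.0.2.9 country=DE result=ok",
    "2024-03-04T13:41:12Z login user=carol src=10.0.3.4 country=DE result=ok",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\w+) src=\S+ "
                    r"country=(?P<cc>[A-Z]{2}) result=\w+$")

def parse(line):
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"][11:13])   # hour of day taken from the ISO timestamp
    return ev

def build_baseline(lines):
    """Learn a per-user profile: countries seen and mean/stdev of the login hour."""
    hours, countries = defaultdict(list), defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        hours[ev["user"]].append(ev["hour"])
        countries[ev["user"]].add(ev["cc"])
    # stdev is floored at one hour so a very tight baseline does not flag minor drift
    return {u: {"countries": countries[u], "mean": statistics.mean(h),
                "stdev": max(statistics.pstdev(h), 1.0)} for u, h in hours.items()}

def score(ev, baseline, z_limit=2.0):
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    prof = baseline.get(ev["user"])
    if prof is None:
        return ["no baseline for user"]
    reasons = []
    if ev["cc"] not in prof["countries"]:
        reasons.append(f"new country {ev['cc']}")
    z = abs(ev["hour"] - prof["mean"]) / prof["stdev"]
    if z > z_limit:
        reasons.append(f"unusual hour {ev['hour']:02d} (z={z:.1f})")
    return reasons

def detect(training, live):
    """Flag live events that deviate from the baseline learned on the training lines."""
    baseline = build_baseline(training)
    return [(ev["ts"], ev["user"], score(ev, baseline))
            for ev in filter(None, map(parse, live)) if score(ev, baseline)]
```

Running `detect(TRAINING_LOGS, LIVE_LOGS)` flags alice's 03:15 login from a new country and carol, who has no baseline yet, while the in-profile logins produce no alert.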
Use Case 3: Advanced Threat Response and Mitigation
AI's automation capabilities extend beyond detection, enabling automatic responses to different cyber threats.
Organizations can utilize AI-enhanced cybersecurity solutions to rebalance the workload on security teams and optimize incident response times.
By mining vast amounts of security data and correlating information, AI generates detailed cyber threat responses aligned with technical logs, network traffic patterns, and global threat intelligence.
Use Case 4: Vulnerability Assessment and Management
As cybercriminals continuously deploy sophisticated methods, organizations struggle to manage the influx of new vulnerabilities.
AI-driven solutions, such as User and Entity Behaviour Analytics (UEBA), analyse device, server, and user activities to detect anomalies and zero-day attacks.
By proactively protecting against undisclosed vulnerabilities, AI enables real-time defence against high-risk threats.
Use Case 5: Threat Intelligence and Predictive Analytics
AI can predict the areas most susceptible to cyber breaches. With AI's ability to collect and process diverse data sources, security teams gain a holistic view of the organization's security posture.
This enhanced situational awareness enables proactive threat hunting, accurate risk assessments, and timely incident response.
Threat Intelligence and Predictive Analytics in PayPal
One of the key applications of AI in PayPal's cybersecurity strategy is transaction analysis.
With the large volume of daily transactions occurring on the platform, manual review for signs of fraud would be a monumental task.
AI's rapid processing capacities efficiently examine each transaction for potential red flags.
While artificial intelligence (AI) has become a powerful tool in cybersecurity, there are situations where it may not be the best choice.
Here are some situations when it might be wise to avoid using AI in cybersecurity:
If you have a small or outdated dataset, AI may not perform effectively. In such cases, traditional rule-based systems or expert analysis might be more appropriate.
If your organization lacks the necessary skills or resources, AI adoption can be challenging.
If your company relies heavily on legacy infrastructure, transitioning to AI-based cybersecurity solutions can be challenging and costly.
If your organization lacks the necessary hardware or cloud resources, AI deployment may be impractical.
Besides the disadvantages mentioned above, there is also a risk of AI technology being used for malicious purposes.
Cybercriminals now offer subscription services and starter kits. The utilization of large language models like ChatGPT for writing malicious code further underscores the potential risks in the digital landscape.
Humans can no longer sufficiently secure an enterprise-level attack surface, and AI gives the much-needed analysis and threat identification that can be used by security professionals to minimize breach risk and enhance security posture.
Achieving a balance between the advantages and disadvantages of AI (and ML data-protection systems) is the goal for the upcoming years.
Together, with a focus on innovation and security, you can navigate the future of AI in cybersecurity.
I would like to thank you for your attention and time.
The purpose of this presentation was to show on a high level how AI could help in the world of cybersecurity.
If you want to contact me for a “deeper” discussion on this topic, or if you have any questions, you can do so via email.
My email address is astojanovic@mds.rs.