Machine Learning in Cyber Security - Goals and Different Types

The Goals of AI in Cybersecurity

Cybersecurity revolves around visibility – and with ballooning endpoint numbers and network sizes, enterprise security is more difficult than ever.

This is made harder by the old-fashioned tool siloes, which often take individual responsibility for each area of the cyber attack surface. The two key goals of artificial intelligence in security are:

• The discovery of an enterprise’s attack surface
• The cross-implementation of data between tools

1. Asset and Protocol Discovery

Maintaining an accurate inventory of digital assets is critical, and is one field in which machine learning is already playing a pivotal role.

Traditional asset management tools rely on manual input or rigid scanning schedules, often leaving gaps in coverage. In contrast, ML algorithms can continuously analyze vast streams of network traffic, endpoint telemetry, and configuration data to identify devices, services, and users.

(often surfacing shadow IT assets or unauthorized deployments that evade traditional controls.)

While assets are key to find, one of AI’s advantages is in its ability to lend immediate visibility into the APIs connecting to your attack surface, and the respective schemas they use. AI models can dynamically interpret API schemas and network behaviors by analyzing their traffic’s content and structure in real time. Through schema extraction and generation, AI examines HTTP payloads – whether JSON, XML, or proprietary formats – to infer data types, identify field relationships, and estimate valid value ranges.

These insights are automatically synthesized into machine-readable representations like JSON Schema.

As a result, analysts are provided streamlined documentation, and further AI analysis can take place on open API connections.

In a similar fashion, ML security applications can use fingerprinting, which leverages AI’s capacity to:

• Assess packet structure
• Byte sequences
• Entropy patterns

…using all of this data to classify underlying communication protocols within a network. Whether distinguishing between REST, SOAP, GraphQL, or detecting custom or binary formats, AI models use pattern recognition and behavioral baselining to map unknown flows or inconsistencies  – or flag them for further inspection when anomalies arise.

This approach dramatically enhances visibility, even across complex or dynamic networks, and allows for consistent coverage of APIs, third-party services, or non-standard data exchanges.

2. Machine Learning Threat Detection

Beyond discovery, ML also helps classify and rank assets based on risk, behavioral baselines, exposure levels, and business function. For instance, if a previously unknown server begins communicating with critical systems over suspicious protocols, an ML model automatically flags it for investigation.

Threat detection is one area where ML models excel: static file analysis is one category of this.

By implementing a classifier engine (a form of supervised model), an ML is able to scan an unopened file for signs of malicious activity. This can detect tiny components of otherwise inactive files, such as a single communication module that instructs the victim’s device to connect to an attacker-controlled server.

In networks specifically, AI-powered Network Detection and Response (NDR) tools automate the monitoring of:

• Network packets
• Flow logs
• Connections

This monitoring helps to spot lateral movement, command-and-control communications, and data exfiltration attempts, including those involving previously unseen attack techniques

Cross-Tool Integration

Most security tools have been created over decades’ worth of development into specific capabilities – as a result, today’s tools operate overwhelmingly independently. While each offers an immense depth of view into their specialized field, a security analyst is often left struggling.

For instance, an Endpoint Detection and Response tool may flag suspicious file behavior on a device, while a firewall may alert on malware’s attempt to communicate to a suspicious server. ML provides a way to automatically connect the information gained from both tools.

Its ability to rapidly incorporate hundreds of data sources allows it to close the gap between tools that modern adversaries regularly exploit.

Machine Learning Drawbacks and Considerations

While machine learning is an immensely powerful tool in the right contexts, it’s not a silver bullet.

There are several considerations to keep in mind when comparing different approaches. Cybersecurity ML challenges include precise application, and careful consideration of which models are deployed – which should form the foundation of your ML deployment best practices.

1. Precise contextual requirements

ML offers powerful detection capabilities for cybersecurity analysts, but its effectiveness hinges on applying the right model to the right context.

For example, unsupervised learning models excel at identifying unusual behavior in real time by modeling “normal” activity across networks. But, when used in isolation, it may misclassify legitimate users as threats. This is because an ML algorithm has no inherent awareness of legitimate users or attackers.

• A new device accessing an established server could be a sign of an attack
• Or it could be a new employee connecting from their PC

Established unsupervised MLs may also fall foul of inflexibility: if an employee has always logged in from one location, a change in this can see the ML trigger an alert. The end result of this is what some analysts are already familiar with: piles of useless security alerts that more often than not go ignored.

Taken to the extreme, these can actively hinder threat detection and remediation processes.

Without the balance of supervised learning or contextual awareness, ML systems can struggle to distinguish between benign deviations and true malicious intent.

2. An Overreliance on Signatures

Signatures refer to an attack’s specific ‘tells’ – the tactics, techniques, and procedures that specific malware strains or attack groups commonly rely on.

Since today’s cybersecurity is so heavily interconnected, it’s possible to build large databases of global TTPs – leading to better widespread visibility than ever before. But, attackers are aware of their scrutinized status, and while some may attempt to leverage old code and TTPs, many others are happy to invest the time and resources into novel attack techniques.

TTPs used to be manually incorporated into security, usually in the field of forensics, to discover who may have orchestrated an attack. However, this process was hampered due cybercriminal behaviors evolving

Supervised machine learning models are able to ingest these updates at the same pace they’re uploaded, allowing for near-real-time attack identification. But, supervised models rely on this underlying support, making them fairly resource-intensive to maintain.

Plus, they provide far less protection against attacks that are willing to obfuscate or build new vectors.

As a result, different ML models succeed best in different contexts:

• Behavioral analysis can allow for new attack vectors to be discovered
• Supervised models excel at quickly and efficiently discovering known attacks

3. The Black Box Issue

Alongside the correct context, Machine Learning also falls foul of the ‘black box‘ problem. The inputs and outputs of a system are made visible to the administrator, while its inner workings are not.

This is partly a result of the sheer quantity of parameters an AI model has to contend with:

• Individual device status
• Protocol legitimacy
• Connection history

Every datapoint pushes a device closer or further away from a suspicious verdict, and most AI models are not built for transparency. Adding a decision-explaining process for every single step could make a model infinitely more complex, while also being cost-prohibitive to build and run.

As a result, analysts are left having to blindly trust the output of a model. Furthermore, while excellent at high-speed data analysis, ML models aren’t infallible – training data bias could result in skewed or outright missed alerts. With no way to see its step-by-step working out, analysts are left having to use the model’s outputs alone as the ML effectiveness metrics.

While continuous improvement systems can help mitigate this by defining an expected outcome, this lack of visibility can represent too big of a risk for some security teams.

Modern security platforms are able to manage this risk by implementing stringent AI-first controls.