What is AI Security?

Artificial intelligence (AI) has developed and matured rapidly in recent years. Although the concept of AI has existed for decades, the past few years have seen major advances in AI development and the introduction of generative AI. As a result, companies across industries are exploring how best to make use of AI.

The surge in AI use has both positive and negative implications for cybersecurity. On the one hand, AI introduces significant new security risks to sensitive corporate and customer data. On the other hand, AI-based cybersecurity also offers the ability to strengthen enterprise defenses.

Understanding AI’s Role in Modern Cybersecurity

Traditional cybersecurity systems concentrated on preserving a network’s or device’s operational state.

Modern threats, however, rarely seek to cause outages, but instead aim to:

  • Steal valuable corporate data
  • Deploy complex strains of malware behind perimeter defenses

To bring defenses in line with these goals, security staff are required to monitor more pieces of data.

The Rise of SIEM & EDR

This changing goal can be tracked in the security tools that have become popular over time – the rise of Security Information and Event Management (SIEM) tools in the early 2010s saw a push toward ingesting and analyzing large quantities of log files.

Since then, the amount of data being ingested has increased.

Endpoint Detection and Response (EDR), for instance, continuously monitors the internal activities of every company laptop, phone, and PC, while firewalls do the same for network-level activity. These individual pieces of data are created faster than they can be manually investigated, but they still need to be turned into actionable intelligence.

This is where AI, such as Machine Learning, has made significant strides.

The Adoption of AI

Machine learning works by training algorithms on large datasets, from which they learn to organize network or malware data into recognizable patterns. These patterns can then be applied to new sets of data, allowing anomalies to be recognized automatically, such as:

  • Unusual login attempts
  • Unusual data access patterns

Over time, the ML models adapt and improve their accuracy by continuously learning from new data.

This is just one way in which AI allows human cybersecurity teams to work faster and more efficiently, and to assess wider swathes of threat intelligence than is possible with human eyes alone.

How Criminals Are Using AI

Check Point’s AI Security Report unveils how cybercriminals are tightly following the rise of mainstream AI adoption, particularly with each new release of a large language model (LLM). As soon as a new model becomes publicly available, threat actors in underground forums rapidly assess its capabilities and potential avenues for misuse.

On its own, this would be of little operational concern, but the picture is evolving further with the emergence of open-source or outright maliciously-built models like DeepSeek or WormGPT. These illicit models are deliberately stripped of ethical safeguards and are openly marketed as tools for hacking and exploitation.

Plus, they’re accessible at very low cost, making the attack ROI even higher.

As a result, AI is driving both:

  • Higher phishing attack success rates
  • A faster malware development lifecycle

From crafting ransomware scripts and phishing kits to engineering info-stealers and generating deepfakes, cybercriminals are using AI to streamline every phase of their operations.

AI Security Risks

While AI holds great promise and potential benefits across many industries, it can also introduce security risks, including:

  • Data breaches: AI models require large volumes of data for training. Collecting and using these large datasets creates a potential risk of compromise by attackers.
  • Adversarial attacks: Integrating AI into various processes creates the risk of cyber attackers targeting the AI itself. For example, an attacker may attempt to corrupt the training data, or train an adversarial AI system to identify errors in an AI model so that it can be bypassed or exploited.
  • Bias and discrimination: AI models are built on labeled training data. If that data contains bias (for example, if it consists mainly of images of a particular demographic group), the AI model will learn the same bias.
  • Lack of transparency: AI can identify trends and detect complex relationships. However, its models are opaque or not explainable, which makes identifying errors or bias in the final model infeasible.

How Can AI Help Prevent Cyber Attacks?

The proliferation of high-powered AI is a driving force behind tighter and more accurate security controls and workflows. Because AI can be implemented in drastically different formats according to the data it’s trained on, the following use cases are grouped according to the security tools implementing the AI.

AI In Network Security

AI’s implementation in network security can run the gamut from identifying suspicious external connections to implementing tighter network segmentation.

Automated Identity Discovery

Role-Based Access Control (RBAC) is a way of implementing network security according to the principle of least privilege.

Instead of assigning blanket permissions to static groups of individuals – which is highly time- and resource-demanding – RBAC links specific roles to the permissions that reflect their job responsibilities. Users are then assigned to these roles – automatically inheriting the associated permissions.

For instance, a new employee may be linked to the role of ‘database admin’, whose permissions would include:

  • Creating and deleting databases
  • Backing up and restoring data

These explicit permissions would look completely different from those in an ‘accountant’ role.

AI is accelerating RBAC adoption thanks to its ability to discover identities automatically. New network security tools may scan logins, file access, and application usage across departments, to then build a profile of what real employees are accessing day-to-day.

Should it detect that a specific group regularly accesses accounting software, handles payroll data, and runs monthly reports, it’s able to automatically suggest a “Finance Analyst” role. New employees with similar job functions can then be automatically assigned this role, streamlining RBAC onboarding.
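The role-discovery idea above, as an added illustration that is not Check Point's code: users are profiled from observed access events, users with strongly overlapping profiles are grouped, the group's shared resources become a suggested role, and a new hire is matched to the closest role only when the match is strong enough. The access log, resource names and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of observed access events as (user, resource). Not real data.
ACCESS_LOG = [
    ("alice", "accounting-app"), ("alice", "payroll-db"), ("alice", "report-gen"),
    ("bob", "accounting-app"), ("bob", "payroll-db"), ("bob", "report-gen"),
    ("carol", "accounting-app"), ("carol", "report-gen"),
    ("dave", "postgres-admin"), ("dave", "backup-svc"),
    ("erin", "postgres-admin"), ("erin", "backup-svc"), ("erin", "db-console"),
]

def profiles(log):
    """Per-user profile: the set of resources each user actually touched."""
    prof = defaultdict(set)
    for user, resource in log:
        prof[user].add(resource)
    return dict(prof)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0  # 0 = disjoint, 1 = identical

def suggest_roles(prof, threshold=0.6):
    """Group users whose access sets overlap strongly; each group's shared resources
    become a suggested role. Single-user groups are not evidence of a job function."""
    clusters = []
    for user in prof:
        for cluster in clusters:
            if all(jaccard(prof[user], prof[m]) >= threshold for m in cluster):
                cluster.add(user)
                break
        else:
            clusters.append({user})
    roles = {}
    for cluster in clusters:
        if len(cluster) < 2:
            continue
        common = set.intersection(*(prof[m] for m in cluster))
        name = "role:" + "+".join(sorted(common))
        roles[name] = {"members": sorted(cluster), "permissions": sorted(common)}
    return roles

def assign_role(new_user_access, roles, threshold=0.6):
    """Best-matching suggested role for a new user, or None if no match is strong enough."""
    best, best_score = None, 0.0
    for name, role in roles.items():
        score = jaccard(set(role["permissions"]), new_user_access)
        if score > best_score:
            best, best_score = name, score
    return best if best_score >= threshold else None
```

Returning None rather than guessing keeps a weak match in front of a human, which is the safer default for anything that grants access.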

Real-Time Threat Classification

Network security is dominated by the stateful firewall. A tried-and-tested approach that monitors the incoming and outbound connections between enterprise devices and the public Internet, stateful firewalls have remained a bastion of security since Check Point invented them in 1993.

With AI, however, firewalls are able to automate far more of the threat detection workflow: this can be applied to both incoming traffic and when assessing the legitimacy of external sites.

For instance, AI-supported firewalls are pre-trained on labeled network traffic data.

Since the AI model becomes highly adept at recognizing and labelling malicious network activity, the firewall can link disparate policy violations into the wider picture of a real-life attack.

Next-Generation Firewalls

Next-generation firewalls take this capability beyond alert labels, and offer automated response capabilities according to the suspected attack type. This could include:

  • Automated updating of internal traffic policies
  • Isolating communications to an infected subnet

Last-resort response capabilities, such as moving traffic over to dedicated failover servers, must be manually added to the firewall via playbooks, to ensure business continuity.

It’s not just internal traffic that firewall AI can assess: depending on your firewall provider, some also offer URL categorization. This uses Natural Language Processing (NLP) AI to categorize URLs according to their safety.

Dangerous or inappropriate sites can be blocked at the firewall level, leading to maximum security.

Zero Day Attack Prevention

While the vast majority of attacks rely on pre-established attack vectors, there is a highly lucrative black market for zero-day vulnerabilities. These are so valuable precisely because no patches yet exist for them, and when levied against firewalls they can represent a major security concern.

An AI-enhanced firewall is able to defend against zero days by establishing a baseline of normal network activity. For instance, it can plot a typical day's worth of transfer volumes for each user role. If the firewall then detects a sudden spike in data transfer to an external server at an unusual hour, it flags or blocks the activity as potentially malicious.

This same technique can also protect otherwise unpatched applications.
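The baseline-and-deviation logic described above, as an added example rather than any vendor's implementation: a per-role baseline of transfer volume and the hours in which transfers normally happen is learned from history, and a live transfer is allowed, flagged, or blocked depending on whether it deviates on volume, on hour, or on both. The history, roles and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed history of outbound transfers as (role, hour_of_day, bytes). Not real data:
# five weekdays of business-hours activity plus a couple of larger lunchtime syncs.
HISTORY = [("analyst", h, 40_000 + (h % 3) * 5_000) for h in range(9, 18)] * 5
HISTORY += [("analyst", 12, 90_000)] * 2

def build_baseline(history):
    """Per role: mean and standard deviation of bytes per transfer, plus the
    share of all transfers that happened in each hour of the day."""
    volumes = defaultdict(list)
    hour_counts = defaultdict(lambda: defaultdict(int))
    for role, hour, nbytes in history:
        volumes[role].append(nbytes)
        hour_counts[role][hour] += 1
    baseline = {}
    for role, vals in volumes.items():
        baseline[role] = {
            "mean": statistics.fmean(vals),
            "stdev": statistics.pstdev(vals),
            "hour_share": {h: n / len(vals) for h, n in hour_counts[role].items()},
        }
    return baseline

def assess(baseline, role, hour, nbytes, z_limit=3.0, min_hour_share=0.02):
    """Compare one live transfer with the role's baseline.
    Returns (verdict, reasons): 'allow', 'flag' (one deviation), 'block' (volume
    spike AND unusual hour together) or 'review' when the role has no baseline."""
    b = baseline.get(role)
    if b is None:
        return "review", ["no baseline for role"]
    reasons = []
    if b["stdev"] > 0 and (nbytes - b["mean"]) / b["stdev"] > z_limit:
        reasons.append("volume spike")
    if b["hour_share"].get(hour, 0.0) < min_hour_share:
        reasons.append("unusual hour")
    if len(reasons) == 2:
        return "block", reasons
    return ("flag" if reasons else "allow"), reasons
```

A role with no learned baseline is sent for review rather than silently allowed, since an empty profile is exactly where a new account or a new service would otherwise slip through.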

AI in Endpoint Security

Endpoint security is now an integral component of enterprise security. At its core, Endpoint Detection and Response (EDR) collects detailed telemetry from endpoints, such as:

  • Process execution
  • Parent-child process relationships
  • File interactions such as creation, modification, and deletion

This data is rich but complex, making it ideal for AI analysis.

Endpoint-Based Behavioral Analysis

AI enables predictive threat detection by learning what normal behavior looks like and spotting subtle anomalies that may indicate malicious activity.

This makes it particularly adept at spotting complex or tightly-engineered malware that employs obfuscation techniques like process hollowing, or even a malicious process that has been given a legitimate-looking name. Since EDR monitors which process is interacting with which file, its AI can spot when a background process is accessing sensitive files it normally wouldn't.

This deviation allows an alarm to be raised far before a successful attack is deployed.
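The process-to-file deviation check described above, as an added example that is not Check Point's code: a per-process profile of launching parents and touched directories is learned from EDR telemetry, and a live event is scored on how it departs from that profile, with extra weight when the unfamiliar directory is one the organization marks as sensitive. The telemetry, process names and sensitive directories are constructed for the example.

```python
import ntpath
from collections import defaultdict

# Constructed EDR telemetry as (parent_process, process, file_path). Not real data.
TRAINING = [
    ("explorer.exe", "winword.exe", r"C:\Users\a\Documents\memo.docx"),
    ("explorer.exe", "winword.exe", r"C:\Users\a\Documents\plan.docx"),
    ("services.exe", "svchost.exe", r"C:\Windows\System32\config\system.log"),
    ("services.exe", "svchost.exe", r"C:\Windows\Temp\cache.tmp"),
] * 3
# Directories the organisation treats as sensitive (hypothetical, lower-cased).
SENSITIVE_DIRS = (r"c:\finance", r"c:\users\a\documents\hr")

def learn_profiles(telemetry):
    """Per process name: the parents that launched it and the directories it
    touched during the training window. This is the process's 'normal'."""
    prof = defaultdict(lambda: {"parents": set(), "dirs": set()})
    for parent, proc, path in telemetry:
        p = prof[proc.lower()]
        p["parents"].add(parent.lower())
        p["dirs"].add(ntpath.dirname(path).lower())  # ntpath parses Windows paths on any OS
    return dict(prof)

def score_event(prof, parent, proc, path):
    """Return the ways one live file-access event deviates from the learned
    profile (an empty list means it is consistent with the baseline)."""
    p = prof.get(proc.lower())
    if p is None:
        return ["never-seen process name"]  # look-alike names land here
    d = ntpath.dirname(path).lower()
    reasons = []
    if parent.lower() not in p["parents"]:
        reasons.append("unexpected parent")
    if d not in p["dirs"]:
        reasons.append("new directory")
        if any(d.startswith(s) for s in SENSITIVE_DIRS):
            reasons.append("sensitive data outside profile")
    return reasons
```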

Predictive Analytics

Because different strains of malware act in different ways, an EDR AI is able to identify trending patterns within an ongoing attack, and predict which systems or users are likely to be targeted next. For instance, if account takeover is the suspected root cause of an attack, it’s able to examine which databases the account may have access to.

If the EDR is integrated with the firewall, this can be turned automatically into corresponding firewall policy changes.

How Is AI Applied in Cybersecurity?

AI excels at analyzing large volumes of data and extracting trends or anomalies. Some potential applications of AI in cybersecurity include:

  • Threat detection and response: AI's ability to identify trends and anomalies is well suited to detecting potential cybersecurity threats. For example, AI can monitor network traffic and look for traffic spikes or unusual communication patterns that may indicate a DDoS attack or lateral movement of malware.
  • User behavior analytics: AI can also be used to model user behavior and detect anomalies. By identifying unusual activity on user accounts, AI can help detect compromised accounts or abuse of user privileges.
  • Vulnerability assessment: As software vulnerabilities become more numerous, vulnerability management and patch management are a complex and growing problem. AI can automate vulnerability scanning, triage the results, and produce remediation recommendations to close identified security gaps.
  • Security automation: AI-enabled security tools can automatically perform common and repetitive security tasks according to playbooks. This enables rapid response to large-scale cyber attacks once an intrusion is discovered.

AI in Security Team Workflows

A security team is only as good as the workflows it relies on day-to-day. While AI has already brought real changes to the tooling space, further changes are occurring at the interface level.

Multifaceted Risk Analysis

AI aids security analysts by automating the integration and analysis of threat data.

Since AI can ingest vast swathes of different unstructured data – from logs and network traffic to user activity, endpoint behavior, and threat intelligence feeds – analysts are given an immediate picture of the scope of a new threat.

Instead of manually sifting through disparate data sets, AI correlates events across systems to identify patterns, anomalies, and potential threats.

For instance, AI can piece together the following actions into a high-risk assessment of a possible attack:

  • A user logs in from an unusual location
  • The same user accesses sensitive files at odd hours
  • The user then initiates outbound connections to unfamiliar domains

This risk assessment can inform the analysts on the case, and whether it should be prioritized over other demands. Because machine learning models can weigh the severity of each event based on historical data, organizational context, and threat indicators, analysts are able to start their investigations one step ahead.
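The cross-source correlation just described, as an added example that is not Check Point's code: events from an authentication log, a file audit trail and a web proxy are each reduced to a risk indicator against per-user context, indicators within a time window are chained per user, and the chain is scored with per-indicator weights plus a bonus for each additional corroborating source. The events, user context, weights and priority cut-offs are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed per-user context a SOC platform would hold (hypothetical values).
USER_CONTEXT = {
    "jsmith": {"usual_countries": {"US"}, "known_domains": {"corp.example", "updates.example"}},
}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
WEIGHTS = {"unusual_location": 30, "sensitive_offhours": 25, "unfamiliar_outbound": 35}

# Constructed events from three sources (auth log, file audit, web proxy). Not real data.
EVENTS = [
    {"ts": "2024-03-01T02:10:00", "src": "auth", "user": "jsmith", "country": "RO"},
    {"ts": "2024-03-01T02:14:00", "src": "file", "user": "jsmith", "path": "/finance/payroll.xlsx"},
    {"ts": "2024-03-01T02:20:00", "src": "proxy", "user": "jsmith", "domain": "drop.example.net"},
    {"ts": "2024-03-01T10:00:00", "src": "file", "user": "jsmith", "path": "/finance/q1.xlsx"},
]

def classify(ev, ctx):
    """Map one raw event to a risk indicator, or None when it looks benign."""
    hour = datetime.fromisoformat(ev["ts"]).hour
    if ev["src"] == "auth" and ev["country"] not in ctx["usual_countries"]:
        return "unusual_location"
    if ev["src"] == "file" and ev["path"].startswith(SENSITIVE_PREFIXES) and not 8 <= hour < 18:
        return "sensitive_offhours"
    if ev["src"] == "proxy" and ev["domain"] not in ctx["known_domains"]:
        return "unfamiliar_outbound"
    return None

def correlate(events, context, window=timedelta(hours=1)):
    """Chain each user's indicators that fall within one time window and score the
    chain: weights are summed and every extra distinct indicator adds a bonus."""
    chains = {}  # user -> list of {"start": datetime, "kinds": set}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ctx = context.get(ev["user"])
        kind = classify(ev, ctx) if ctx else None
        if kind is None:
            continue
        t = datetime.fromisoformat(ev["ts"])
        user_chains = chains.setdefault(ev["user"], [])
        if not user_chains or t - user_chains[-1]["start"] > window:
            user_chains.append({"start": t, "kinds": set()})
        user_chains[-1]["kinds"].add(kind)
    results = {}
    for user, user_chains in chains.items():
        kinds = max((c["kinds"] for c in user_chains), key=len)  # strongest chain wins
        score = sum(WEIGHTS[k] for k in kinds) + 10 * (len(kinds) - 1)
        level = "high" if score >= 70 else "medium" if score >= 40 else "low"
        results[user] = {"score": score, "priority": level, "indicators": sorted(kinds)}
    return results
```

Any single indicator here stays "low"; only corroboration across sources pushes a user into "high", which is the prioritisation effect the paragraph describes.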

In larger teams, this can even extend to which analysts or managers are assigned to an incident – analysts with a specialty in specific Linux or Microsoft devices, for instance, can be prioritized in attacks that exploit their field of expertise.

AI Tool Assistant

Making the most of your security team demands that routine security tasks be handled as efficiently as possible. To support this, some security tool providers also provide an NLP-based AI that acts as an assistant.

Loaded with your organization’s policies, access rules, and product documentation, such an assistant lets security analysts cut the time needed for routine security tasks.

Benefits of Using AI in Security

AI offers significant potential benefits for enterprise cybersecurity, including:

  • Enhanced threat detection: AI can analyze large volumes of security alerts and accurately identify genuine threats. This enables security teams to detect and respond to potential intrusions more quickly.
  • Rapid incident remediation: Once a security incident is identified, AI can perform automated remediation according to playbooks. This speeds up and simplifies the incident response process, reducing an attacker's ability to cause damage to the organization.
  • Improved security visibility: AI can analyze large volumes of data and extract useful insights and threat intelligence. This gives an organization a better understanding of the current state of its IT and security infrastructure.
  • Greater efficiency: AI can automate many repetitive and low-level IT tasks. This not only reduces the burden on IT staff and improves efficiency, but also ensures that these tasks are performed regularly and correctly.
  • Continuous learning: AI can continue to learn and update its models while actively operating. This enables it to learn to detect and respond to the latest cyber threat activity.

AI Security Frameworks

Some AI security frameworks developed to manage potential security risks include:

  • OWASP Top 10 for LLMs: Like the other OWASP Top 10 lists, this list identifies the most significant security risks to large language models (LLMs) and best practices for managing them.
  • Google's Secure AI Framework (SAIF): Defines a six-step process for overcoming common challenges associated with implementing and using AI systems.

AI Security Recommendations and Best Practices

Some security best practices for implementing AI include:

  • Ensure training data quality: The accuracy and effectiveness of AI depend on its training data. When building AI systems and models, ensuring the correctness of labeled training data is key.
  • Address ethical implications: The use of AI has ethical implications because of potential bias or misuse of personal data in training. Ensure safeguards are in place to guarantee that training data is complete and that the necessary consent has been obtained.
  • Perform regular testing and updates: AI models may contain errors or become outdated over time. Regular testing and updates are essential to ensure the accuracy and usability of AI models.
  • Implement an AI security strategy: Cyber threat actors may target AI systems in their attacks. Implement security policies and controls to protect AI training data and models from potential exploitation.

Explore AI Security with Check Point

Check Point is no stranger to the advancements being made in AI security.

As a market leader, our ThreatCloud AI collects and analyzes vast amounts of telemetry and millions of indicators of compromise (IoCs) daily. It’s the driving force behind many AI deployments, including Check Point’s own Infinity and CloudGuard platforms.

AI can represent a paradigm shift for data-heavy cybersecurity tools.

But it’s vital to maintain complete control over the ways in which AI is being deployed within your organization. Not only did Check Point’s AI Security Report find increasing use of AI tools by attackers, but mis-implemented AI tools also represent a security risk in and of themselves. As important as AI is, it’s vital to retain visibility into, and control over, how different AI tools are being deployed.

This is where Check Point GenAI Protect plays a role.

By integrating alongside your current network, it’s able to discover the AI services currently being used across the entirety of your organization. GenAI Protect brings all AI use cases into a central control plane, whether it’s:

  • End-users regularly using ChatGPT
  • More niche GenAI tools deployed within the CI/CD pipeline

From there, secure how users are interacting with AI, and gain full visibility into what data an AI app’s corresponding APIs have access to. This contextual awareness reaches into the prompts being used by individuals, too; for instance, GenAI Protect can ensure that management personnel are not exposing corporate data to ChatGPT by detecting any classified conversational data within prompts.

Ultimately, GenAI Protect allows organizations to continue meeting their regulatory security requirements even while exploring the full scope of AI’s newfound capabilities.

Explore more about GenAI Protect, and keep security at pace with enterprise development.