
AI in Cyber Security: How Does it Help Us? Real Examples

We’ve been hearing about machine learning and artificial intelligence assisting decision making for a few years now, and cyber security does look like an ideal subject for some assistance.

Why Now?

The algorithms for machine learning have been around for some forty or fifty years, but it is only recently that we have gained access to two other important ingredients: lots of data and cheap processing power.

With the vast improvements in chip design, we can now not only process data much faster, but can also move it around (bandwidth) and store it in ever increasing volumes. These are the key ingredients required to make machine learning and its cousin, artificial intelligence, really useful.

In cyber security we now have an avalanche of data available to process. Most devices on the network now generate log data; we have the configuration data, we have identity and access data and of course we have the network traffic metadata.

In addition, we can open the traffic packets and examine the content data as well. If there is any part of the network where we do not have data, that can be solved by deploying an agent to gather the information we need. All this different data needs to be normalised before it can be rapidly analysed.

The Perfect Application?

We are all very much aware of the massive rise in cyber criminal activity. Every day our networks are being attacked, either with a scattergun approach or with a highly targeted attack. A medium to large size company now needs a SOC team to monitor and respond to these attacks, and that team gets flooded with too many system alerts to be able to deal with them all effectively. This is clearly an ideal application for artificial intelligence.

As we all know, in cyber security, there always seems to be a new shiny object to entice us to part with a slice of the company budget, so natural scepticism is very healthy! Rather than wax lyrical about the subject, let’s look at some actual examples that I have come across when working in this field.

The Real Life Example

This is an interesting event because it is unlikely to have been caught without the AI software. The software being used builds up patterns from the traffic data, and over a period of a couple of weeks it has enough patterns to recognise any traffic or events that are out of the ordinary, in other words, anomalous.

The company using the software is a US manufacturer of IoT controllers. On Thursday at around 1.30 pm an alert was generated that flagged a suspicious download of a file named OfficeActive.bin. It looked like a Microsoft update file, but the AI software recognised it as different from the usual Microsoft updates, especially as it was being downloaded from a 100% “rare source” for the company network.

In addition to just sending the alert, the software is able to force a “normal pattern of working” based on the device group or the individual device for a set period – this gives some granularity of response. The device group has a broader range of activities which are considered “normal” whereas the device-specific pattern is a more narrow and restricted definition.

This automatic response happens within seconds and it prevents the download from completing and any execution of the file, but does not interfere with “normal” activity.
It seems likely that the user just thought he was downloading a legitimate Microsoft update file.

In this case the recommended restriction was based on the device group pattern for two hours. Within that period, however, the AI software recognised another two attempts at downloading files from the same site, and it responded with an escalated restriction for five minutes to only the device’s “normal pattern” of activity, alerting the SOC team to investigate.

The device then attempted to make a new connection to another previously unvisited site, and the software escalated again by blocking the device from making any outgoing connections for one hour, allowing time for the SOC team to fully investigate.
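As an added illustration (not the vendor’s software and not code from this article), the Python sketch below models the behaviour described in the example: a baseline of normal destinations is learnt per device, per device group and for the whole company network; a destination outside the company-wide set is a “rare source”; and the response escalates per device from the group pattern (two hours) to the device-specific pattern (five minutes, with a SOC alert) to a full outbound block (one hour), while other devices are untouched. The device names, groups, hostnames, flow records and the repeat threshold are all constructed assumptions.

```python
"""Baseline-and-escalate anomaly response, modelled on the incident in the article."""
from collections import defaultdict

# --- Constructed sample data (assumptions, not from the article) ------------
DEVICE_GROUPS = {"eng-ws-01": "engineering", "eng-ws-02": "engineering",
                 "fin-ws-01": "finance"}

# (device, destination host) pairs observed during the learning period.
LEARNING_FLOWS = [
    ("eng-ws-01", "update.vendor.example"), ("eng-ws-01", "git.corp.example"),
    ("eng-ws-02", "update.vendor.example"), ("eng-ws-02", "ci.corp.example"),
    ("fin-ws-01", "update.vendor.example"), ("fin-ws-01", "erp.corp.example"),
]

# Response tiers in the order the article describes them: (action, minutes).
TIERS = [
    ("restrict_to_group_pattern", 120),   # two hours
    ("restrict_to_device_pattern", 5),    # five minutes, SOC alerted
    ("block_all_outbound", 60),           # one hour
]
REPEAT_THRESHOLD = 2   # retries at an already-flagged site before escalating (assumed)


def learn_baseline(flows, groups):
    """Build the sets of normal destinations per device, per group and company-wide."""
    device, group, company = defaultdict(set), defaultdict(set), set()
    for dev, host in flows:
        device[dev].add(host)
        group[groups[dev]].add(host)
        company.add(host)
    return {"device": device, "group": group, "company": company}


class Responder:
    """Stateful per-device responder; restrictions never affect other devices."""

    def __init__(self, baseline, groups):
        self.b = baseline
        self.groups = groups
        self.level = defaultdict(int)      # 0 = unrestricted, 1..3 = TIERS index + 1
        self.flagged = defaultdict(set)    # anomalous sites already seen per device
        self.repeats = defaultdict(int)
        self.log = []                      # every escalation taken

    def _allowed(self, device, host):
        lvl = self.level[device]
        if lvl == 0:
            return host in self.b["company"]             # normal anywhere on the network
        if lvl == 1:
            return host in self.b["group"][self.groups[device]]
        if lvl == 2:
            return host in self.b["device"][device]
        return False                                     # level 3: everything blocked

    def _escalate(self, device, reason):
        self.level[device] = min(self.level[device] + 1, len(TIERS))
        action, minutes = TIERS[self.level[device] - 1]
        entry = {"device": device, "action": action, "minutes": minutes,
                 "reason": reason, "alert_soc": self.level[device] >= 2}
        self.log.append(entry)
        return entry

    def observe(self, device, host):
        """Process one outbound connection; return the response taken, or None."""
        if self._allowed(device, host):
            return None
        lvl = self.level[device]
        if lvl == 0:                       # first anomaly: a company-wide rare source
            self.flagged[device].add(host)
            return self._escalate(device, f"rare source {host}")
        if lvl >= len(TIERS):              # already fully blocked; nothing to escalate
            return {"device": device, "action": "blocked", "reason": f"outbound blocked: {host}"}
        if host in self.b["company"]:      # known site, just outside the current pattern
            return {"device": device, "action": "blocked", "reason": f"outside pattern: {host}"}
        if host in self.flagged[device]:   # retrying the flagged site
            self.repeats[device] += 1
            if self.repeats[device] >= REPEAT_THRESHOLD:
                self.repeats[device] = 0
                return self._escalate(device, f"repeated attempts at {host}")
            return {"device": device, "action": "blocked", "reason": f"retry of {host}"}
        self.flagged[device].add(host)     # a further never-seen site while restricted
        return self._escalate(device, f"new unvisited site {host}")


def replay_incident():
    """Replay the article's sequence of events against the constructed baseline."""
    r = Responder(learn_baseline(LEARNING_FLOWS, DEVICE_GROUPS), DEVICE_GROUPS)
    events = [
        ("eng-ws-01", "git.corp.example"),      # normal for this device
        ("eng-ws-01", "rare-host.invalid"),      # suspicious download, rare source
        ("eng-ws-01", "ci.corp.example"),        # within the group pattern: still allowed
        ("eng-ws-01", "rare-host.invalid"),      # retry 1
        ("eng-ws-01", "rare-host.invalid"),      # retry 2: device pattern + SOC alert
        ("eng-ws-01", "another-rare.invalid"),   # new unvisited site: block all outbound
        ("eng-ws-01", "git.corp.example"),       # even normal traffic is now blocked
        ("eng-ws-02", "ci.corp.example"),        # a different device is unaffected
    ]
    return [(d, h, r.observe(d, h)) for d, h in events]


if __name__ == "__main__":
    for dev, host, resp in replay_incident():
        print(dev, host, resp or "allowed")
```

The point of separating the three baseline sets is the granularity the article describes: the group pattern is permissive enough that the user keeps working after the first alert, the device pattern is narrower, and the full block is reserved for a device that keeps reaching for unseen destinations. Because every decision is a set lookup against stored patterns, it can run in the time a real-time proxy or firewall has to make a decision, and it needs no external intelligence feed.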

Very Interesting Application of AI

This was a very interesting application of AI because the events occurred while the SOC team was busy with other events and would not have picked up on this particular activity. The automated response only limited the device in question and had no impact on other users.

The series of automatic responses was appropriate to the anomaly and did not prevent normal working activities. Because the system compares real-time traffic to its stored “normal” patterns of behaviour, it can respond within seconds. The AI software is not looking for any particular file type, only for the anomalous behaviour, so the system does not rely on receiving intelligence feeds or other external input.

Prevented a Zero-day Attack

This event all occurred within just 20 minutes and was resolved when the SOC manager contacted the user. The SOC team investigated by scanning the OfficeActive.bin file with their anti-virus solution and submitting the URL; the results showed that this was in fact a zero-day attack which their anti-virus software was unable to stop.

This type of AI implementation can significantly benefit the over-burdened SOC team by identifying and responding to anomalies and buying the team additional time to resolve the issue.

More Examples

I have some other very different examples of AI augmented cyber security to share and I’ll write about these soon. In the meantime, if you would like more information about the AI solutions, feel free to contact me.

Author: David R. Bird.
MSc Cyber Security, CISSP.

UKNCSA™ is the National Cyber Security Association™ for the UK.
UKNCSA is administered by UKNCSA Ltd (a non-profit organisation).
Company Reg.11995004
Reg Office. 101 Avondale Road, London N153SR.