How Security Systems are Implementing AI and ML for Threat Detection
28-10-2020 | By Robin Mitchell
A recent study showed that over 90% of security operating centres are now implementing or considering the use of AI and machine learning to detect and defend against digital threats. What is the traditional method for threat detection, what has AI and ML allowed, and how is the hardware world reacting to threats?
Since their introduction, computers have played a key role in modern life, providing services such as internet access, online banking, message exchange, and remote work. However, the transmission of sensitive information along with the processing capabilities of any single computer has also resulted in the development of malware by cybercriminals. These programs fall under several categories, including viruses, trojans, and worms, all of which perform different tasks. Of these, their exact function can be separated further; some malware works to destroy a system while others may steal sensitive information.
Finding threats on a system can be challenging, and when combined with malware being able to infect a wide range of everyday devices and the rapid increase in the development of such malware the job for security organisations to track infections increasingly becoming difficult. The traditional way for an antivirus system to detect malware is to scan all files stored on a system and then look through the raw binary data that makes up those files. The binary data is then compared to a database that contains commonly used code segments by already discovered malware, and if a match is found, then the file is either quarantined or destroyed. When new malware is released into the public, security experts have to obtain a copy of the malware, identify unique strands of code, and then add this sequence to the malware database. Other detection methods include unexpected access to communication ports, applications that are logging keystrokes, and programs that try to access restricted areas in memory. However, all these methods rely on reactionary action, meaning that when a new virus, trojan, or worm is developed, all systems are vulnerable.
How can AI and ML be used in threat detection?
The development of Artificial Intelligence (AI), and Machine Learning (ML), has led to its implementation in many applications, including autonomous driving, industrial processes, facial recognition, and voice-activated devices. However, the ability for AI to learn and adapt to its environment now has engineers and security experts experimenting with AI systems in malware detection. According to a recent study, over 90% of security operation centres have looked into AI and ML as a method for malware detection.
One task that AI is particularly good at is recognising patterns, and the more data fed to the AI, the better it performs. As time progresses, and cyber criminals create more malware, an AI system tasked to identify it would become progressively better at spotting it. However, unlike traditional systems, which rely on databases of example code, an AI-driven security system would be able to detect new malware without ever seeing it before. The exact mechanism which allows a security AI system to identify new malware may not be known, but it may form links between commonly used code patters, embedded messages in the malware code, and even location data. AI and ML systems can also perform real-time analysis on CPU usage, RAM, and hard-disk access to look for anomalous activity. Once detected, the source of the anomalous activity can be found, and from there terminated.
Is hardware threat detection also playing a role?
Software driven AI systems could provide future systems with the ability to monitor their systems, identify malware based on experience, and take preventative measures to protect themselves. But some malware can be difficult to stop on a software level, and in these instances, only a hardware-based system can prevent such malware from causing havoc. Hardware security is an area of engineer that has recently been gathering traction due to its ability to protect designs from the silicon level and prevent attacks including malware injection into bootloaders, tamper from physical attacks, and attempts to access privileged instructions. While hardware security comes in a wide variety, there are even hardware systems that can monitor buses and processors to detect anomalous operations which are not normally expected, and once detected can initiate a system reset or raise an interrupt for the CPU to execute a special subroutine.
Overall, AI and ML will allow for the creation of malware detection systems that can not only learn about the malware they detect and stop but also potentially stop new malware that has never been seen before. Software AI and ML will allow for systems to defend against malware on the application level while hardware security will help to prevent attacks that are too low-level for software to detect.