In the next few years, Artificial Intelligence (AI) will transform and expand as a decision engine across every enterprise business layer from product development to operations to finance to sales. While, internet biggies like Google, Facebook, Microsoft and Saleforce are already embedding AI into their products, the Information Security (InfoSec) industry is also catching up to leverage AI in InfoSec. Almost every InfoSec vendor is claiming to have AI in their product. This makes it difficult for end-user organizations and they need to evaluate the AI capabilities of multiple vendors. A recent Gartner report by Whit Andrews and Jim Hare [1] raised this concern and provided a well-reasoned set of guidelines to help end-user organizations validate the AI claims made by vendors.
AI is a loosely defined term and its definition changes from vendor to vendor. In most of the discussions, AI is referred to as more of recent advances in deep learning combined with large compute power to automate most of the mundane tasks that humans can do with ease. For example, classifying images, translating speech, automatically tagging photos etc. What we need to understand: why AI is synonymous with deep learning today? Deep learning is an advanced representational learning that brings in more context for taking better decisions [2]. With the wider context available, systems will obviously do better. To build them, one needs a large amount of data. The AI solution needs to learn from a large amount of data to be contextually aware, and then act to maximise the probability of success of a defined task in that environment.
Let us discuss more on what is AI in InfoSec? Is Snort, Bro rule-based anomaly detection AI? Is Spark-based anomaly detection framework AI? Is deep learning-based classifier for malware/ransomware classification AI? These are solutions to specific subproblems that aid in InfoSec however, independently they don’t form a cohesive AI solution.
The InfoSec problem is like defending a complex system made of hundreds of subsystems and every subsystem defense needs a different solution. Deep learning is not a silver bullet that can solve all the InfoSec problems because deep learning needs a large labeled dataset and no such labeled data is available for the all the InfoSec problems. InfoSec involves monitoring and defending multiple layers of network, endpoints, data centers, etc. using typically 20-50 different technologies.
Keeping these factors in mind, we propose the following definition of AI in the context of InfoSec: “AI is a cohesive solution that employs deep learning, advanced data science techniques, machine learning and security domain knowledge to solve a lot of subproblems and brings a lot more contextual knowledge about the advanced threats present within the enterprise.”
Also, we believe that using AI-based solutions alone cannot defend our networks. We need to have an interplay of AI along with other approaches. At Acalvio, we are using deception to detect adversaries and advanced threats that may have already penetrated through the firewalls, IDS, etc. and are hiding within the enterprise network to carry out their next stage of attack kill chain. We fuse AI and deception to give a new defense layer that can detect, delay, divert, engage as well as a response to these insider threats. We use AI to automatically deploy, keep up the deceptive security within the enterprise and take the load off the shoulders of IT admins.
As the Gartner report [2] says: for any AI solution development, the tech vendor should have a focused team with either some researchers/scientists on-board or collaborate with scientists in the community to enhance the algorithms and in turn, evolve the product with more AI capabilities. At Acalvio, AI has been built into the foundation of the product from the beginning. A focused AI team is deeply embedded along with the system engineering, networking and InfoSec experts to build products with AI capabilities. At Acalvio, we have been sharing our AI methodologies with the community from early on at various technical conferences (to name a few – Splunk .conf2016, .conf2017, Cypher 2016, Data Science Summit 2017) and enhancing the AI capabilities of the ShadowPlex based on their feedback.
AI is deeply integrated and embedded in ShadowPlex, and is used to automatically produce the efficient decoys and content:
AI to Determine Decoy Configurations: To compute the decoy configs, we use several principles. One such principle is that for deception to be effective, it is important that it blends well within the enterprise network, e.g. a VLAN having Windows desktops should not have Linux desktop decoys. The same is true for services as well, a vlan having telnet service only at 5% of the endpoints should have only about 5% of the decoys having telnet service. This blending has to be computed and maintained for hundreds of vlans and thousands of hosts with ever-changing networks. It can be automated and accomplished only using AI. We leverage existing network scan data to infer the network state, topology, services, operating systems, etc. This data is used as a baseline to determine the decoy configs such that they blend well with the environment. Specifically, we have formulated this as a binary linear optimisation problem where the output is the configurations of thousands of decoys having specific set of services and mac address, etc. such that they blend well within the existing hosts.
AI to Generate Content for Decoy Share Drives: Another example of an effective deception type is a decoy SMB share drive. If the contents of the SMB share drive are static and the same in each VLAN, then the adversaries can easily spot them. In the ShadowPlex, we use AI to determine the optimal content of a fake SMB drive such that the content is contextual for each VLAN and each enterprise. Therefore it becomes difficult for the adversary to figure out the difference between fake and real content. For example, a marketing vlan SMB drive should have documents related to customer leads, marketing campaigns and marketing strategies, etc. To create the content, we use Natural Language Processing (NLP) and deep learning (specifically, LSTM networks).
Here, we have shared few use cases, however, AI is not just limited to above use cases. We are working on using AI to automatically change deceptions in real-time, based on the threats detected in each VLAN and play a game with the adversary, slow down the adversary, therefore, provide more time and richer context for the incident response team to take preventive actions.
References
[1] Gartner Report, “Questions to Ask Vendors That Say They Have ‘Artificial Intelligence’ ” Whit Andrews, Jim Hare, Gartner Report ID: G00334005, 7 August 2017.
[2] “Artificial Intelligence: A Modern Approach”, Upper Saddle River, New Jersey: Prentice Hall, Stuart J. Russel; Peter Norvig, 2003.
Authors
