Cybersecurity and AI/ML: Lessons from a Security Expert

Joanne LennonSenior Manager, Product Marketing November 12th 2018

As highlighted in my recent blog, How Secure is Your Edge Network? Are AI & ML the Answer?, security remains top of mind for all enterprises, and few emerging technologies have garnered more interest lately than Artificial Intelligence (AI) and Machine Learning (ML).

To get a candid, practical view of the role of AI/ML in cyber-security, I talked with Extreme’s Distinguished Systems Engineer and resident cyber-security expert, Ed Koehler, to discuss what’s real, and what isn’t when it comes to AI and ML in security.  Below is a glimpse of our Q&A:

Question 1: How do you define machine learning and artificial intelligence? 

That’s a great place to start as there is a lot of ambiguity and abuse between the ML and AI terminology. Fortunately, there is a good dichotomy between the two.

Machine Learning is largely based on statistical mechanics and analysis. ML can take in a lot of big information and run mathematical algorithms and disseminate knowledge to provide a clear view of what is going on. Using machines allow us, humans, to make decisions around the data that is generated. Machines can process more data and process it faster than humans can, which is why ML is mainstream and widely used today.

Artificial Intelligence, on the other hand, is at the razor’s edge. AI requires a system that will start up and basically learn its environment like the way a human does. In my view, AI is virtually non-existent today; not even IBM Watson is artificially intelligent.

Question 2: How important is the knowledge base that feeds AI/ML? 

Very important. Information is broad – some information can be represented well statistically, and some information can’t. The construct of the knowledge base is a crucial factor.  The narrower the construct of information, the more suited it is for ML and AI.

Consider a game of chess…. it has a narrow, well-defined set of rules. IBM Watson can play the world’s top chess player and win.  The reason is the knowledge base of information is well defined; it is easy to ‘train’ Watson in every possible move.

In contrast, using IBM Watson to diagnose pre-cancerous tumors has been proven to be less effective. Why? because the knowledge base of information is less defined. Even the world’s best research scientists and doctors don’t have all the answers. In this environment, the scientists can more accurately diagnose tumors than Watson, because in addition to relying on data, they leverage their experience and intuition. This does not mean that Watson is useless, it just means that it falls short of the definition of true AI in this space.

The key point is that machines need to be trained, like humans do, and lack the flexibility in ontology that humans have. Think about it. We can effectively move between a vast scope of environments with minimal training. Machines can’t do this as effectively. They need to be trained to a problem or action. Don’t under estimate the power of human intuition.

Question 3: Do you see a role for ML and AI in cybersecurity? 

Absolutely. There are many areas where ML solutions are being effectively used today.  The security environment is constantly changing and evolving, and ML solutions work best in areas where there is a narrow construct of information.  

Threat detection systems & firewalls are a good example.  Consider someone in Europe getting hacked by a new method – botnet or malware. That event is registered, a signature is uploaded to the cloud so that when someone in the US gets hacked, the breach has been seen before. In this instance, cloud technology and ML works like the human immune system. Recognizing and reacting to the threat.

Another example is Active Directory (AD). By correlating AD logs, you can determine brute force enumeration attacks, impersonations, administrative account privilege searches, etc. The challenge is the sheer volume of AD information makes it difficult to tease out what is important. ML can take a lot of garbage out of the way to allow humans to focus on the data sets that are important. We call this ‘actionable knowledge’.

Question 4: Any concerns about the negative use of AI/ML in cybersecurity?

Yes! We are already seeing examples where criminals are taking advantage of AI/ML solutions. If I can manipulate the knowledge base on which security systems are making decisions on, I can compromise it. This is why it is essential never to rely solely on technology – you always need human involvement.

Consider self-driving cars and the danger of manipulating the knowledge base. What would happen if the traffic signal or stop sign suddenly disappeared from an autonomous car’s view? It could have dire consequences. However these types of things can, and do, happen in the cyber world.  You need to be vigilant in protecting the integrity of your knowledge base and you can never take the human completely out of the loop. Similar to how a human can regain control of the car – there will be times where you need a human to regain control of security.

Question 5: Where should enterprises start when it comes to AI/ML?

My advice is twofold. First, invest in information. 90% of what we talked about is information. The more information that you have that can be correlated against one another the better. Invest in systems that can work in an open ecosystem.  Look for solutions with end-to-end analytics capabilities, application telemetry, etc.

Second, invest in security experts. We will never take humans out of the mix. You can’t rely on ML/AL alone so invest in human knowledge and give them the right tools. Look to hire what you don’t have – penetration experts, risk assessment experts, etc.

Additional Information

To learn more about security and Extreme Networks solutions, check out the resources below: