Is the Future of Cyber Security in the Hands of Artificial Intelligence (AI)? - Pentestmag


by Ensar Seker

It is a fact that machine-learning has taken great steps in recent years, from autonomous tools to virtual assistants, from chatbots to face/object recognition. What about cybersecurity?

In Chinese philosophy, yin and yang represent how seemingly opposite poles can complement each other and achieve harmony.

In cybersecurity, this ancient philosophy perfectly represents the relationship between supervised and unsupervised machine learning. For example, supervised machine learning processes can be used for detection, while unsupervised machine learning uses clustering. In the case of cybersecurity and data security research and development, supervised machine learning is often implemented in the form of machine learning algorithms.

It is not easy to describe Artificial Intelligence (AI). It has no clear definition. Most of the existing definitions try to express AI as a computer process that mimics human intelligence and behavior and acts intelligently. But this raises more questions: What is intelligence? Do people always act smart and logical? Is human intelligence the desired achievement for AI? Or can a computer perform better than a human? Definitions that base AI on rational behavior refer to a computer doing things that are difficult to do. In this article, however, a pragmatic approach is adopted to simplify the issue, and AI is defined as a scientific area responsible for producing computer-based solutions to complex problems for which human beings have difficulty finding solutions.

Figure 1 - AI Technology Landscape

The use of AI in cybersecurity is relatively new. Some cybersecurity experts argue that the answer to cybersecurity is machine learning to detect sophisticated breaches, and that cybersecurity will only continue to succeed if the IT environment is secured with the help of AI-based solutions. Others argue that while machine learning is very good at finding similarities, it is not good enough at detecting anomalies and is therefore not suited to cybersecurity.

Beyond these discussions, it is a fact that machine-learning has taken great steps in recent years, from autonomous tools to virtual assistants, from chatbots to face/object recognition. As we move towards a future where cybersecurity is much more integrated into our daily life, it is important to be aware of different approaches based on machine and deep learning in order to better defend the network and data security against increasingly complex and advanced attacks.

As you may already know, there are four types of machine learning algorithms to train a machine neural network: Supervised Learning, Unsupervised Learning, Semi-supervised Learning (also known as active learning), and Reinforcement Learning. Supervised learning is about learning from a training data set; it is limited in its ability to detect threats, as it only looks for details it has seen and flagged before, while unsupervised learning constantly scans the network and finds anomalies. Unsupervised learning does not require labeled training data and is better suited to detecting suspicious activity, including detecting attacks that have never been observed before.

Supervised learning is about learning from a training dataset. Supervised machines learn from the data itself, so they are limited to detecting threats whose details they have previously seen and marked. For unsupervised learning, labeled training data is not required, and it is more suitable for detecting suspicious activity, including detecting attacks that have never been observed before. Unsupervised learning constantly scans the network and finds anomalies.

Figure 2 – Machine Learning Algorithms

Machine learning is already used to reduce the load on attack detection and prevention tools as part of cybersecurity systems. AI algorithms try to model a decision mechanism similar to real human decision-making.

There have been a number of attempts to override unsupervised machine learning security solutions, resulting in a host of untested solutions to a variety of security problems. Many of these early attempts had difficulty generating enough data to effectively detect complex breaches such as identity fraud and advanced cyberattacks.

By contrast, unsupervised machine learning is about finding and describing the hidden structures in the data. This problem is related to the problem of defining distance functions, since most, if not all, cluster algorithms are based on numerical and non-categorical data, and therefore we hear as much about cluster algorithms as we do about classification.

In the context of cybersecurity, AI tries to defend the system by weighing behavior patterns that indicate a threat to the systems. From this point of view, machine learning is the process of learning patterns that lead to malicious behavior.

AI solutions in information security are generally either analyst-oriented or focused on unsupervised machine learning. Using unsupervised machine learning to detect rare or abnormal patterns can increase the detection of new attacks. However, it can also trigger more false positives and warnings, and investigating them requires a significant amount of analysis effort. Such false alarms can cause alarm fatigue and distrust and, over time, lead to a return to analyst-focused solutions and their weaknesses. Three major challenges facing the information security industry, each of which can be addressed by machine learning solutions, have been identified as follows [2]:

Missing or Lack of Labeled Data: Many organizations lack the ability to use labeled examples of previous attacks and supervised learning models.

Continuously Evolving Attacks: Even when supervised learning models are possible, attackers can change their behavior and override them.

Limited Time and Budget for Research or Investigation: Relying on analysts to investigate attacks is costly and time-consuming.

As the industry is still experimenting with the technology as a proof-of-concept, however, the idea of trust is ideal where the security solution is machine learning. It can help to improve the fight against cybercrime, and AI can boost human efforts by automating the pattern-recognition process. Machine learning systems report useful data based on categories, while analysts talk openly about how machine learning can be a black box solution for security, where CISOs are not quite sure what is under the hood.
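The contrast drawn above between supervised and unsupervised detection, including the false-positive cost, can be reproduced on a toy data set. This is an added example, not code from the original article: the two features, all sample values and the z-score threshold of 3 are constructed assumptions, and a nearest-centroid classifier stands in for a supervised model.

```python
import math
from statistics import mean, pstdev

# Constructed samples: (failed logins per minute, MB sent out per minute).
BENIGN = [(1, 2), (0, 3), (2, 1), (1, 4), (0, 2), (2, 3)]
KNOWN_ATTACK = [(40, 2), (55, 1), (35, 3), (60, 2)]  # labeled brute-force history

# Constructed test events with ground truth: (name, features, is_attack).
EVENTS = [
    ("routine user",        (1, 3),  False),
    ("brute-force variant", (50, 2), True),   # resembles the labeled attacks
    ("bulk data transfer",  (1, 90), True),   # attack type absent from the labels
    ("nightly backup",      (0, 60), False),  # rare but legitimate
]


def centroid(points):
    return tuple(mean(axis) for axis in zip(*points))


def train_supervised(benign, attack):
    """Nearest-centroid classifier: needs labeled examples of both classes."""
    c_benign, c_attack = centroid(benign), centroid(attack)

    def is_attack(x):
        return math.dist(x, c_attack) < math.dist(x, c_benign)

    return is_attack


def train_unsupervised(unlabeled, threshold=3.0):
    """Per-feature z-score against a learned baseline: no labels needed."""
    columns = list(zip(*unlabeled))
    mu = [mean(c) for c in columns]
    sigma = [pstdev(c) or 1.0 for c in columns]  # guard against zero spread

    def is_anomalous(x):
        return any(abs(v - m) / s > threshold for v, m, s in zip(x, mu, sigma))

    return is_anomalous


def evaluate(detector, events):
    """Return (detected attacks, missed attacks, false positives) by name."""
    detected, missed, false_pos = [], [], []
    for name, features, truth in events:
        flagged = detector(features)
        if truth and flagged:
            detected.append(name)
        elif truth:
            missed.append(name)
        elif flagged:
            false_pos.append(name)
    return detected, missed, false_pos


def compare():
    supervised = train_supervised(BENIGN, KNOWN_ATTACK)
    # The baseline is built from traffic treated as unlabeled.
    unsupervised = train_unsupervised(BENIGN)
    return evaluate(supervised, EVENTS), evaluate(unsupervised, EVENTS)


if __name__ == "__main__":
    for label, result in zip(("supervised", "unsupervised"), compare()):
        print(label, dict(zip(("detected", "missed", "false_pos"), result)))
```

The supervised model misses the attack type it has no labels for and raises no false alarm, while the baseline detector catches both attacks at the price of flagging the legitimate backup, which an analyst then has to triage.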

Today, AI is not ready to replace humans, but by automating the pattern-recognition process, it can enhance human efforts. There is a truth here that cannot be denied because machine learning has very different uses in cyber defense.

Considering all usage areas, it is possible to evaluate the use of AI in cyberspace in two categories: the use of artificial intelligence for cyber defense and the use of artificial intelligence for cyber offense.

The Use of Artificial Intelligence for Cyber Defense

Traditional fixed algorithms (such as hard-wired logic at the decision-making level) are ineffective at combating dynamically evolving cyber-attacks. Therefore, more innovative approaches are needed, such as using Artificial Intelligence methods and practices that provide flexibility and learning ability, especially in cyber defense.

Considering cyber defense, the existing Artificial Intelligence methods and architectures can be listed as follows:

  1. Neural Nets: Neural networks have a long history, which began in 1957 with the invention of the “perceptron” by Frank Rosenblatt. In machine learning, the perceptron is an algorithm developed for supervised learning of binary classifiers (functions that decide whether the input, represented by a vector of numbers, belongs to a particular class). One of the most popular elements of these neural networks is the artificial neuron [3, 4]. A small number of perceptrons working together can learn and solve problems, but neural networks can consist of a large number of artificial neurons. Such networks can provide massively parallel learning and decision-making functionality. The most prominent feature of these networks is their operational speed. They are very suitable for pattern recognition, learning, classification, and response to attacks. They can be implemented in both hardware and software [5].

Neural networks are also suitable for intrusion detection and prevention [6, 7, 8, 9]. Scientific studies show how effective these networks are for DoS detection [10], computer worm detection [11], spam detection [12], bot detection [13], malware classification [14] and digital forensic research [15].

One reason neural networks are popular in cyber defense is their high speed when they are implemented in hardware or run on graphics processors. Third-generation neural networks, that is, spiking neural networks that mimic biological neurons more realistically, are among the new developments in neural network technology. Systems based on FPGAs (Field Programmable Gate Arrays), which allow neural networks to be developed rapidly and adapted to changing threats, make significant contributions to cyber defense [16].

Figure 3 – Neural Networks

  2. Expert Systems: Expert systems are the most used Artificial Intelligence tools. An expert system is software for finding answers, in some application domain, to questions presented by a user or by another piece of software. It can be used directly to support decisions in areas such as medical diagnostics, finance, or cyberspace. There are a variety of expert systems for solving problems, from small technical diagnostic systems to complex, very large and sophisticated hybrid systems. Conceptually, an expert system includes a knowledge base, which stores expert knowledge about a particular application area, and an inference engine. The empty knowledge base and the inference engine are collectively referred to as the expert system shell. To be used, it must be filled with information. The expert system shell should be supported by software for adding information to the knowledge base, and it should be extensible with programs for user interaction and other programs that can be used in hybrid expert systems. Developing an expert system means, first, selecting or adapting an expert system shell and, second, acquiring expert knowledge and filling the knowledge base with information or a dataset. The second step is much more complicated than the first and takes much more time. An example of expert systems that can be used in cyber defense is security planning [17]. An expert system used in this field significantly simplifies the task of choosing security measures and provides guidance for the best use of limited resources. In addition, the use of expert systems in intrusion detection goes back a long way [18, 19].
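The split between the shell (inference engine plus empty knowledge base) and the expert knowledge that fills it can be shown with a small forward-chaining engine. This is an added example, not code from the original article or from the systems it cites; the class name, the rule names R1 to R4 and the security-planning facts are hypothetical and constructed for illustration.

```python
class ExpertSystemShell:
    """Inference engine with an initially empty knowledge base."""

    def __init__(self):
        self.rules = []  # knowledge base: (rule name, premises, conclusion)

    def add_rule(self, name, premises, conclusion):
        self.rules.append((name, frozenset(premises), conclusion))

    def infer(self, facts):
        """Forward chaining: fire rules until nothing new can be derived.

        Returns the derived facts and the names of the rules fired, in order,
        which doubles as an explanation of how each result was reached.
        """
        known = set(facts)
        fired = []
        changed = True
        while changed:
            changed = False
            for name, premises, conclusion in self.rules:
                if premises <= known and conclusion not in known:
                    known.add(conclusion)
                    fired.append(name)
                    changed = True
        return known - set(facts), fired


# Constructed security-planning knowledge (hypothetical rules, for illustration).
# R1 depends on a fact that only R2 can derive, so it fires on the second pass.
SECURITY_PLANNING_RULES = [
    ("R1", {"high_confidentiality", "internet_facing"}, "encrypt_in_transit"),
    ("R2", {"handles_payment_data"}, "high_confidentiality"),
    ("R3", {"internet_facing"}, "network_filtering"),
    ("R4", {"high_confidentiality", "remote_admin"}, "multi_factor_auth"),
]


def build_security_planner():
    """Fill an empty shell with the constructed knowledge base."""
    shell = ExpertSystemShell()
    for rule in SECURITY_PLANNING_RULES:
        shell.add_rule(*rule)
    return shell


if __name__ == "__main__":
    system = {"handles_payment_data", "internet_facing"}
    print("empty shell:", ExpertSystemShell().infer(system))
    measures, explanation = build_security_planner().infer(system)
    print("filled shell:", sorted(measures), "via", explanation)
```

The engine is a dozen lines and never changes; everything domain-specific lives in the rule list, which is why acquiring and encoding that knowledge is the expensive step.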

Figure 4 – Expert Systems

  3. Intelligent Agents: Intelligent agents are software components with some features of intelligent behavior that make them special (proactivity, and understanding of and response to an agent communication language). These software components have planning, variability, and deep thinking capabilities. The concept has been adopted in software engineering, where software agents are thought of as proactive and able to use an agent communication language. When comparing agents and objects, however, the differences are that objects can be passive and do not need to understand any language (although they accept messages with well-defined syntax) [17].

There are studies showing how effectively intelligent agents can be used against DDoS attacks in cyber defense [20, 21]. Some of these studies also state that it is possible to develop a “cyber police” consisting of mobile smart agents after solving some legal and commercial problems [22]. In addition, hybrid multi-agent, neural network-based intrusion detection systems [23] and agent-based distributed intrusion detection systems [24] are other research efforts in this regard.

Figure 5 – Intelligent Agent

  4. Search: Search is found in almost every smart program in various shapes and formats, and its efficiency is often critical to the performance of the entire program. If, besides the requirements for a solution, additional information can be used to guide the search, search effectiveness can be significantly improved. Many search methods have been developed in AI, and although they are used in much software, this is not generally seen as a use of AI. For instance, dynamic programming [25, 26] is used specifically to solve optimal security problems, but the embedded search is not regarded as an AI application. And-or trees, αβ-search, minimax search, and stochastic search are widely used in game applications and are especially useful for decision making in cyber defense. The αβ-search algorithm, originally developed for computer chess, is very successful in problem-solving and especially in evaluating and deciding the best possible actions of two opposing parties. Using estimates of the minimum assured gain and the maximum possible loss, this algorithm allows the search to be accelerated by ignoring a large number of options.
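How αβ-search ignores options without changing the decision can be seen by running it next to plain minimax on the same tree. This is an added example, not code from the original article; the defender action names and all leaf utilities are constructed, with the defender maximizing, the adversary minimizing, and the defender choosing a follow-up at the third level.

```python
import math


def minimax(node, maximizing, counter):
    """Plain minimax: evaluates every leaf of the tree."""
    if isinstance(node, (int, float)):
        counter[0] += 1
        return node
    values = [minimax(child, not maximizing, counter) for child in node]
    return max(values) if maximizing else min(values)


def alphabeta(node, maximizing, alpha, beta, counter):
    """alpha = gain the defender is already assured of elsewhere,
    beta = loss ceiling the adversary can already enforce elsewhere."""
    if isinstance(node, (int, float)):
        counter[0] += 1
        return node
    if maximizing:
        best = -math.inf
        for child in node:
            best = max(best, alphabeta(child, False, alpha, beta, counter))
            alpha = max(alpha, best)
            if alpha >= beta:  # adversary would never allow this branch
                break
        return best
    best = math.inf
    for child in node:
        best = min(best, alphabeta(child, True, alpha, beta, counter))
        beta = min(beta, best)
        if alpha >= beta:  # defender already has a better option
            break
    return best


# Constructed game tree: defender action -> adversary replies -> defender
# follow-ups. Leaves are defender utilities (higher is better for defense).
OPTIONS = {
    "isolate_host": [[3, 5], [6, 4], [7, 8]],
    "block_ip":     [[2, 4], [9, 1], [8, 6]],
    "monitor_only": [[1, 2], [7, 3], [4, 9]],
}


def best_response(options, prune=True):
    """Return (best defender action, its guaranteed value, leaves evaluated)."""
    counter = [0]
    best_action, alpha = None, -math.inf
    for action, replies in options.items():
        if prune:
            value = alphabeta(replies, False, alpha, math.inf, counter)
        else:
            value = minimax(replies, False, counter)
        if value > alpha:
            best_action, alpha = action, value
    return best_action, alpha, counter[0]


if __name__ == "__main__":
    print("minimax:   ", best_response(OPTIONS, prune=False))
    print("alpha-beta:", best_response(OPTIONS, prune=True))
```

Both searches select the same action with the same guaranteed value, but the pruned search evaluates 8 of the 18 leaves.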

Figure 6 – The Search Algorithms

  5. Learning: Learning improves an information system by expanding or rearranging the knowledge base or by improving the inference engine [27]. Machine learning includes computational methods for acquiring new information, new skills and new ways to organize existing information. Learning problems vary greatly in complexity, from simple parametric learning (learning the values of some parameters) to complex forms of symbolic learning, such as learning concepts, language structures, functions, and even behavior.

Artificial Intelligence offers methods for both supervised learning and unsupervised learning. Unsupervised learning is particularly useful if large amounts of data are available, and this method is common in cyber defense, where large logs can be collected. Data mining originally grew out of unsupervised learning in Artificial Intelligence [6, 28].

A distinguished class of learning methods is formed by parallel learning algorithms that are suitable for execution on parallel hardware. These learning methods are represented by genetic algorithms and neural networks. Genetic algorithms and fuzzy logic methods have been used in cyber defense, for example, in threat detection systems [29].

  6. Constraint Solving: Constraint solving is a technique developed in Artificial Intelligence for solving problems that are presented by giving a series of constraints on the solution (logical expressions, tables, equations, inequalities, etc.) [30]. The solution to a problem is a collection (a series) of values that meet all the restrictions. In fact, there are many different types of constraint problems, depending on the nature of the constraints (for example, constraints on finite sets, functional constraints, rational trees). At a very abstract level, almost any problem can be presented as a problem of constraint satisfaction. The solution to these problems is often difficult due to the need for a large number of calls. It can be used in constraint and logic programming, and in situation analysis and decision support [31, 32].

The possible cyber defense system should provide at least three levels of cybersecurity. The first level includes traditional static cyber defense mechanisms such as identity and authentication, cryptographic protection, access control, and network filtering, etc. The second level includes proactive cyber defense mechanisms such as information gathering, security assessment, network status monitoring, and attack. The third level corresponds to cyber defense management, which performs a holistic assessment of network status, the choice of appropriate or optimal defense mechanisms, and their adaptation [33].

Early warning, intrusion detection, and prevention systems, including artificial intelligence technologies, play an important role in ensuring these cybersecurity levels.

Early Warning Systems (EWS) are used to protect against cyber-attacks and respond as soon as possible. However, due to the new level of cyber threat evolving with new technologies, the new EWS architecture, unlike traditional and pure packet inspection, needs to collect, analyze, and correlate data, and at the same time detect, analyze and respond to threat models in near real-time. This need includes the development of virtual sensors, sophisticated correlation of data, new logic models for network behavior analysis, learning algorithms, and the development of concepts and new approaches that can provide scalability, reliability, and flexibility, especially in IPv6 networks [34].

The aim of using Artificial Intelligence in early warning and intrusion detection is to develop an advanced, intelligent help system for detecting attacks from the internet as early as possible in both local area networks and wide area networks. Within this framework, widely used internet protocols such as FTP, SMTP, and HTTP should also be considered, as well as newer protocols such as SOAP.

The main problems that need to be addressed in using Artificial Intelligence for cyber defense are that the available technologies are not at the desired level, and which Artificial Intelligence methodologies should be developed and adapted in order to minimize the human factor, which is considered the weakest link in cyber defense.

The Use of Artificial Intelligence for Cyber Offense

Misuse of AI can threaten security in several ways:

  • Threats to digital security
  • Threats to physical security
  • Threats to social/economic/political security

Automation of Social Engineering Attacks: NLP (natural language processing) tools are able to mimic the victim’s writing style, so Artificial Intelligence systems collect online information to automatically create personalized malicious websites/emails/links that are likely to be clicked.

Automation of Vulnerability Discovery: Past models of code vulnerabilities help speed up the discovery of new vulnerabilities.

Advanced Hacking: Artificial Intelligence can be used in many ways in hacking. For example, Artificial Intelligence provides automated tools to improve target selection and prioritization, avoid detection, and respond creatively to changes in the target’s behavior. It can also mimic human-like behavior that directs the target system to a less secure state.

Automation of Ransomware Tasks: Artificial intelligence techniques can automate various tasks such as dialogue and payment processes with victims of ransomware attackers.

Utilization of Artificial Intelligence in Applications: Artificial intelligence is used to create data poisoning attacks or backdoors.

Flock Attacks: Distributed autonomous robotic system networks allow monitoring of large areas and execution of fast, coordinated attacks.

Attacks on Autonomous Drones and Vehicles: The control of artificial intelligence-based autonomous drones and vehicles as a result of cyber-attacks poses significant threats.

Fake News: When the latest developments in image processing are combined with natural language generation techniques, attempts are made to mislead the public by producing highly realistic videos of state leaders who seem to be making speeches and comments that they have never actually made.

Personalized Disinformation and Impact Campaigns: AI-powered social network analysis can identify key factors to be approached with (malicious) offers or targeted by disinformation.


[1] K.R. Chowdhary, “Fundamentals of Artificial Intelligence,” Springer India, 2020.

[2] K. Veeramachaneni, I. Arnaldo, A. Cuesta-Infante, V. Korrapati, C. Bassias, K. Li, “AI2: Training a Big Data Machine to Defend”, IEEE International Conference on Big Data Security in New York City, 2016.

[3] F. Rosenblatt. “The Perceptron — A Perceiving and Recognizing Automaton”, Cornell Aeronautical Laboratory, 1957.

[4] Y. A. Freund, R. E. Schapire, “Large Margin Classification Using the Perceptron Algorithm, Machine Learning”, 37(3):277–296, 1999.

[5] G. Klein, A. Ojamaa, P. Grigorenko, M. Jahnke, E. Tyugu, “Enhancing Response Selection in Impact Estimation Approaches”, Military Communications and Information Systems Conference (MCC), Wroclaw, Poland, 2010.

[6] J. Bai, Y. Wu, G. Wang, S. X. Yang, W. Qiu, “A Novel Intrusion Detection Model Based on Multilayer Self-organizing Maps and Principal Component Analysis, Advances in Neural Networks”, ISNN Springer Berlin Heidelberg, 2006.

[7] F. Barika, K. Hadjar, N. El-Kadhi, “Artificial Neural Network for Mobile IDS Solution”, Security and Management, 2009.

[8] D. A. Bitter, T. Elizondo, “Application of Artificial Neural Networks and Related Techniques to Intrusion Detection”, IEEE World Congress on Computational Intelligence, CCIB, Barcelona, Spain, 2010.

[9] R. I. Chang, L. B. Lai, W. D. Su, J. C. Wang, J. S. Kouh, “Intrusion Detection by Backpropagation Neural Networks with Sample-query and Attribute-query”, International Journal of Computational Intelligence Research, 2007.

[10] B. Iftikhar, A. S. Alghamdi, “Application of Artificial Neural Network in Detection of DOS Attacks”, Proceedings of the 2nd international Conference on Security of Information and Networks. New York, NY, 2009.

[11] D. Stopel, Z. Boger, R. Moskovitch, Y. Shahar, and Y. Elovici, “Application of Artificial Neural Networks Techniques to Computer Worm Detection”, International Joint Conference on Neural Networks, 2006.

[12] C. H. Wu, “Behavior-based Spam Detection Using a Hybrid Method of Rule-based Techniques and Neural Networks”, Expert Systems with Applications, 2009.

[13] P. Salvador, et al., “Framework for Zombie Detection Using Neural Networks”, Fourth International Conference on Internet Monitoring and Protection, 2009.

[14] M. Shankarapani, K. Kancherla, S. Ramammoorthy, R. Movva, S. Mukkamala, “Kernel Machines for Malware Classification and Similarity Analysis”, IEEE World Congress on Computational Intelligence. Barcelona, Spain, 2010.

[15] B. Fei, J. Eloff, M. S. Olivier, H. Venter, “The Use of Self-organizing Maps of Anomalous Behavior Detection in a Digital Investigation”, Forensic Science International, 2006.

[16] E. Tyugu, “Artificial Intelligence in Cyber Defense”, 3rd International Conference on Cyber Conflict, 2011.

[17] J. Kivimaa, A. Ojamaa, E. Tyugu, “Graded Security Expert System”, Springer, 2009.

[18] D. Anderson, T. Frivold, A. Valdes, “Next-generation Intrusion Detection Expert System (NIDES)”, SRI International, Computer Science Lab, 1995.

[19] T. F. Lunt, R. Jagannathan, “A Prototype Real-Time Intrusion-Detection Expert System”, IEEE Symposium on Security and Privacy, 1988.

[20] I. Kotenko, A. Ulanov, “Multi-Agent Framework for Simulation of Adaptive Cooperative Defense Against Internet Attacks”, International Workshop on Autonomous Intelligent Systems: Agents and Data Mining, Springer.

[21] I. Kotenko, A. Konovalov, A. Shorov, “Agent-Based Modeling and Simulation of Botnets and Botnet Defence”, Conference on Cyber Conflict, CCD COE Publications, Tallinn, Estonia, 2010.

[22] B. Stahl, D. Elizondo, M. Carroll-Mayer, Y. Zheng, K. Wakunuma, “Ethical and Legal Issues of the Use of Computational Intelligence Techniques in Computer Security and Computer Forensics”, IEEE World Congress on Computational Intelligence, Barcelona, Spain, 2010.

[23] E. Herrero, M. Corchado, A. Pellicer, A. Abraham, “Hybrid Multi Agent-neural Network Intrusion Detection with Mobile Visualization”, Innovations in Hybrid Intelligent Systems, 2007.

[24] V. Chatzigiannakis, G. Androulidakis, B. Maglaris, “A Distributed Intrusion Detection Prototype Using Security Agents”. HP OpenView University Association, 2004.

[25] J. Kivimaa, A. Ojamaa, E. Tyugu, “Pareto-Optimal Situation Analysis for Selection of Security Measures”, MilCom, 2008.

[26] J. Kivimaa, A. Ojamaa, E. Tyugu, “Managing Evolving Security Situations”, MilCom, 2009.

[27] P. Norvig, S. Russell, “Artificial Intelligence: Modern Approach”, Prentice Hall, 2000.

[28] V. K. Pachghare, P. Kulkarni, D. M. Nikam, “Intrusion Detection System using Self Organizing Maps”, International Conference on Intelligent Agent & Multimedia Agent Systems, 2009.

[29] R. Hosseini, J. Dehmeshki, S. Barman, M. Mazinani, S. Qanadli, “A Genetic Type-2 Fuzzy Logic System for Pattern Recognition in Computer Aided Detection Systems”, IEEE World Congress on Computational Intelligence. Barcelona, Spain, 2010.

[30] B. Mayoh, E. Tyugu, J. Penjam, “Constraint Programming”, NATO ASI Series, Springer Verlag. 1994.

[31] I. Bratko, “PROLOG Programming for Artificial Intelligence”, Addison-Wesley, 2001.

[32] X. Ou, “A Logic-programming Approach to Network Security Analysis”, PhD Thesis, Princeton University, 2005.


[33] I. Kotenko, “Multi-agent Modelling and Simulation of Cyber-Attacks and Cyber-Defense for Homeland Security”, IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 2007.

[34] M. Golling, B. Stelte, “Requirements for a Future EWS — Cyber Defence in the Internet of the Future”, 3rd International Conference on Cyber Conflict, CCD COE, 2011.

The article has originally been published at:

Featured graphics by Brannon Naito

June 22, 2020
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013