Cybersecurity arguably is the discipline that could benefit most from the introduction of artificial intelligence (AI). Where conventional security systems might be slow and insufficient, artificial intelligence techniques can improve their overall security performance and provide better protection from an increasing number of sophisticated cyber threats. Besides the great opportunities attributed to AI within cybersecurity, its use comes with justified risks and concerns. To further increase the maturity of cybersecurity, a holistic view of organizations’ cyber environment is required in which AI is combined with human insight, since neither people nor AI alone has proven overall success in this sphere. Thus, socially responsible use of AI techniques will be essential to further mitigate related risks and concerns.
Since 1988, when the first denial-of-service (DoS) attack was launched,1 the sophistication, number, and impact of cyberattacks have increased significantly. As cyberattacks have become more targeted and powerful, so have cybersecurity countermeasures. While the first security tool was limited to spotting signatures of viruses and preventing their execution, today we find solutions that are designed to provide holistic protection against a wide range of attack types and a variety of target systems; nevertheless, it has become increasingly challenging to protect information assets in the virtual world.
To implement resilient and continuous protection, security systems need to constantly adjust to changing environments, threats, and actors involved in the cyber play. Cyber reality, however, appears somewhat different. Security approaches are regularly tailored to known attacks, and due to a lack of flexibility and robustness, security systems typically are unable to adapt automatically to changes in their surroundings. Even with human interaction, adaption processes are likely to be slow and insufficient.2
Due to their flexible and adaptable system behavior, artificial intelligence (AI) techniques can help overcome various shortcomings of today’s cybersecurity tools.3 Although AI has already greatly improved cybersecurity,4 there are also serious concerns. Some view AI as an emerging existential risk for humanity.5 Accordingly, scientists and legal experts have expressed alarm at the increasing role that autonomous AI entities are playing in cyberspace and have raised concerns about their ethical justifiability.6
The purpose of this work is to highlight the shortcomings of traditional security measures as well as the progress that has been made so far by applying AI techniques to cybersecurity. In addition, this work summarizes the risks and concerns linked to this development, by exploring AI’s status quo, addressing present concerns, and outlining directions for the future.
Challenges of Today’s Cybersecurity
Although awareness of cyber threats has increased, large amounts of money have been invested, and efforts are being made to fight cybercrimes, the ability of organizations to sufficiently protect their own virtual assets is not yet known.7 The involved parties in cyberspace range from single individuals, private organizations, and non-state actors to governmental organizations, all aiming to protect their cyber assets, attack those of others, or both. In addition, the sources of cyber threats are manifold: cyber threats basically arise from potential malicious acts due to financial, political, or military reasons.8
However heterogeneous and dynamic the nature of cyberspace might be, certain similarities of attacks and their countermeasures can be used to describe and allow for a holistic security framework. Most cyberattacks follow certain attack phases that can be described as a cyber kill chain.9 This framework assumes that every attack sequence starts with a reconnaissance phase, in which an attacker tries to locate gaps and vulnerabilities of a target system. The weaponizing phase follows, during which the uncovered weaknesses are used to develop targeted malicious code. This is followed by the delivery phase when the malware is transferred to the potential target. After the malware is delivered successfully, the exploit phase occurs during which the malware triggers the installation of an intruder’s code. Afterwards, the compromised host system allows the establishment of a command and control channel so that the attacker can initiate malicious actions. Counteractions can be determined depending upon where a malicious action appears in the cyber kill chain.
The integrated security approach10 (ISA) provides key ideas for a holistic view on cyber defense and a framework for such categorization. The main aim of the ISA is to generate early warnings, or alarms, preferably before the attack is launched (before the exploit phase). The alarm is supposed to generate a relevant warning message that translates newly gathered threat data into actionable tasks. By this means, the message further supports the selection of countermeasures or already contains dedicated counteractions to prevent organizations from being victims of an attack. If an intrusion cannot be prevented in advance, the extent of the attack must be detected, followed respectively by reaction and response. These measures should include actions to stop or counterattack the invader, in addition to defining recovery procedures to quickly roll back the system to its initial state.
The cyber kill chain includes the seven phases of a cyberattack, whereas the ISA consists of four counteraction phases. For detecting and blocking attacks as early as possible, all attack phases of the cyber kill chain need to be considered within the comprehensive ISA framework.11 As stated above, the emphasis is on preventing attack and detecting malicious activities during the first three phases of an intrusion, here visualized as recon, weaponize, and deliver on the left side of the diagram within the gray arrow. After the attack (depicted as exploit in the center of the arrow), the ISA measures detection, reaction, and response are necessary to interfere with the compromising malicious activities.
The complex and dynamic nature of cyberspace leads to various strategic and technological challenges that hinder and complicate an organization’s ability to protect itself sufficiently in this virtual environment. These challenges comprise data acquisition, technology driven matters, as well as shortcomings in regulation and process management.
Challenges in Gathering Cyber Intelligence
The fact that perpetrators leave tracks when attempting to attack a potential target system is the key to better understanding an attacker. Consequently, an ISA with its holistic view of an organization’s security requires gathering and analysis of a range of information for gaining cyber intelligence.12 There are challenges, however, in acquiring relevant data as well as in processing, analyzing, and using it. Therefore, related efforts to effectively prevent, detect, and respond to malicious intrusions are regularly aided by security tools that aim to automate supporting security processes. The main challenges in acquiring relevant data tracks are:13
a. Amount of data: The amount of data has increased exponentially since electronic devices and their use have become ubiquitous in our work and daily lives. For the implementation of an ISA, data from all systems across entire organizations may need to be considered.
b. Heterogeneity of data and their sources: The variance in data and its sources makes it difficult to identify and collect those data; moreover, both are spread across organizational and national borders. Even if the relevant heterogeneity within the cyber environment is identified, topology and behavior of systems and networks may change and, thus, require constant adaption.
c. High data velocity: The high rate at which data is produced and processed within its sources leads to challenges in data storing and processing, which, in turn, is essential for subsequent analysis.
When it comes to processing, analyzing, and using the acquired data, intrusion detection prevention systems (IDPS) have proved to be an invaluable tool for cybersecurity,14 one of many in today’s cybersecurity arsenal. An IDPS is either software or hardware configured to protect single systems or entire networks. There are two main principles for IDPSs: the misuse detection approach, which identifies malicious activities by defining patterns of abnormal network and/or system behavior, and the anomaly detection approach, which is based on defining patterns of normal network and/or system behavior. Security experts define both patterns, mainly based on their experiences plus their prior knowledge of cyber threats.15
Cyber reality, however, is of a highly complex and dynamic nature; new threats appear constantly, and attacks are specifically tailored to circumvent known protection scenarios. While the desired characteristics of IDPSs are optimized performance, maximum protection, and minimum error,16 traditional security systems are no longer able to fully fulfill these requirements. The most critical technological weaknesses are:17
a. Low detection rate: Any inaccuracy in defining patterns of abnormal or normal network and/or system behavior may affect the IDPS’s detection rate. The continuously changing network environment makes this task even more challenging. Errors in defining abnormal patterns can lead to high false negative detection rates. Here, the malicious network activities of attempted attacks are not detected in advance because a non-malicious network behavior was assumed instead. By contrast, erroneous definition of normal patterns can cause high false positive rates, causing non-malicious network activities to be categorized as malicious.
b. Slow throughput: IDPSs can show limitations in processing and analyzing gigabits of data per second. Mechanisms that address this issue are based mainly on the distribution of data processing and, thus, can further affect the system’s operation, maintenance, and related costs.
c. Lack of scalability and resilience: Cyber environments are dynamic. Infrastructures and network traffic change and expand constantly, and vast amounts of heterogeneous data need to be processed and analyzed. These dynamics further lead to performance issues and a loss of efficiency, as IDPSs might not be able to provide and maintain their functionalities when coping with these dynamics.
d. Lack of automation: IDPSs are not yet able to adapt automatically to changes in their environment. This can result in the need for individual analysis of log data; the manual readjustment of systems to changes in the network environment; or for experts to determine the appropriate reaction for every individual warning message. This lack of automation results in a constant need for human supervision, and causes delays as well as an overhead in costs and resources.
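The two detection principles and the error types described under "Low detection rate" can be seen side by side in a short sketch. This is an added example, not code from the article or its sources; the signatures, baseline values, threshold, and events are all constructed for illustration.

```python
import re
from statistics import mean, stdev

# Misuse detection: expert-defined patterns of abnormal behaviour (constructed signatures).
SIGNATURES = [re.compile(r"union\s+select", re.I), re.compile(r"\.\./")]

# Anomaly detection: expert-defined pattern of normal behaviour, here a
# constructed baseline of requests per minute observed from a single host.
BASELINE_RPM = [10, 12, 9, 11, 13, 10, 12, 11]

# Constructed events: (label, request line, requests per minute, truly malicious?)
EVENTS = [
    ("known attack, low rate", "GET /item?id=1 UNION SELECT pw FROM users", 11, True),
    ("novel attack, no signature", "POST /api/export?fmt=unseen-payload", 95, True),
    ("benign backup burst", "GET /backup/archive.tar", 80, False),
    ("ordinary browsing", "GET /index.html", 12, False),
]

def misuse_detect(request):
    """Flag only what matches a known-bad pattern."""
    return any(sig.search(request) for sig in SIGNATURES)

def anomaly_detect(rpm, baseline=BASELINE_RPM, k=3.0):
    """Flag anything more than k standard deviations away from the baseline."""
    return abs(rpm - mean(baseline)) > k * stdev(baseline)

def evaluate(mode):
    """Count both error types for 'misuse', 'anomaly' or 'combined' detection."""
    fp = fn = 0
    for _label, request, rpm, malicious in EVENTS:
        by_misuse = misuse_detect(request)
        by_anomaly = anomaly_detect(rpm)
        flagged = {"misuse": by_misuse, "anomaly": by_anomaly,
                   "combined": by_misuse or by_anomaly}[mode]
        if flagged and not malicious:
            fp += 1  # non-malicious activity categorized as malicious
        if malicious and not flagged:
            fn += 1  # attack missed because normal behaviour was assumed
    return {"false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    for mode in ("misuse", "anomaly", "combined"):
        print(mode, evaluate(mode))
```

On these events the signature list misses the attack it has no pattern for, the baseline flags the benign burst and misses the low-rate attack, and combining both removes the misses but keeps the false alarm.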
Due to the technological challenges, organizations may face security deficits at some point; they may use several security systems or purchase security intelligence, in terms of security consulting, through third-party providers.18
Besides the comprehensive acquisition of data and the use of solid security technologies for protecting the full range of information in a timely manner, supporting processes also need to be considered. The establishment and maintenance of these processes is as important as data acquisition and the use of appropriate security technologies. Inter-organizational as well as intra-organizational processes can help to further improve and maintain organizations’ ISAs, in addition to increasing their cybersecurity maturity level.19 Furthermore, the creation of a so-called cyber ecosystem20 encourages partnerships between diverse actors across the cyber landscape that aim to address and share security threats, experience, or resources.
Organizations operating in different sectors also tend to have inconsistent demands of cybersecurity. These differences can correspond to heterogeneous security requirements as well as varying responses when facing similar cyberattacks.21 In cases where organizations need to protect critical infrastructures, such as water treatment or nuclear power plants, they focus on increased security rather than on financial aspects. In comparison, private organizations tend to focus on financial losses and do not give too much importance to endangering public safety.22
These are only some of the challenges that trouble organizations when setting up their security strategy. Given the important role of security systems in this context, the following section will focus on the technological measures.
Intelligent Techniques to Facilitate Security Measures
In tackling intelligence-gathering issues for cybersecurity, intelligent machines show promise of improving today’s security measures. Intelligent machines can perform some human cognitive abilities (ability to learn or reason) as well as having sensory functions (ability to hear or see). These machines exhibit what we could call intelligence.23 Such artificial intelligence enables machines to behave intelligently and imitate human intelligence, albeit to a limited extent.
The development of intelligent systems, either software or hardware, provides methods to solve complex problems, that is, problems that could not be solved without applying some intelligence.24 Whereas traditional computer systems are based on fixed algorithms25 and require known data formats for decision making, the computer science discipline of AI developed flexible techniques, such as the recently revived approach of deep neural networks, that enable machines to learn26 and adapt automatically to the dynamics of their environment. In cyberspace, this may include the automatic adaption to heterogeneous data formats, changing data sources, or noise27 in cyber activities.
In the realm of AI, cybersecurity arguably is the industry that could benefit most from the introduction of machine intelligence; furthermore, the challenges of conventional security systems are supposed to be overcome by using autonomous AI systems.28 Consequently, the issues in data acquisition (amount, heterogeneity, and velocity of data) as well as the problems of the related tools (low detection rate, slow throughput, a lack of scalability and resilience, and a lack of automation) could be mitigated through AI. Thus, efficiency and the effectiveness of cybersecurity and its respective tools could be improved.
The field of AI has developed and is still developing numerous techniques to address intelligent system behavior, and many have been established already in the field of cybersecurity. These systems can therefore handle and analyze vast amounts of information within a reasonable time frame and, in the event of an attempted attack, can analyze the information and select dedicated counteractions. Possible scenarios, where AI techniques are applied to security issues related to the four categories within the ISA, can demonstrate the vast possibilities of the various branches of AI.
Interacting Intelligent Cyber Police Agents to Monitor Entire Networks
The paradigm of intelligent agents is a branch of AI that arose from the idea that knowledge in general and, especially, knowledge to solve problems ought to be shared between different entities. A single agent is an autonomous cognitive entity,29 with its own internal decision-making system and an individual goal. To achieve its goal, an agent acts proactively within its environment and with other agents. In addition, agents have a reactive behavior; they understand and respond to changes in their environment and interact with it and other decentralized agents. Over time, agents self-adapt to dynamic changes in their environments, given their own accumulated experiences.30
Due to their decentralized and interacting nature, intelligent agents are predestined to gather information on entire networks and surrounding systems. It appears that this favorable characteristic has been used not only in terms of defense measures, but also for reconnaissance and exploitation (see the cyber kill chain discussed above) of potential target systems.31 Since the behavior of every agent is formed by its experiences within its own personal environment, it is quite challenging to protect against such individualized threats.