AI and machine learning algorithms can sort huge volumes of data quickly and efficiently. This is essential for helping network defenders sift through an endless stream of alerts and identify those that represent genuine threats rather than false positives. Reinforcement learning underpins much of AI's value to the cybersecurity ecosystem and is the approach closest to how humans learn: through experience, trial and error.
Unlike supervised learning, reinforcement learning focuses on how an agent can learn from its own actions and the feedback it receives from its environment. The idea is that the agent improves over time by using rewards and punishments to reinforce beneficial behaviors and discourage harmful ones, accumulating enough information to make better decisions in the future.
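As a rough illustration of this reward-and-punishment loop, the sketch below trains a tabular Q-learning agent on a hypothetical alert-triage task. The states, actions and reward values are invented for the example and are not drawn from any specific product; the point is only to show how repeated feedback shapes the agent's decisions.

```python
import random
from collections import defaultdict

# Minimal tabular Q-learning sketch on a hypothetical toy task:
# the agent sees an alert "state" and chooses to escalate or dismiss it.
# Rewards reinforce correct triage decisions; penalties discourage mistakes.

STATES = ["benign_signature", "known_malware", "anomalous_login"]
ACTIONS = ["dismiss", "escalate"]
# Toy ground truth: which alert types actually deserve escalation.
TRULY_MALICIOUS = {"known_malware", "anomalous_login"}

ALPHA, EPSILON = 0.1, 0.2               # learning rate, exploration rate
q_table = defaultdict(float)            # (state, action) -> estimated value

def reward(state, action):
    """+1 for a correct decision, -1 for a missed threat or false escalation."""
    correct = (action == "escalate") == (state in TRULY_MALICIOUS)
    return 1.0 if correct else -1.0

for episode in range(5000):
    state = random.choice(STATES)
    # Epsilon-greedy: mostly exploit what was learned so far, sometimes explore.
    if random.random() < EPSILON:
        action = random.choice(ACTIONS)
    else:
        action = max(ACTIONS, key=lambda a: q_table[(state, a)])
    r = reward(state, action)
    # One-step Q-learning update (single-step episodes, so no successor term).
    q_table[(state, action)] += ALPHA * (r - q_table[(state, action)])

for state in STATES:
    best = max(ACTIONS, key=lambda a: q_table[(state, a)])
    print(f"{state}: learned action = {best}")
```

After a few thousand iterations, the learned policy escalates the malicious alert types and dismisses the benign one, purely from the reward signal rather than from labeled training examples.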
How Reinforcement Learning Can Help
Alert fatigue among security operations center (SOC) analysts has become a legitimate business concern for information security managers, who consequently worry about analyst burnout and staff turnover. Any solution that can handle most of the alert “noise” so that analysts can prioritize real threats will save the organization time and money.
AI capabilities help mitigate the threats posed by social engineering, phishing and large-scale spam campaigns by understanding and recognizing the kill chain of such attacks before they succeed. This is important given the security resource constraints faced by most organizations, regardless of size or budget.
More sophisticated, dynamic attacks pose a greater challenge and, depending on the threat actor, may only be usable a limited number of times before attackers adjust or swap out part of the attack sequence. This is where reinforcement learning can study attack cycles and identify applicable patterns from previous failed and successful attacks. The more it is exposed to sophisticated attacks and their varied iterations, the better placed reinforcement learning is to identify them in real time.
Certainly, there will be a learning curve at first, especially if attackers frequently change how they carry out their attacks. But parts of the attack chain will remain constant, providing relevant data points to drive the learning process.
From Detection to Prediction
Detection is only part of threat monitoring. Reinforcement learning may also have a role in prediction, and therefore in preventing attacks, by learning from past experiences and weak signals and using models to anticipate what might happen next.
Cyber threat prevention is a natural step forward from passive detection and a necessary progression from reactive to proactive cybersecurity. Reinforcement learning can improve a cybersecurity product's capabilities by selecting the best response to each threat. This not only streamlines responses, but also maximizes available resources through optimal allocation, coordination with other cybersecurity systems in the environment and deployment of countermeasures. The continuous cycle of feedback, reward and punishment makes prevention stronger and more effective the longer it is used.
Reinforcement Learning Use Cases
One use case for reinforcement learning is network monitoring, where an agent can detect network intrusions by observing traffic patterns and applying lessons learned to raise an alert. Reinforcement learning can go even further by executing countermeasures, such as blocking or redirecting traffic. This can be particularly effective against botnets, where reinforcement learning can study communication patterns among compromised devices and disrupt them based on the best course of action, as sketched below.
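To make the monitoring use case concrete, here is a minimal, self-contained sketch in which a tabular Q-learning agent learns whether to allow, alert on, or block flows based on coarse traffic features. The traffic generator, state features and reward values are all hypothetical; a real deployment would derive the state from actual flow telemetry (packet rates, destination fan-out, payload characteristics) and integrate with existing enforcement points.

```python
import random
from collections import defaultdict

ACTIONS = ["allow", "alert", "block"]

class ToyTrafficEnv:
    """Hypothetical traffic generator that labels flows and scores responses."""
    def observe(self):
        self.is_attack = random.random() < 0.3          # 30% of flows are hostile
        rate = "high_rate" if (self.is_attack or random.random() < 0.1) else "low_rate"
        fanout = "many_dests" if (self.is_attack and random.random() < 0.8) else "few_dests"
        return (rate, fanout)                            # discretized state

    def step(self, action):
        # Reward blocking attacks, penalize missed attacks and disrupted benign traffic.
        if self.is_attack:
            return {"block": 1.0, "alert": 0.3, "allow": -1.0}[action]
        return {"block": -0.5, "alert": -0.1, "allow": 0.2}[action]

env = ToyTrafficEnv()
q = defaultdict(float)          # (state, action) -> estimated value
alpha, epsilon = 0.1, 0.1       # learning rate, exploration rate

for _ in range(20000):
    state = env.observe()
    if random.random() < epsilon:
        action = random.choice(ACTIONS)
    else:
        action = max(ACTIONS, key=lambda a: q[(state, a)])
    r = env.step(action)
    q[(state, action)] += alpha * (r - q[(state, action)])  # one-step update

for state in [("high_rate", "many_dests"), ("low_rate", "few_dests")]:
    print(state, "->", max(ACTIONS, key=lambda a: q[(state, a)]))
```

The learned policy ends up blocking high-rate, high-fan-out flows while leaving ordinary traffic alone, which mirrors the kind of countermeasure selection described above, albeit on a drastically simplified model of the network.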
AI reinforcement learning can also be applied in a virtual sandbox environment, where it can analyze how malware operates, which can in turn inform vulnerability management and patch management cycles.
Reinforcement Learning Comes With Specific Challenges
An immediate concern is the number of devices continually being added to networks, creating more endpoints to protect. This situation is exacerbated by remote work, as well as by personal devices being allowed into business environments. The constant addition of devices will make it increasingly difficult for machine learning to account for all potential attack entry points. While a Zero Trust approach alone may struggle against these challenges, combining it with AI reinforcement learning can deliver strong and flexible IT security.
Another challenge will be access to enough data to detect trends and adopt countermeasures. Initially, there may not be enough data available to consume and process, which can distort learning cycles or even result in erroneous defensive actions.
This could have consequences when dealing with adversaries who deliberately manipulate data to fool learning cycles and corrupt the “ground truth” of the information from the start. This needs to be considered as more AI reinforcement learning algorithms are integrated into cybersecurity technologies. Threat actors are nothing if not innovative and ready to think outside the box.
Contributing author: Emilio Iasiello, Global Head of Cyber Threat Intelligence, Dentons