New AI applications are an essential tool to combat novel, AI-enabled security threats. The view that a major cyberattack poses a threat to financial stability is accepted. It’s not a question of if such an attack will arise, but when, according to the IMF. Meanwhile the global cost of cybercrime was estimated at some $8.4trillion last year and is predicted to increase. Keeping track of threats is not simple.
“When you work in cybersecurity, you are bombarded with threat intelligence; information about risks and attacks in a semi-structured text format,” explains Sven Niedner, Founder and CEO of Synamic Technologies.
On the attack
The goal of Synamic’s cyber security project, supported by ELISE, is the automation of cyber security processes. This requires reliable information that computers can read. To deliver this material, their SCR.AI system turns full text incident and threat reports into machine-readable data sets, by using – and extending the capabilities of – a cyber security knowledge graph the company had already developed.
The automation process begins with a web crawler, which finds sources of threat intelligence such as cyber incident reports. When a report is found, it is analysed using transformer models and Natural Language Processing (NLP) to extract useful knowledge by focusing on specific phrases containing malicious code. A multi-label classifier then identifies how that attack model is designed to wreak havoc on victim’s computers, for example detecting the technique and attack framework.“
Cyber-attacks are a complex chain of events and prevention is only possible with full picture detection,” Sven Niedner, founder of Synamic Technologies says. To make this possible, a knowledge graph is used to enable the threat information to be organised in the proper sequence, forming an ‘attack graph’, which Niedner likens to a fingerprint that describes how attackers will reach their goals. The edges and nodes of a graph are datapoints following a clearly defined ontology. “You basically get a machine-readable, automatically plausible description of a cyber-attack in question,” he explains. To ensure attack graphs can be shared and integrated with other tools, data is expressed using industry standards, such as MITRE ATT&CK and STIX2.
Troubleshooting with ELISE
Of course, developing such a complex tool is challenging. “You reach a point where you need additional experts to discuss problems and people with expertise in both cyber security and AI are hard to find,” Niedner says. The ELISE programme gave Synamic Technologies’ data scientist access to a fellow expert who could exchange ideas about the use of transformer models and discuss data quality, specifically the point at which the company should stop training its AI model. This is because if you over-train a model it no longer works as well, so finding the sweet spot where data quality is the best it can be is difficult. “It was very helpful to have this assistance and inspiration,” Niedner says.
Ensuring SCR.AI can detect the very latest threats is another challenge. It requires that the company continuously tests its tool’s ability on a training data set to make sure its AI is robust and threats are being detected. “The bad guys always come up with new strategies, so we have to think of a way to retrain and keep our models updated,” Niedner explains.
Explainability and deployability
To translate these technical processes to actionable insights, Synamic Technologies designed a simple user interface, with the front end featuring a visualization of the attack graph. This allows users to gain an intuitive understanding of complex processes underpinning the different attack steps. By its visual nature, the attack graph offers a degree of explainability. The overall design of the interface is intended to reflect user needs, because most users are cyber security professionals: “They are all programmers themselves and they prefer the tool to come with a more programmer like interface,” Niedner explains.
The SCR.AI tool has various applications in the cyber security industry. “It can be used to create an early warning system for upcoming threats and also to automate the processing of threat intelligence,” he says. It is currently being used by a customer in the financial services industry to simplify the process of analysing intelligence to prevent cyber security attacks.
Building a secure future
The start-up is working on a proof of concept to help it grow in the financial sector and is in discussions with partners in a bid to expand into the Internet of Things (IoT) domain. This is because as devices get smarter, the components used in them are vulnerable to cyber-attacks. Connected, critical infrastructure is a prime target for criminals and so moving into the IoT area is important for Synamic Technologies.
Niedner considers that the applications for AI in cyber security are only at their beginning, with “huge potential” for deep learning models to improve security; the ultimate aim in AI-powered cyber security is automated defence. This is a logical progression from his company’s attack graph. While SCR.AI can automatically detect attacks by recognising anomalies and patterns to warn cyber security professionals of an attack, he says “the next step is for a system to take preventative measures autonomously, without human intervention”.
While this could prove invaluable to financial services companies and operators of critical infrastructure, it requires people to have confidence that the AI system will act safely and effectively in their best interests. Furthermore, while ‘good’ AI could one day automatically protect businesses from the malicious threats, it could also be harnessed by criminals to inflict more harm by staging attacks. This means the cat-and-mouse nature of cyber security will endure.