AI in cybersecurity

AI, Machine learning, and Deep learning definition within cybersecurity

AI cybersecurity, with the support of machine learning, is set to be a powerful tool in the looming future. As with other industries, human interaction has long been essential and irreplaceable in security. While cybersecurity currently relies heavily on human input, we are gradually seeing technology become better at specific tasks than we are.

Every technology improvement brings us slightly closer to supplementing human roles more effectively. Among these developments, a few areas of research are at the core of it all:

  • Artificial intelligence (AI) is designed to give computers the full responsive ability of the human mind. This is the umbrella discipline under which many others fall, including machine learning and deep learning.
  • Machine learning (ML) uses existing behavior patterns, forming decision-making based on past data and conclusions. Human intervention is still needed for some changes. Machine learning is likely the most relevant AI cybersecurity discipline to date.
  • Deep learning (DL) works similarly to machine learning by making decisions from past patterns but makes adjustments on its own. Deep learning in cybersecurity currently falls within the scope of machine learning, so we’ll focus mostly on ML here.

What AI and machine learning can do for cybersecurity

AI and cybersecurity have been touted as revolutionary and much closer than we might think. However, this is only a partial truth that must be approached with reserved expectations. The reality is that we may be faced with relatively gradual improvements for the future to come. In perspective, what may seem gradual when compared to a fully autonomous future is actually still leaps beyond what we’ve been capable of in the past.

As we explore the possible implications with security in machine learning and AI, it’s important to frame the current pain points in cybersecurity. There are many processes and aspects we’ve long accepted as normal that can be treated under the umbrella of AI technologies.

Human error in configuration

Human error is a significant part of cybersecurity weaknesses. For example, the proper system configuration can be incredibly difficult to manage, even with large IT teams engaging in setup. In the course of constant innovation, computer security has become more layered than ever. Responsive tools could help teams find and mitigate issues that appear as network systems are replaced, modified, and updated.

Consider how newer internet infrastructure like cloud computing may be stacked atop older local frameworks. In enterprise systems, an IT team will need to ensure compatibility to secure these systems. Manual processes for assessing configuration security cause teams to feel fatigued as they balance endless updates with normal daily support tasks. With smart, adaptive automation, teams could receive timely advice on newly discovered issues. They could get advice on options for proceeding, or even have systems in place to automatically adjust settings as needed.

Human efficiency with repeated activities

Human efficiency is another pain point within the cybersecurity industry. No manual process is perfectly repeatable every time, especially in a dynamic environment such as ours. The individual setup of an organization’s many endpoint machines is among the most time-consuming tasks. Even after initial setup, IT teams find themselves revisiting the same machines later on for correcting misconfigurations or outdated setups that cannot be patched in remote updates.

Furthermore, when employees are tasked with responses to threats, the scope of said threat can rapidly shift. Where human focus may be slowed by unexpected challenges, a system based on AI and machine learning can move with minimal delay.

Threat alert fatigue

Threat alert fatigue gives organizations another weakness if not handled with care. Attack surfaces are increasing as the aforementioned layers of security become more elaborate and sprawling. Many security systems are tuned to react to many known issues with a barrage of purely reflexive alerts. As a result, these individual prompts leave human teams to parse out potential decisions and take action.

A high influx of alerts makes this level of decision-making an especially taxing process. Ultimately, decision fatigue becomes a daily experience for cybersecurity personnel. Proactive action for these identified threats and vulnerabilities is ideal, but many teams lack the time and staffing to cover all their bases.

Sometimes teams have to decide to confront the largest concerns first and let the secondary objectives fall to the wayside. Using AI within cybersecurity efforts can allow IT teams to manage more of these threats in an effective, practical fashion. Confronting each of these threats can be made much easier if batched by automated labeling. Beyond this, some concerns may actually be able to be treated by the machine learning algorithm itself.

Threat response time

Threat response time is absolutely among the most pivotal metrics for a cybersecurity teams’ efficacy. From exploitation to deployment, malicious attacks have been known to move very quickly. Threat actors of the past used to have to sift through network permissions and disarm security laterally for sometimes weeks on end before launching their attack.

Unfortunately, experts in the cyber defense space are not the only ones benefiting from technology innovations. Automation has since become more commonplace in cyber attacks. Threats like the recent LockBit ransomware attacks have accelerated attack times considerably. Currently, some attacks can even move as quick as half-an-hour.

The human response can lag behind the initial attack, even with known attack types. For this reason, many teams have more often engaged in reactions to successful attacks rather than preventions of attempted attacks. On the other end of the spectrum, undiscovered attacks are a danger all their own.

ML-assisted security can pull data from an attack to be immediately grouped and prepared for analysis. It can provide cybersecurity teams with simplified reports to make processing and decision-making a cleaner job. Going beyond just reporting, this type of security can also offer recommended action for limiting further damage and preventing future attacks.

New threat identification and prediction

New threat identification and prediction serve as another factor that impacts response timeframes for cyber attacks. As noted previously, lag time already occurs with existing threats. Unknown attack types, behaviors, and tools can further deceive a team into slow reactions. Worse, quieter threats like data theft can sometimes go completely undiscovered. An April 2020 survey by Fugue gathered that roughly 84% of IT teams were concerned over their cloud-based systems being hacked without their awareness.

Constant attack evolution leading to zero-day exploits is always an underlying concern within network defense efforts. But for some good news, cyber attacks are not commonly built from scratch. Being that they are often constructed atop behaviors, frameworks, and source codes of past attacks, machine learning has a pre-existing path to work from.

Programming based in ML can help highlight commonalities between the new threat and previously identified ones to help spot an attack. This is something that humans cannot effectively do within a timely fashion and further highlights that adaptive security models are necessary. From this viewpoint, machine learning can potentially make it easier for teams to also predict new threats and reduce lag time due to increased threat awareness.

Staffing capacity

Staffing capacity falls under the scope of ongoing issues plaguing many IT and cybersecurity teams globally. Depending on the needs of an organization, the number of qualified professionals can be limited.

However, the more common situation is that hiring human help can also cost organizations a healthy amount of their budget. Supporting human staff requires not only compensating for daily labor but providing assistance in their ongoing need for education and certification. Staying current as a cybersecurity professional is demanding, especially in regard to the perpetual innovation that we’ve continued to mention throughout the discussion thus far.

AI-based security tools can take the lead with a less dense team to staff and support it. While this staff will need to keep up with the cutting-edge areas of AI and machine learning, cost and time savings will come alongside the smaller staffing requirements.


Adaptability is not as obvious of a concern as other point mentioned but can shift the abilities of an organization’s security dramatically. Human teams may be lacking in their capacity to customize their skill set to your specialized requirements.

If the staff is not trained in specific methods, tools, and systems, you may find that your team’s effectiveness is stunted as a result. Even seemingly simple needs like adopting new security policies can move slowly with human-based teams. This is just the nature of being human, as we cannot learn new ways of doing things instantly and must have time to do so. With the right datasets, aptly trained algorithms can be morphed to be a bespoke solution specifically for you.

machine learning in cybersecurity

How AI is used in cybersecurity

Artificial intelligence in cybersecurity is considered to be a superset of disciplines like machine learning and deep learning cyber security, but it does have its own role to play.

AI at its core is concentrated on “success” with “accuracy” carrying less weight. Natural responses in elaborate problem-solving are the ultimate goal. In a true execution of AI, actual independent decisions are being made. Its programming is designed for finding the ideal solution in a situation, rather than just the hard-logical conclusion of the dataset.

To further explain, it’s best to understand how modern AI and its underlying disciplines work currently. Autonomous systems are not within the scope of widely mobilized systems, especially in the field of cybersecurity. These self-directed systems are what many people commonly associate with AI. However, AI systems that either assist or augment our protective services are practical and available.

The ideal role of AI in cybersecurity is the interpretation of the patterns established by machine learning algorithms. Of course, it's not yet possible for modern-day AI to interpret results with the abilities of a human yet. Work is being done to help develop this field in pursuit of humanlike frameworks, but true AI is a distant goal that requires machines to take abstract concepts across situations to reframe them. In other words, this level of creativity and critical thought is not as close as the AI rumors would like you to believe.

How machine learning is used in cybersecurity

Machine learning security solutions are different from what people envision to be of the artificial intelligence family. That said, they are easily the strongest cybersecurity AI tools we have to-date. In the scope of this technology, data patterns are used to reveal the likelihood that an event will occur — or not.

ML is somewhat opposite to that of true AI in some respects. Machine learning is particularly “accuracy” driven, but not as focused on “success.” What this means is that ML proceeds intending to learn from a task-focused dataset. It concludes by finding the most optimal performance of the given task. It will pursue the only possible solution based on the given data, even if it’s not the ideal one. With ML, there is no true interpretation of the data, which means this responsibility still falls on human task forces.

Machine learning excels at tedious tasks like data pattern identification and adaptation. Humans are not well suited to these types of tasks due to task fatigue and a generally low tolerance for monotony. So, while the interpretation of data analysis is still in human hands, machine learning can assist in framing the data in a readable, dissection-ready presentation. Machine learning cybersecurity comes in a few different forms, each with its own unique benefits:

Data classifying

Data classifying works by using preset rules to assign categories to data points. Labeling these points is an important part of building a profile on attacks, vulnerabilities, and other aspects of proactive security. This is fundamental to the intersection of machine learning and cyber security.

Data clustering

Data clustering takes the outliers of classifying preset rules, placing them into “clustered” collections of data with shared traits or odd features. For example, this can be used when analyzing attack data that a system is not already trained for. These clusters can help determine how an attack happened, as well as, what was exploited and exposed.

Recommended courses of action

Recommended courses of action elevate the proactive measures of an ML security system. These are advisories based around behavior patterns and former decisions, providing naturally suggested courses of action. It is important to restate here that this is not intelligent decision making via true autonomous AI. Rather, it’s an adaptive conclusion framework that can reach through preexisting data points to conclude logical relationships. Responses to threats and mitigating risks can be assisted immensely by this type of tool.

Possibility synthesis

Possibility synthesis allows for the synthesizing of brand-new possibilities based on lessons from previous data and new unfamiliar datasets. This is a bit different from recommendations, as it is concentrating more on the chances that an action or the state of a system falls in line with similar past situations. For example, this synthesis can be used for a preemptive probing of weak points in an organization’s systems.

Predictive forecasting

Predictive forecasting is the most forward-thinking of the ML component processes. This benefit is achieved by predicting potential outcomes by evaluating existing datasets. This can be used primarily for building threat models, outlining fraud prevention, data breach protection, and is a staple of many predictive endpoint solutions.

Examples of machine learning in cybersecurity

To explain further, here are a few examples that underline the value of machine learning as it pertains to cybersecurity:

Data privacy classification and compliance

Protecting your organization from violations of privacy laws has likely risen to be a top priority over the past few years. With the General Data Protection Regulation (GDPR) leading the way, other legal measures have appeared such as the California Consumer Protection Act (CCPA).

Managing the collected data of your customers and users must be done under these acts, which usually means this data must be accessible for deletion upon request. The consequences of not following these legislations include hefty fines, as well as, damage to your organization’s reputation.

Data classifying can help you separate identifying user data from that which is anonymized or identify-free. This saves you from manual labor in attempts to parse out vast collections of old and new data, especially in large or older organizations.

User behavior security profiles

By forming custom profiles on network staff based around user behaviors, security could be tailor-made to fit your organization. This model can then establish what an unauthorized user might look like based on the outliers of user behavior. Subtle traits like keyboard strokes can form a predictive threat model. With the outline of possible outcomes of potential unauthorized user behaviors, ML security can suggest recommended recourse to reduce exposed attack surfaces.

System performance security profiles

Similar to the user behavior profile concept, a custom diagnostic profile of your entire computer’s performance can be compiled when healthy. Monitoring the processor and memory use alongside traits like high internet data use can be indicative of malicious activity. That said, some users may regularly use high volumes of data through video conferencing or frequent large media file downloads. By learning what a system’s baseline performance generally looks like, it can establish what it should not look like, similar to the user behavior rules we mentioned in an earlier ML example.

Behavior-based bot blocking

Bot activity can be an inbound bandwidth drain for websites. This is especially true for those that depend on internet-based business traffic, such as those with dedicated e-commerce storefronts and no brick-and-mortar locations. Authentic users may have a sluggish experience that causes a loss of traffic and business opportunity.

By classifying this activity, ML security tools can block the bots’ web, regardless of tools used like virtual private networks that can anonymize them. Behavioral data points on the malicious parties can help a machine learning security tool form predictive models around this behavior and preemptively block new web addresses for displaying this same activity.

The Future of Cybersecurity

Despite all the glowing dialogue around the future of this form of security, there are still limitations to be noted.

ML needs datasets but may conflict with data privacy laws. Training software systems requires plenty of data points to build accurate models, which doesn’t meld well with “the right to be forgotten.” The human identifiers of some data may cause violations, so potential solutions will need to be considered. Possible fixes include getting systems to either make original data virtually impossible to access once software has been trained. Anonymizing data points is also in consideration, but this will need to be examined further to avoid skewing the program logic.

The industry needs more AI and ML cybersecurity experts capable of working with programming in this scope. Machine learning network security would benefit greatly from staff that can maintain and adjust it as needed. However, the global pool of qualified, trained individuals is smaller than the immense global demand for staff that can provide these solutions.

Human teams will still be essential. Finally, critical thinking and creativity are going to be vital to decision-making. As mentioned much earlier, ML is not prepared or capable of doing either, and neither is AI. To continue this thread, you’ll have to use these solutions to augment your existing teams.

3 Tips for embracing the future of cybersecurity

On the road to artificial intelligence security, there are a few steps you can take to get yourself closer to the future:

  1. Invest in staying future-focused with your technology. The costs of being exploited due to outdated technology or using redundant manual labor will be far greater as threats become more elaborate. Staying ahead of the curve can help mitigate some risk. By using forward-thinking solutions such as Kaspersky Integrated Endpoint Security, you’ll be more prepared to adapt.
  2. Supplement your teams with AI and ML, do not replace them. Vulnerabilities will still exist, as no system on the market today is foolproof. Since even these adaptive systems can be deceived by clever attack methods, be sure your IT team learns to work with and support this infrastructure.
  3. Routinely update your data policies to comply with evolving legislation. Data privacy has become a focal point for governing bodies across the globe. As such, it will remain among the top points of concern for most enterprises and organizations for the foreseeable future. Be sure that you are keeping per the most recent policies.

Related Articles:

AI and Machine Learning in Cybersecurity — How They Will Shape the Future

AI cybersecurity, with the support of machine learning, is set to be a powerful tool in the looming future. As with other industries, human interaction has long been essential and irreplaceable in security.
Kaspersky Logo