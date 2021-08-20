In this episode of “The Buzz,” Bank Automation News speaks with cybersecurity research analyst Micah Musser of Georgetown University’s Center for Security and Emerging Technologies, and a co-author of the recent report, “Machine Learning and Cyber Security: Hype and Reality” about the use of artificial intelligence (AI) and machine learning (ML) in creating sophisticated attacks.

AI and ML could be leveraged to coordinate spear-phishing attacks that target specific people, or even to build malware that could navigate networks, to analyze what to infect as it goes, Musser tells BAN. However, “could” is the operative word there. There is much speculation as to how AI and ML could be used, but how can financial institutions separate the hype from reality?

Musser shares some of the ways AI and ML could potentially be used to both accomplish cyberattacks and heighten security. As it turns out, some of the techniques marketed by vendors as AI and ML have been around for 20 years. In this week’s podcast, Musser breaks down what is overhyped and what is not — and how financial institutions can separate marketing fiction from cybersecurity reality.

The Bank Automation News webinar on automation technology for exceptional bank cybersecurity and ID verification takes place on Thursday, Sept. 9, at 11:30 a.m. ET. Register here. Attendees will be able to ask questions via chat.

Subscribe to The Buzz Podcast on iTunes, Spotify, or download the episode.

The following is a transcript generated by AI technology that has been lightly edited but still contains errors.

Loraine LawsonGood day this is Bank Automation Newsdeputy editor Loraine Lawson and welcome to the Buzz. This week I spoke with Micah Musser, a research analyst with the Center for Security and Emerging Technology at Georgetown University. He co authored a research report on Machine Learning and Cyber Security: Hype and Reality. We discussed what financial institutions needed to know to separate the hype from reality when it comes to AI and automated cybersecurity. You looked at the academic literature on a wide range of applications combining cybersecurity and artificial intelligence to sort of assess their potential for cybersecurity. Before we get into the cybersecurity itself, I was curious about one thing you mentioned early in the report, and that is speculation about the way AI will be used to further intensify cyber attacks in the near future. Can you discuss some of the ways they might actually be used to cyber attack?

Micah Musser

Sure, yeah. So this is actually something that CSET has a has a different report, looking at the offensive cyber and how AI might be used in cyber attacks. And there, we speculate that it could be useful for a couple of things. Uhm… probably one of the easiest things you could do. There are very sophisticated language models now that can write persuasive text. And so it might be easier to generate spear phishing campaign or spear phishing emails that target specific people and like use a couple biographical details about them, but that come across as much better than your standard phishing email. Beyond that, I mean, on a on a technical level, they’re also speculatively AI could be used to sort of build malware that can learn how to pivot through networks, or can sort of make cost benefit decisions about which computers to infect on the fly. But a lot of that is very speculative. And I think there are so many news about new attacks every day that I don’t know that there’s a huge need for attackers to turn to AI right now. They’re doing fine without it. Probably the email writing the phishing thing is is going to be like the lowest hanging fruit for attackers to start using AI for.

Loraine Lawson

Okay, interesting. Um, I admitted I covered security off and on for decades now. And I was surprised to say that quote, it might surprise, same policymakers to learn that machine learning systems have a color use for a number of key cybersecurity tasks for your 20 years. And quote, can you explain how ML and AI have already been used at work in cybersecurity and what’s been done?

Micah Musser

Yeah, so probably some of the, in this report, we talk about three areas where ml has been used for a while now, about two decades for each of them. One is spam detection. So email classifiers, that try to find ways of learning what spam emails look like have been pretty common for a while. They mostly make use of ml and have since about 2002. intrusion detection and malware detection are the other two, the difference between them being intrusion detection focuses on on behaviors across a network. And now we’re detecting this looks at a specific file and tries to figure out is this file malicious. And there’s been research on using ml for about two decades for both of those. Part of the reason why it sometimes surprises people to hear that ml has been used for these things is because with the rise of deep learning in the last decade or so, which is really just a specific type of machine learning, more and more stuff that really always was machine learning is getting called that. And so earlier, it might have just been called like this is a statistical analysis. But now that everybody is thinking about machine learning and AI, those things are in marketing materials. They’re getting reclassified as ml.Loraine Lawson

Yeah, so a little bit of the hype there. Yeah. You write a wide range of specific tasks can be fully or partially automated with the use of machine learning, including some forms of vulnerability, discovery, deception and attack disruption. But many of those most transformative of these possibilities still require significant machine learning breakthroughs. He should break that down a bit and maybe provide some examples for the audience so they can get an idea of where the hype is.

Micah Musser

Sure. So I’ll mention Two examples. One is automated vulnerability discovery. So for instance, one way that cybersecurity analysts find vulnerabilities is with something called fuzzers. That will, basically though they’ll take input, and they’ll bombard a program with a bunch of inputs and try to see what causes strange behavior. And then experts can come along and figure out is that strange behavior, something that could be exploited? does it indicate a vulnerability. And one thing you could do with machine learning is you could try to sort of learn over time, which of those inputs are causing strange behavior. And then like focus more on those, mutate those specific ones and see if you can learn underlying patterns between them. A lot of fuzzers already kind of do certain form of this without technically being machine learning, but there’s been more and more interest in using deep learning for that. And the other the other one I mentioned is, one thing attackers might want to do is if you have a network, and a piece of malware is moving through it, you might want to be able to automate the question of when do you isolate computers from the rest of the network, or impose restrictions on them? And so you could think of a machine learning program that sort of tries to figure out from within the computer, like, what is the risk threshold? You know, when what is the likelihood that this machine has been compromised? Do I need to make the disruptive decision of sequestering that. And the issue here is that in simulations, machine learning programs can do very well with that, but only on pretty small simulations. It uses a technique, that’s called reinforcement learning. But that method gets very slow to run if your environment if your network becomes reasonably complex. So that’s why I sort of say some of this is waiting for other breakthroughs, because I don’t think we yet have good ways of efficiently calculating those sorts of ml tasks for a complex network.

Loraine Lawson

Okay. Are there other ways in which is overhyped security? Bottom line? Do you think there’s a lot of hype out there right now. And a, anything you want to specifically point to besides what you’ve already discussed,

Micah Musser

There’s definitely a lot of hype. I think the place you noticed this a lot. The stories, I think that get the most coverage have to do with detection systems, like oh, this new method is going to help us finally detect every attack before it occurs. And that’s actually where I’m sort of least optimistic about ml. Partly because detection is the stuff that ml in some form has been used for the longest. So as ml and deep learning get better, you do see more and more improvements, but like, it’s marginal, it’s not necessarily going to solve things. And the other issue, one of the other issues is that machine learning has vulnerabilities of its own. There are these things called adversarial example, examples that with a lot of machine learning, you can sort of create these inputs that look totally normal to human, but cause the model to do all sorts of wacky stuff. And there are examples of people taking image classifiers and just sort of offering pixels a little bit so that it classifies like a building as a triceratops. And it’s totally confident in that. Um, so you know, the other issue with with machine learning is that sometimes they do bring new ways to attack. And if you’re not also guarding against that, you could just be introducing more vulnerabilities at the same time that you’re protecting against others.

Loraine Lawson

So your model, when you looked at it, you looked at prevention, detection, response recovery, in active defense, you break it down by those, that four or five categories. Correct. Um, were there areas was one of those areas. Are you more optimistic about them? The others?

Micah Musser

Yeah. There’s there’s good stuff in prevention and response and recoveries, some of it is like waiting for more of those ml breakthroughs we talked about. Active defense is also interesting by that we sort of mean like, beyond just reacting to people when they attack you like what can you do to try and go out there and get information about potential adversaries. And part of the reason that’s interesting is because As ml might make tactics available to a lot more organizations that formerly it took a lot of expertise to manage. So one of the examples is honey pots. honeypot for those who don’t know, listening is basically you set up like a fake computer, but it’s designed to look like it has some like very juicy files on it, right. And so you want attackers to come and spend a lot of time there. So you can sort of figure out who they are based on the clues they leave, but the problem is, for it to look realistic, it oftentimes takes a lot of work to set these up and and plug them into the network. And one thing that machine learning can do is generate more dynamic honeypots that are watching the whole network they’re they’re sort of adjacent to and managing to find ways to make themselves look more like a part of that network. So if machine learning could take it from being like a super difficult thing to deploy to something that just takes an ITN less like a couple lines of code, then that I think would be a really helpful tool for machine or for cybersecurity people.

Loraine Lawson

Yeah, honey pots are really interesting, I think. Are there ways in which it leaders can separate the fact from fiction in a ml based in AI m l based security? Particularly with the marketing?

Micah Musser

Yeah. I would say don’t be afraid to bombard people with questions, you know, when and anytime they give you a percentage, oh, we detected X percent of attacks. You could ask them, what’s your baseline there? What counts as an detected attack? quote, unquote? You know, are these how many of these are unique things? What about how does it perform against previously unseen attacks? How do you know that what you aren’t meant catching those sorts of questions? I think it’s totally fair game to like, ask a lot of those sorts of questions. And I would also say, anyone who tells you that their ml product is like the one stop shop, I’d be suspicious of. I think ml can be can be really good at augmenting certain parts of cybersecurity. I would not trust someone who says that it’s going to solve your issues for you.

Loraine Lawson

You’ve been listening to the buzz of bank automation news podcast. Thank you for your time and be sure to visit us at BankAutomationNews.com for more automation news. You can also follow us on Twitter and LinkedIn. Please don’t hesitate to rate this podcast on your podcast platform of choice.