At best, malware attacks honeypots; in many cases, however, it is also IT networks that are still defenceless against it. With an average of 394,000 new malware variants per day, one hundred percent malware protection is difficult to imagine.

Anti-malware solutions use heuristics to detect malware based on its behavior. Heuristics - the art of deriving the most likely result from incomplete information - is a form of artificial intelligence (AI) or machine learning.

Traditional spam filters also work purely reactively. They add up the scoring of keywords in the content of emails and classify an email as spam above a certain threshold value. If machine learning is used in spam filters, similar keyword spellings, too many special characters and capital letters in an email, hidden HTML texts and unsubscribe links referring to command and control servers are recognized in addition to keywords. Machine learning therefore ensures that the filters are trained and learn. If the email recipient works in a bank, for example, keywords such as 'credit' or the '€ sign' are accepted without any consequences. Artificial intelligence in spam filters achieves detection rates of over 99%.

Machine learning recognizes patterns

Machine learning is a sub-area of the broader term artificial intelligence and should not be used as a synonym. Machine learning can be used to identify patterns in structured data and apply them under different conditions. In the case of spam filters, for example, it is used to recognize typical behaviour, text patterns, keywords and senders, but also to analyse emails that are subsequently classified as spam by the recipient. The recognition of new patterns is constantly trained in machine learning and will be used independently by machines in the future. Such training takes time and only leads to better results after a while. Users must allow for this period of time.

Machine learning uses algorithms that are optimized for the analysis and recognition of signatures. In addition to this logic, recognized patterns are generally stored and recognized in a different context. Machine learning functions can now be found in almost all cybersecurity solutions.

Deep learning teaches machines to learn

Deep learning - as a subset or method of machine learning - independently correlates new situations with existing results. These decisions form the basis for future processes and evaluations. Deep learning is similar to processes in the human brain: the brain perceives something, thinks about it, links it to past experiences and then derives an overall assessment of the new situation. The results are repeatedly checked for accuracy and this results in continuous optimization.

Deep learning uses so-called artificial neural networks (ANNs), which are able to constantly form new links. The ANNs are made up of several layers. There are sometimes hundreds of hidden intermediate layers between the input and output layers. The weighted logic is integrated in these hidden layers. This is where the learning and correlation of information takes place. Deep learning requires large amounts of data for calibration.

Despite existing deep learning frameworks, the development of deep learning is still very time-consuming and cost-intensive. The complex and constantly improving evaluations in the hidden layers are non-transparent and hardly comprehensible. And this is precisely the disadvantage of deep learning.

On what basis are the algorithms developed? Are principles such as the GDPR or national standards adhered to? Deep learning is susceptible to false positives. But: incorrect interpretations are no longer recognized as incorrect due to the lack of transparency and subsequently lead to undetected errors. The opacity of the calculations in the hidden layers can be susceptible to attacks and prepared for manipulation by manufacturers or public clients, or at least be used for this purpose. Any manipulations are hardly recognizable due to the complexity.

Where is deep learning used?

Deep learning can interpret and process structured and unstructured data. Large amounts of data do not pose a problem. On the contrary: the more data, the more granular the links in the neural networks and the better the future results. This is why deep learning is used in image and speech recognition: voice services such as Siri, for example, are based on deep learning. Chatbots recognize the meaning of a question despite different language skills and spellings.

Face recognition or the identification of road signs, even in different weather situations and viewing angles, are also typical applications of deep learning.

The next level

Perfidious attack methods that are constantly being developed further, strong attackers (also known as the 'red team' in simulated cyber security defence) who are increasingly choosing weaker opponents (the defending 'blue team') - such as medium-sized companies -, advancing digitalization with the resulting large amounts of unstructured data and 'new work' are causing stress and worry for the blue team. The blue team is constantly trying to prevent the infiltration of the company network with suitable defense mechanisms.

Artificial intelligence on both sides is taking the 'rabbit and hedgehog game' to the next level. As always, however, attackers are ahead of the game, as AI also has to learn to recognize attack vectors first. However, if organizations have established systems that talk to and/or learn from each other via the cloud, the learning curve becomes steeper and the filters work more granularly.

But: don't automated defensive measures make the situation even worse because of all the panic, as they work emotionlessly according to algorithms? After all, they lack intuition and a view of the big picture.

The author: Robert Korherr is Managing Director of ProSoft in Geretsried.

© ProSoft

The real artificial intelligence in cybersecurity is deep learning. Deep learning learns from changes in behavior almost in real time and independently derives assessments and actions from this. However, the hidden layers, the multi-layered system within deep learning, do not work transparently. Manufacturers do not reveal the intelligence in the artificial neural networks in an effort to achieve unique selling points. As a result, the results and susceptibility to manipulation can hardly be interpreted. Teamwork in defending against attacks and regular security training for employees therefore remain more important than ever. 60% of all attacks are carried out by internal perpetrators.