The introduction of AI and machine learning should not mean a decision of man or machine, but one of man and machine bringing combined skills together.
Speaking at Infosecurity Europe 2018, Christopher Morales, head of security analytics at Vectra Networks, looked at 'Building Security That Works, Machine Learning Fundamentals for Cybersecurity Professionals' and admitted that there is confusion around what AI, machine learning and deep learning are.
“AI is the output of what you’re trying to do, and do things that are repetitive tasks,” he said. “Machine learning is the method and the means to AI, but it is not AI itself.”
Morales went on to say that deep learning is part of machine learning, and there are two types: supervised and unsupervised. Supervised means it is task driven, “you give it input and have X data and you get Y output.” With unsupervised, he explained that you “have the X but no Y, a set of data and no outputs.”
Explaining unsupervised machine learning, Morales said that as conference delegates “we’ve been clustered by a vendor.”
He went on to address algorithms, saying that if you have a single algorithm and you’re using it to do a job, that is not really AI, that is about using the right tool for the job. “Look at the task and who administrates the system, and if you want to find a remote access trojan, that is a good use of supervised learning as you are being specific on what you are looking for and how to apply it,” he said.
Moving on to how this can help with security, Morales said that pattern matching has been done for years, with users focused on understanding what malware is. With machine learning, you can focus on what it does rather than what it is, and match it to that decision.
“Focus on behavior and how it relates to an attack, and focus on what to do and what it is doing to you now.”
He went on to encourage users to train systems on a subset of tools and on what it looks like when an attacker wants to get on your network, and then apply that to the network so it looks for any tool exhibiting the same behavior.
“Unsupervised learning is good at learning local context and what people do, and in this case security research on what an attacker actually does,” he said.
He concluded by saying that the real value of AI is in replicating human tasks, but what you get out of it is a reduced workload for the human. “We need to realize that machines are not going to replace humans, and in most instances they increase the human’s work,” he said.
“But in security, machines and humans are inherently different: machines are good at memorizing data and repetitive tasks and do it fast in multiple tasks, and humans are good at being creative and looking at context. It is not man or machine, but a combination of machines doing tedious work so humans can focus on creative work.”