Use of Machine Learning (ML) is a hot topic in cybersecurity, one which will undoubtedly shape the industry for years to come. To see evidence of this we’d have to look no further than the booths at this most recent RSA Security Conference, where ML was promised as a solution for corporate cybersecurity problems. But why exactly will ML play such a prominent role, and how could it prove useful? Oddly enough the answer comes from the recent victory of ML in a game of poker.
A competition took place in Pittsburgh last month that matched top poker players against a Machine Learning system called Libratus. This tournament shared some similarities with previous victories in checkers, chess, Go and Jeopardy!, all of which hinted at the promise of ML. In this particular competition, four players each individually faced the computer in a one-on-one match. Rather than the traditional setup (in which a poker face can be as important as the cards you have), this competition was more analogous to playing online: no player had access to facial expressions or visual/audio cues, and computers served as the medium.
For much of the match it was unclear who would win: at the halfway mark contestant Dong Kim was slightly beating Libratus, with the other players not far behind. An arduous 120,000 hands were played to provide statistical confidence in the outcome. While poker pros generally assume that both skill and luck are required to win, in the latter half of the match it became clear that other factors are critical as well. While Libratus never tired, the human participants undoubtedly felt the effects of eleven hours of consecutive play. Even more significant was Libratus’ ability to pick up on each player’s strategy and subsequently use it against them, leading to its eventual victory. No matter how many times a player alters their technique, a computer will still be able to compile enough information to produce useful “tells”. Furthermore, unlike humans, these algorithms are unaffected by regret over past hands and remember every preceding scenario perfectly.
This sounds pretty hopeless for humans, but ML’s advanced use of data actually proves to be its downfall: it needs all that data to be effective. In the poker competition Libratus was able to leverage a large amount of data and won largely because it had unlimited access to data and the rules of the game remained consistent. But what about cybersecurity? In threat intelligence it is nearly impossible to come across mass quantities of labeled data corpora, which is what makes data scoring, automation and collaboration so critical. I myself am part of a team at Anomali where we use ML to contextualize and make sense of threat data provided by our Anomali partners. The ultimate application of this technology is to enable users of our ThreatStream platform to automate the process of filtering through millions of indicators for relevant threat information.
The role of ML in cybersecurity is more nuanced, though: it provides some advantages over humans but is ultimately not able to replace them. Returning to our poker example, humans are limited in that they can only play or remember so many hands in a lifetime. In the near future computers will easily incorporate more data from poker hands or cybersecurity incidents than a human could ever see across generations. Machine Learning algorithms are also more effective at pattern recognition, and never tire. From this evidence it’s fairly safe to conclude that computers have the greater experience. Humans, however, prove far better in unexpected situations where there is no previous information to draw from. Therefore the future of cybersecurity and of poker have been dealt the same hand: computers will be used for general situations, and human intuition will be needed for unexpected situations and common sense. This human-ML hybrid is the future of game-playing and medical diagnosis, and is already the present in cybersecurity.
ML’s unprecedented victory might help take cybersecurity one step ahead of adversaries. In previous iterations of man vs. machine challenges, such as chess and Go, both computer and player had access to the same information. Cybersecurity is more analogous to poker, though: the cards are hidden, and threat actors will rarely play their full hand. It is therefore left to the other players to guess at breaches or malicious intent. In these situations victory depends less on individual intelligence and more on strategic maneuvering. Typical questions threat analysts need to answer are:
- What new actors may emerge to target organizations?
- Might multiple threat actor groups really be the same one?
- What intentions might an actor group have?
- Are nation-state cyberattacks just one part of a larger political strategy?
Unfortunately for us, threat actors will fold before they show their cards, and attribution in cybersecurity proves very challenging. In the poker competition the computer had access to data from 120,000 different hands, which means a lot of contextual data. With cyber-attacks, by contrast, one confident connection between a threat actor and a campaign won’t provide in-depth information on that attacker’s patterns. Maybe you’ll identify a few pieces of malware or a handful of targets.
However, we’ve now seen an algorithm do what was thought impossible: win without all the data. This is encouraging in a field where so many of the good guys believe a fully secure future is impossible. As actors and malicious tooling increase in sophistication, the security industry should look to Machine Learning not as robots taking away human jobs, but rather as a means to empower cybersecurity professionals in the next generation of cyber intelligence defense.
About the Author
Evan Wright is a principal data scientist at Anomali where he focuses on applications of machine learning to threat intelligence. Before Anomali, he was a network security analyst at the CERT Coordination Center and a network administrator in North Carolina. Evan has supported customers in areas such as IPv6 security, ultra-large-scale network monitoring, malicious network traffic detection, intelligence fusion, and other cybersecurity applications of machine learning. He has advised seventeen security operations centers in government and private industry. Evan holds an MS from Carnegie Mellon University, a BS from East Carolina University, a CCNP and six other IT certifications. Twitter: @evanwright