Defensive AI in Cybersecurity - Master's Course

Questions and Answers

What role do recurrent neural networks (RNN) play in the field of malware detection?

They predict early-stage malware based on patterns. (correct)

They analyze phishing email content for malicious links.

They generate user and entity behavior profiles.

They perform authentication using biometric data.

Which machine learning model is mentioned for filtering phishing URLs?

Expandable Random Gradient Stacked Voting Classifier (ERG-SVC) (correct)

Deep Reinforcement Learning Classifier

Generative Adversarial Network Classifier

Support Vector Machine Classifier

For what purpose is user and entity behavior analytics (UEBA) employed?

To enhance the speed of phishing email identification.

To continuously monitor and identify deviations in user behavior. (correct)

To reinforce identity verification through biometric authentication.

To streamline the process of malware detection.

What kind of data is analyzed in phishing detection to identify malicious activities?

Content and context of communications

How does AI/ML contribute to identity verification in cybersecurity?

Through biometric authentication and facial recognition technologies

What is the primary focus of the document regarding vulnerability analysis?

Automated post-mortem analysis using natural language processing

Which method is highlighted for backup scheduling within the document?

Markov chains for modeling and optimization

What type of applications are discussed concerning AI in cybersecurity?

AI applications within the CCN-CERT framework

Which reference indicates a critique of the relationship between machine learning and cybersecurity?

CSET: Machine Learning and Cybersecurity Hype and Reality

What year was the literature review mentioning AI in cybersecurity published?

2023

Which Core Function primarily focuses on understanding and prioritizing cybersecurity risks?

Identify

Which core functions are primarily supported by AI/ML methods?

Protect and Detect

What is a key purpose of AI/ML methods in cybersecurity according to the Core Functions?

Serving as an autonomous decision mechanism

Which component is NOT explicitly part of the Protect function in the NIST Core Framework?

Risk Assessment

What role does Security Continuous Monitoring play within the NIST Core Functions?

Aids in the Detect function

Which function addresses improvement and recovery planning in the NIST framework?

Recover

In the context of the NIST Cybersecurity Framework, what is primarily involved in the Detect function?

Tracking detection processes

Which of the following elements contributes to the Protective Technology component of the Protect function?

Encryption practices

What is the primary purpose of using k-means clustering in asset cybersecurity classification?

To create groups of similar security assets

Which AI/ML method is used to automate vulnerability classification from its description?

Topic Modeling

How does AI/ML contribute to cybersecurity risk assessment?

It quantifies risks and predicts potential impacts

What is the role of Natural Language Processing (NLP) in threat intelligence?

To process large volumes of threat data for emerging threats

Autonomous Penetration Testing based on Improved Deep Q-Network focuses on which aspect of cybersecurity?

Automating penetration test processes

Which approach utilizes risk scoring using Fuzzy Sets in cybersecurity?

Asset criticality and risk prediction

What aspect of AI/ML is utilized in AutoPentest-DRL?

Deep reinforcement learning techniques

What is one of the key benefits of implementing AI/ML in vulnerability assessments?

Automatically proposing mitigations

What role does AI/ML play in intrusion detection and prevention?

It monitors network traffic and system behavior in real-time.

Which of the following approaches is used for anomaly detection in network traffic?

Auto-Encoders

How does Security Orchestration, Automation, and Response (SOAR) enhance incident response?

By selecting and executing predefined actions automatically.

What is the primary focus of AI-powered honeypots?

To enhance IoT botnet detection.

Which technology is employed to tackle class imbalance in intrusion detection systems?

Generative Adversarial Networks (GANs)

What is the goal of automatic incident response systems?

To restore systems to normal operations with enhanced resilience.

What does the term UEBA stand for in the context of network traffic analysis?

User Entity Behavior Analytics

Which method is used for predicting cyber-events through analysis?

Sentiment analysis on hacker forums.

Study Notes

CYB. Defensive AI (part 2)

• This is a Master's in Artificial Intelligence course, 2024/25 at ESEI University of Vigo.
• The course is focused on defensive AI.

AI/ML in NIST Core Functions

• AI/ML methods are employed in various cybersecurity subtasks, including detection, prediction, and response.
• These methods can contribute to several core functions simultaneously.
• AI/ML is predominantly used within the Protect and Detect functions, though they often overlap.

NIST Cybersecurity Framework Core Functions

• Identify: Asset management, business environment, governance, risk assessment, and risk management are central to this function.
• Protect: Access control, awareness & training, data security, information protection, processes, maintenance, and protective technology are crucial here.
• Detect: Anomalies and events, security continuous monitoring, and detection processes are essential to this component.
• Respond: Response planning, communications, and improvements are important to this function.
• Recover: Improvements, recovery planning, communications, and mitigation are critical.

AI/ML in NIST Core Functions (II)

• Identify: Includes asset management, business environment, governance, and risk assessment. Automated systems and processes are highlighted for risk assessment and policy enforcement.
• Protect: Features identity management, authentication/access control, awareness and training, data security, and information protection. Automated validation of security controls is a key aspect.
• Detect: Includes anomalies and events detection, security continuous monitoring, and detection processes. Automated threat intelligence sources and analysis are mentioned.
• Respond: Consists of response planning, communications, and improvements. Automated responsibility allocation and incident reporting are mentioned components.
• Recover: Covers recovery planning, improvements, communication, and mitigation. Includes aspects like automated isolation, incident characterization, and remediation.

AI/ML in NIST Core Functions (III)

• Identify: Automatic asset inventory using AI/ML clustering, vulnerability assessment using AI/ML (automatic scanning).
• Automation of vulnerability classification from descriptions using machine learning. Common vulnerabilities and exposures (CVE) database analysis by topic modeling and classification is mentioned.
• Red Team and Penetration Testing: AI/ML/RL can automate certain aspects (AutoPentest-DRL). Autonomous penetration testing using improved deep Q-Networks.

AI/ML in NIST Core Functions (IV)

• Cybersecurity Risk Assessment: AI/ML quantifies risks, assets, and vulnerabilities, using text mining for analysis of online hacker forums.
• Risk prediction: Asset criticality and forecasting is critical for comprehensive risk management, potentially using fuzzy sets.
• Threat Intelligence: AI/ML/NLP processes large threat intelligence datasets to identify and assess emerging threats and vulnerabilities.

AI/ML in NIST Core Functions (V)

• Protect: Malware detection & analysis using recurrent neural networks (RNNs), early-stage prediction.
• Phishing Detection: AI/ML/NLP identifies phishing emails and malicious links by analyzing content, sender behavior, and context. Robust ensemble models developed for filtering phishing URLs and related DNS.
• Authentication & Identity Verification: AI/ML used for biometric authentication, facial recognition, and behavioral analytics; ensuring a robust identification system.
• User and Entity Behavior Analytics (UEBA): AI/ML profiles user behavior to detect deviations from normal activity to detect potential security incidents in User and Endpoint Behavior Analytics.

AI/ML in NIST Core Functions (VI)

• Detect: Intrusion Detection and Prevention systems using AI and machine learning. Intrusion detections based on AI-powered honeypots for enhanced IoT botnet detection. Anomaly detection models applied on network traffic and various forensic data.
• Anti-fraud systems and network traffic analysis are highlighted, using AI/ML models. Detection of threat actors by analysing sentiments in hacker forums.

AI/ML in NIST Core Functions (VII)

• Respond: Security Orchestration, Automation, and Response (SOAR) – AI/ML to automate incident response, using techniques like heterogeneous security event prioritization and intelligent dynamic and isolation of ransomware attacks and mitigation.
• Automatic Incident Response: A Case-Based Reasoning approach to aid the development of response methodologies and the creation of incident response playbooks. Recommendation systems for selecting the appropriate playbook are used.

AI Applications in Cybersecurity (CCN-CERT BP/30)

• This document provides a framework for AI applications in cybersecurity, outlining AI applications for areas like threat detection, intrusion analysis, and automated responses.
• It emphasizes areas like biometric identification, improved automation, and threat intelligence.

Complementary References

• This section includes key publications on artificial intelligence for cybersecurity (including those related to literature reviews, future research directions, and specific research findings).

Description

This quiz tests your knowledge of Defensive AI concepts as part of the Master's program in Artificial Intelligence at ESEI University of Vigo for 2024/25. Dive into AI/ML applications in cybersecurity, focusing on the NIST Cybersecurity Framework's core functions like Identify, Protect, Detect, and Respond.