Defensive AI in Cybersecurity - Master's Course

Questions and Answers

What role do recurrent neural networks (RNN) play in the field of malware detection?

• They predict early-stage malware based on patterns. (correct)
• They analyze phishing email content for malicious links.
• They generate user and entity behavior profiles.
• They perform authentication using biometric data.

Which machine learning model is mentioned for filtering phishing URLs?

• Expandable Random Gradient Stacked Voting Classifier (ERG-SVC) (correct)
• Deep Reinforcement Learning Classifier
• Generative Adversarial Network Classifier
• Support Vector Machine Classifier

For what purpose is user and entity behavior analytics (UEBA) employed?

• To enhance the speed of phishing email identification.
• To continuously monitor and identify deviations in user behavior. (correct)
• To reinforce identity verification through biometric authentication.
• To streamline the process of malware detection.

What kind of data is analyzed in phishing detection to identify malicious activities?

Content and context of communications (D)

How does AI/ML contribute to identity verification in cybersecurity?

Through biometric authentication and facial recognition technologies (A)

What is the primary focus of the document regarding vulnerability analysis?

Automated post-mortem analysis using natural language processing (B)

Which method is highlighted for backup scheduling within the document?

Markov chains for modeling and optimization (C)

What type of applications are discussed concerning AI in cybersecurity?

AI applications within the CCN-CERT framework (C)

Which reference indicates a critique of the relationship between machine learning and cybersecurity?

CSET: Machine Learning and Cybersecurity Hype and Reality (D)

What year was the literature review mentioning AI in cybersecurity published?

2023 (C)

Which Core Function primarily focuses on understanding and prioritizing cybersecurity risks?

Identify (C)

Which core functions are primarily supported by AI/ML methods?

Protect and Detect (B)

What is a key purpose of AI/ML methods in cybersecurity according to the Core Functions?

Serving as an autonomous decision mechanism (D)

Which component is NOT explicitly part of the Protect function in the NIST Core Framework?

Risk Assessment (C)

What role does Security Continuous Monitoring play within the NIST Core Functions?

Aids in the Detect function (B)

Which function addresses improvement and recovery planning in the NIST framework?

Recover (D)

In the context of the NIST Cybersecurity Framework, what is primarily involved in the Detect function?

Tracking detection processes (A)

Which of the following elements contributes to the Protective Technology component of the Protect function?

Encryption practices (D)

What is the primary purpose of using k-means clustering in asset cybersecurity classification?

To create groups of similar security assets (B)

Which AI/ML method is used to automate vulnerability classification from its description?

Topic Modeling (C)

How does AI/ML contribute to cybersecurity risk assessment?

It quantifies risks and predicts potential impacts (D)

What is the role of Natural Language Processing (NLP) in threat intelligence?

To process large volumes of threat data for emerging threats (D)

Autonomous Penetration Testing based on Improved Deep Q-Network focuses on which aspect of cybersecurity?

Automating penetration test processes (B)

Which approach utilizes risk scoring using Fuzzy Sets in cybersecurity?

Asset criticality and risk prediction (C)

What aspect of AI/ML is utilized in AutoPentest-DRL?

Deep reinforcement learning techniques (C)

What is one of the key benefits of implementing AI/ML in vulnerability assessments?

Automatically proposing mitigations (D)

What role does AI/ML play in intrusion detection and prevention?

It monitors network traffic and system behavior in real-time. (D)

Which of the following approaches is used for anomaly detection in network traffic?

Auto-Encoders (D)

How does Security Orchestration, Automation, and Response (SOAR) enhance incident response?

By selecting and executing predefined actions automatically. (B)

What is the primary focus of AI-powered honeypots?

To enhance IoT botnet detection. (A)

Which technology is employed to tackle class imbalance in intrusion detection systems?

Generative Adversarial Networks (GANs) (C)

What is the goal of automatic incident response systems?

To restore systems to normal operations with enhanced resilience. (C)

What does the term UEBA stand for in the context of network traffic analysis?

User Entity Behavior Analytics (A)

Which method is used for predicting cyber-events through analysis?

Sentiment analysis on hacker forums. (B)

Flashcards

Malware Detection

Using AI/ML to study patterns, actions, and characteristics of malicious software to identify it.

Early-Stage Malware Prediction

Predicting the emergence of malware using RNN algorithms.

Phishing Detection

AI/ML algorithms analyzing email content, sender behavior, and context to identify and block phishing attempts.

Authentication and Identity Verification

Using AI/ML for biometric authentication like fingerprint, facial recognition, and analyzing user behavior to verify identities.

User and Entity Behavior Analytics (UEBA)

AI/ML tracking and analyzing user and endpoint behavior to detect anomalies, indicating potential security breaches.

Clustering for Asset Security Classification

A technique that uses k-means clustering to group assets into categories based on their security characteristics.

Automatic Vulnerability Assessment

Machine learning models can analyze vulnerability descriptions to automatically classify their severity and suggest potential mitigation strategies.

AutoPentest-DRL

Deep Reinforcement Learning (DRL) can be used to automate the process of discovering and exploiting vulnerabilities in a system.

Text Mining for Cyber Risk Assessment

A cybersecurity risk assessment framework that leverages text mining techniques to analyze hacker forum discussions and identify potential risks.

Threat Intelligence

Threat intelligence involves gathering and processing large amounts of information to identify emerging threats and vulnerabilities.

Cyberattack Prediction

AI/ML can be used to analyze threat intelligence data, identify patterns, and predict potential cyberattacks.

Automatic Vulnerability Scanning

AI/ML models can automate the process of identifying potential vulnerabilities and suggesting remediation actions.

AI/ML Benefits in Cybersecurity

AI/ML are important for security because they can automate tasks, analyze large data sets, and identify patterns that humans might miss, improving overall security posture.

Intrusion Detection and Prevention

AI/ML analyzes network traffic and system behavior to identify malicious activity in real-time.

Anti-fraud Systems

AI/ML models analyze transaction data to identify fraudulent activities.

Security Orchestration, Automation, and Response (SOAR)

AI/ML helps automate incident response by selecting and executing actions in response to security incidents.

Anomaly Detection

AI/ML identifies unusual patterns in network traffic, system logs, and user activities.

Predicting Cyber-Events

AI/ML can be used to predict cyber events by analyzing sentiment on hacker forums.

Alert Triage and Prioritization

AI/ML techniques help prioritize security alerts based on their importance and urgency.

Automatic Detection and Isolation of Ransomware Attacks

AI/ML techniques can be used to automatically detect and isolate ransomware attacks.

Case-Based Reasoning for Incident Response

AI/ML can be used to recommend the best course of action for incident response based on past experiences.

Automated Post-Mortem Analysis

A computer program that uses algorithms to analyze vulnerabilities and detect potential threats in a system. The program then uses natural language processing to understand the relationships between vulnerabilities and suggest ways to mitigate them.

Natural Language Processing

A type of machine learning that helps computers understand and process human language. It can be used in cybersecurity for analyzing text data, identifying patterns, and detecting attacks.

Distributed Backup Scheduling

A method of scheduling backups to protect data against data loss or breaches. It uses Markov chains, a mathematical concept, to schedule backups in a way that optimizes the frequency and timing of backups.

CCN-CERT

An organization that provides guidance and resources on cybersecurity best practices and threats. It is often associated with a government agency.

CCN-CERT BP/30

A document published by CCN-CERT outlining best practices for integrating artificial intelligence (AI) into cybersecurity.

AI/ML in Cybersecurity Subtasks

AI/ML methods contribute to various cybersecurity tasks such as detection, prediction, and response, aiming to either automate or support decision-making processes.

AI/ML's Impact on NIST Core Functions

AI/ML techniques often play a role in multiple core functions of the NIST Cybersecurity Framework, enhancing security and resilience.

What are the NIST Cybersecurity Framework's Core Functions?

The NIST Cybersecurity Framework focuses on five essential functions: Identify, Protect, Detect, Respond, and Recover.

Where does AI/ML shine within the NIST Framework?

AI/ML techniques are particularly effective within the "Protect" and "Detect" functions of the NIST Framework, playing a significant role in safeguarding assets and identifying threats.

What's involved in the 'Identify' core function?

Identifying and prioritizing cybersecurity risks, assets, and vulnerabilities within an organization is the first crucial step in the NIST Framework.

How does the 'Protect' function work?

The 'Protect' function emphasizes implementing security controls like access restrictions, data security measures, and awareness training to minimize risks.

What's the role of the 'Detect' function?

The 'Detect' function involves continuously monitoring for unusual activity, analyzing events, and employing detection processes to identify potential threats.

What happens during the 'Respond' function?

The 'Respond' function involves developing plans, communicating effectively, and taking actions to mitigate threats once they are detected.

Study Notes

CYB. Defensive AI (part 2)

• This is a Master's in Artificial Intelligence course, 2024/25 at ESEI University of Vigo.
• The course is focused on defensive AI.

AI/ML in NIST Core Functions

• AI/ML methods are employed in various cybersecurity subtasks, including detection, prediction, and response.
• These methods can contribute to several core functions simultaneously.
• AI/ML is predominantly used within the Protect and Detect functions, though they often overlap.

NIST Cybersecurity Framework Core Functions

• Identify: Asset management, business environment, governance, risk assessment, and risk management are central to this function.
• Protect: Access control, awareness & training, data security, information protection, processes, maintenance, and protective technology are crucial here.
• Detect: Anomalies and events, security continuous monitoring, and detection processes are essential to this component.
• Respond: Response planning, communications, and improvements are important to this function.
• Recover: Improvements, recovery planning, communications, and mitigation are critical.

AI/ML in NIST Core Functions (II)

• Identify: Includes asset management, business environment, governance, and risk assessment. Automated systems and processes are highlighted for risk assessment and policy enforcement.
• Protect: Features identity management, authentication/access control, awareness and training, data security, and information protection. Automated validation of security controls is a key aspect.
• Detect: Includes anomalies and events detection, security continuous monitoring, and detection processes. Automated threat intelligence sources and analysis are mentioned.
• Respond: Consists of response planning, communications, and improvements. Automated responsibility allocation and incident reporting are mentioned components.
• Recover: Covers recovery planning, improvements, communication, and mitigation. Includes aspects like automated isolation, incident characterization, and remediation.

AI/ML in NIST Core Functions (III)

• Identify: Automatic asset inventory using AI/ML clustering, vulnerability assessment using AI/ML (automatic scanning).
• Automation of vulnerability classification from descriptions using machine learning. Common vulnerabilities and exposures (CVE) database analysis by topic modeling and classification is mentioned.
• Red Team and Penetration Testing: AI/ML/RL can automate certain aspects (AutoPentest-DRL). Autonomous penetration testing using improved deep Q-Networks.

AI/ML in NIST Core Functions (IV)

• Cybersecurity Risk Assessment: AI/ML quantifies risks, assets, and vulnerabilities, using text mining for analysis of online hacker forums.
• Risk prediction: Asset criticality and forecasting is critical for comprehensive risk management, potentially using fuzzy sets.
• Threat Intelligence: AI/ML/NLP processes large threat intelligence datasets to identify and assess emerging threats and vulnerabilities.

AI/ML in NIST Core Functions (V)

• Protect: Malware detection & analysis using recurrent neural networks (RNNs), early-stage prediction.
• Phishing Detection: AI/ML/NLP identifies phishing emails and malicious links by analyzing content, sender behavior, and context. Robust ensemble models developed for filtering phishing URLs and related DNS.
• Authentication & Identity Verification: AI/ML used for biometric authentication, facial recognition, and behavioral analytics; ensuring a robust identification system.
• User and Entity Behavior Analytics (UEBA): AI/ML profiles user behavior to detect deviations from normal activity to detect potential security incidents in User and Endpoint Behavior Analytics.

AI/ML in NIST Core Functions (VI)

• Detect: Intrusion Detection and Prevention systems using AI and machine learning. Intrusion detections based on AI-powered honeypots for enhanced IoT botnet detection. Anomaly detection models applied on network traffic and various forensic data.
• Anti-fraud systems and network traffic analysis are highlighted, using AI/ML models. Detection of threat actors by analysing sentiments in hacker forums.

AI/ML in NIST Core Functions (VII)

• Respond: Security Orchestration, Automation, and Response (SOAR) – AI/ML to automate incident response, using techniques like heterogeneous security event prioritization and intelligent dynamic and isolation of ransomware attacks and mitigation.
• Automatic Incident Response: A Case-Based Reasoning approach to aid the development of response methodologies and the creation of incident response playbooks. Recommendation systems for selecting the appropriate playbook are used.

AI Applications in Cybersecurity (CCN-CERT BP/30)

• This document provides a framework for AI applications in cybersecurity, outlining AI applications for areas like threat detection, intrusion analysis, and automated responses.
• It emphasizes areas like biometric identification, improved automation, and threat intelligence.

Complementary References

• This section includes key publications on artificial intelligence for cybersecurity (including those related to literature reviews, future research directions, and specific research findings).