CYB. Defensive AI (part 2) PDF
University of Vigo
2024
Summary
This document is a presentation on defensive AI (part 2) for a Master's program in Artificial Intelligence at the University of Vigo, discussing AI/ML's role in various cybersecurity subtasks, such as detection, prediction and response.
Full Transcript
CYB. Defensive AI (part 2)
Master in Artificial Intelligence 2024/25
ESEI – University of Vigo

AI/ML in NIST Core Functions

- AI methods employed in various cybersecurity subtasks with different roles (detection, prediction, response) and purposes (as an autonomous or complementary decision mechanism)
- AI/ML methods can contribute simultaneously to several Core Functions
- Mainly within Protect and Detect Functions (not exclusive, often overlapping)

NIST Cybersecurity Framework Core Functions

- Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management
- Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes, Maintenance, Protective Technology
- Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
- Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
- Recover: Improvements, Recovery Planning, Communications, Analysis, Mitigation

AI/ML in NIST Core Functions (II)

Source: R. Kaur et al., Artificial intelligence for cybersecurity: Literature review and future research directions. Information Fusion, vol. 97, Sep. 2023

AI/ML in NIST Core Functions (III)

1. Identify: Understand and prioritize cybersecurity risks, assets, and vulnerabilities within the organization.
Automatic Asset Inventory: AI/ML clusters and classifies security assets
- A Clustering Method of Asset Cybersecurity Classification (k-means clustering to create asset groups)

Vulnerability Assessment: AI/ML automatically scans systems for vulnerabilities, prioritizes severity and (optionally) proposes mitigations
- Automation of Vulnerability Classification from its Description using Machine Learning
- Topic Modeling And Classification Of Common Vulnerabilities And Exposures Database (Text Mining [categorization, topic modeling] on CVE descriptions)

Red Team and Penetration Testing: AI/ML/RL can be used to automate certain aspects of red teaming and penetration testing
- AutoPentest-DRL and Deep Exploit [derived version] (Automatic penetration test [enumeration + exploitation] using Deep Reinforcement Learning)
- Autonomous Penetration Testing Based on Improved Deep Q-Network (Pentesting with RL using Deep Q-Networks)

AI/ML in NIST Core Functions (IV)

Cybersecurity Risk Assessment: AI/ML quantifies the organization's cybersecurity risks and the potential impact of security threats and vulnerabilities
- A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums (Risk scoring through NLP on hacker forums)
- Asset criticality and risk prediction for an effective cybersecurity risk management of cyber-physical system (Risk scoring using Fuzzy Sets)

Threat Intelligence: AI/ML/NLP assists in gathering and processing large volumes of threat intelligence data to identify emerging threats and vulnerabilities
- Cyberattack Prediction Through Public Text Analysis and Mini-Theories (Threat hunting using NLP on Dark Web forums)

AI/ML in NIST Core Functions (V)

2. Protect: Implement safeguards to mitigate risks and protect against cyber threats.
Malware Detection and Analysis: AI/ML examines patterns, behavior and signatures to identify malicious software
- Early-stage malware prediction using recurrent neural networks (RNN in malware prediction)

Phishing Detection: AI/ML/NLP identifies phishing emails and malicious links by analyzing content, sender behavior, and context
- DNS dataset for malicious domains detection
- Robust Ensemble Machine Learning Model for Filtering Phishing URLs: Expandable Random Gradient Stacked Voting Classifier (ERG-SVC) (Filtering Phishing related DNS and URLs)

Authentication and Identity Verification: AI/ML for biometric authentication, facial recognition, and behavioral analytics
- https://onlinelibrary.wiley.com/doi/abs/10.1002/dac.4685 (Biometrics with CNN)

User and Entity Behavior Analytics (UEBA): AI/ML profiles and monitors user and endpoint behaviors, identifying deviations from normal activities to alert potential security incidents
- Securing Smart Offices Through an Intelligent and Multi-device Continuous Authentication System (Behavior-based continuous authentication)

AI/ML in NIST Core Functions (VI)

3. Detect: Continuously monitor systems and networks to identify and alert on cybersecurity events.
Intrusion Detection and Prevention: AI/ML monitors network traffic and system behavior in real-time to identify malicious activity
- AI-Powered Honeypots for Enhanced IoT Botnet Detection (AI-based Honeypots using ML)
- GAN-IDS: An imbalanced generative adversarial network towards intrusion detection system in ad-hoc networ (Deep Learning based IDS using GAN to tackle class imbalance)

Anomaly Detection: AI/ML identifies unusual patterns and behaviors in network traffic, system logs, and user activities
- Anomaly detection in a forensic timeline with deep autoencoders (Anomaly detection using Auto-Encoders)

Anti-fraud Systems: AI/ML behavior-based models analyze transaction data to identify fraudulent activities in financial and e-commerce systems

Other: Network Traffic Analysis, UEBA
- Predicting Cyber-Events by Leveraging Hacker Sentiment (Detecting Threat Actors by Sentiment Analysis on Hacker Forums)

AI/ML in NIST Core Functions (VII)

4. Respond: Develop and execute an incident response plan to contain, mitigate, and recover from cybersecurity incidents.

Security Orchestration, Automation, and Response (SOAR): AI/ML helps to automate incident response by selecting and executing predefined actions in response to security incidents
- Heterogeneous Security Events Prioritization Using Auto-encoders (Alert Triage and Prioritization using Autoencoders)
- Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments (Automatic Detection and Isolation of Ransomware attacks with anomaly detection, NN, NB and RF)

Automatic Incident Response
- A Case-Based Reasoning Approach for the Cybersecurity Incident Recording and Resolution (Case-Based Reasoning for Incident Response)
- Application of the Metric Learning for Security Incident Playbook Recommendation (Recommender System for Selecting Incident Response Playbooks)

5. Recover: Restore and recover systems and data to normal operations following a cybersecurity incident while improving resilience.
- An Automated Post-Mortem Analysis of Vulnerability Relationships using Natural Language Word Embeddings (Post-Mortem Analysis of Vulnerabilities using NLP)
- Distributed backup scheduling: Modeling and optimization (Backup scheduling using Markov chains)

AI applications in Cybersecurity (CCN-CERT BP/30)

According to CCN-CERT BP/30. Informe de buenas prácticas: IA y ciberseguridad

Complementary references

- Ramanpreet Kaur, Dušan Gabrijelčič, Tomaž Klobučar: Artificial intelligence for cybersecurity: Literature review and future research directions. Information Fusion, Volume 97 (2023)
- ENISA (European Union Agency for Cybersecurity): Artificial Intelligence and Cybersecurity Research (2023)
- CSET (Center for Security and Emerging Technology): Machine Learning and Cybersecurity Hype and Reality (2021)
- Centro Criptológico Nacional (2023): CCN-CERT BP/30 Aproximación a la Inteligencia Artificial y la ciberseguridad (pdf) [English version]