It seems like everyone is talking about applying artificial intelligence and machine learning to security data. If you believe the hype, you’d think all you need to do is install a vendor’s product and, hey presto, your problems are solved. My experiments with a manic-depressive chatbot showed me that perhaps it’s a bit more complicated than that!
A few years ago, I was hired into a very small infosec innovation group at a large organisation. My primary goal was to work with our data science team to understand the various machine learning techniques and how we might apply them to information security. I was thrilled to find out that I had sole ownership of, and responsibility for, the company’s first deep learning supercomputer. After a bit of engineering and more than a few dollars spent, the day finally came to power up the beast. My data science mentor and I were awestruck at the potential before us. However, for the first few weeks, we accomplished little more than making the datacentre a few degrees warmer! So where to start?
My mentor and I took quite different approaches. As a trained data scientist, he was methodical. I took the “let’s throw stuff at the wall and see what sticks” approach, one that, even today, I contend has value in an innovation setting. Thankfully, he was willing to indulge my impulses as long as they didn’t encroach on his work. Regardless of approach, we knew we’d be using an artificial intelligence technique called “deep learning”.
Machine learning
But what is deep learning and how does it work? Deep learning is a subset of machine learning, and machine learning is one of many methods of producing artificial intelligence. In short, most deep learning models start as little more than a disorganised mathematical mess: a network of random numbers. It’s only through a series of iterative training steps, each one rewarding answers closer to the truth, that the model learns to organise itself and make reasonably accurate determinations. The more you train, and the more diverse the data, the better.
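To make that concrete, here is a minimal sketch of what “a disorganised mess learning through iteration” looks like in code. It uses PyTorch (my own project didn’t necessarily use this framework, and the task here is a deliberately trivial one): a tiny network starts with random weights and, step by step, is nudged towards producing the right answers.

```python
import torch
import torch.nn as nn

# A tiny network: it starts as a "disorganised mathematical mess" (random weights).
model = nn.Sequential(nn.Linear(1, 16), nn.ReLU(), nn.Linear(16, 1))

# Toy task: learn y = 2x + 1 from examples.
x = torch.linspace(-1, 1, 100).unsqueeze(1)
y = 2 * x + 1

loss_fn = nn.MSELoss()
optimiser = torch.optim.SGD(model.parameters(), lr=0.1)

# Iterative training: each step measures how wrong the model is
# and adjusts the weights to be slightly less wrong.
for step in range(500):
    optimiser.zero_grad()
    loss = loss_fn(model(x), y)
    loss.backward()
    optimiser.step()
    if step % 100 == 0:
        print(f"step {step}: loss {loss.item():.4f}")
```

Run it and you can watch the loss fall: the same loop, scaled up enormously in model size and data, is essentially what “training” meant for my chatbot too.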
I decided to do a little experimenting with AI chatbots and natural language. I wanted to see if I could create a chatbot that could answer some basic questions. My first chatbot was… interesting. But it taught me a few key lessons that remain true today.
Lesson 1: Context is key
My first AI chatbot wasn’t trained very well because I wasn’t a very good trainer. I gave the seriously disorganised model a dictionary of words and wanted to see what it could produce with little or no training. I still laugh at the results when I think about it.
Our first conversation went like this:
Me: Hi.
Chatbot: CAKE CAKE CAKE CAKE DEPRESSION DEPRESSION DEPRESSION DEPRESSION
What I discovered is that, although the chatbot was aware of words, it had never actually seen written language before. It had no frame of reference. The output was complete nonsense because it had no contextual understanding of word sequences. The model picked the nearest two words out of the bag and doubled down on them. While somewhat amusing, it was an otherwise useless result. Or, perhaps it was just hungry and feeling a little blue.
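A toy illustration of the difference (hypothetical code, not my original model): drawing words independently from a vocabulary, the way my untrained chatbot effectively did, versus drawing them from simple bigram statistics learned from real sentences, which at least captures which word tends to follow which.

```python
import random
from collections import defaultdict

vocab = ["cake", "depression", "the", "security", "policy", "is", "good"]

# No context: each word is drawn independently -- "CAKE CAKE DEPRESSION..."
print(" ".join(random.choices(vocab, k=6)))

# With context: learn from real text which word tends to follow which.
corpus = "the security policy is good . the cake is good .".split()
bigrams = defaultdict(list)
for prev, nxt in zip(corpus, corpus[1:]):
    bigrams[prev].append(nxt)

word, out = "the", ["the"]
for _ in range(5):
    word = random.choice(bigrams[word]) if bigrams[word] else random.choice(vocab)
    out.append(word)
print(" ".join(out))
```

Even a crude bigram model produces something sentence-shaped; my first chatbot didn’t have even that much context.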
My security lesson is:
When a security company tells you it uses the power of AI to make its product better, ask yourself, “Will its model be hungry and depressed, or will it have enough experience and training to actually apply itself in my environment?” Or, more importantly, “Can it adapt to changes in my environment?” What appears anomalous one month may be normal the next: high transaction volume at month-end may be perfectly normal, yet a complete anomaly on the 15th. Context is key. Make sure the models can understand the “language” of your environment.
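Here is a hypothetical sketch of that month-end point (invented numbers and function names): instead of comparing a transaction count against one global baseline, compare it against the baseline for its own calendar context.

```python
import statistics

# Hypothetical history of hourly transaction counts, keyed by day-of-month.
history = {1: [120, 130, 125], 15: [40, 35, 45], 31: [400, 420, 390]}

def is_anomalous(count, day, history, threshold=3.0):
    """Score against the baseline for *this* calendar context,
    not a single global average."""
    baseline = history[day]
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline) or 1.0
    return abs(count - mean) / stdev > threshold

# 410 transactions is routine at month-end but wildly anomalous on the 15th.
print(is_anomalous(410, 31, history))  # False
print(is_anomalous(410, 15, history))  # True
```

The same measurement is normal or alarming depending entirely on context, which is exactly what a naive, globally trained model misses.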
Lesson 2: Data is (almost) always the hardest part
To better train my chatbot, I used open-source, freely available datasets of movie subtitles. With a bit more English-language context, my chatbot and I could have something resembling a conversation. However, if I wanted to ask it a question about a more meaningful topic, like security policy, it didn’t know where to begin. I needed better data. The ‘corpus’ of data matters as much as the AI. In fact, thanks to the recent democratisation of AI frameworks, I found deep learning models quite simple to build and train. The challenge I encountered in every AI project I ran was “Who has the data?” and, more importantly, “Are they willing (or able) to give me that data?”
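The “models are easy, data is hard” point shows up clearly in code. A sketch (PyTorch again, with hypothetical layer sizes; not my actual chatbot): the model definition is a handful of lines, while everything it depends on, namely sourcing, cleaning and getting permission to use the corpus, is where the real work went.

```python
import torch.nn as nn

# The "easy" part: a small language model is a few lines in a modern framework.
class TinyChatbot(nn.Module):
    def __init__(self, vocab_size=10_000, embed=128, hidden=256):
        super().__init__()
        self.embed = nn.Embedding(vocab_size, embed)
        self.rnn = nn.LSTM(embed, hidden, batch_first=True)
        self.out = nn.Linear(hidden, vocab_size)

    def forward(self, tokens):
        x, _ = self.rnn(self.embed(tokens))
        return self.out(x)

# The hard part is everything this placeholder glosses over: who owns
# the subtitle (or security-policy) corpus, whether they can share it,
# and how much cleaning it needs before it is usable.
def load_corpus(path):
    raise NotImplementedError("sourcing and cleaning the data is the real project")
```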
What does this mean for security and AI?
When a security company says its product can learn from and adapt to your environment, ask yourself where that data might come from. Meaningful answers come from meaningful data, and a single view of events rarely tells the whole story. Why did the transaction load spike? Access logs may have the answer. A pile of transaction logs tells one side of the story; combined with access logs, they tell a more complete one. The trouble is that data is often siloed physically, logically and culturally within an organisation. Companies that treat data as an asset, take information classification seriously and are culturally open to sharing data are generally better suited to bringing AI into the organisation.
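As a hypothetical illustration (invented field names, pandas used for brevity): once both datasets are in one place, correlating a transaction spike with access-log activity is a simple join. The hard part is rarely the join; it’s getting the two datasets out of their silos.

```python
import pandas as pd

# Hypothetical, simplified log extracts from two different silos.
transactions = pd.DataFrame({
    "hour": ["2023-06-30 09:00", "2023-06-30 10:00"],
    "tx_count": [120, 980],  # 10:00 looks like an unexplained spike
})
access = pd.DataFrame({
    "hour": ["2023-06-30 10:00"],
    "batch_job_logins": [12],  # month-end batch jobs logged in at 10:00
})

# One dataset shows the spike; joined together, they explain it.
combined = transactions.merge(access, on="hour", how="left")
print(combined)
```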
In time, I did manage to develop some interesting and more useful models. However, I learned the most practical lessons from the first few chatbots I built. Feed your AI a wide variety of good, meaningful data and it will be hungry and depressed no more!
Like most things, you can’t beat training and experience, and of course, data is key. If you or anyone you know has a need for information security expertise, or would like to chat with Tory about his journey into AI, feel free to contact us here.
Author’s Disclaimer:
I’m not a data scientist, nor do I play one on TV. I’m a technologist turned infosec practitioner who dabbled in machine learning and developed an “intuitive sense” of how AI works. A significant amount of the credit for my achievements in this area goes to my mentors, for keeping me pointed in the right direction during my less-than-scientific methodology. Tory Young.