Long gone are the days of simple, signature-based defenses against cyber-threats.
Cyber-threats are growing at an exponential rate in the perpetual cat-and-mouse game of cybersecurity, and traditional approaches to cybersecurity are struggling to keep pace. In 2021, anti-malware vendors estimated that they detected between 300,000 and 500,000 new pieces of malware every day. That means than in 2021 alone, over 100 million new pieces of malware were created. Even if cybersecurity vendors can keep up with the sheer volume of new pieces of malware, traditional signature-based and even heuristic-based detection algorithms will struggle to keep up – and that’s only for known malware.
Ransomware has grown by significant leaps and bounds as the fastest-growing and most prevalent malware type. In 2013, ransomware accounted for only $300 per year. In 2021, ransomware was estimated to be a $400 million per year criminal enterprise. Undoubtedly, the profitability in ransomware has significantly encouraged the development of new attack methods and associated malware.
The malware threat evolved to new levels in 2020 with the SolarWinds breach – a nation state supply-chain attack affecting over 18,000 out of 300,000 customers. For months, thousands of customers were infected with malware through what they believed was a trusted vendor. Attackers are now bypassing defenses by attacking software developers directly, injecting their malicious code at the source code level for distribution. With trusted security vendors’ own security solutions a potential attack vector for organizations, how can organizations hope to defend themselves? The answer may lie with artificial intelligence and machine learning, but adversaries are exploring these options as well.
The Potential for Adversaries to Leverage Artificial Intelligence
While polymorphic malware has been around for a rather long time, most of this malware has only been designed to slightly modify its own binaries to attempt to evade detection. This malware might make minor changes to its binary code, but these changes would not affect its capabilities or overall behavior. However, just as cybersecurity companies are developing next-generation solutions, adversaries are developing next-generation threats.
Imagine for a moment malware leveraging artificial intelligence to evolve like a physical virus, complete with new attack methods and infection vectors, potentially leveraging other software installed on the system to provide means of input/output and communication. While we hope this sort of malware will remain the subject of science fiction, we have no doubts that advanced persistent threat actors, especially those sponsored by nation states, are exploring how they can leverage AI and machine learning to build better, more evasive, and more persistent malware. Signature-based defenses would become useless against such self-updating malware, and advanced behavior analytics would be the only means of identifying this next-generation malware.
Diminishing Returns and Moore’s Law
Moore’s Law originally stated in 1959 that the number of transistors in an integrated circuit would double every two years, resulting in similar increases in processing speed and throughput. Unfortunately, since 2010, the microprocessor industry has seen diminishing returns on general purpose central processor unit (CPU) improvements, with current advances only reaching approximately half of predictions. Moore’s Law is quickly becoming obsolete as it relates to CPUs.
The larger malware signature databases are, the more processing time it’s going to take for traditional antivirus to scan. This means longer time between infection and detection. Even if cybersecurity vendors can keep pace with the ever-increasing number of malware signatures, traditional signature-based solution days are numbered since their ability to scan for malware is directly tied to CPU processing speed. Not only are the diminishing returns of Moore’s Law affecting CPUs, they’re also affecting our ability to detect cyber-threats in a timely manner. However, special-purpose processing holds the potential to help in overcoming these diminishing returns.
How Hardware-Accelerated Artificial Intelligence can Adapt and Overcome
Hardware-accelerated artificial intelligence may be one path forward to overcome diminishing returns of Moore’s Law. Some cybersecurity frameworks are leveraging graphic processor unit (GPU) and data processor unit (DPU) hardware acceleration for specialized processing of cybersecurity data. Many of these solutions involve transferring alerts and data to a cloud data center with hardware acceleration, offloading the processing from local machines to these special-purpose GPU and DPU cloud servers. This means organizations won’t need to upgrade every endpoint’s hardware to take advantage of this technology, allowing endpoints to keep up with evolving threats without significant per-endpoint costs.
Through adopting hardware-accelerated artificial intelligence and machine learning, next-generation cybersecurity technology can keep pace with the growing number of threats and augment, not replace, the current cybersecurity team. While artificial intelligence can never replace human analysts, it can drastically help improve their accuracy and efficiency in defending against threats to the enterprise.
Protection of the Future
Current use cases of artificial intelligence in cybersecurity reach beyond basic heuristic malware detection. Behavioral intelligence of metadata can provide early warning of compromised machines or user accounts, or even detect when a user is attempting to leak sensitive information outside of an organization. Best of all, by analyzing metadata instead of file contents, user privacy can be preserved and remain compliant with privacy regulations.
Artificial intelligence can also help overcome the challenges created by loss of visibility in TLS 1.3. Some vendors are developing deep packet inspection engines for encrypted traffic visibility. This packet inspection engine utilizes artificial intelligence to determine which packets require further inspection. By focusing on metadata instead of packet contents, contextual risk scoring can be assigned for fast processing instead of relying on full-packet decryption and inspection.
Finally, artificial intelligence can be used to help SOC analysts make intelligent decisions when investigating incidents or when applying new protections to the enterprise against emerging threats based on threat intelligence feeds. Utilizing unbiased risk scoring, AI can provide more effective insights to potential threats to the enterprise, allowing analysts to respond faster and take more accurate prevention and remediation procedures.
Shifting Moore’s Law to Special Purpose Processing and Artificial Intelligence
While Moore’s Law’s diminishing returns are being realized through the slowing development of CPUs, an alternative path may have been found. Through the usage of GPU and DPU special purpose-built cards, artificial intelligence and machine learning can offload their mathematically complex operations from the CPU. Not only do these devices accelerate AI and ML, they allow the CPU to focus on other generalized processing tasks.
By shifting from general purpose CPU processing and embracing hardware-accelerated, special-purpose processing combined with artificial intelligence, we can overcome the currently observed diminishing returns of Moore’s Law and keep pace with continuously growing cyber-threats.
The continuous cat-and-mouse game of cybersecurity may never truly end, but by utilizing artificial intelligence we can build better, smarter mouse traps.