Structured Query Language (SQL) is the query language for many

modern databases. Malicious instructions can be embedded into

an SQL database, causing it to return the contents of the entire
database (commonly referred to as an SQL injection). This can be
done by entering the code into a user input field in a web form.
This code then gets embedded as a user field in the SQL sent to
the database.

This is an old exploit, and today’s enterprises have updated their

database query codes to eliminate this kind of attack. One method
is using something known as parameterized SQL statements. This
pulls the user input information out of the actual SQL state-
ment itself and places it into parameters that are passed along.
This kind of programming has largely defeated the SQL injection
attack. But, there are many unpatched systems out there. It’s a bit
of work to go through and recode all those SQL calls in your pro-
gram. Not doing so means your Internet-facing database is just
not secure. So, problem solved?

Newer database types have arisen that are allowing for data to
be distributed across the Internet, making data access to mobile
applications much more efficient. These are called NoSQL databases,
one popular example being MongoDB. As you might expect, a query
language is not used to retrieve data from a NoSQL database. There
are different types of NoSQL databases that use various methods
of storing and retrieving data, but they have not proven immune
to injection attacks. Entire books can be written about injection
attacks. Suffice it to say that malicious code can be fed to NoSQL
databases like MongoDB or the superfast in-memory database
NodeJS. There are tools for checking the data sent to these new
databases, but they aren’t perfect.

The least technical, but possibly the most difficult to defend

against, is straight up credential theft. This is most often done
using sophisticated phishing and social engineering. Once the
user’s username and password has been compromised, it’s all
over. For the well-funded or state sponsored cyberattacker, it’s
also possible to send human beings to look for handwritten user-
name password sticky notes. Imagine the janitor each night pho-
tographing the sticky notes found on the front of monitors or on
desktops everywhere. Better password management and stricter
password requirements have had both a positive and negative
impact.

10 Artificial Intelligence & Cybersecurity For Dummies, IBM Limited Edition

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 Forcing users to have longer and more complicated passwords
and changing them regularly has also forced them to write them
down. The alternative to writing down the password is using one
of the new secure password managers. Yet, some of the password
management services have been hacked, and you can never be
really certain that you aren’t using a malicious clone program.
Two-factor authentication has gotten some of this under control.
This works by requesting a code sent to an app on your phone or
to your email before allowing access to untrusted computers. But,
the password is largely dead, and there is now a huge move to
implement better biometrics like facial recognition, voice print-
ing, fingerprinting, skin sensitivity, and heart sounds, or combi-
nations of these.

Detect, Respond, and Mitigate

While many network and computer intrusions go undetected, the
job of a security professional is to figure out when an incursion has
happened so something can be done. It’s the “uh-oh” moment.

There are different ways to monitor a network for intrusion. One

of those is anomaly-based detection. This is like walking into a room
and knowing something is out of place. At first it might not be
obvious what it is, but every fiber of your being knows that some-
thing is wrong. Looking at the landscape of network activity is the
same. There are system monitoring programs that alert you when
something is out of the ordinary. This might be a change in the
level of data access that may be a sign of a Denial of Service (DoS)
attack. It may be a change in the way a person is using her com-
puter that alerts the security team to a possible malware intrusion.

One of the significant problems with anomaly-based detection is

the high rate of false positives. Following each of these anomalies
is time consuming, and yeah, ultimately expensive.

One of the other common ways to be alerted to network intru-

sion is the use of deception to set a trap. Deception in nature is
pretty interesting. It is one of the fundamental ways organisms
have protected themselves over the millennia. One type of detec-
tion says, “Nope, not me. You’ve got the wrong guy. Eat someone

CHAPTER 1 Understanding Cybersecurity 11

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 else.” This is done by mimicry, making yourself look like some-
thing not as appetizing as you otherwise might be. The other is
completely the opposite. It says, “Come here. Tastiest meal ever.”
Yes, that’s right, the mousetrap.

In cybersecurity, digital honey is used as bait. The traps, known

as honeypots and honeytokens, are designed to lure intruders away
from the good stuff. Honeypots are computer systems on a net-
work that appear to be full of data, just waiting to be stolen, but
in fact contain only the bait. Normal network users never use the
honeypot. So, when someone tries to gain access, that person
triggers an alert.

Various kinds of honeypots increase the chance that someone will

fall for the bait:

»» A low-interaction honeypot is normally an emulated network

service running on a special computer, for example, email, ftp,
and web servers. These fake services tend to be invulnerable,
thus protecting the honeypot computer. Essentially, they are
built from an open port and a listening socket and nothing
more. But they do trigger an alarm. They are lightweight,
and many of them can be run simultaneously on a single
computer. Sadly, it’s like putting a fake owl in the garden to
scare away the birds. Soon, the birds are sitting on the head
of the plastic owl. They don’t fool people for very long.
»» A high-interaction honeypot is the real deal. It’s a computer
system running on the network with real services providing
fake data. These computers have network monitors that
begin tracking intrusions and exploits from anyone trying to
interact with them. As you can imagine, the real limitation
here is the amount of effort it takes to maintain this kind of
honeypot. Again, there is the problem of weeding out the
false positives.

In today’s world, data is distributed across networks, mobile

devices, the cloud, and Internet of Things (IoT) devices. Once an
intrusion occurs, it becomes important to track where the attack
originated. Fake data, email addresses, and fake accounts known
as honeytokens do just that. This fake data is seeded across the
network, and a record is kept of where it was placed. When data

12 Artificial Intelligence & Cybersecurity For Dummies, IBM Limited Edition

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 containing a honeytoken is stolen, you know where it was stolen
from. The same thing happens when honeytoken email addresses
or accounts are used. Cartographers do this same thing when they
add a fake street to a map just to prove that someone copied their
map. This is a good segue into what to do next, respond.

Responding to and Recovering From

Cyberattacks and Security Events
Once an intrusion attempt or an actual intrusion has been detected,
it’s all about investigation and response. How quickly can a secu-
rity team identify the intrusion, malware, or non-malware;
determine if it’s a false positive; figure out the method of intrusion;
learn as much as it can about the intrusion; close the door that
was used; and then get rid of the problem?

The best cybersecurity defense includes well-trained users. Their

response when they suspect something might be wrong is critical.
Train them to be paranoid.

According to a 2017 Ponemon Institute study, the time it takes

to respond to a security event was lowered, “from an average of
approximately 201 in 2016 to 191 days and the average days to
contain the data breach from 70 to 66 days.” While this is headed
in the right direction, the complexity of protecting and respond-
ing to information environments spread across everything from
smart devices to cloud hosting only becomes more difficult. Add
to this complexity response across a multinational organization
and you have a costly nightmare on your hands.

Meeting the Challenges of Cybersecurity

Smarter software is the trend in cybersecurity. Security Informa-
tion and Event Management (SIEM) software provides analysis of
security events and the storage and correlation of a wide variety
of information, including such things as log data, threat vector
and user behavior, and analysis of structured threat intelligence.

CHAPTER 1 Understanding Cybersecurity 13

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 In addition to threat response, there is a move to make software
application development more secure as well. Integrating cyber-
security into the phases of software development helps manage
the risk involved in releasing software that will immediately be
attacked by hackers looking for mistakes and vulnerabilities. Code
is everywhere. It’s tempting to downplay the software running
on a smart refrigerator, but if it sits on a local area network, it’s
a point of vulnerability and its code is just as important as any
productivity application. Nothing is overlooked by anyone want-
ing to pierce the network. Nothing should be overlooked by those
wishing to protect it. The result of a network intrusion can have a
huge impact on organizations large and small.

14 Artificial Intelligence & Cybersecurity For Dummies, IBM Limited Edition

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 Predictive Analytics
Cybersecurity professionals use analytics to detect anomalies
in network patterns, network traffic, and normal user activi-
ties. Exploits are identified by their signatures (known patterns
of attack). These are the identifying methods that the malware or
attacker has used to gain entry into the network. Network analy-
sis software alerts the security team when a signature attack is
recognized. That’s all well and good for real-time monitoring
but it most always means that the deed was done. Cybersecurity
has moved on from a complete reaction to activity to one where
networks are managed based on risk. Each entity involved in the
network’s activity is scored based on the risk. You can think of
this like having a credit score, which is also a form of predictive
analysis.

Predictive analytics gives you a look into the future, albeit fuzzy.
One approach, which you might call an “on the doorstep” sce-
nario is being able to identify an intrusion without having a prior
signature. Machine learning in AI actually learns how to recog-
nize patterns far better than a human. By analyzing all kinds of
previous attacks machines have begun to have a “gut feeling” or
predictive ability about what might be an attack, even if it doesn’t
match a previously known signature.

With the network in constant flux, it becomes a superhuman job

to determine exactly what a network’s normal behavior looks
like. There are also malware programs that sit on the network
appearing innocuous because the damage (normally data theft) is
long term. These are called Advanced Persistent Threats (APTs).
They’re cleverly designed to be overlooked by network security
programs and to remain in place for as long as possible.

Taught Not Programmed

Artificially intelligent machines today are not the sum of their
programming as they once were. They analyze great sums of data,
the more the better, and find patterns that might have been oth-
erwise unrecognizable. Machine learning may examine millions
of math problems and their results and determine, based on a
pattern, what the result might be. Applied to cybersecurity the

30 Artificial Intelligence & Cybersecurity For Dummies, IBM Limited Edition

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 goal is to examine this network data and apply everything it has
previously learned to augment a human-led security team.

The acronym URL, not to be confused with the Uniform Resource

Locator of the World Wide Web, is an acronym that stands for the
following:

»» Understand: Examine the mass of prior research using NLP.

This information can be found within videos, books, maga-
zines, journal articles, and yes, even PowerPoint.
»» Reason: Provide insights based on analysis that include what
type of attack may occur, or may have occurred, and the
types of threat entities involved in the attack and their
relationships.
»» Learn: Up to the millisecond research findings continually
add to the corpus of knowledge. New insights are continually
created based on new information.

Nothing stands still. It would be nice if there were a “stop” but-

ton. But the reality is that security research is made new every
moment, and the bad guys trying to break into the network get
smarter and more sophisticated. Humans are generally not good
at change. We get tied up in what we know. We get tired. We over-
look things. We get pet ideas and form pride in the knowledge
we’ve accumulated. When something comes along that says, “All
those years learning about computer viruses is now completely
useless,” it’s like a punch in the gut. But, not for computers. They
tirelessly learn, adapt, and form new ideas without ego about
what they already know.

Uncovering the needle in the haystack

If there was ever a bad phrase in cybersecurity, it might be
“false positive.” It’s the great time waster and money sink in the
world of network security. If you want a visual, imagine the SETI
researchers, hunting for alien signals. They’re looking for any
little blip on the screen that rises just above white noise. On large
enterprise networks, there’s a lot of background noise. So, at what
point does the abnormal behavior rise to the level of something
for which a security researcher needs to apply attention? This
attention begins the immediate application of time and money to
what might be nothing.

CHAPTER 4 Applying Machine Learning and Deep Learning to Cybersecurity 31

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 Both humans and machines can cause false positives. How often
have you rebooted a machine because some program has gone
crazy and started eating up all the memory and CPU cycles in your
machine? Or perhaps a user suddenly decides he needs a local
copy of that multi-gigabyte database and starts a download, trig-
gering a traffic alarm.

Software can also cause false positives. Programs that have not
been tested for security before release can cause a nightmare of
protocol violations that would appear to any good security pro-
gram like an attack but is really just untested software running
on your network.

One of the goals of using AI in cybersecurity is to weed out those

false positives. Computers, on their own, even really smart ones,
fall prey to the false positive. But, using the insights of a computer
in partnership with a human in a type of hybrid approach lowers
the risk that non-malicious network use will be seen as a false
positive. Because the AI is always learning, it can also learn from
its human partner. The security researcher examines the alerts
provided by the smart security system and determines which are
and aren’t false positives. Those results are fed back to the AI,
making it smarter. In time, the AI will report fewer false positives.

Introducing cognitive computing

Cognitive computing is AI that emulates the actions of a human
brain. Applied to cybersecurity it learns and gains the ability to
identify threats by investigating security incidents compiled
by security events from a variety of inputs. Cognitive comput-
ing machines use input from structured and unstructured data,
as well as human-machine partnerships that provide human
insight. It then augments a cybersecurity professional by provid-
ing insights it may never have come up with or suggesting unique
solutions, and all much faster than a human is capable.

One challenge of any network security team is fatigue. Respond-

ing to hundreds of thousands of security events, most of which
require no action, is enough to wear down the best and brightest.
Think of this like the chime on the door of a store. How long is it
until the clerk no longer even hears that chime. One of the rea-
sons it becomes background noise is that the door chime doesn’t
really tell them who is coming through the door. Is it a lost child?
Is it a shopper? Is it a robber? Without context, the chime quickly

32 Artificial Intelligence & Cybersecurity For Dummies, IBM Limited Edition

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
 fades from importance. Put a little facial recognition on that
chime and suddenly you’re paying more attention, as information
about each person appears on the screen. Correlate shopping data
from a frequent shopper card, and then you have a powerful tool.
“Hello Mr. Smith, we have a new crop of bananas now available
on the endcap of aisle 6.”

Cognitive computing systems provide the kind of contextual

information needed by a security professional to make faster and
smarter decisions with less fatigue. With data feeding in from
network security analytics software, and contextual data updating
the cybersecurity corpus of knowledge every second, combined
with previously determined insights (self-learning), cognitive
computing correlates all that data faster and more accurately than
any human.

It’s been more than half a decade since an AI computer trounced

the smartest human Jeopardy! players. Coming up with solutions
faster than a human has only improved over time.

Identifying root cause

Responding to continual exploits without finding the root cause
can waste a great deal of time. When analyzing an exploit, deter-
mine the causes, support it with evidence, find solutions, take
notes, and recommend actions. The actions you ultimately take
are based on two of these analysis points: discovering the root
cause and then finding a solution.

Root cause is sometimes an enterprise systemic thing. Therefore,

it makes sense to find the overarching cause rather than point-
ing a finger at an individual or group who may have been the
source of a particular exploit. It is far better to work together as
a team, taking an enterprise-wide approach that may uncover
problems that span across the enterprise. If the underlying cause
of a structural problem allows holes in the dike to form, fixing
one hole, without figuring out that weak cement throughout the
dike is causing the problem, will only mean that the problem will
pop up somewhere else in the future.

One method used in helping to determine root cause in an enter-

prise is using a technique that is found within the Six Sigma
DMAIC (Define, Measure, Analyze, Improve, Control) methodol-
ogy. This technique is known as the 5 whys because you ask five
why questions. Asking a why question, such as, “Why did our

CHAPTER 4 Applying Machine Learning and Deep Learning to Cybersecurity 33

These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.