VISVESVARAYA TECHNOLOGICAL

UNIVERSITY
“Jnana Sangama”, Belagavi-590018

TECHNICAL SEMINAR
(18CSS84)

REPORT ON
“HARNESSING ARTIFICIAL INTELLIGENCE
CAPABILITIES TO IMPROVE CYBERSECURITY”

Submitted in partial fulfilment of the requirements for the award of the

degree of

BACHELOR OF ENGINEERING
IN
COMPUTER SCIENCE AND ENGINEERING

Submitted by
SAI SNEHA SV
USN: 1JT17CS070

Under the guidance of

Technical Seminar Coordinator
Dr. Swathi K
Associate Professor
Department of Computer Science & Engineering
Jyothy Institute of Technology, Bengaluru-560082

Department of Computer Science & Engineering

Accredited By NBA
JYOTHY INSTITUTE OF TECHNOLOGY
Tataguni, Off Kanakapura Road, Bengaluru- 560082
2023-2024
 JYOTHY INSTITUTE OF TECHNOLOGY
BENGALURU-560082
Department of Computer Science & Engineering
Accredited By NBA

CERTIFICATE
This is to certify that the Technical Seminar entitled “Harnessing Artificial Intelligence
Capabilities to Improve Cybersecurity” presented by Sai Sneha S V, USN:
1JT17CS070 of VIII semester in partial fulfilment of the award of Bachelor of
Engineering in Computer Science and Engineering in Visvesvaraya Technological
University, Belagavi during the academic year 2023 - 2024. The Seminar Report has been
approved as it satisfies the academic requirements in respect of Seminar work prescribed
for the Bachelor of Engineering degree.

------------------------- ----------------------------- -----------------------------

Signature of the
Coordinator
Dr. Swathi K
Associate Professor,
CSE, JIT, Bengaluru
Signature of the H.O.D. Signature of the Principal.
Dr. Prabhanjan S Dr. K Gopalakrishna
Prof. & Head, Principal,
CSE, JIT, Bengaluru JIT, Bengaluru

Name of Student: University Seat Number:

Sai Sneha SV 1JT17CS070

 ACKNOWLEDGEMENT
The successful presentation of the seminar would be incomplete without the mention of the
people who made it possible and whose constant guidance crowned my effort with success.

I take this opportunity to express my sincere gratitude to our Management, Jyothy Institute
of Technology, Bengaluru for providing the environment to present the seminar.

I would like to extend my gratitude to Dr. K Gopalakrishna, Principal, Jyothy Instituteof

Technology, Bengaluru, for providing opportunity to present the seminar.

I thank Dr. Prabhanjan S, Professor and Head, Department of Computer Science and
Engineering, Jyothy Institute of Technology, Bengaluru for his encouragement to present
the seminar.

I whole heartedly thank Technical Seminar Coordinator, Dr. Swathi K, Associate

Professor, Department of Computer Science and Engineering, Jyothy Institute of
Technology, Bengaluru, for her constant support and guidance through out the seminar
presentation.

I would also like to thank Panel Members, Department of Computer Science and
Engineering, Jyothy Institute of Technology, Bengaluru, for their valuable inputs.

Finally, I would like to thank all the Teaching and Non-Teaching Staff of Department of
Computer Science and Engineering, Jyothy Institute of Technology for their co-
operation. Moreover, I thank all my family and friends for their invaluable support and
cooperation.

Sai Sneha SV
1JT17CS070

I
 DECLARATION

I, Sai Sneha SV bearing the USN: 1JT17CS070, studying in the 8th semester of
Bachelor of Engineering in Computer Science and Engineering at Jyothy Institute of
Technology, Bengaluru, hereby declare this seminar work entitled “Harnessing
Artificial Intelligence Capabilities to Improve Cybersecurity ” which is being
submitted by me in the partial fulfilment for the award of degree of Bachelor of
Engineering in Computer Science and Engineering, from Visvesvaraya Technological
University, Belagavi is an authentic record of me carried out during the academic year 2023-
2024 , under the guidance of seminar coordinator Dr. Swathi K, Associate Professor,
Department of Computer Science and Engineering, Jyothy Institute of Technology,
Bengaluru.

Place: Bengaluru Sai Sneha SV

Date: 1JT17CS070

II
 ABSTRACT

Cybersecurity is a fast-evolving discipline that is always in the news over the last decade,as
the number of threats rises, and cybercriminals constantly endeavor to stay a step aheadof
law enforcement. Over the years, although the original motives for carrying out
cyberattacks largely remain unchanged, cybercriminals have become increasingly
sophisticated with their techniques. Traditional cybersecurity solutions are becoming
inadequate at detecting and mitigating emerging cyberattacks. Advances in cryptographic
and Artificial Intelligence (AI) techniques (in particular, machine learning and deep
learning) show promise in enabling cybersecurity experts to counter the ever evolving
threat posed by adversaries. AI’s potential in improving cybersecurity solutions is explored
,by identifying both its strengths and weaknesses. The future research opportunities
associated with the development of AI techniques in the cybersecurity field across a range
of application domains is also discussed.

III
 CONTENTS

ACKNOWLEDGEMENT I

DECLARATION II

ABSTRACT III

1. Introduction 1

1.1. Key Sources of Cyberthreats 2

2. Cybersecurity Threats and Legacy Solutions 3

3. Artificial Intelligence 9

3.1. Machine Learning 10

3.2. Decision Trees 11

3.3. K Nearest Neighbors 13

3.4. Support Vector Machines 14

3.5. Artificial Neural Networks 15

3.6. Self-Organizing Maps 16

 CONTENTS

4. Applying AI to Strengthen Cybersecurity 18

4.1. The Internet 19

4.2. Network Infrastructure (Botnet) 19

4.3. Application Layer 21

4.4. Human Link and Malware. 22

4.5. The Internet of Things 24

5. Future Challenges and Research Opportunities 25

CONCLUSION 27

REFERENCES 28
 LIST OF FIGURES

Fig. 3.1 Spectrum on Intelligence Measures 9

Fig. 3.2.1 Example of Decision Tree 11

Fig. 3.3.1 Example of KNN 13

Fig. 4.1 Applying AI to Cybersecurity in Application Domains 18

Fig. 4.5.1 From Internet of Content to Internet Of Things 24

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

Chapter 1
INTRODUCTION

Cybersecurity is defined as a set of processes, human behaViour, and systems that help
safeguard electronic resources. Analogous to Moore’s law that forecasts the doubling of
components on an integrated circuit eVery two years (along with decreasing costs
associated with chip manufacturing), cybercriminals are increasingly doubling the
effectiVeness of their attack tools for half the cost eVery few months. Global cybersecurity
spending is expected to exceed $1 trillion from 2017 to 2021 , where spending on
cybersecurity already increased by almost 40 percent from 2013 to $66 billion . In the past
few years, cybersecurity researchers haVe started to explore Artificial Intelligence (AI)
approaches to improVe cybersecurity. Likewise, cybercriminals are also using AI to launch
increasingly sophisticated cyberattacks while hiding their tracks.

AdVances in AI haVe led to many exciting research results and systems since its emergence
in the 1950s. Further deVelopments led to the emergence of machine learning and deep
learning . Today, AI has been deployed in far-reaching application areas, including
healthcare, agriculture, space, law, and manufacturing. The continuous performance
improVements in computer hardware and software (along with their decreasing costs),
coupled with new paradigms such as big data and cloud computing, haVe led to the
deVelopment and deployment of a wide range of AI systems with Varying capabilities.
Today, many of these AI systems now perform a broad range of complex tasks that include
learning, planning, problem solVing, decision making, and face/speech recognition. A
decade ago, a subfield of machine learning, also known as deep learning, emerged that
enables machines to discoVer hidden relationships in their input data, thereby generating
more accurate results for planning and predicting. Recently, there is an increasing interest
in the use of AI and machine learning techniques to fight cyberattacks. A strong motiVation
for the use of these techniques stems from the large amounts of data that are constantly
being produced today, which requires significant resources and time to analyse and detect
any patterns, anomalies, or intrusions in traffic data.

Dept. Of CSE, Jyothy Institute Of Technology Page | 1

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

1.1. Key Sources of Cyberthreats

1. Script kiddies: These are noVices who haVe trained to create cyberattack tools to
hack into Vulnerable computing systems and to make a quick buck or boost their
ego through such actiVities. 2.
2. Criminal organizations: These include those inVolVed in illegal operations, who
launch cyberattacks that can cause a Denial of SerVice (DoS), steal data or state
secrets as a result of data breaches, seek payments through ransomware, and so
on.
3. Nation states: This inVolVes state-sponsored cybercriminal actiVities perpetrated
against enemy nations with the intent of crippling the Victim nation’s economy or
critical infrastructures, causing fatalities, disruption of state-sponsored programs,
or to ultimately topple the goVernment.
4. Terrorists: They attempt to cause nationwide losses and major disruptions to
society’s critical infrastructures, such as causing massiVe power outages in a
Victim country through cyberattacks.
5. Spies (including business rivals): They steal trade secrets to gain an unfair
market adVantage.
6. Disgruntled employees: Employees who are stressed and unhappy with their
jobs, rifts with management, or other factors may attempt to cause financial or
reputation losses to the organization by carrying out a cyberattack against
corporate resources.
7. External attackers and insider threats: Experts with a strong knowledge about
the operation of computing resources as well as human behaViour, who attempt to
exploit Vulnerable systems and gain (mainly financially) through such acts or
simply cause major disruptions to the organization’s normal operations.

Dept. Of CSE, Jyothy Institute Of Technology Page | 2

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

Chapter 2

CYBERSECURITY THREATS AND LEGACY

CYBERSECURITY SOLUTIONS

OVer the last decade, many types of cyberthreats haVe emerged. Some of the common
cybersecurity threats faced today are:

1. Denial of Service (DoS) attacks: These attempt to oVerwhelm a Victim system’s

computing resources by sending an oVerwhelming number of requests for it to process
within a short period of time. Such attacks can be carried out in one of seVeral ways:
 A single attacker machine can launch a DoS attack against a Victim machine by
transmitting a large number of network traffic packets that appear to be
legitimate, to bypass security controls along the way
 Multiple attacker machines can participate in a distributed-style DoS attack,
i.e., a Distributed Denial of SerVice (DDoS) attack, resulting in a similar
outcome at the Victim machine.
DoS attacks are increasingly becoming more sophisticated and harder to detect, because
of the ready aVailability of attacker tools, as well as the proliferation of the Cybercrime
as a SerVice (CCaaS) market.

2. Man-in-The-Middle (MiTM) attacks: These are legacy cyberattacks carried out

through the process of interception of transmitted data on a communication line between
two legitimate communicating parties. The attacker places itself either physically or
Virtually between two communicating parties, A and B, posing as A to communicate
with B through the interception of A B messages and replacing these withmalicious or
tampered messages, and repeating the same process on the BA communication line,
i.e., posing as party B and speaking to party A. Variant implementations of such an
attack include IP address spoofing, wherein the malicious actor conVinces legitimate
systems that it is a trusted entity, enabling system access forthe actor. A message replay
attack inVolVes the repeat transmission of a preViously stored, stale message on the
communication line, perpetrated by the malicious actor.

Dept. Of CSE, Jyothy Institute Of Technology Page | 3

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

3. Phishing and Spear-Phishing attacks: These are carried out by crafting emails that
appear legitimate and transmitting them to legitimate systems, with the intent of haVing
the naïVe end users click a link and diVulge personal information. Such attacks exploit
social engineering principles, wherein emails are made to appear legitimate to end
users, luring them to trust them. Spear phishing is defined as a carefully designed attack
that inVolVes a thorough background search carried out by the malicious actor on
susceptible Victims, for subsequent drafting of emails that appear to be Very legitimate,
with the ‘‘from’’ field often containing trusted email addresses.

4. Drive-by attacks: These are carried out by malicious actors who skim through the web
and search for Vulnerable websites, so that they can implant malware scripts into the
webserVers. End users who Visit the website are eVentually infected with the malware,
leading to system compromise, disclosure of sensitiVe data, and other damage.

5. Password attacks: These can be carried out by shoulder surfing user keyboard actiVity,
brute force into a system using common passwords, and crafting sophisticated
passwords through the application of AI techniques.

6. Structured Query Language (SQL) injection attacks: These are legacy cyberattacks
that exploit Vulnerabilities in the SQL language by injecting a webpage with input fields
with SQL query code, that when executed at the webserVer, would disclose some or all
of the stored content on a backend database serVer, possibly including usernames and
passwords.

7. Cross-site scripting attacks: These are carried out by injecting malicious code in a
Vulnerable webserVer. Subsequent retrieVal of the hosted webpages by naïVe end-users
would infect the Victim’s machine with malware. Such malware may transmit user data
from the Victim’s machine to the malicious actor’s serVers, and may lead to the
subsequent hijacking of web sessions, theft of credentials, installation of key stroke
loggers, capture screenshots, and eVen taking control of the Victim’s machine remotely.

Dept. Of CSE, Jyothy Institute Of Technology Page | 4

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

8. Birthday attacks: This hash of a message, also known as a message digest, which can
be computed using a standard algorithm such as the Secure Hash Algorithm1 (SHA-1).
When this algorithm is applied to a message of arbitrary length, the output is a hash
Value of fixed length. The birthday attack refers to the attempt by a malicious actor to
find two different messages that produce the same hash Value. Consequently, the
original message can be replaced with the other message that produces the same hash
Value, causing system and serVice disruption and data loss. Such attacks apply AI
techniques to discoVer random messages that produce the same hash Value as a
legitimate message

9. Malware attacks: One of the main difficulties to web-hosting organizations is that

their websites can become the source of malware spread. According to Symantec’s
2016 threat report, 78 percent of websites contain a critical Vulnerability that can be
exploited by the adVersary to allow malicious code to run without any user interaction.
Strengthening a website’s defences inVolVes deploying appropriate security controls
such as web proxies, firewalls, and intrusion detection systems. A major issue here is
the trade-off between the right leVel of security controls and usability of websites being
hosted. The higher the leVel of a website’s usability, the greater the area of Vulnerability
for the website.

10. Zero-Day Attacks: One type of threat that’s becoming more preValent and
continuously eVolVing in complexity oVer the years is the zero-day threat.
Consequently, the attacker exploits the computing resources’ security Vulnerability
(software or hardware) the same day it becomes known. When a zero-day attack targets
a software Vulnerability, the patching of the security hole must be initiated from the
software deVeloper or Vendor as quickly as possible. Such security patches take time to
be created and rolled out on a global scale. During this interim period, all non-patched
systems are exposed to the cyberthreat of the zero-day Vulnerability. An example of
such a threat is zero-day malware that can easily penetrate a target system while
bypassing malware detection software such as antiVirus.

Dept. Of CSE, Jyothy Institute Of Technology Page | 5

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

The traditional (non-AI) cybersecurity techniques for detecting cyberattacks that are in use
are briefed below:

1. Game theory: The malicious actor is considered as one player in a game, and the
Victim’s machine is the other player. Each player attempts to maximize his/her
incentiVe through strategic moVement, in which the player rationally justifies that
the goal would be reached by the moVe. Each player’s behaViours either can be
known beforehand or remain concealed. An example of a game could be a smart
grid enVironment where the attacker attempts to disrupt communication between a
power system and a home, whereas the defender attempts to maintain connectiVity
between these Various entities. At each step of the game, the attacker and the
defender would adopt strategies to be successful in their respectiVe goals.

2. Rate control: Attacks against the aVailability of systems include DoS and DDoS.
Rate-control techniques can minimize the impact on such systems’ operation when
they are under attack by reducing the Volume of incoming network traffic, through
basic traffic throttling and redefining permission lists.

3. Heuristics: Firewalls and intrusion detection systems commonly rely on heuristics

to identify the most apt rule for classifying network traffic as legitimate or
anomalous. One such technique, performs a sequence of steps comprising substring
matching in order to identify suspicious website addresses. The second phase of the
presented scheme comprises the scanning of the web address through the VirusTotal
application (i.e. a website where one can supply a web address and gets a scored
analysis about the degree of maliciousness of the input website), with the lowest
score of the two scans considered for deciding on whether to let the data packets
into the network or not.

4. Signature-based intrusion detection: A signature-based intrusion detection

system makes use of a database that may store legitimate signatures corresponding
to normal traffic or attack signatures corresponding to malicious traffic. The
intrusion detection system matches the contents of incoming network packets with

Dept. Of CSE, Jyothy Institute Of Technology Page | 6

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

the stored signatures in real time. This technique’s drawback is that in the absence
of releVant signatures, intrusion detection systems are limited in their capabilities
to accurately detect malicious traffic entering a network.

5. Anomaly-based intrusion detection: This technique creates a model of what can

be perceiVed as the norm. The models can be in terms of rule-based policies,
mathematical models, and statistical techniques. DeViations from the norm are
regarded as attacks. When compared to the signature-based detection, such
techniques haVe the adVantage of being relieVed from depending on signature
patterns, thereby remoVing them from administratiVe efforts to collect signatures.

6. Autonomous systems: These haVe the capability to self-protect and self-heal, and
to ensure reliability and aVailability, as in the case of the Bionic Autonomic NerVous
System (BANS). This system is comprised of four different modules, namely,
Cyber Neuron, Cyber Axon, Peripheral NerVe and Central NerVe. Cyber Neuron is
used to protect against spyware and malware. Cyber Axon is an intelligent tool to
recoVer from damage caused by spyware and malware. Similarly, Peripheral NerVe
proVides a robust defense against DoS/DDoS attacks by establishing a
communication path between multiple cyberneurons deployed on different deVices.
Last, Central NerVe serVes as a knowledge base against new attacks and to
disseminate information to other security deVices. CollaboratiVe defense by
peripheral nerVes is proposed to block DoS and DDoS attacks through cooperation
between deVices within the network.

7. End user security controls: Current end-user deVices such as mobile phones, smart
portable deVices (iPads), and personal computers require in-built security rather
than add-ons. End users might not update their deVices with the latest security
patches, with some Vendors attempting to push automatic updates, in order to install
security patches. The WannaCry ransomware attack is an example of an attack
wherein the latest security patches proVided by the Vendor were not applied on all
the end-user deVices.

Dept. Of CSE, Jyothy Institute Of Technology Page | 7

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

Chapter 3
ARTIFICIAL INTELLIGENCE

AI is concerned with how machines can think or act correctly, giVen what they know . This
uniVersal definition includes how closely machines can think or act like humans. At one
end of the spectrum, machines are deemed to be intelligent if they can maximize the
outcome on eVery state of the process. At the other end of the spectrum, the Turing Test
sets the standard on machine intelligence. Under this test, a computer communicating with
a human is said to haVe intelligence when the human cannot distinguish whether the
responses come from a computer or a human. At both sides of the spectrum, AI embodies
computing areas such as natural language processing, knowledge representation, logic,
automated reasoning, machine learning, mathematics, and game theory. Early AI
applications gaVe rise to thinking machines that solVed puzzles such as geometry, checker
games, and a family of blocks-world problems.

Fig. 3.1. Spectrum on intelligent measures from thinking humanly through the Turing
Test, to acting humanly to maximize the outcome.

The most releVant AI applications to the cybersecurity area are in intrusion detection
systems. Cybersecurity solutions often perform traffic analysis, where the Internet traffic
is classified as either legitimate or malicious. At the dawn of the Internet, cyberattacks were
identified with rule-based systems, where attacks could be detected based on their
signatures. OVer the years, as the number of Internet-connected deVices and their
applications increased, obserVing the huge amounts of network traffic being generated in
real-time and creating rules which analyse this traffic haVe become time-consuming and
make security protection systems behaVe defensiVely rather than proactiVely. Coupled with
this trend, technological adVances are also benefiting attackers who are deVeloping new

Dept. Of CSE, Jyothy Institute Of Technology Page | 8

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

sophisticated attack strategies that can aVoid detection by current security systems. As the
cyberthreat landscape continues to rise, we need adVanced tools and technologies which
can help detect, inVestigate, and make decisions faster for emerging threats. AI has the
potential to intelligently analyse and automatically classify large amounts of Internet
traffic.

Today, cybersecurity solutions, based on ML technologies, are being used to automate the
detection of attacks and to eVolVe and improVe their capabilities oVer time. ML-based
solutions are being used in intrusion detection systems as they can handle large Volumes of
data and a wide range of data attributes (e.g. a large number of table columns) used for
classification. Machine learning techniques learn from the collected Internet traffic to
distinguish the malicious from the legitimate traffic class.

3.1. Machine Learning

ConVentionally, machine learning methods can be classified into two categories: superVised
and unsuperVised learning. In superVised learning, data samples are labelled according to
their class (e.g., malicious or legitimate). Training data, or data labelling is usually
performed manually, requiring humans to detect data patterns with their classes. The trained
data is input to an algorithm to create a mathematical model, which can output the
predefined classes giVen new data samples. In unsuperVised learning, no data labelling or
training is required. Instead, the algorithms determine the degree of coherence/dispersion
among data samples, systematically creating classes, and then classifying these samples
according to the quality of data coherence within the class and data modularity between the
classes. Mathematical, statistical, and probabilistic methods are used by machine learning
techniques, allowing unsuperVised algorithms to label the data used by superVised
algorithms. Machine learning algorithms process data samples based on their determining
factors, commonly called features. The data input is processed as a table of rows and
columns, with rows serVing as data samples and the columns representing their features.

Dept. Of CSE, Jyothy Institute Of Technology Page | 9

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

3.2. Decision Trees

Fig. 3.2.1. An example of a decision tree that classifies network traffic into attack and
normal traffic type.

A decision tree is a technique used to create a set of rules from the training data samples.
The algorithm iteratiVely finds a feature that best categorizes data samples. The iteratiVe
diVision creates a sequence of rules for eVery side of the categories, resulting in a tree-like
structure, until data samples with only one class are found after a diVision. Fig.3.2 shows a
decision tree example that classifies network traffic using rules that lead to normal or attack
traffic classifications. The tree shows that, for example, if the flow of the traffic is low, but
the duration of the traffic pattern is long, then it is classified as an attack. The technique
proVides an intuitiVe method for detecting cybersecurity issues, because it shows the result
of a decision according to the feature Values, as what is required by classifying obserVed
eVents in cybersecurity as either legitimate or an attack. This technique’s benefit is that
once the effectiVe series of rules has been found, intrusion detection systems can classify
Internet traffic in real time. The quality of generated real-time alerts is one of the most
important attributes in detecting cyberattacks.

A different approach is the Rule-Learning technique, which seeks to find a set of feature
Values for each iteration while maximizing a score that defines the classification result’s

Dept. Of CSE, Jyothy Institute Of Technology Page | 10

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

quality—for example, the number of incorrectly classified data samples. Such an approach
is similar to decision trees in that it generates a set of rules for classification. While decision
trees find the best feature Values that lead to a class, a rule-learning technique finds a set of
rules that can describe a class. The adVantage of a rule-learning technique is that it can
factor human expert adVice in generating rules.

3.2.1. Case Study: Detection of DoS Attacks

Consider a study that employed 28 features to detect DoS attacks in cloud networks in
“Detection of DoS attacks in cloud networks using intelligent rule based classification
system” by R.Rajendran, S. V. N. Santhosh Kumar, Y. Palanichamy, and K. Arputharaj
[2]. The features consisted of computer and network indicators, such as Input/Output (IO)
reads, memory used, TCP flags detected, and the number of system resources opened. It
generated a set consisting of rules deriVed from the features (e.g. IO_reads greater
IO_reads(aVerage)), and employed feature-ranking algorithms to discern the most releVant
rules in finding the class. Afterward, the study employed human experts to optimize the
rules, such as remoVing redundancies. Thus, the technique is suitable for intrusion detection
systems where the configurations are mainly rule-based. Furthermore, the technique was
generally employed as a performance benchmark to other machine learning techniques in
detecting network intrusions.

3.3. K-Nearest Neighbors

The k-Nearest Neighbor (k-NN) technique learns from data samples to create classes or
clusters. It was first proposed as a non-parametric pattern analysis to find the proportion of
data samples in a neighborhood that yields a consistent estimate of a probability. The
neighborhood was set as k-number of data samples according to a distance metric, usually
the Euclidian distance to create clusters. The Votes from all k neighbors decide how new
data samples can be assigned to one of the clusters

Dept. Of CSE, Jyothy Institute Of Technology Page | 11

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

Fig. 3.3.1. The k-Nearest Neighbor (k-NN) algorithm classifies data in class 1 and class
2, based on the k nearest data samples in the neighborhood from the new data sample.

Fig. 3.3.1 illustrates the aboVe technique. A new data sample (the red dot) was added to the
data. In this example, the winning Vote came from the highest number of data samples from
one neighboring cluster. Hence, when k = 3, the sample was put into Class 2. When k = 9,
the sample was put into Class 1. This technique is computationally complex eVen for small
Values of k. HoweVer, it is attractiVe for intrusion-detection systems because it can learn
from new traffic patterns to reVeal zero-day attacks as its unseen classes. ActiVe research
in this area thus seeks to find how k-NN can be used for real-time detections of
cyberattacks. Recently, the technique was employed to detect attacks such as data
tampering and false data injection against industrial control systems and smart grids. It
performs well when the data can be represented through a model that allows the
measurement of their distance to other data–for example, in terms of a Gaussian distribution
or a Vector.

Dept. Of CSE, Jyothy Institute Of Technology Page | 12

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

3.4. Support Vector Machines

FIGURE 3.4.1 Support Vector Machines (SVMs) find a plane that separates data
samples.

The Support Vector Machines (SVMs) technique extends linear regression models. While
classifying data samples, SVMs find a plane that separates data samples into two classes
(as shown in Fig. 3.4.1). The separating plane can be shaped to form linear, nonlinear,
polynomial, Gaussian, Radial, sigmoid, and so on depending on the function employed
(called a kernel). SVMs can also separate multiclass data (that is, not only data to be
classified into two classes such as legitimate Versus attack class as what the preVious
examples showed, but rather data to be classified into more than two classes) by employing
more than one plane. This makes SVMs an attractiVe technique that can be used to analyse
Internet traffic patterns, which often consist of seVeral classes such as HyperText Transfer
Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol 3 (POP3), and Simple
Mail Transfer Protocol (SMTP)
3.4.1. Case Study: Support vector machine for network intrusion and cyber-attack
detection.

Dept. Of CSE, Jyothy Institute Of Technology Page | 13

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

SVM is a superVised machine learning technique, which requires training data to create a
classification model. Therefore, it is used in applications where attacks can be simulated .
For example, network traffic generated from the penetration testing conducted on a network
system was used as the training data [3]. SVM was employed to create a mathematical
model to find a plane the penetration test traffic from normal traffic. A Variation on its use
creates a 1-class model for the normal traffic, while the model can be employed to detect
anomalies when attack traffic was introduced . From these perspectiVes, the benefit of
SMVs enables the deVelopment of attack detection models through simulations.

3.5. Artificial Neural Networks

The Artificial Neural Networks (ANNs) learning technique is inspired from how neurons
in the brain work. ANN techniques model neurons in terms of a mathematical equation that
reads a series of data samples to output a target Value. The equation closely resembles the
linear regression equation where data attributes of a sample are weighed to yield an output
Value. The ANN algorithm iterates until the output Value is within the range of an
acceptable error from the target Value. In each iteration, the neurons learn by correcting
their weights by measuring how far the error is from the target Value, when giVen certain
patterns identified from the data samples. When the error becomes negligible, the algorithm
yields a mathematical equation that outputs an informatiVe Value such as the class, when
giVen unseen data samples. ANN techniques can distinguish patterns that range from noisy
to incomplete data samples. They are suitable for intrusion-detection systems because they
adapt to new forms of communications.

3.5.1. Case Study: Detecting port scans against mobile devices with neural networks
and decision trees

In a cybersecurity study [4], an ANN application used the Cascade Correlation Neural
Network (CCNN) which adds new hidden units to the hidden layer, step by step. When
new eVents are detected, new hidden nodes are added to the network and only those are
trained with the newly collected data thereby enabling a runtime adaptiVe and scalable
system. In this work, the CCNN allows the training of the network with new data and does
not need to retrain the whole network with the original data to learn from desktop-platform

Dept. Of CSE, Jyothy Institute Of Technology Page | 14

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

traffic patterns to detect port scanning to mobile networks. During the past decade, the rise
of mobile deVices has created new traffic patterns, causing preViously built detection
models obtained from desktop traffic to become obsolete. Port-scanning actiVities against
mobile deVices differed in their frequency of receiVed packets and the number of ports
scanned per second. The study showed that ANN port-scanning detection performance was
comparable to other algorithms’ performance, such as Decision Trees

3.6. Self-Organizing Maps

Self-Organizing Maps (SOMs) take ANNs to the next leVel, namely, to self-adjust the
neurons’ weight to output a 2- or 3-dimensional (2D or 3D) map showing how the data can
be grouped. The technique learns by finding the correlations that exist in data samples.
Adjacent data samples share more similar features than the ones further away, thereby
clustering data and proViding an output in the form of a map. SOMs are computationally
complex, making it unsuitable for real-time intrusion detection. Their major benefit lies in
their ability to Visualize the data, which is therefore useful in Visualizing network
anomalies. Without Visualization, the outputs from intrusion-detection systems are hard to
analyse. Visualization tools allow network operators to picture the normal pattern of traffic
data (e.g., in terms of protocol interactions and traffic Volume), thereby equipping them to
effectiVely find anomalies in network traffic, including zero-day attacks. Although
Visualization approaches can point to anomalous eVents effectiVely, it still requires trained
eyes to find anomalies in the data. Therefore, SOMs were employed as a complementary
tool for detecting cyberattacks.

Since SOMs illustrates data in a 2D or 3D map, it is suitable to Visualize multidimensional

data (e.g., when the data in a table haVe a large number of columns). In other words, SOMs
reduce the dimensionality of data. Although there are other dimensional reduction
techniques (such as Principal Component Analysis and CurVilinear Component Analysis),
they do not Visualize anomalies suitable for interpreting cyberattacks.

Dept. Of CSE, Jyothy Institute Of Technology Page | 15

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

3.6.1. Case Study: Neural analysis of HTTP traffic for Web attack detection

In detecting web attacks [5], the dimensions taken from the HTTP request header were the
protocol, userAgent, acceptEncoding, acceptCharset, and connection. SOMs were
employed to Visualize such multidimensional data to a 2D map, employing colours to
distinguish anomalous web traffic. Similarly, SOMs were employed to detect botnets by
reducing 5D data (i.e., protocol, source/destination IP, source/destination port numbers) to
a 2D map, effectiVely classifying botnets from normal traffic on the map.

So in summary , this is how AI techniques could improVe cybersecurity solutions. The

current trend shows that machine learning techniques seem to be the most popular AI-based
solutions, especially when it comes to detecting network intrusions. HoweVer, as
cyberattacks become more sophisticated and complex, the efficacy and efficiency of other
AI-based solutions discussed here must be further explored to better eValuate their true
potential in the field of cybersecurity.

Dept. Of CSE, Jyothy Institute Of Technology Page | 16

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

Chapter 4

APPLYING AI TO STRENGTHEN
CYBERSECURITY FOR VARIOUS APPLICATION
DOMAINS

Fig. 4.1. Applying AI to cybersecurity in various application domains. Larger bubble

sizes reflect the heightened role of AI.

The Internet continues to eVolVe in terms of the number of users, its size, heterogeneity of
deVices, and the number and type of applications that are being deVeloped to run oVer the
internet. Today, similar to electricity, water, and gas, the Internet has become an important
utility in the daily liVes of people around the world. As more deVices connect to the Internet,
they face increasing risks of being exposed to all kinds of cyberattacks. To protect these
Internet-connected deVices along with their users, cybersecurity has become indispensable.
Fig. 4.1 illustrates the role of AI in assisting cybersecurity in three areas namely, the
Internet, Internet of Things and critical infrastructure.

Dept. Of CSE, Jyothy Institute Of Technology Page | 17

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

4.1. The Internet

From an AI perspectiVe, cyberattacks are malicious patterns that differ from legitimate
Internet traffic. To distinguish malicious traffic from legitimate traffic, intrusion-detection
systems haVe been deVeloped by employing AI techniques because of their capability to
examine a large amount of data and adapt to the changing nature of Internet traffic. Recent
cyberattacks haVe targeted network infrastructure, business logic, and users.

4.2. Network Infrastructure (Botnet)

Most Internet serVices inVolVe client-serVer communications. Attackers can pre-empt

access to serVers or preVent the serVer from serVing client requests, as in DoS attacks. In a
botnet, the attackers first compromise seVeral hosts (using Trojans or other types of
malware), which the attacker then controls and issues specific requests to execute tasks.
For instance, in a DoS attack, these compromised machines can be used to oVerwhelm a
serVer with a large number of requests, leaVing no resources to handle requests from
legitimate users. DoS attacks haVe become an increasingly serious threat as the botnets they
use grow in complexity and run on multiple platforms from computers, mobile deVices, and
IoT deVices.

4.2.1. Case Study: Machine learning DDoS detection for consumer Internet of Things
devices

One study [6] detected DoS attacks launched by IoT deVices by employing features suitable
to characterize IoT network behaViours. They obserVed that IoT deVices communicate with
a limited number of endpoints when running applications, so two features were proposed
to reflect this: a) the number of distinct destination IP addresses, and b) the number of
distinct IP addresses within a 10-second window. Other features proposed were interpacket
arriVals, and the first and second deriVatiVes of interpacket arriVals. This reflects a sudden
influx of packets sent by the IoT deVice. The study showed that decision trees achieVed 99
percent accuracy in detection. Since most IoT deVices must pass a single gateway (such as
a home router), DoS attacks generated from IoT deVices can be preVented when gateways
adopt the proposed detection method.

Dept. Of CSE, Jyothy Institute Of Technology Page | 18

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

4.2.2 DoS attacks within the Software-Defined Network (SDN)

environment

Recent studies focused on detecting DoS attacks within the Software-Defined Network
(SDN) enVironment. Network management through SDN differs from traditional
forwarding protocols. While traditional routers forward traffic according to their routing
tables, SDN collects and programmatically analyses network data before forwarding
network traffic. This makes DoS attack detection in an SDN enVironment a noVel challenge.
Deep Learning is seen as a suitable solution for detecting DoS attacks in an SDN
enVironment.

4.2.2.1 Case Study: Detection and defense of DDoS attack–based on deep learning in
openflow-based SDN

The authors of [7] employed 20 features, such as the protocol, port, and packet size, and so
on. The authors showed that a deriVatiVe of Deep Learning called Long Short-Term
Memory can detect DoS attacks with 99.88 percent accuracy. It showed that DNNs excelled
in other AI techniques, such as SVMs, NaïVe Bayes, and Decision Trees in terms of
accuracy. The work showed that DNNs performed well, although only a small number of
features were defined, because DNNs were able to create hidden/latent Variables that were
considered as additional features, as opposed to other machine learning techniques that do
not create features. SDN employs AI techniques to adapt to changes in the computing
enVironment, and learn from past network data to analyse new traffic patterns and predict
security trends.

4.3. Application Layer

As serVers run the crucial business applications of an organization, attacking serVers is an

attractiVe Venue to assault either the organization running serVices or their users. Until
recently, application-layer attacks haVe focused on protocols such as HTTP, Domain Name
SerVice (DNS), or Session Initiation Protocol (SIP).

Dept. Of CSE, Jyothy Institute Of Technology Page | 19

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

The current application-layer attack landscape has shifted from preVenting information
flow to manipulating information’s meaning. With the adVent of online social networks, a
new breed of cyberattack has emerged that aims to disseminate false information so that
recipients behaVe or make decisions according to what the adVersary intended . Probably
the most influential false information was when fake news influenced the 2016 US
presidential campaign, thereby affecting national security interests . False information can
affect indiViduals, too, because it manifests itself not only in terms of fake news, but also
in cyberbullying and online grooming to control the Victim’s behaViour. False information
can seriously affect both national security and people’s wellbeing; and detecting false
information has become a modern application-layer cybersecurity issue.

4.3.1. Case Studies: Evaluating machine learning algorithms for fake news detection

AI has proVen to be a Versatile technique to detect false information, as it can quickly

analyse a large amount of data. For example, in [8], the authors analysed a corpus of 11,000
articles, including news from Reuters, local news, and blogs, and about 29 percent of
articles of the corpus were labelled as fake. Their work classified fake news with 77.2
percent accuracy using Stochastic Gradient Descent, an iteratiVe optimization algorithm.

The authors of [9] proposed correlation-based classifiers, analysed more than 150,000
tweets, and showed that the proposed classifiers performed with 47 times greater precision
than when the system was not employed in classifying messages.
The authors of [10] analysed 4.4 million Facebook messages and classified them into fake
and legitimate ones. By employing NaïVe Bayes, Decision Trees, AdaBoost, and
RandomForest, fake news was separated from legitimate messages with 86.9 percent
accuracy.

4.4. Human Link And Malware

Probably the weakest link in cybersecurity is the human who is the end user of the Internet.
Humans are focused on their business tasks rather than constantly dealing with the eVer-
increasing number of cyberattacks. While machines can be re-engineered to mitigate some

Dept. Of CSE, Jyothy Institute Of Technology Page | 20

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

of the well-known cyberthreats, humans require constant training based on past and updated
issues. This requirement is one of the main reasons behind the success of malwarespreading
through modern phishing techniques. Malware is software (such as a Virus, Trojan, or
worm) that has malicious intent. Phishing is a method that attempts to trick human users to
perform what an adVersary intends to do, such as clicking a link or an executable file. Such
actions either trigger the spread of malware or induce the Victims to reVeal their sensitiVe
information. Traditionally, phishing techniques leVerage human weaknesses in their
sensory systems, such as through fake emails or websites, causing Victims to be unable to
distinguish them from legitimate ones. Current phishing techniquesare more sophisticated
in that they exploit the human limit in becoming omniscient. To aVoid falling for phishing
hooks, users must assess the target’s legitimacy, and often this can be done by inspecting
the code behind the links, which may require some specialized expertise. This is an area
where AI can be used to augment human intelligence. Instead ofhaVing to learn all the rules
on how to detect phishing, these rules act as the features for AItechniques.

4.4.1. Case Studies: Rule-based phishing detection method

The authors of [11] proposed an approach that uses SVMs to detect links, leading to false
banking websites. The approach uses fiVe features: IP address, Secure Sockets Layer (SSL)
certificate, number of dots in the URL, web address length, and blacklist keywords.
Legitimate banking websites show a legitimate domain name instead of an IP address, haVe
an SSL certificate, haVe relatiVely short URL lengths in the domain, and are not part of a
subdomain (higher number of dots). Furthermore, the method collected a bunch of words
commonly used in phishing websites. The results showed that the method was able to detect
zero-day phishing with 98.86 percent accuracy. This research demonstrates that with AI
training, we can address the human weaknesses in cybersecurity awareness.

Dept. Of CSE, Jyothy Institute Of Technology Page | 21

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

4.5. The Internet Of Things

Fig. 4.5.1. From Internet of Content to Internet of Things

Computers haVe become smaller, portable, and more powerful and affordable. The ubiquity
of mobile deVices such as phones and tablets became the dawn of the IoT era. Today, many
deVices are equipped with networking capabilities and Internet connectiVity that makes the
IoT possible. Fig. 4.5.1 illustrates the eVolution of technologies that haVe led to the
emergence of the IoT. Other paradigms such as cloud computing, big data, and fog
computing are enabling mobile deVices with limited resources to access a wide range of
serVices remotely. Since the demand for higher data rates keeps increasing, researchers
introduced fog computing serVices by proVisioning the platform and application closer to
the user. Fog computing distributes serVers to minimize network roundtrip delays,
especially for Content DeliVery Networks (CDNs). So, fog computing improVes website
performance, and proVides real-time energy and carbon footprint management.

Dept. Of CSE, Jyothy Institute Of Technology Page | 22

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

Chapter 5

FUTURE CHALLENGES AND RESEARCH

OPPORTUNITIES
The future challenges of implementing Artificial Intelligence techniques in cybersecurity
and the research opportunities that can arise from it are described below:

1. The race between defence, offense, and humanity:

AI research adVances in cybersecurity haVe fuelled the race between the white
hat (defenders) and black hat (offenders) hackers. Attackers can employ AI to
mimic human behaViour to achieVe personal pride, power, or financial
adVantage. AI has led to the creation of intelligent agents that automatically
click adVertisements, play online games, and buy and resell best-seller seats for
concerts . AI has also manipulated public opinion in Venezuela by retweeting
political content and has affected the US presidential election by spreading
tailored news . Future research opportunities in cybersecurity are determined by
how diViding lines can be drawn between deVelopments and basic needs. AI’s
use in cybersecurity impacts three major stakeholders: white hat hackers, black
hat hackers, and end users (humanity). The white hat and black hat hackers are
the cohorts who promote the deVelopment of AI techniques. Hence, it is
imperatiVe to inVestigate how AI can be employed for human basic needs and
for deVeloping cybersecurity controls.

2. Infrastructure

The use of AI in cybersecurity is Viewed as a race between law enforcement and

cyberattacks. The leader in the race will be determined by his/her access to
technical knowledge and the supporting computing infrastructure. AI
algorithms are computationally expensiVe, because they are eVolutionary by
nature. Therefore, deVeloping fast algorithms for the AI solutions should be an
actiVe research area. For example, to detect malware, hashing algorithms haVe
been deVeloped to input to the k-means clustering algorithms, to enable fast

Dept. Of CSE, Jyothy Institute Of Technology Page | 23

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

clustering of common data samples . DeVeloping releVant algorithms has

become part of the recent race, but hardware deVelopment is another crucial
part.

3. Hardware and Platform

HaVing access to state-of-the-art computing infrastructure will help solVe AI
problems efficiently and with efficacy. As the number of computing deVices
increases, the Volume of traffic will also increase, thereby making it necessary
to perform data analysis quickly. Consequently, analysing data by using AI
techniques requires high-end computing platforms. To address this challenge,
cluster computing solutions such as Apache Spark and Hadoop haVe been
employed to analyse cyber traffic. At the high end, quantum computing will be
the breakthrough technology that helps solVe complex computing problems.
NASA’s quantum computer has been able to solVe complex problems in a
fraction of time–it is 100 million times faster than traditional computers.

4. Resources
HaVing easy access to the required resources when needed is crucial in
implementing workable computing solutions. Currently, energy is seen as the
scarce resource for many computing needs. For instance, Bitcoin blockchain
consumes an equiValent energy of 29 aVerage Australian households for a full
day, only to commit one block . The adoption of AI in cybersecurity extends the
arguments on how to share scarce resources between intelligent computers and
human. This will in turn motiVate regulators to go back to the drawing board to
justify what serVes as deVelopment and basic needs. Ethical issues will also
remain a future challenge when it comes to how AI can be employed for
cybersecurity.

Dept. Of CSE, Jyothy Institute Of Technology Page | 24

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

CONCLUSION
As the speed and sophistication of attacks increase, AI has become an indispensable
technology in the cybersecurity area. Cyberthreats haVe increased, eVolVed in their
complexities, and haVe broadened their scope. A comprehensiVe reView of cyberthreats and
solutions has been presented in this seminar . In particular, how cyberattacks can be
launched on different network stacks and applications, along with their impact has been
described.

Cyberthreats will continue to rise, eVen as the community identifies cyberthreats and
deVelops solutions using a wide range of technologies and techniques. In contemporary
research, AI techniques haVe demonstrated their promise in combating future cybersecurity
threats. The techniques propose a range of intelligent behaViours—from how machines can
think to act humanly. Recently proposed AI-based cybersecurity solutions largely focused
on machine learning techniques that inVolVe the use of intelligent agents to distinguish
between attack traffic and legitimate traffic. In this case, intelligent agents act as humans
whose task is to find the most efficient classification rules. HoweVer, the cyberattack
landscape today morphs from disrupting computers to sowing disorder in society and
disturbing human wellbeing. This phenomenon includes how adVances in technologies are
transforming the ways cyberattacks can be launched, detected, and mitigated . Through
such adVances, AI’s role in cybersecurity will increase continuously. NoVel AI techniques
must be deVeloped to quickly detect and mitigate threats that impend upon societal and
human wellbeing. In all likelihood, cybersecurity solutions will expand from intelligent
agents acting humanly to thinking humanly .

Dept. Of CSE, Jyothy Institute Of Technology Page | 25

Harnessing AI Capabilities to Improve Cybersecurity 2023-24

REFERENCES
• [1] S. Zeadally, E. Adi, Z. Baig and I. A. Khan, "Harnessing Artificial Intelligence
Capabilities to ImproVe Cybersecurity," in IEEE Access, Vol. 8, Jan.2020
• [2] R. Rajendran, S. V. N. Santhosh Kumar, Y. Palanichamy, and K. Arputharaj,
‘‘Detection of DoS attacks in cloud networks using intelligent rule-based
classification system,’’ Cluster Comput., Vol. 22, no. S1, Jan. 2019.
• [3] K. Ghanem, F. J. Aparicio-NaVarro, K. G. Kyriakopoulos, S. Lambotharan, and
J. A. Chambers, ‘‘Support Vector machine for network intrusion and cyber-attack
detection,’’ in Proc. Sensor Signal Process. Defence Conf. (SSPD), Dec. 2017.
• [4] C. PancheV, P. DobreV, and J. Nicholson, ‘‘Detecting port scans against mobile
deVices with neural networks and decision trees,’’ in Proc. Int. Conf. Eng. Appl.
Neural Netw. Springer, 2014.
• [5] D. Atienza, A. Herrero, and E. Corchado, ‘‘Neural analysis of HTTP traffic for
Web attack detection,’’ in Proc. Comput. Intell. Secur. Inf. Syst. Conf. Springer,
2015, pp. 201–212.
• [6] R. Doshi, N. Apthorpe, and N. Feamster, ‘‘Machine learning DDoS detection
for consumer Internet of Things deVices,’’ in Proc. IEEE Secur. Privacy Workshops
(SPW), May 2018
• [7] C. Li, Y. Wu, X. Yuan, Z. Sun, W. Wang, X. Li, and L. Gong, ‘‘Detection and
defense of DDoS attack–based on deep learning in openflow-based SDN,’’ Int. J.
Commun. Syst., Vol. 31, no. 5, 2018.
• [8] S. Gilda, ‘‘EValuating machine learning algorithms for fake news detection,’’ in
Proc. IEEE 15th Student Conf. Res. Develop. (SCOReD), 2017.
• [9] M. Spitters, P. T. Eendebak, D. T. Worm, and H. Bouma, ‘‘Threat detection in
tweets with trigger patterns and contextual cues,’’ in Proc. IEEE Joint Intell. Secur.
Inform. Conf., Sep. 2014, pp. 216–219.
• [10] P. Dewan and P. Kumaraguru, ‘‘Towards automatic real time identification of
malicious posts on Facebook,’’ in Proc. 13th Annu. Conf. Privacy, Secur. Trust
(PST), Jul. 2015
• [11] M. Moghimi and A. Y. Varjani, ‘‘New rule-based phishing detection method,’’
Expert Syst. Appl., Vol. 53, pp. 231–242, Jul. 2016.

Dept. Of CSE, Jyothy Institute Of Technology Page | 26