In the evolving cybersecurity sector, effective decision-making is vital to protect systems and data against cyber-attacks. More and more attacks, an increasing attack surface to protect, fewer human resources... I won't go over the current situation that leads us to be in need of effective decision-making tools in cybersecurity. And bam, we come back to the subject that is shaking up the cyber world at the moment, artificial intelligence, often forgetting (or confusing it) with other technologies such as deep learning or machine learning. So if I were to talk to you about recommendation systems applied to cybersecurity, have I lost you? However, we are convinced of their immediate relevance in the cyber world, and we offer you a brief comparison with machine learning tools. Let the battle begin!
RS vs. ML: Let's try to see things clearly first
Recommendation Systems (RSs) function as data filtering tools that leverage historical data analysis to generate suggestions for users. These systems collect and analyze user data to predict the optimal option, be it an item, course of action, or other decision, based on the user's preferences within a given context. RSs are already proving their worth in the entertainment and e-commerce sectors. Netflix and Amazon, for example, have very effective recommendation systems when it comes to sifting through large quantities of data to find what will interest the user. Decision-making is then simple to explain and transparent in most cases. However, RSs are not only useful in the e-commerce domain.
The utilization of RSs in the field of Cybersecurity has the potential to assist security teams in analyzing and managing vast volumes of alerts, making predictions, and offering effective response recommendations to mitigate threats. For instance, they can generate prioritized lists for implementing defensive countermeasures against cyberattacks, identify internal vulnerabilities, monitor network security, and perform various other operational tasks.
RSs offer several advantages, including accelerated searches, enhanced accessibility to content, gaining a competitive edge, and various other benefits. However, these systems also face challenges. Attacks and threats are constantly evolving, making it difficult to collect reliable and representative data. Also, the scalability of decision support is tricky because human resources in cyber are limited and it is therefore difficult to cope with the increase in attacks and guarantee rapid and accurate decision-making on a large scale.
If you want to learn more about RSs, a great article lists all the initiatives and developments in cybersecurity: https://link.springer.com/article/10.1007/s10115-023-01906-6#Abs1. And you will find the work of our PhD candidate Romain Brisse ! We are super proud!
As for machine learning (ML), we write about it regularly, but a reminder never hurts. ML refers to the process of automated learning that empowers computers to enhance their performance by leveraging data, without the need for explicit programming. ML employs algorithms and statistical models to examine vast amounts of data, extracting patterns and relationships that may be beyond human perception. It excels in identifying correlations that are challenging to program or significantly reduce time in task execution. One significant advantage is that ML demonstrates immediate effectiveness upon implementation within a company. Furthermore, it delivers highly detailed and specific outcomes, facilitating performance assessment. But machine learning also has a few flaws. It has to process huge amounts of data in order to obtain good results, so you need to have enough of it to make the most of the quality of machine learning. Because of the sheer volume of data involved, it is difficult to make the results transparent and explainable, as the process is highly automated.
So, adversaries or allies?
These are two distinct but closely related concepts. While ML models offer the potential for greater exploration, when it comes to integration with cybersecurity, RSs could be a more fitting choice due to the need of transparency. Given sufficient resources and computational power, ML has the potential to overcome certain challenges of RSs (such as scalability and sparsity) and enhance the quality of recommendations. However, ML models face drawbacks such as interpretability issues and the need for hyperparameter tuning, among others. Nevertheless, they can greatly improve the performance of RSs.
Leveraging the strengths of every technology? That's what we do at Malizen
We have developed a hybrid co-pilot that combines both a recommendation system and machine learning algorithms. As a result, our co-pilot offers seamless recommendations to analysts, guiding them in their data exploration process. We offer three distinct types of recommendations:
Initial Exploration Recommendation. We guide analysts by suggesting a specific type of data as an essential starting point within the context of threat hunting. It effectively directs the analysis towards the most relevant sources of information right from the beginning.
Additional Exploration Recommendation: Once an analyst has identified a specific point of interest, our recommendation engine proposes further exploration by focusing on another type of data. This approach aims to provide better qualification of the ongoing attack or explore previously neglected areas, ensuring a more comprehensive investigation.
Point of Interest Classification Recommendation: When a relevant point of interest is identified, our recommendation engine suggests precise classification in terms of techniques and tactics employed by the attacker, referencing the MITRE ATT&CK framework. This recommendation allows for deeper analysis and a better understanding of the strategies employed by the attacker.
Each recommendation is accompanied by an explanation, enabling informed decision-making for the analyst. Additionally, our co-pilot is trained on analysts' investigation behaviors (and in the future, their analysis intentions), continuously learning and adapting.