Back to the Future: AI's 40 Year History in Cybersecurity
AI in cyber is much older than you might think
Introduction:
It seems like you can’t go anywhere without hearing about AI. From my phone’s Medium push notifications to The Economist and to literally every vendor’s positioning statements, “AI in Cybersecurity” has taken our industry by storm, ad nauseam.
AI is here to stay, and I believe it provides huge opportunities for enabling teams to do more with the time they have or do what they need to do now in less time. Since ChatGPT’s very public release in November 2022, generative AI has been applied to almost every industry, and cybersecurity is no exception. CrowdStrike’s Charlotte AI and Microsoft’s Copilot are but a few examples of how, in this case, generative AI is being put to use. But AI in cybersecurity is not new.
Quick Crash Course:
If you’re still wondering what AI is, here’s a two-sentence overview. AI is the simulation of human intelligence processes by machines, particularly computer systems; these processes include learning, reasoning, and self-correction. Machine Learning (ML) is a subset of AI that enables systems to learn and improve from experience without being explicitly programmed, using algorithms to identify patterns and make decisions with minimal human intervention. Key sub-components of AI/ML include supervised learning, unsupervised learning, reinforcement learning, natural language processing (NLP), and computer vision.
Still scratching your head?
AI allows machines to perform many tasks that humans would need to manually perform, and it does this at scale (both in terms of data quantity and output speed). It does this across many different task sets and is very effective in security, detecting anomalous behavior, analyzing and stopping known and unknown malware, and allowing network defenders to transform questions they have into Splunk/SQL queries.
To illustrate this, I asked DALL-E to create a graphic that shows the different components of AI/ML, which is shown below.
As you can see, it’s not perfect. I’m pretty sure “Natune Language Pecesing” is supposed to be natural language processing. However, instead of needing to drum up a slide, draw shapes and relationships, and then copy/paste it into this post (~30 minutes of effort), I generated something that’s decent at getting the point across in seconds.
AI in Cybersecurity History Lesson:
When I ran Product for Arctic Wolf Labs, one of my key responsibilities was developing AI capabilities for our SOC and talking to customers about our AI journey. A trope I often used was “AI has been in cybersecurity for decades,” which would receive a mixture of head nods and raised eyebrows from my customers.
That’s understandable. AI is such a buzzword, and terms like “machine learning,” “heuristics,” and “anomaly detection” have been forgotten in the noise of the past two years.
For this week’s analysis, I looked into when, what, who, and where AI has been in cybersecurity. When I was at CrowdStrike and Palo Alto Networks, I referenced our machine learning capabilities for adversary detection and event correlation. Still, I wanted to dig deeper into the history of when AI first came onto the scene for cyber.
While I’d been familiar with machine learning’s application to threat detection in the early to mid-2010s, I was (personally) surprised to discover that we’ve been using machine learning since the Reagan Administration to identify anomalous activity and prevent cyber attacks.
The first three examples of AI in cybersecurity pre-date our current millennium and, in today’s context, serve as the building blocks for what we use AI to do: identify anomalies and evaluate how our ML models should be designed to stop attacks, including phishing. Check them out below:
Rule-Based Systems for Anomaly Detection (1980s)
Problem: As computer networks grew, detecting intrusions and unauthorized access became a pressing issue. Cybersecurity was in its infancy, and there was a dire need for systematic methods to identify threats.
Method: Dorothy E. Denning, a cyber pioneer, developed an intrusion detection model using rule-based systems. This model identified deviations from normal behavior patterns and marked them as potential security threats.
Outcome: Denning's groundbreaking work laid the foundation for future anomaly detection techniques, significantly advancing cybersecurity. By providing a systematic way to detect intrusions, she set the stage for more sophisticated systems that would follow.
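To make "deviation from normal behavior" concrete, here is an added example (not from the original post, and a simplified sketch rather than Denning's model itself): a per-user profile of one audit metric plus a rule that flags values far above that user's own baseline. The metric (failed logins per hour), the user names, the sample records, and the `k` and `min_obs` parameters are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed audit records (user, failed logins in one hour); not real data.
BASELINE = [
    ("alice", 0), ("alice", 1), ("alice", 0), ("alice", 2), ("alice", 1),
    ("bob", 3), ("bob", 4), ("bob", 2), ("bob", 5), ("bob", 3),
]


class Profile:
    """Running mean and variance of one metric for one subject (Welford)."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def build_profiles(records):
    """Learn one profile per user from historical audit records."""
    profiles = defaultdict(Profile)
    for user, value in records:
        profiles[user].update(value)
    return dict(profiles)


def check(profiles, user, value, k=3.0, min_obs=5):
    """Rule: flag a value more than k standard deviations above the mean."""
    p = profiles.get(user)
    if p is None or p.n < min_obs:
        return "no-baseline"  # too little history to judge; route to review
    # Floor the deviation so a perfectly flat history does not alert on +1.
    threshold = p.mean + k * max(p.stddev(), 0.5)
    return "anomalous" if value > threshold else "normal"


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for user in ("alice", "bob", "carol"):
        print(user, 4, check(profiles, user, 4))
```

The same observation (4 failed logins) is anomalous for one user and normal for another, which is the point of profiling each subject rather than applying one global threshold.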
DARPA’s Benchmark Sets for ML Methods in Cybersecurity (1998-1999)
Problem: With the rise of cyber threats, there was a critical need to develop and evaluate machine learning methods for cybersecurity.
Method: DARPA stepped in, creating benchmark datasets and initiating research focused on applying machine learning techniques to security problems. They explored both supervised and unsupervised learning methods to tackle various cyber threats.
Outcome: While initial results were not immediately practical for operational use, DARPA’s initiative spurred significant research and development. This effort led to more advanced and effective cybersecurity solutions in the following years, laying the groundwork for modern machine learning applications in cybersecurity.
Spam, Phishing, and URL Filtering Systems Based on Supervised Learning (2000)
Problem: The early 2000s saw a surge in spam, phishing, and malicious URLs in emails, creating a need for reliable filtering systems to protect users from these threats.
Method: Developers and researchers implemented supervised learning algorithms to analyze email content and URLs. By comparing these against labeled datasets, they could identify and filter out spam and phishing attempts.
Outcome: These early filtering systems were the precursors to more sophisticated email security solutions. Major email providers like Gmail now employ advanced machine learning models to effectively filter unwanted and harmful emails, protecting millions of users worldwide.
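For a feel of what "supervised learning against labeled datasets" meant for these early filters, here is an added example (not from the original post or any vendor's product): a small naive Bayes text classifier, one common choice for this kind of filter. The training messages, the `.example` URLs, and the `urltoken` feature are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed labeled training set; not real mail.
TRAIN = [
    ("spam", "verify your account now at http://login-update.example/verify"),
    ("spam", "urgent: your account is suspended, click http://secure-pay.example"),
    ("spam", "you won a prize, click now to claim"),
    ("ham", "meeting notes attached, see agenda for tomorrow"),
    ("ham", "can you review the pull request before the meeting"),
    ("ham", "lunch tomorrow? agenda is light"),
]


def tokens(text):
    """Lowercase words; every URL collapses to the single feature 'urltoken'."""
    text = re.sub(r"https?://\S+", " urltoken ", text.lower())
    return re.findall(r"[a-z]+", text)


def train(examples):
    """Count tokens per label and documents per label."""
    words = {"spam": Counter(), "ham": Counter()}
    docs = Counter()
    for label, text in examples:
        docs[label] += 1
        words[label].update(tokens(text))
    return words, docs, set(words["spam"]) | set(words["ham"])


def score(model, text):
    """log P(spam | text) - log P(ham | text); positive leans spam."""
    words, docs, vocab = model
    logp = {}
    for label in ("spam", "ham"):
        total = sum(words[label].values())
        lp = math.log(docs[label] / sum(docs.values()))
        for tok in tokens(text):
            if tok in vocab:  # unseen tokens carry no evidence either way
                # Laplace smoothing keeps a zero count from vetoing a class.
                lp += math.log((words[label][tok] + 1) / (total + len(vocab)))
        logp[label] = lp
    return logp["spam"] - logp["ham"]


def classify(model, text):
    return "spam" if score(model, text) > 0 else "ham"
```

A message made up entirely of words the model has never seen scores exactly 0 and falls through as ham, which is why such filters depend on the labeled set being kept current.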
Back to my trope, AI in cybersecurity is not new. We see that it’s quite old, dating back to the pre-DARPA net days. As our world went online and we began to rely on cloud infrastructure and applications to do business, so too grew the threat vectors and the value of machine learning and AI in solving those problems.
I’ve cherry-picked 13 examples in chronological order of when AI was first applied to cybersecurity, what its capability (function) was, who created it, the problem it was solving (problem-set), the AI/ML function, and a reference for your further reading. Note that a more exhaustive list is included in this post’s appendix. Neither is comprehensive (apologies to folks I’ve omitted), yet the message is clear: AI’s application in cybersecurity has grown exponentially in scope and capability.
What’s this telling us?
The generative AI hype cycle has significantly impacted vendors' capabilities. 2023 and 2024 have been primarily tailored toward supervised machine learning, behavioral analysis, natural language processing, and large language models. Interestingly, AI’s application mirrors vendor problem sets. Cloud security has become a major cybersecurity topic over the past five years and now has an AI capability. Endpoint security, on the other hand, has had machine learning in production for over a decade.
Analyzing the table, we see a consistent trend: as cyber threats have evolved, so have the methods for countering them. The early use of rule-based systems for anomaly detection laid the groundwork for more sophisticated methods that incorporate machine learning and AI. DARPA’s benchmark sets in the late '90s were crucial in pushing the research community toward developing more robust ML techniques. The early 2000s brought about the need to counter spam and phishing, leading to the implementation of supervised learning algorithms in email filtering systems.
Fast forward to the 2010s, we see the rise of AI-powered behavioral analytics and next-generation anti-virus systems that leverage machine learning for detecting malware without relying solely on signatures. Now, entering into the mid-2020s, we’re seeing Natural Language Processing and Large Language Models entering the fray. This is all exciting to see, and with the rise in agentic architectures beginning to gather steam, I can’t help but wonder what we’ll see next.
Concluding Thoughts:
AI is everywhere, but it’s not new. Much like how machine learning models are iteratively improved upon, the capabilities we've explored today will continue to evolve and enhance. The historical journey of AI in cybersecurity shows that from the early days of rule-based systems to today’s advanced behavioral analytics and generative AI, the field has seen remarkable advancements. The application of AI has expanded exponentially, addressing increasingly complex problem sets with more sophisticated solutions.
The explosion of AI in cybersecurity, particularly over the past few years, underscores its critical role in defending against modern threats. As adversaries become more sophisticated, leveraging AI’s capabilities becomes not just advantageous but essential. The trend towards integrating AI in every aspect of cybersecurity, from endpoint protection to cloud security, highlights the industry's acknowledgment of AI’s potential to transform defensive strategies.
However, it's crucial to remember that AI is not a silver bullet. While it provides powerful tools to detect and mitigate threats, human oversight, continuous improvement, and adaptive strategies are vital. The dynamic nature of cyber threats demands that we stay vigilant and continuously learn and adapt our defenses.
Collaboration between human expertise and AI technology will be key to staying ahead of cyber adversaries. Embracing AI’s potential while understanding its limitations will enable us to build more resilient and robust cybersecurity frameworks. AI is here to stay, and its role in cybersecurity will only grow more significant, shaping the future of how we protect our digital world.
Stay secure and stay curious, my friends!
Damien
Editorial Notes:
A huge thank you to the Stellar Cyber article, whose context provided many of my data points for today’s Substack. To folks at any of the vendors I called out, feel free to fact-check me by emailing me. My research outputs are restricted to what’s publicly available and my personal experience and opinions. Note that all of these opinions are my own and in no way, shape, or form endorse or discourage any vendor mentioned or not mentioned in this blog post.
References:
1. MDPI. (n.d.). Electronics - Open Access Journal. https://www.mdpi.com/2079-9292/12/11/2355
2. Stellar Cyber. (n.d.). A Brief History of Machine Learning in Cybersecurity. https://stellarcyber.ai/a-brief-history-of-machine-learning-in-cybersecurity/
3. BlackBerry. (n.d.). CylancePROTECT. https://www.blackberry.com/us/en/products/cylance-endpoint-security/cylance-smart-antivirus
4. CrowdStrike. (n.d.). AI-Powered Behavioral Analysis. https://www.crowdstrike.com/cybersecurity-101/secops/ai-powered-behavioral-analysis/
5. Abnormal Security. (n.d.). Home Page. https://abnormalsecurity.com
6. Orca Security. (2023). Orca Security Generative AI Integration Amazon Bedrock. https://orca.security/resources/press-releases/orca-security-generative-ai-integration-amazon-bedrock/
7. Palo Alto Networks. (2023). Palo Alto Networks Adds "Bring Your Own AI" Capability to Cortex XSIAM AI-Driven Security Operations Platform. https://www.paloaltonetworks.com/company/press/2023/palo-alto-networks-adds--bring-your-own-ai--capability-to-cortex-xsiam-ai-driven-security-operations-platform
8. IEEE. (n.d.). IEEE Xplore. https://ieeexplore.ieee.org/document/6234369
9. Springer. (n.d.). Botnet Detection Using Machine Learning. https://link.springer.com/chapter/10.1007/978-3-540-69209-6_21
10. Splunk. (n.d.). What is UEBA and Why is it Important? https://www.splunk.com/en_us/blog/security/what-is-ueba-and-why-is-it-important.html
11. Darktrace. (n.d.). AI Cyber Security White Paper. https://www.darktrace.com/en/resources/wp-ai-cyber-security.pdf
Awesome writeup!