The persistent humanity in AI and cybersecurity

Even as AI technology transforms some aspects of cybersecurity, the intersection of the two remains profoundly human. Although it’s perhaps counterintuitive, humans are front and center in all parts of the cybersecurity triad: the bad actors who seek to do harm, the gullible soft targets, and the good actors who fight back.

Even without the looming specter of AI, the cybersecurity battlefield is often opaque to average users and the technologically savvy alike. Adding a layer of AI, which comprises numerous technologies that can also feel unexplainable to most people, may seem doubly intractable — as well as impersonal. That’s because although the cybersecurity fight is sometimes deeply personal, it’s rarely waged in person.

But it is waged by people. It’s attackers at their computers in one place launching attacks on people in another place, and those attacks are ideally being thwarted by defenders at their computers in yet another place. That dynamic frames how we can understand the roles of people in cybersecurity and why even the advent of AI doesn’t fundamentally change it.

Irreplaceable humans

In a way, AI’s impact on the field of cybersecurity is no different from its impact on other disciplines, in that people often grossly overestimate what AI can do. They don’t understand that AI often works best when it has a narrow application, like anomaly detection, versus a broader one, like engineering a solution to a threat.

Unlike humans, AI lacks ingenuity. It is not creative. It is not clever. It often fails to take into account context and memory, leaving it unable to interpret events like a human brain does.

In an interview with VentureBeat, LogicHub CEO and cofounder Kumar Saurabh illustrated the need for human analysts with a sort of John Henry test for automated threat detection. “A couple of years ago, we did an experiment,” he said. This involved pulling together a certain amount of data — a trivial amount for an AI model to sift through, but a reasonably large amount for a human analyst — to see how teams using automated systems would fare against humans in threat detection.

“I’ve given the data to about 40 teams so far. Not a single team has been able to pick that [threat] up in an automated way,” he said. “In some ways, we know the answer that it doesn’t take much to bypass machine-driven threat detection. How about we give it to really sophisticated analysts?,” he asked. According to Saurabh, within one to three hours, 25% of the human security professionals had cracked it. What’s more, they were able to explain to Saurabh how they had figured it out.

The twist: The experiment involved a relatively tiny amount of data, and it still took hours for skilled analysts to find the threat. “At that speed, you’d need 5,000 security analysts [to get through a real-world amount of data],” Saurabh said, as literally billions of data points are generated daily.

“Clearly, that doesn’t work either,” he said. “And this is where the intersection of AI threat detection comes in. We need to take the machine[s] and make them as intelligent as those security analysts who have 10 years, 15 years of experience in threat detection.” He argued that although there’s been progress toward that goal, it’s a problem that hasn’t been solved very well — and likely won’t be for decades.

That’s because what AI can do in cybersecurity right now is narrow. Pitched against artificial general intelligence (AGI) — the holy grail of thinking machines that does not yet exist — it’s laughable how far away our current AI tools are from approaching what a skilled security professional can do. “All people have general purpose intelligence,” said Saurabh. “[But] even if you teach an AI to drive, it can’t make coffee.”

Dr. Ricardo Morla, professor at the University of Porto, told VentureBeat that one way to understand the collaboration between humans and machines is in terms of cognitive resources. “As cars get smarter, the human ends up releasing cognitive resources required … to switch on the lights when it’s dark, [control] the clutch on an uphill start, or … actually [drive] the car, and using these resources for other tasks,” he said.

But, he added, “We are not at the point where the human in a security operations center or the human behind a massive botnet can just go home and leave it to the machine to get the job done.” He pointed to tasks like intrusion detection and automated vulnerability scanning that require security pros to supervise “if not during the actual learning and inference, definitely while reviewing results, choosing relevant learning data scenarios and models, and assessing robustness of the model against attacks through adversarial learning.” He also suggested that humans are needed “to oversee performance and effectiveness and to design attack goals and defense priorities.”

There are some security-related tasks for which AI is better suited. Caleb Fenton is head of innovation for SentinelOne, a company that specializes in using AI and machine learning for endpoint detection. He believes that AI has helped software makers develop their tools faster. “Programmers don’t have to write really complicated functions anymore that might take … many months of iteration and trying,” he said. “Now, the algorithm writes the function for them. And all you need is data and labels.”

He said using AI has resulted in a “net win” for approaches to threat detection, whether static (i.e., looking at files) or behavioral (i.e., how programs behave). But he allows that a tool’s a tool, and that “it’s only as good as the person using it.”

Steve Kommrusch is a doctoral candidate at Colorado State University who is currently focused on machine learning but has already spent 28 years as a computer engineer at companies such as HP and AMD. He echoed Fenton’s assertions. “The AI can help identify risky software coding styles, and this can allow larger amounts of safe code to be written quickly. Certain tasks — perhaps initial bug triage or simple bug fixing — might be done by AI instead of humans,” he said. “But deciding which problems need solving, architecting data structure access, [and] developing well-parallelizable algorithms will still need humans for quite a while.”

For the foreseeable future, then, the question is not whether machines will replace humans in cybersecurity, but how effectively they can augment what human security professionals do.

This idea of augmentation versus replacement spans many of the industries AI touches. But it’s notable that it appears to hold true in the complex field of cybersecurity.

Saurabh sees it as simply a specialization of labor — people spending more time doing things only people can do.

“For a different class of problems, you have to pick the right tools,” he said. “If you have a nail, you use a hammer. If you have a screw, you’re going to use a screwdriver. AI is not this homogeneous thing. One technique is patently AI, and another technique is patently not AI, right? There are a lot of different kinds of techniques, and many times it depends on what problem you’re trying to solve.”

Humans are still the weakest link

Ironically, even as human defenders remain crucial to the cybersecurity battle, they make persistently soft targets. It doesn’t matter how hidden a door is or how thick it is or how many locks it has; the easiest way to break in is to get someone with the keys to unlock it for you.

And the keys are held by people, who can be tricked and manipulated, are sometimes ignorant, often make mistakes, and suffer lapses in judgment. If we open a malicious file by accident or foolishly hand over our sensitive login or financial information to a criminal, the cybersecurity defender’s task becomes difficult or nearly impossible.

People will continue to be primary targets, not just because we are often easy marks, but because our metaphorical (and sometimes literal) keys unlock so much. “The human still has control over most goodies — bank accounts, valuable information, and resource-rich systems,” Morla said.

It’s not all bad news, though. Fenton agreed that people are the weakest link and always have been, but he also believes that the cybersecurity industry is getting better at protecting us from ourselves. “I think we’re mitigating that more and more,” he said. “Even if the user does something wrong and they run malware, if it behaves badly, we kill it.”

“We may see a rise of malicious AI-to-human interactions with human targets with text-to-speech and intelligent call center-like AI tools getting appropriated by attackers,” said Morla.

Notably, Kommrusch brought up a similar scenario. “Sadly, I do think that AI chatbots and robocalls have improved and will continue to improve. One could imagine [attacks involving] scammers cold-calling lots of folks with a nefarious AI chatbot that would hand off to a human attacker after the first 20-30 seconds of ‘hook,’” he said.

Both researchers point out that such attacks would need to be extremely convincing to work. “The AI would have to be good enough not only to avoid being detected as an AI in an intrinsic Turing test that the human target would apply — but also to mislead the human target into trusting the AI to the point of having the human provide the goodies (access credentials, etc.) to the AI,” said Morla.

Kommrusch, similarly, said that those sorts of systems could feel less “human” to a cautious target, but he warned that automation could significantly increase the number of attacks. Thus, even if the per-attempt success rate of the attacks was low, they may still be worth the minimal effort attackers put into them.

Morla suggests that one way to reduce the effectiveness of these kinds of attacks is simply to educate people. When people know what a suspicious email looks like, they’re far less likely to open a poisoned attachment or click a bad link.

In addition to education, people can use tools to help stay safe. “What would be beneficial to users would be an automated security quality grader based on AI that could allow users to assess security risk when adding an application to their phone or laptop,” said Kommrusch.

And some advice from the pre-AI cybersecurity days is still applicable, such as using two-step verification for sensitive data like bank accounts and employing off-the-shelf security products. “For example, there will be applications (like McAfee) which add AI to their protections; the end user can download the app to get a quality AI defense,” Kommrusch said.

AI versus AI

None of the above is to say that targets are only human. “There will be cases where access control mechanisms are implemented using AI and where the AI may become a target,” Morla said. He listed examples, such as efficiently finding malignant samples that look benign to a person but force the AI to misclassify it; poisoning a data set and thus preventing the AI from adequately learning from it; reverse-engineering AI to find models; and watermarking the AI for copyright.

“So while the human may still be the weakest link, bringing AI into cybersecurity adds another weak link to the chain.”

Fenton mentioned some of these AI-fooling adversarial techniques, like changing a few pixels in an image to trip up a machine learning model. To the human analyst, the altered picture would clearly be of, say, a panda, but the model may think it’s a school bus. He said some people have adapted that technique to binary files, altering them slightly to make malicious files look benign. The trick may be effective, but he said it doesn’t actually pose a threat yet, because none of the files are executable — thus, such an attack is only theoretical at this point.

And it could remain so for a while, because there may not be sufficient impetus for attackers to innovate. “This will sound weird, but I’m hoping that we’ll start seeing some new attacks soon because that [will mean] we’re putting a lot of pressure on malware authors,” Fenton said. The lack of innovation from the bad actors’ side, in other words, may indicate that what they’ve been doing all along is still sufficiently lucrative. “It would be kind of a shame if I have this AI approach, and we’re getting better at detecting malware, but you don’t see any new attacks. It means we’re not really affecting the bottom line,” he added.

Still, it’s reassuring to think security companies are prepared for the next wave of innovative attacks, whenever they may come.

Simple motivations

Fenton’s comments point to an often overlooked aspect of cybersecurity, which is that attackers are primarily motivated by the same thing that drives all thieves: money.

“Attackers will usually come up with the cheapest, dumbest, most boring solution to a problem that works. Because they’re thinking cost/benefit analysis. They’re not trying to be clever,” Fenton said. That’s key to understanding the cybersecurity world, because it helps show how narrow the scope of it is. Fenton calls it a goal-oriented market, both for attackers and defenders. And for attackers, the goal is largely financial.

“I’ve been consistently disappointed with how attackers actually behave,” he said. “I dream up all these elaborate scenarios that we could look for and find really cool malware. And almost all the time, [the attackers] just pivot slightly, they change one little thing, and they keep going, and it’s successful for them. That’s all they really care about.”

That means they’re likely to use AI to ramp up their attacks only when and if the cost/balance ratio works for them, perhaps by using off-the-shelf attacks. Those cheap and easy tools are likely on their way, and will proliferate. “AI techniques for attackers will get shared, allowing novice attackers to use sophisticated AI algorithms for their attacks,” Kommrusch warned. But even so, most of the use cases will likely be fairly unimpressive, like crafting more convincing phishing emails.

People versus people

People are always at both ends of the attacker-victim dyad. There is no software that becomes sentient, turns itself into malware, and then chooses to make an attack; it’s always a person who sets out to do accomplish some task at the expense of others. And although it’s true that a cyberattack is about compromising or capturing systems — not people, per se — the reason any target is lucrative is because there are humans at the end of it who will cough up ransomware money or inadvertently open a breach into a system that has value for the attacker.

In the end, even as AI enhances some aspects of cyberattacks and some aspects of cyberdefense, the stakes are still profoundly human. The tools and attack vectors may change, but there is still a person who attacks, a person who is a target, and a person who defends. Same as it ever was.


Original post:

63 comentários em “The persistent humanity in AI and cybersecurity

  1. Thanks for the auspicious writeup. It in fact used to be a entertainment account it.
    Glance advanced to more added agreeable from you!

    By the way, how could we communicate?

  2. Howdy! I know this is kind of off topic but I was
    wondering which blog platform are you using for this site?
    I’m getting fed up of WordPress because I’ve had issues with hackers and I’m looking at
    options for another platform. I would be fantastic if you
    could point me in the direction of a good platform.

  3. fantastic publish, very informative. I wonder why the
    other experts of this sector do not understand this. You must continue your writing.

    I’m confident, you have a huge readers’ base already!

  4. Greetings I am so excited I found your site, I really found you by accident,
    while I was browsing on Yahoo for something else, Regardless I am here now
    and would just like to say many thanks for a marvelous post and a all round entertaining blog (I also
    love the theme/design), I don’t have time to look over it all at the minute but I have
    bookmarked it and also added your RSS feeds, so when I have time I will be back to read more, Please do keep up the superb work.

  5. Can I simply just say what a comfort to discover an individual
    who really knows what they’re discussing over the internet.
    You definitely understand how to bring an issue to light and make it important.
    More people should read this and understand this side of your story.
    I can’t believe you’re not more popular given that you definitely have the gift.

  6. Good day I am so grateful I found your website, I really found you
    by mistake, while I was browsing on Aol for something else, Regardless I
    am here now and would just like to say thanks a lot for a
    remarkable post and a all round interesting blog (I also love the theme/design), I don’t have time to read through it all at the moment
    but I have book-marked it and also added your RSS feeds, so when I have time I will be back to read
    a great deal more, Please do keep up the fantastic b.

  7. I am the manager of JustCBD Store brand ( and I am currently planning to broaden my wholesale side of business. I really hope that anybody at targetdomain can help me . I thought that the most effective way to do this would be to reach out to vape stores and cbd retail stores. I was really hoping if someone could suggest a reputable web site where I can buy CBD Shops Business Data I am currently reviewing, and Not sure which one would be the best option and would appreciate any advice on this. Or would it be simpler for me to scrape my own leads? Suggestions?

  8. I’m the manager of JustCBD Store label ( and I am currently aiming to broaden my wholesale side of business. I really hope that anybody at targetdomain give me some advice ! I thought that the very best way to do this would be to reach out to vape shops and cbd retailers. I was hoping if anyone could recommend a trustworthy site where I can buy CBD Shops Marketing Lead List I am currently checking out, and Not exactly sure which one would be the most suitable solution and would appreciate any support on this. Or would it be simpler for me to scrape my own leads? Ideas?

  9. Have you ever thought about writing an ebook or guest authoring on other
    websites? I have a blog centered on the same topics you discuss and would love to have you share some stories/information. I know my visitors would
    appreciate your work. If you are even remotely interested, feel free to shoot me an e-mail.

  10. I really love your site.. Excellent colors & theme. Did you make this website yourself? Please reply back as I’m planning to create my own site and would like to find out where you got this from or exactly what the theme is called. Thanks!

  11. Wow, wonderful weblog structure! How lengthy
    have you been blogging for? you make blogging look easy.
    The entire look of your website is excellent, let alone the content!

  12. Right here is the perfect website for anybody who wants to understand this topic. You understand a whole lot its almost hard to argue with you (not that I personally will need to…HaHa). You definitely put a new spin on a topic that’s been written about for ages. Excellent stuff, just wonderful!

  13. After looking at a handful of the blog articles on your website, I really like your way of writing a blog. I added it to my bookmark website list and will be checking back in the near future. Please visit my web site as well and let me know what you think.

  14. Hi I am so excited I found your website, I really found you by accident, while I was researching on Digg for something else,
    Anyhow I am here now and would just like to say thank you for a fantastic post and a
    all round thrilling blog (I also love the theme/design),
    I don’t have time to look over it all at the moment but I have book-marked it and also added in your
    RSS feeds, so when I have time I will be back to read a lot more, Please do
    keep up the superb work.

  15. Good day! Do you know if they make any plugins to assist with SEO?
    I’m trying to get my blog to rank for some
    targeted keywords but I’m not seeing very good gains. If you know of any please share.
    Thank you!

  16. Howdy! This post couldn’t be written much better! Reading through this article reminds me of my previous roommate! He always kept preaching about this. I will send this article to him. Fairly certain he will have a very good read. Thanks for sharing!

  17. The next time I read a blog, Hopefully it doesn’t fail me as much as this particular one. After all, Yes, it was my choice to read through, nonetheless I really believed you would have something interesting to talk about. All I hear is a bunch of complaining about something you could fix if you were not too busy looking for attention.

  18. I’d like to thank you for the efforts you’ve put in penning this blog. I’m hoping to view the same high-grade content from you in the future as well. In fact, your creative writing abilities has motivated me to get my own, personal blog now 😉

  19. Achieving your fitness goals doesn’t have to require a certified personal trainer or an expensive gym memberships, especially if you have the budget and the space to consider practically every workout machine in the market.

  20. Hi there, I discovered your website via Google whilst looking for a related matter, your site got here up,
    it looks good. I have bookmarked it in my google bookmarks.

    Hello there, simply turned into aware of your
    blog through Google, and located that it’s really informative.
    I am going to watch out for brussels. I’ll appreciate in the event
    you proceed this in future. A lot of other people will
    likely be benefited out of your writing. Cheers!
    cheap flights 31muvXS

  21. Hi there! I could have sworn I’ve visited this site before but after going through some of the posts I realized it’s new to me. Regardless, I’m definitely happy I stumbled upon it and I’ll be bookmarking it and checking back frequently!

  22. This is the right site for everyone who would like to find out about this topic. You know so much its almost hard to argue with you (not that I actually will need to…HaHa). You definitely put a new spin on a subject that has been written about for a long time. Excellent stuff, just wonderful!

  23. An impressive share! I’ve just forwarded this onto a friend who has been doing a little research on this. And he in fact ordered me dinner simply because I stumbled upon it for him… lol. So allow me to reword this…. Thank YOU for the meal!! But yeah, thanx for spending the time to talk about this subject here on your web page.

  24. You are so interesting! I do not suppose I’ve truly read through something like this before. So wonderful to find someone with a few unique thoughts on this topic. Seriously.. thank you for starting this up. This website is one thing that is needed on the web, someone with a bit of originality!

  25. I blog quite often and I seriously thank you for your information. Your article has truly peaked my interest. I will take a note of your website and keep checking for new details about once per week. I subscribed to your Feed as well.

  26. Greetings, I do think your web site could be having web browser compatibility issues. Whenever I look at your web site in Safari, it looks fine however, if opening in IE, it’s got some overlapping issues. I merely wanted to provide you with a quick heads up! Besides that, great website!

  27. Hi there, I do think your blog may be having browser compatibility problems. When I take a look at your website in Safari, it looks fine however when opening in I.E., it’s got some overlapping issues. I merely wanted to provide you with a quick heads up! Aside from that, great site!

  28. The next time I read a blog, I hope that it does not disappoint me as much as this particular one. I mean, I know it was my choice to read, nonetheless I truly thought you would probably have something interesting to talk about. All I hear is a bunch of moaning about something that you could possibly fix if you were not too busy looking for attention.

  29. Having read this I believed it was extremely enlightening. I appreciate you spending some time and effort to put this article together. I once again find myself personally spending a lot of time both reading and leaving comments. But so what, it was still worthwhile!

Leave a Reply

Your email address will not be published. Required fields are marked *