Beyond the Hype: AI, ML, and Deep Learning in Cybersecurity

February 25, 2018 | 9 min read | Security Posture

Recently, I participated in a thought leadership discussion moderated by Izak Mutlu, former CISO of Salesforce, and Gamiel Gran of Mayfield. With a dozen CISOs in attendance, we had a robust Jeffersonian style discussion on a range of cybersecurity topics. One of the first questions the group was asked was how they viewed AI, and if they were using it. Many participants indicated that they were in the middle of projects that employed machine learning, but emphatically proclaimed that there was no AI in cybersecurity.

My curiosity piqued, I asked the group what their definition of AI was, and how they distinguished it from machine learning. In response to my question there were a few ambitious takes (“AI must pass the Turing Test”), some useful descriptions (“AI is the ability to pivot”), and then some contradictory definitions (“AI is a special type of ML”). A lively discussion on this topic ensued within a subset of the CISO group, spilling over into the next days and weeks, finally prompting this piece.

The term Artificial Intelligence is indeed ambitious and anchored to our perspectives of human intelligence, the Turing Test, and memories from Sci-Fi movies. Unconsciously, we compare any new AI technology to the ability of human experts. If Google’s AlphaGo can defeat South Korean Master Lee Se-dol in the board game Go, surely there is something to the growing prowess of Artificial Intelligence. Unfortunately, as was clear at my CISO dinner, there is quite a bit of confusion around exactly what AI is, a situation not helped by outlandish marketing claims about AI from vendors in recent years.

This three-part blog explores the generalized notion of human intelligence vs AI, and attempts to clarify some of the vocabulary in use today including the difference between AI, machine learning, expert systems and deep learning. Finally we will discuss how AI is real in cybersecurity, can help with many workflows and use cases including the basics of security, and why we need it as a strategic tool.

What is Intelligence?

Before we go further down on the topic of AI, let’s define intelligence, as we perceive it in humans. A broad definition of intelligence is naturally quite complex, with many aspects still open to hot scientific and philosophical debate. But for our purposes, I will offer the following definition.



These three aspects of intelligence should feel familiar and intuitive:

  1. Having large amounts of knowledge is generally strongly associated with superior intelligence.
  2. Someone who can acquire knowledge faster will eventually have more knowledge, and we might consider them to be more intelligent.
  3. We appreciate people who can apply their knowledge to solving real world problems over people who cannot, and consider them to be smarter.

I am glossing over many key attributes of people which you might consider essential to intelligence, e.g., empathy, self-awareness, creativity, morality, grit, and consciousness. But, all these attributes are quite consistent with the general definition offered above.

Two key points about intelligence: First, many scientists believe that the human intelligence ultimately stems from how the brain can discover and store co-related hierarchical patterns across multiple different types of sensory data. For instance, when you see the words “GBangas-iPho” as part of an MDNS name in a packet capture or a log file, you intuitively know that this is quite likely the iPhone of your friend Gaurav Banga. You are unconsciously correlating knowledge that you possess about the names of your colleagues with your knowledge of common types of devices. You are also continuously and unconsciously updating both of these models in your head as you go about the business of life and are subject to multimedia sensory input from a variety of sources including Apple’s ads, TV shows, email, blogs such as this, and hallway conversations. Contrast this with the difficulty you will encounter when trying to write a traditional program to use arbitrary substring matches to mimic this simple capability, while preserving similar flexibility on input and accuracy on output.

Second, and this might not be so obvious – intelligence is about prediction as a method of problem solving. Yes, your eye is trying to see everything it can, but simultaneously, your brain is sending predictions down the neural hierarchy and the eyes, on what it expects the eye to see. This predictive mechanism “fills in” for what you don’t sense properly, and is why you are not able to normally perceive the blind spot in your eye. This predictive mechanism is also how you are able to walk in your bedroom in pitch dark at night without stumbling—your brain sends signals to your motor nervous system providing your muscles with a model of what to expect as you walk around. We’ll come back to predictions later.

Exec Guide to AI and ML CTA

General AI vs Narrow AI

The concept of AI or Artificial Intelligence was originally conceived in the 1950s by a few computer scientists who were beginning to think beyond traditional programs. AI pioneers were inspired by the possibility of designing super-smart programs, which would possess intelligence characteristics similar to that of humans— R2D2 and C-3PO in Star Wars, or the supercomputer in Superman III. This is General AI.

General AI does not exist today. We don’t quite know how to mimic the working of the human brain, or even a small fraction of its intelligence. A great book to read on this topic is Jeff Hawkins’s On Intelligence.

What does exist today is what we might call “Narrow AI” or “Weak AI”. There are numerous useful products using Narrow AI that can perform some tasks just as well as, and often even better than humans. An example is Amazon’s Alexa, which operates within a limited input range and combines several Narrow AI techniques to perform some tasks quite well, producing the illusion of intelligence. The current world champions of both Chess and Go are also instances of Narrow AI. These Narrow AI systems do possess all three elements of Intelligence discussed earlier—a store of domain specific knowledge, mechanisms to acquire new knowledge, and mechanisms to put this knowledge to use.

What also exists today are several implementations of Narrow AI that solve important cybersecurity domain problems. While we don’t yet have a security bot that will pass the Turing test and replace one of your security team members, Narrow AI based tools can prioritize threats and vulnerabilities, and measure security posture better than most humans can. Balbix is one of such systems. More on this later.

In the second part of this blog series, we discuss the difference between the terms AI, machine learning, expert systems and deep learning.