Cybercriminals never stop innovating. Their increasing use of automated and scripted attacks, which raise both speed and scale, makes them more sophisticated and dangerous than ever. Given the volume, velocity and sophistication of today’s global threat landscape, enterprises must respond in real time and at machine speed to counter these aggressive attacks effectively. Machine learning and artificial intelligence can help deliver better, more effective threat intelligence.

As we move through 2020, AI is increasing its capacity to detect attack patterns by combining threat intelligence feeds from a variety of external sources, ranging from vendors to industry consortiums, with distributed sensors and learning nodes that gather information about the threats and probes targeting the edges of networks.

This new form of distributed AI relies on federated machine learning. Instead of relying on a single, centralized AI system to process data and initiate a response to threats, regional machine learning nodes respond to threats autonomously using the threat intelligence they already hold. Just as white blood cells automatically react to an infection, and clotting systems respond to a cut without requiring the brain to initiate those responses, these interconnected systems can see, correlate, track, and prepare for threats as they move through cyberspace. By sharing information across the network, local nodes respond to events with increasing accuracy and efficiency, leveraging continually updated response models.

It’s all part of an iterative cycle: in addition to the passive data collected by local learning nodes, the data gleaned from active responses, including how malware or attackers fight back, is also shared across the network of local peers. This lets the entire system further refine its ability to identify additional unique characteristics of attack patterns and strategies, and formulate increasingly effective threat responses.

There are many encouraging implications for cybersecurity. Security pros will use this system of distributed nodes connected to a central AI brain to detect even the most subtle deviations in normal network traffic. Examples of this are already emerging in research and development labs, particularly in health care, where researchers are using federated learning to train algorithms without centralizing sensitive data and running afoul of HIPAA. When added to production networks, this technology will make it increasingly difficult for cybercriminals to hide.

Building from there, an AI can share its locally collected data with other AI systems via a machine-to-machine (M2M) interface, whether with peers in an industry, within a specific geography, or with law enforcement developing a more global perspective.

Take Threat Intelligence to the Next Level

In addition to pulling from external feeds and analyzing internal traffic and data, federated machine learning will draw on the deluge of relevant information that local learning nodes collect from new edge computing devices and environments.

For this to work, these local nodes will need to operate in a continuous learning mode and evolve from a hub-and-spoke model, in which everything flows back to the central AI, to a more interconnected system. Rather than operating as information islands, a federated learning system would let these data sets interconnect so that learning models could adapt to event trends and changing environments from the moment a threat is detected.

That way, rather than waiting for information to make the round trip to the central AI once an attack sensor has been tripped, other local learning nodes and embedded security devices are alerted immediately. These regional elements could then create and coordinate an ad hoc swarm of local, interactive components to respond to the threat autonomously and in real time, even mid-attack, by anticipating the next move of the attacker or malware while waiting for refined intelligence from a supervised, authoritative master AI node.

Finally, the systems would share these events with the master AI node and with the other local learning nodes, so that an event at one location improves the intelligence of the entire system. This would let the system tailor its intelligence to the unique configurations and solutions in place at a particular point in the network, helping local nodes collect and process data more efficiently and enhancing their first-tier response to local cyber events.
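The cycle described above (local nodes learning continuously, sharing with the master node, and adopting the refined model) is what federated averaging does in practice, and it is also the mechanism behind the HIPAA point made earlier: raw records never leave the node. The following is an added example, not code from this article or from Fortinet. Three simulated nodes each train a small logistic-regression detector on their own constructed event records and send only their weight vectors and sample counts to an aggregator, which returns a count-weighted average that becomes every node's starting model for the next round. The feature set, the scaling constants, the node sizes and all event data are assumptions made for illustration.

```python
"""Federated averaging (FedAvg) for a distributed threat detector.

Added example, not code from the original article or from Fortinet.
Each local learning node trains a small logistic-regression classifier on
its own event records and sends ONLY its weight vector and sample count to
the aggregator (the "master AI node"). Raw events never leave the node;
the aggregator returns an averaged global model that every node adopts for
the next round. All event data below is constructed for illustration.
"""
import math
import random

# Constructed feature order: failed logins/min, distinct ports probed/min,
# outbound kilobytes/min. SCALE maps each feature into roughly [0, 1].
SCALE = [60.0, 100.0, 2000.0]


def node_events(seed, n):
    """Constructed labelled events for one node: ~30% malicious (label 1)."""
    rng = random.Random(seed)
    events = []
    for _ in range(n):
        if rng.random() < 0.3:
            x = [rng.uniform(20, 60), rng.uniform(30, 100), rng.uniform(500, 2000)]
            y = 1
        else:
            x = [rng.uniform(0, 5), rng.uniform(1, 10), rng.uniform(10, 300)]
            y = 0
        events.append((x, y))
    return events


def _sigmoid(z):
    z = max(-30.0, min(30.0, z))  # guard against overflow in exp()
    return 1.0 / (1.0 + math.exp(-z))


def score(weights, x):
    """Probability that event x is malicious under `weights` (bias first)."""
    z = weights[0] + sum(w * (xi / s) for w, xi, s in zip(weights[1:], x, SCALE))
    return _sigmoid(z)


def local_train(global_weights, events, epochs=50, lr=1.0):
    """One node's local update: full-batch gradient descent on logistic loss,
    starting from the current global model. Returns (weights, sample_count);
    this tuple is the ONLY thing the node shares with the aggregator."""
    w = list(global_weights)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in events:
            err = score(w, x) - y
            grad[0] += err
            for i, (xi, s) in enumerate(zip(x, SCALE)):
                grad[i + 1] += err * (xi / s)
        w = [wi - lr * g / len(events) for wi, g in zip(w, grad)]
    return w, len(events)


def federated_average(updates):
    """Aggregator step: sample-count-weighted mean of the nodes' weight vectors."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[i] * n for w, n in updates) / total for i in range(dim)]


def run_federated_rounds(rounds=5):
    """Simulate three nodes of different sizes over several FedAvg rounds."""
    nodes = [node_events(1, 200), node_events(2, 120), node_events(3, 80)]
    global_w = [0.0] * (len(SCALE) + 1)
    for _ in range(rounds):
        updates = [local_train(global_w, ev) for ev in nodes]  # weights + counts only
        global_w = federated_average(updates)
    return global_w


def evaluate(weights, events):
    """Accuracy of the model at the 0.5 threshold on labelled events."""
    hits = sum((score(weights, x) > 0.5) == bool(y) for x, y in events)
    return hits / len(events)


if __name__ == "__main__":
    model = run_federated_rounds()
    held_out = node_events(99, 300)  # constructed events no node trained on
    print("global weights:", [round(w, 3) for w in model])
    print("held-out accuracy:", evaluate(model, held_out))
```

The design choice worth noting is the interface between `local_train` and `federated_average`: the aggregator only ever handles `(weights, count)` tuples, so a compromised or curious master node sees model parameters, not the events that produced them. A real deployment would add secure aggregation or differential privacy on top, since weight vectors can still leak information about small datasets.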

Look Forward to More Efficient Threat Intelligence

The security industry clearly needs more efficient ways to analyze threat intelligence. When combined with automation to assist with autonomous decision-making, the intelligence gathered with federated machine learning will help organizations fight the increasingly aggressive and damaging nature of today’s cybercrime more effectively. Throughout 2020 and beyond, AI in its various forms will continue to move forward, helping to level the playing field and making it easier to fend off the growing deluge of attacks.

Derek Manky, chief, Global Threat Alliances, FortiGuard Labs