Section 2
Challenges and Needs
Addressing Advanced Threats:
AI provides both benefits and disadvantages in terms of security:
Defenders:
We teach machines to detect malware:
Takes a lot of capacity and data for Self Encrypting Drives (SED) to function properly
Large ANNs:
Systems of hardware and/or software patterned after the operations of neurons in the human brain are both required to:
Collect, analyze, and classify millions of threats everyday
Training AI Algorithms involves 3 Different Types of Learning:
Supervised Learning:
Presenting the system with correctly labelled data, which it analyzes and applies to unlabelled data.
Unsupervised Learning:
Providing unknown solution sets, which the system analyzes for patterns from which it can ultimately label the data.
Reinforcement Learning:
Optimizing the systems performance by testing it with unlabelled data and offering grades (rewards) for the results.
How Cyber security Systems are trained to identify malicious files:
Training Process:
System is exposed to billions of examples over the file analysis for features and behaviours.
Feature Analysis:
During training the system, carefully analyze the files to identify patterns, characteristics or behaviours that differentiate safe files from harmful ones.
Result:
System can make quick and accurate decisions when evaluating new files.
Allows system to detect and stop threats in real time.
Attackers:
Malicious AI: Refers to the use of AI/ML to augment cyberattacks that are more powerful than ever
Complexity Complicates Network Security:
A growing attack surface means that the security controls built into last-gen networks are unable to address the:
Volume, Velocity, and Sophistication of the threat landscape
Traditional Signature-based viruses can’t keep up anymore
Countermeasures
AI detects zero-day threats at machine speed.
Use ML to analyze the characteristics of malicious files
Future of cybersecurity:
Automation based on AI-derived intelligence from:
Automatic, signature creation to real time quarantining and remediation.
“About embracing and innovating for the partnership of man and machine- both relaying on each other in the fight against hackers”
Challenges and Perspectvies:
Growing # of advanced threats and zero-day exploits
Adversaries have moved beyond malware
Threat Landscape Overview:
Attackers are attempting to accomplish their objectives without writing malware to their endpoint.
Living of the Land LOTL:
Observed using legitimate credentials and built in tools to avoid detection by legacy antivirus products
Supply Chain Attacks:
Solarwinds Cyberattack:
Hackers stole customer data to spy on other organizations
6 months timeline
Injected malicious code called sunburst
2.1 Probability Theory
Describes random events using:
The Law of Large Numbers
Describes results of performing the same experiment a large number of times
The avg of the results obtained from a large # of trials is close to the expected value, and tends to become closer as more trials are performed.
Guarantees long-term results for the average of some random events
Expected Value
X - random variable with finite number of possible outcomes occurring with probabilities P1, P2, …, Pc respectively
X is defined as the probability weighted average of X
Variance:
The squared deviation from the mean of X, mu = E[x]
Var(X) = E[(x - mu)²]
gives a rough idea of how far the data points are from the mean
Standard Deviation
Square root of variance
Expressed in the same units of OG data
Conditional Probability P(A | B):
Probability of A given B happened
P(A | B) = P(A∩B)/P(B)
Bayes Theorem:
Describes the probability of an event, based on prior knowledge of conditions that might be related to the event:
P(A|B) = P(B | A)P(A) \ P(B)
Bayesian Trap:
Common cognitive error where people misinterpret probabilities, often failing to account for base roles (prior probabilities) when evaluating evidence.
Bayesian Interpretation:
Probability measures a degree of belief then links the degree of belief in a proposition before and after accounting for evidence
P(A): Prior, initial degree of belief in A
P(A|B): The POsterior, the degree of belief having accounted for B
P(A|B)/P(B): represents the support B provides for A
The Central Limit Theorem
Axioms:
Mathematical rules that probability must satisfy
For evert event A, P(A) >= 0
Probability of the entire sample space is 100%
Probability that 2 Disjoint events AB Happen:
P(AUB) = P(A) + P(B)
If Events are not Disjoint:
P(AUB) = P(A) + P(B) - P(AB)
Probability Mass Function
Function that gives the probability that a discrete random variable is exactly equal to soe value
All values must be non-negative and sum up to 1
2.4 Statistical Learning:
Refers to a set of approaches for estimating f
Focus: On supervised and unsupervised modelling and prediction.
Prediction Models:
Input variables: Independent variables, feature, or predictors
Output variables: dependent variable or response
Y: Quantitative response
P: Different Predictors x1, x2,…, xp for a dependent var Y
Relationship: x = (x1, x2, .., xp)
Y = f(x) + e
f - some function of x
Why estimate f?
Connects the input variable to the output var is in general unknown
One can only estimate f based on the observed points
Prediction
Inference
e: random error term. independent of x and has mean zero
2.4.3 Prediction
Inputs X are readily available, but the output Y cannot be easily obtained
Since the error terms averages to zero, we can predict Y using:
Ŷ = ḟ(x)
ḟ represents our estimate for f and Ŷ represents our prediction for Y
Inference: Understanding the relationship between X & Y.
What predictors are associated with the response?
Only a small fraction of the available predictors may be substantially associated with Y
How can the relationship between Y and each predictor be summarized:
Linear
Allow for relatively simple and interpolate interfaced
Not as accurate
Non-Linear
accurate predictions for Y
less interpretable model
Accuracy:
Focus: techniques for estimating f with the objective minimizing the reducible error
Accuracy of Ŷ as a prediction for Y depends on:
In general ḟ will not be a perfect estimate for f
Two types of Error:
Reducible Error
Inaccuracy is potentially reducible by using a more appropriate statistical learning technique to estimate f
Irreducible Error
e
There will always be some error because Y is also a function of e
Will always provide an upper bound on the accuracy of our prediction for Y
2.4.5 Weierstrass Approx Theorem:
The notion of approximating continuous function by polynomial function
Every continuous, real-valued function defined on the interval [a,b] can approximately be represented by a polynomial function
For each e > 0, there exists a polynomial function p with real coefficients such that for all x in [a,b], the property |f(x) - P(x)| < e holds
2.4.6 How do we Estimate f?
Training data:
n data points
Use them to train model for estimating the unknown function f
Goal:
Apply a statistical learning method do the training date. Find a function ḟ such that:
Y ~= ḟ(x) for any observation (X,Y)
Statistical Learning Methods:
Parametric Methods:
2 Step Model-Based Approach:
Assumption
Use a procedure that uses the training data to fit or train the model
Reduce the problem of estimating f down to one of estimating a set of parameters
Simplifies the estimation problem because it’s generally much easier to estimate a set of parameters such as B0, B1, …., Bp then it is to fit an entirely arbitrary function f
Disadvantage:
Model we choose will not usually matter than true unknown form of f
If the chosen model is too far from the true f, then our estimate will be poor
Solution:
Choose a flexible model that can fit many different possible potential forms for f
Non-parametric Methods:
Do not make explicit assumptions about the functional form of f.
Instead they seek an estimate of f that gets as close to the data points as possible without being too rough or wiggly
Avoid the assumption of a particular functional form for f, they have the potential to accurately fit a wider range of possible shapes for f.
Do not reduce the problem of estimating f to a small number of parameters, a very large number of observations is needed to obtain an accurate estimate for f.
2.4.7 Quality of Fit:
We evaluate the performance of a learning method on a given data set, by measuring how well its predictions actually match the observed data
Problem: Quantify the extent to which the predicted response value for a given observation is close to the true response value for that observation
Methods: Mean Squared Error
MSE will be small if most predicted responses are very close to the true responses, and will be large if some of the observations, the predicated and true responses differ substantially
Training MSE:
MSE computed using the training data that was used to fit the model
Test MSE:
The accuracy of the predictions obtained when we apply this method to previously unseen test data
want the LOWEST TEST MSE opposed to the lowest training MSE
Problem: What if no test observations are available
Select a simple statistical learning method that minimizes the training MSE.
There is no guarentee that the method with the lowest training MSE will also have the lowest test MSE.
Many statistical methods estimate coefficients so as to minimize the training set MSE.
Training set MSE can be quite small but test MSE is often much larger
Overfitting Data:
When a given method yields a small training MSE but a large test MSE
Happens because our statistical learning procedure is working too hard to find patterns in the training data, and may be picking up some patterns that are just cuased by random chance rather than by true properties of the unknown function
Test MSE will ve very large because the supposed patterns that the method found in the training data simply don’t exist in the test data
When your performance on the training data is higher than that in the test data (data you haven’t seen before)
memorizing the exact points of data based on the patterns rather than the actual “learning” or data itself.
Underfitting Data:
Too simple to explain the variance
When your performance sucks overall
You don’t learn the pattern