Using AI and ML to Fight Zero-Day Attacks

If it felt like you were asked to download a lot of patches in May and June, it’s because there were a lot of patches in May and June. An increase in zero-day vulnerabilities and exploits led to an increase in attacks. In fact, Mandiant reported that “Zero-day exploitation increased from 2012 to 2021, and Mandiant Threat Intelligence expects the number of zero-days exploited per year to continue to grow. By the end of 2021, we identified 80 zero-days exploited in the wild, which is more than double the previous record of 32 in 2019.” And according to Check Point Software, 2,000 zero-day files are detected daily, with the supply chain the most common entry point for zero-day attacks.

As with so many other cyberattacks, it is easy to become overwhelmed by the high number of alerts and false positives and the steps needed to defend against zero-day attacks. As AI and deep learning capabilities are increasingly used with cybersecurity systems, are these technologies the tipping point in the battle against zero-days? Itai Greenberg, VP of product management with Check Point Software, spoke about AI/ML’s potential as a solution at RSA 2022.

Understanding the Challenges of Zero-Day Attacks

There are three stages to a zero-day event:

  • Vulnerability—A flaw in the software code that the developer or vendor is not yet aware of
  • Exploit—Malicious software that takes advantage of the vulnerability to gain access to a target
  • Attack—The exploit in action with malicious intent

Traditional security methods don’t always work on zero-day events. Most security tools are designed to address known problems. Zero-days are by definition unknown, often until after the incident occurs.

Prevention-First Strategy

As Greenberg said in his RSA session, detection alone is not enough; there needs to be a greater focus on prevention, and the best tool for prevention and detection today is powered by AI. With AI-based security, a prevention-first approach can be deployed because the technology can detect unknown threats more efficiently—and do so with fewer of the alerts that normally keep security teams chasing potential false positives.

Policies surrounding zero-day events are designed based on AI and behavioral analysis, according to Greenberg. This allows the technology to automatically detect and protect assets from otherwise unknown threats. With AI’s behavior analysis capabilities, the security system doesn’t rely on the same signature-based tools to find malicious software; rather, it follows the patterns of interactions and detects when something isn’t following typical behaviors. And, of course, the more data that is collected over time, the better AI-based solutions get at finding the anomaly or anomalies. With the anomaly detected, action can be taken to block the zero-day event.
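To make the contrast in the passage concrete, here is an added Python sketch (not code from the article, Check Point or any product it describes) that runs a hash-signature check beside a behavioral baseline learned from constructed endpoint telemetry; the process names, ports and sample hashes are made up for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed signature database: SHA-256 of samples already known to be malicious.
KNOWN_BAD_HASHES = {hashlib.sha256(b"known-malware-sample").hexdigest()}

# Constructed endpoint telemetry: (parent process, child process, destination port).
# Repeated so the baseline observes each benign pattern many times.
BASELINE_EVENTS = [
    ("outlook.exe", "winword.exe", 443),
    ("winword.exe", "splwow64.exe", 443),
    ("chrome.exe", "chrome.exe", 443),
] * 10


def signature_match(file_bytes: bytes) -> bool:
    """Signature-based check: fires only on payloads already catalogued."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


class BehaviorBaseline:
    """Counts how often each (parent, child, port) pattern has been observed.

    A pattern seen fewer than `min_count` times is treated as anomalous;
    feeding more telemetry through learn() refines the baseline over time.
    """

    def __init__(self, min_count: int = 3):
        self.counts = defaultdict(int)
        self.min_count = min_count

    def learn(self, events):
        for event in events:
            self.counts[event] += 1

    def is_anomalous(self, event) -> bool:
        return self.counts[event] < self.min_count


def assess(baseline: BehaviorBaseline, file_bytes: bytes, event) -> dict:
    """Run both checks; an unknown payload fails the first but can trip the second."""
    return {
        "signature_hit": signature_match(file_bytes),
        "behavior_hit": baseline.is_anomalous(event),
    }


if __name__ == "__main__":
    baseline = BehaviorBaseline()
    baseline.learn(BASELINE_EVENTS)
    # A never-before-seen payload makes Word spawn a shell on an unusual port.
    print(assess(baseline, b"novel-payload-bytes", ("winword.exe", "cmd.exe", 4444)))
```

The signature check returns nothing for the unseen payload, while the baseline flags the unfamiliar process pattern; as more benign telemetry is learned, a pattern that was initially rare stops being reported.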

Zero-day events are considered some of the most dangerous types of cyberattacks because of the volume of networks that can be hit and the overall impact and lasting damage caused. AI and adaptive deep learning algorithms offer a dynamic defense to zero-day threats. In similar research, a Penn State University-led team of researchers verified AI’s strength against zero-day events with its own machine learning approach.

“Reinforcement learning is particularly well-suited to defend against zero-day attacks when critical information—the targets of the attacks and the locations of the vulnerabilities—is not available,” Peng Liu, the Raymond G. Tronzo, MD professor of cybersecurity in the College of Information Sciences and Technology at Penn State, told Insurance Journal.

AI as a security approach to zero-day attacks is still in its early stages, but it offers a prevention-first model to tackle one of the most difficult cybersecurity challenges.
