Table A2

AI capabilities in cyber risk identification: selected evidence

Second-order themes | Selected quotes on first-order categories
Learning from past data for anomaly detection
Learn from past data to detect anomalous users' behaviors
“The AI, if it's a specialized engine, tells you, look, I detected, for example, abnormal behavior, so the access occurred at a different time than usual, by a different terminal than usual, you used a different communication channel than usual. So detection and reporting, that's another important aspect.” – Vendor A
Learn from past data to detect anomalous systems' behaviors
“They go and identify precisely anomalies in the behavior of the system and then try to issue alarms, which then go to the operator, who can eventually intervene.” – System Integrator C
Adaptation for anomaly detection
Detect discrepancies in newly generated data
“The identification of a malware by deep learning on a huge amount of samples, and then the identification of malware, regardless of how the malware behaves, but simply by a comparison of its own binary code.” – System Integrator D
Web domains' analysis based on always new data
“We have anti-cybersquatting tools that deal with detecting those attacks that use squatting of domain URLs to conduct the attack. We use it to detect new threats that arise on the web. On the internet, domains, websites, etc. are registered continuously, we go and analyze them as they arise, and we have precisely AI tools that do this work for us.” – Vendor C
Identification of zero-day attack
“We go to identify attack vectors through algorithms that not only in a static way go to identify that something is happening that should not be happening, but that also allows, through a series of parameters, to identify zero-day malware based on the interactions that this entity, like an external IP, has with us.” – System Integrator B
Reasoning for threat analysis
Classify the threat
“The threat comes, it identifies it, figures out what it is, does the trace, rules out that it’s a false positive, and follows a predefined playbook.” – Vendor D
Correlation analysis in companies' and SCs' threats
“Profiling of the company to make those correlations that maybe we miss, or at any rate that would take too much time for a human being, in assessing all the various relationships that may be there. To have a smart Threat Intelligence tool that goes out and gathers information on the ecosystem as well, so the SC theme.” – Consultancy D
Automate human analysis
“During the detection phase, we use algorithms meaning that once a large volume of data has been collected and normalized into a common schema, the next step is to bring AI into play to replicate the kind of analysis a cybersecurity specialist would perform, if they were able to process such a large amount of data in such a short time.” – Vendor B
Perception for anomaly detection
Text analysis for anomaly detection
“We use AI to read what is written in chats. Through the use of keywords, the system can identify relevant content. When the AI encounters specific keywords that we've pre-defined, it raises a flag and signals that a human should review the content more closely.” – Vendor B
Log analysis for anomaly detection
“We realized that this kind of expertise could be used in text analysis and we tried to apply it, we are also applying it on log analysis, with the very intent to recognize patterns and possible dangerous situations.” – System Integrator C
