“Artificial intelligence doesn’t exist yet, nor will it for at least the next twenty years,” Ilia Kolochenko, CEO of High-Tech Bridge, told Infosecurity without hesitation at Black Hat Europe on November 4, 2016. “Artificial intelligence refers to systems that will be able to solve any problems, knowing everything about everything. That technology does not exist, and it’s certainly not appropriate to cybersecurity.”
Machine learning, however, is a technology that Kolochenko is fully on board with. In fact, his company depends on it. “Our vulnerability scanning is based on machine learning technology,” he explained. “We use artificial neural networks (ANN) to implement intelligent automation of vulnerability scanning.”
He was keen to add that the machines learn from humans. “We continuously aggregate knowledge and skills of humans to feed into the ANN. You have to teach the network to make the decisions. Our intelligence needs to be very specific, so we use supervised learning.”
Machine learning, according to Kolochenko, is misused by many companies. “It’s difficult to find a start-up that doesn’t claim to use it in some way,” he said. “We should not over-estimate it [machine learning] – we need to understand that it can’t replace humans, instead it can significantly aid human tasks.”
Machine learning is only as good as the intelligence humans put into it, Kolochenko continued. “Machine learning is a human’s attempt to make computers behave like humans. You can use machine learning to detect unknown variations of known types and classes of threats, but it will hardly find unknown classes of threats, or those threats that it was not trained to detect.”
An ANN, he said, will make decisions closer to those of the human brain, whereas conventional machine learning has to rely on the parameters you give it. “It will give a score based on the parameters, with unique parameters more heavily-weighted than the less unique parameters. All will be taken into consideration to formulate a score.”
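The two points above (supervised detection catches new variants of the classes it was trained on but not unseen classes, and rare parameters should weigh more than common ones) can be shown with a small worked example. The code below is an added illustration written for this page; it is not High-Tech Bridge's technology and not code from the interview. It assumes a constructed training set of labelled query strings, an inverse-document-frequency weight as the "unique parameters weigh more" rule, and a 0.5 score threshold; all three are choices made for the example, not facts from the article.

```python
"""Toy supervised detector for web-request payloads (added example).

Constructed for illustration only: the training data, the token weighting
(smoothed inverse document frequency) and the 0.5 threshold are assumptions
of this example, not High-Tech Bridge's method.
"""
import math
import re
from collections import Counter

# Constructed training data (not real traffic): (query string, label).
TRAINING = [
    ("id=1' OR '1'='1", "sqli"),
    ("id=1 UNION SELECT username,password FROM users", "sqli"),
    ("user=admin'--", "sqli"),
    ("q=<script>alert(1)</script>", "xss"),
    ("name=<img src=x onerror=alert(1)>", "xss"),
    ("msg=<svg onload=alert(document.cookie)>", "xss"),
    ("id=42", "benign"),
    ("q=security+conference", "benign"),
    ("page=2&sort=asc", "benign"),
]

# Words and single punctuation characters become tokens; digits are dropped so
# that "id=1" and "id=42" look the same to the model.
TOKEN_RE = re.compile(r"[a-z_]+|[^\sa-z0-9_]")

# Minimum normalised score before a request is labelled as a threat class.
THRESHOLD = 0.5


def tokenize(query):
    """Lower-case the query and return the set of word/punctuation tokens."""
    return set(TOKEN_RE.findall(query.lower()))


def train(samples):
    """Build per-class token profiles and a rarity weight from labelled samples."""
    df = Counter()      # number of training samples each token occurs in
    profiles = {}       # class label -> set of tokens seen in that class
    for query, label in samples:
        toks = tokenize(query)
        df.update(toks)
        profiles.setdefault(label, set()).update(toks)
    n = len(samples)

    def weight(tok):
        # Smoothed inverse document frequency: a token seen in few samples
        # gets a high weight; "=" (present in every sample) gets the lowest.
        return math.log((n + 1) / (df[tok] + 1)) + 1.0

    return profiles, weight


PROFILES, WEIGHT = train(TRAINING)


def classify(query, profiles=PROFILES, weight=WEIGHT, threshold=THRESHOLD):
    """Return (label, per-class scores).

    A class scores high when the rare tokens of the request are tokens that
    class was trained on. If no threat class clears the threshold the request
    is passed as benign, which is exactly how an unseen class slips through.
    """
    toks = tokenize(query)
    total = sum(weight(t) for t in toks)
    scores = {}
    for label, profile in profiles.items():
        overlap = sum(weight(t) for t in toks if t in profile)
        scores[label] = overlap / total if total else 0.0
    candidates = [lbl for lbl in scores if lbl != "benign"]
    best = max(candidates, key=scores.get)
    label = best if scores[best] >= threshold else "benign"
    return label, scores


if __name__ == "__main__":
    probes = [
        "id=5 UNION ALL SELECT NULL,NULL--",              # unseen SQLi variant -> sqli
        "comment=<script>alert(document.cookie)</script>",  # unseen XSS variant -> xss
        "file=../../../../etc/passwd",                     # unseen class -> benign (missed)
        "q=black+hat+europe",                              # benign -> benign
    ]
    for q in probes:
        label, scores = classify(q)
        print(f"{label:7s} {q}  " + ", ".join(f"{k}={v:.2f}" for k, v in sorted(scores.items())))
```

The first two probes are variants the model never saw, but their rare tokens (UNION, SELECT, script, alert) belong to trained classes, so they score well above the threshold. The path-traversal probe shares only incidental punctuation with the training data; its best score stays under 0.5 and it is waved through as benign. That is the limitation Kolochenko describes: the detector generalises within known classes and is blind to classes it was never taught.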
Q1-Q3 Web Security Trends
On November 3, High-Tech Bridge released a report on emerging web security trends and tendencies during Q1-Q3 2016. Kolochenko told Infosecurity that the research revealed no big surprises, and contained “more or less the same.” The problem, he said, is that “we don’t see improvement despite companies spending more on security.”
He did isolate bug bounty fatigue as one interesting trend identified in the report. “It’s a relatively new trend, appearing after many companies announced bug bounty programs,” he said. “Researchers are looking for low-hanging fruit, and within 18 months of a bug bounty program’s launch, all low-hanging fruit has been cut off.” At this stage, researchers assume all the vulnerabilities have been found and don’t want to spend time digging deeper; since there is a risk that their time will go unrewarded, they abandon that company and look elsewhere. “New vulnerabilities then appear but the researchers, thinking that everything has been hacked and found, have stopped looking, so new vulnerabilities get left undetected.”
The impact of this, Kolochenko concluded, is that companies then get a false sense of security that they have no new vulnerabilities, leaving them vulnerable to attack. This is one of the reasons Kolochenko considers bug bounties to be just “a complement to all other tools and solutions.”