The Rise and Rise of the Machines

January 2016

2015 marked the beginning of a new era in cyber defense – two fully autonomous artificial intelligences go to war in anger: an attacker and a defender. The battlefield was a corporate network and the prize, control of the company. By Dr Mike Lynch, OBE FREng FRS.

2015 may turn out to have been the beginning of an era, a new era of warfare. In 2015 we probably saw for the first time two fully autonomous artificial intelligences go to war in anger: an attacker and a defender. The battlefield was a corporate network and the prize, control of the company.

For the past two years, the most advanced cyber defence systems have been using machine learning to protect the most sensitive installations and companies. These systems mimic the human immune system in that they first learn self, and then can spot intruders, not by any signature or pre-known information, but by their actions. Such systems are proving extremely effective. When turned on, 80% of the time they detect intruders that have got past the usual stack of defences employed in modern organizations. They are advanced deep learning AI that has to learn autonomously in real time on the job adapting to all the changes of a modern corporate IT technology and its users and then spotting nefarious new actions. These intelligences are more difficult to create than the better-known machine learning in computer vision, or speech recognition, as they don't do their learning in a lab but out there on the job, autonomously.

Cyber defences may be getting more sophisticated, but so are the cyber attackers and most importantly, so are the attacks. The kind of attacks we read about every day: websites being defaced or customer credit card details being put on the web, are actually the least worrying. The real dangers are the quiet, unseen, controlling kill switches and their ability to hijack or kill an organization at will. These attacks are very sophisticated, they use un-signatured custom code, they only cross all the boundary defences once and never send stuff out. They may be active for 20 milliseconds a year. But when commanded to act they are fatal.

Most of what we read about today is the cyber equivalent of coming home after a burglary to find all your drawers tipped out and your iPad stolen so it is pretty obvious. The new threat is more akin to never realising anything has happened yet you are under total surveillance and can be remotely made to have a heart attack at any time.

In 2015 the power of the new deep learning AI defences appears to have spawned a new level of attacker. These black hat machine intelligences enter the organization once and then listen, learning how to behave, how to blend in, how to be more authentic that the real devices, servers and users. These intelligences can model thousands of authentic users and devices and slip their actions buried in their everyday tasks. No more blunt force port-scanning or head-on attacks. Rather, multiple tiny actions buried in the detritus of normal operations.

When the concept of the immune system was first raised, traditional security professionals questioned whether machine intelligence could handle the subtleties of human behaviour and a directed human intelligent attacker. Similar statements were made by fund managers about quant machine intelligent trading algorithms. At the end of last year we saw a number of hedge fund veterans throw in the towel and liquidate their multibillion funds citing the new market run by machines. Every day the battle of AI trading against AI lights up screens in the city, and every day in the shadows, machine intelligences are also fighting each other online. Just like the hedgies, no human cyber analyst can watch so much, so fast, for such subtle traces.

Attackers are using algorithms to learn all about the adversaries, analysing social media posts and messages of employees on big data scales, understanding companies, product divisions and organizations, watching events, hiring, firings, reading news articles and product manuals. This rich background of knowledge is then carried through the usual cyber defences to aid the malevolent learning once inside.

The arms race is on. Just this month new systems have been announced that arm the defenders, the machines now able and authorised to take action, not just to report it. Artificial intelligences have been empowered to kick off network connections, devices and users and wipe code faster than any human cyber analyst can manage.

The defenders are now weapons live.

This is not like the wars of fiction, with hunter killer robots shooting lasers and walking across crushed human skulls, it is quiet deadly stealth war conducted in shadows. Did the drive light on that server in that darkened data centre, or in the airliner avionics bay flash just a moment longer than it should have….?