Machine Learning for Cybersecurity 101: A Quick Overview

As soon as words like machine learning (ML) and artificial intelligence (AI) are used in sales pitches, there’s a lot of doubt in the IT world about them. Because many of the people in charge and the tech department are skeptical about the true value of AI and ML to the business, most of this comes back to that. There is a lot of skepticism about machine learning for cybersecurity as a field. Solutions and service providers have used these two buzzwords a lot in the past few years. The return on investment is usually meager and doesn’t justify the CAPEX.

This article will talk about how machine learning can be used in cybersecurity and the risks and benefits of investing in these new skills. Is there a way to get value out of cybersecurity operations that is real? … or is it just one of those hype cycles that will eventually die out?

Machine Learning for Cybersecurity

Important Definitions

There are many different ways to talk about AI, but Accenture’s definition is the one I like best because it sums up the real meaning in business terms. According to their report, artificial intelligence is a group of technologies that work together to make machines sense, understand, act, and learn like humans. AI and ML often refer to the same thing, but ML is a sub-branch of AI.

From IBM, it’s clear that their definition of ML is “a branch of AI and computer science that studies how data and algorithms can be used to imitate how humans learn, improving its accuracy over time.”

Data scientists are people who work with numbers to solve problems. I’m not a data scientist, but my experience in cybersecurity allowed me to lead multiple projects with talented data scientists to solve some of the operational problems. There is a lot to like about the ML definition above. I especially like that improving accuracy is one of the main benefits of investing in these skills.

Machine Learning in Cybersecurity

The main goal of cybersecurity in an organization is to protect it from current and future threats that could hurt its ability to provide the expected value to its target audience or customers. To protect against cyberattacks, cybersecurity teams always do risk assessments, develop new techniques and tools to find and stop threats, and do many other things.

Over the last few years, the rate of cyber-attacks has gone up so much that most cybersecurity teams today are overwhelmed, so they’re trying to automate as much as possible to cut down on manual work. When people think like this, they believe that ML is the answer. “The more machines can detect and prevent attacks, the less load our people will have to deal with.” Many people think machine learning is only good for cybersecurity or other IT fields. This isn’t true, and it can be very costly for people who think this way.

How Can Machine Learning Help Cybersecurity?

I’m going to talk about many different ways in which I think ML can be beneficial, and I’ll also talk about how these points can be mishandled and lead to a loss of value.

In the end, you’ll always need cybersecurity experts who know your business and can protect it. Use ML to reduce the noise, not get rid of it. A piece of software can never protect you from all threats even if you pay $1,000,000. In this case, maybe your threat case (the conditions and scenarios that, when matched, trigger an alert) isn’t set upright. In this case, machine learning can be beneficial. Instead of relying on if-else conditions, you can use more advanced, in-depth techniques to analyze your raw data and make the right decisions about what needs to be looked at more and what doesn’t.

Use ML to classify events that come from a firewall. Firewalls make a lot of noise because they cover a lot of space. Analysts usually don’t pay attention to them because of the amount of data they generate. In this case, ML can help by learning how the firewall works, setting a baseline, and then highlighting unusual traffic to the security team.

When the environment is very complicated, don’t use out-of-the-box ML tools that can automatically find things. A network inside an organization can be very complex (or messy, in other words). We all know this. An out-of-the-box solution that claims to detect threats and suspicious behavior are likely to cause many false positives and make your security team more work than it helps them. Why? Not everything you have in your network that is made or works the way you want it to is acceptable and in line with the rules.

Sometimes, you will have things in your network because they help your business run better. That new ML solution will not know this. As a result, when it sees unique traffic ports, different file-sharing protocols, remote server access, and so on, it will send out many alerts because it thinks all of these are problems that need to be looked into. Most of the companies that make these solutions say that they need to train the solution for 3–6 months to learn about the traffic and data in the network.

How does it sound? As long as malicious code or people are in your infrastructure, the solution will be trained to see them as usual and eventually become part of the baseline. This means it won’t alert you if it sees the same behavior or presence in the future. A network analyzer solution that uses machine learning could be used to help find threats in the network. It starts working right away. You turn it on, give it a direct feed to your network (pcap traffic or Syslog), and watch the alert dashboard.

You will get many alerts right away, and your security team will be overwhelmed and confused about how they can be attacked so quickly and so many times in just a few seconds. The truth? The solution doesn’t know what your traffic looks like. As a result, anything that doesn’t match what it already knows as programmed by the vendor is terrible.

In the real world, the best way to solve any problem is to break it down into more minor issues and keep doing so until each clearly defined situation can be solved. The silver bullet isn’t always the best way to do this. You will fail if you try to deal with a big problem or challenge all at once. Your implementation will not deliver the value that was promised.

In the context of machine learning, start by figuring out which threats or processes in your cybersecurity operation will benefit the most from noise reduction, classification, clustering, behavioral analysis, and so on so that you can use these tools more. Once you’ve made a list, talk to your stakeholders to make sure they’re on board. In the early stages of making or putting in place an ML solution, there will be a lot of problems, and you will need to get feedback from a lot of different people.

This feedback makes the solution work better and, in the end, provides the value it was meant to. When solving other problems, you might find that one solution can help with more than one. That’s fine, as long as each key is tested and vetted by your stakeholders.

Use playbooks, and try to avoid manual retraining as much as possible. This is a problem I’ve seen repeatedly: Different ML solutions are used for different types of threats, but they don’t all have the same goal. When you don’t plan well or haven’t thought about security, you’ll be surprised how many times you find a solution interfering with the work. To help you with this, playbooks come in very handy. There are now specialized solutions for this, so you can figure out how your team should deal with different threats or do other jobs, and then use your ML tools to give them more information so they can do what they need to do.

In a nutshell, a playbook is a set of steps done in a certain way to deal with a specific threat. As an example, the steps in a brute force detection playbook could look like this:

1. Analyze the user activity in the Windows log.

2. Are there a lot of failed login attempts? (According to EID 4625).

  • Yes, the user has recently changed his password?

– Yes: Analyze whether this is the primary goal of brute force.

– No, it does not. Next, proceed to:

  • [next] No: Did the login attempts come from different workstations simultaneously?

– Yes, send an alert to the security team so that they can investigate.

– No, do something else.

3. Complete the specific reporting action.

Machine Learning for Cyber Security Tutorial

Data Engineering is important

Understanding your data is the best way to use ML in cybersecurity. If you are using a log management tool that can show you events from a lot of different sources, this is where you should start. View the data and play around with it with any specialized data querying tool or scripting if you are confident enough.

Having a Basic Understanding of Cybersecurity

It’s important to know where the real pain is and if ML is the best way to solve it. What can and can’t be done will save you money and time. Also, you can’t ignore the risks that come with using ML, like not being able to find valuable data because you aren’t good at data engineering or don’t know your field well enough.

Upskilling and Recruitment – Machine Learning for Cyber Security Course

You will need to hire the right people or use your resources to learn the basics. Solving problems and getting the most value from cybersecurity machine learning projects will help the business make good decisions. It doesn’t have to be a data scientist to start working with ML. It also needs your whole operation team to know about all the different ways to get, process, etc. Are you going to buy a software package that comes ready to use? If you want to build an open stack with open source technologies, do you want to do that? These methods are very different, and they’ll need a very different business mindset and investment.

Establish a Trial-and-error Mentality in the Workplace

When you start a project, you should not expect to see results right away, and you need to make sure your stakeholders know this. Adopting ML is a long process filled with more failure stories than success stories because it is tough to get the right mix and balance.

Machine Learning Cybersecurity Book

Data Mining and Machine Learning in Cybersecurity

Machine learning and data mining are two fields covered in this book. Sumeet Dua and Xian Du wrote it. It is a single source for specific machine learning solutions to cybersecurity problems and a foundation in cybersecurity basics, including surveys of current issues.

The book talks about some of the most advanced machine learning and data mining techniques that can be used in cybersecurity, like machine learning to solve detection problems, data mining to find intrusions and anomalies, etc.

Find the book here.

Malware Data Science

Joshua Saxe, a security data scientist, talks about machine learning, statistics, social network analysis, and data visualization in his book, Malware Data Science. He shows you how to use these methods to find and analyze malware.

Learn how to analyze malware using static analysis, find out who the bad guys are by looking at shared code, build machine learning detectors to find out if there are flaws, and use data visualization to figure out what’s going on.

Find the book here.

Mastering Machine Learning for Penetration Testing

Toward the beginning of this book, we learn about machine learning and the algorithms used to build AI systems. After you have a good idea of how security products use machine learning, you will learn how to break into AI and ML systems.

With the help of real-life examples, you will learn how to find flaws in a self-learning security system and how to get around them. After reading this book, readers will be able to find the weaknesses in a self-learning security system and will also be able to break into a machine learning system quickly.

Find the book here.

Machine Learning for Cybersecurity Cookbook

Use popular Python libraries like TensorFlow, Scikit-learn, and more to use AI techniques and solve problems machine learning in cyber security research papers face. You’ll learn how to do this in this book.

The book will show you how to classify and look for features in malware, which will help you practice and test on real samples. This will help you learn and practice. You will also build self-learning, reliable systems that can identify malicious URLs, stop spam emails, track user and process behavior, and more.

Find the book here.

Hands-On Machine Learning for Cybersecurity

To read this book, you must be a data scientist, a machine learning developer, a security researcher, or someone who wants to use machine learning to improve computer security. Learn how to use machine learning algorithms with complex datasets to implement cybersecurity concepts in this book. You will also learn how to use machine learning algorithms like clustering, k-means, and Naive Bayes to solve real-world problems, and so on.

You will also learn how to speed up a system with Python libraries like NumPy, Scikit-learn, and CUDA, fight malware, detect spam, and fight financial fraud, among other things.

Find the book here.

Machine Learning for Red Team Hackers: Learn The Most Powerful Tools in Cybersecurity

This book shows you how to use machine learning to find out if your computer is being hacked. In a hands-on and practical way, you will learn how to use machine learning to do penetration tests and how to do penetration tests on machine learning systems. If you go to this class, you will also learn things that only a few hackers or security experts know.

Find the book here.

AI in Cybersecurity

This book shows how AI can improve cybersecurity and cyber threat intelligence. It has strategic defenses against malware, a focus on cybercrime, and a way to look for flaws to develop proactive, rather than reactive, countermeasures.

Find the book here.

Machine Learning for Cybersecurity


There are still many things to talk about in this space, and in future posts, I’ll talk about more techniques, solutions, and ways to do something. People who use machine learning in their cybersecurity operations need to change how they think about things. In the old way, conditions were set, alerts were raised, and dealt with accordingly.

Leave a Comment