The size and scale of cyber attacks have increased in recent years as a result of a number of factors, including the increasing normalcy of cyber operations within international politics, the growing reliance of industry on digital infrastructure, and the difficulties of maintaining an adequate cybersecurity workforce. Many commentators across government, media, academia, and industry have wondered how cybersecurity professionals might be able to adapt machine learning for defensive purposes. Could machine learning allow defenders to detect and intercept attacks at much higher rates than is currently possible? Could machine learning–powered agents automatically hunt for vulnerabilities or engage an adversary during an unfolding attack? Should policymakers view machine learning as a transformational force for cyber defense or as mere hype?
This report examines the academic literature on a wide range of AI-cybersecurity applications to provide a grounded assessment of their potential. It breaks cybersecurity practice into a four-stage model and examines the impact that recent machine learning innovations could have at each stage, contrasting these applications with the status quo. The report offers four conclusions:
- Machine learning can help defenders more accurately detect and triage potential attacks. However, in many cases these technologies are elaborations on long-standing methods—not fundamentally new approaches—that bring new attack surfaces of their own.
- A wide range of specific tasks could be fully or partially automated with the use of machine learning, including some forms of vulnerability discovery, deception, and attack disruption. But many of the most transformative of these possibilities still require significant machine learning breakthroughs.
- Overall, we anticipate that machine learning will provide incremental advances to cyber defenders, but it is unlikely to fundamentally transform the industry barring additional breakthroughs. Some of the most transformative impacts may come from making previously un- or under-utilized defensive strategies available to more organizations.
- Although machine learning will be neither predominantly offense-biased nor defense-biased, it may subtly alter the threat landscape by making certain types of strategies more appealing to attackers or defenders.
This paper proceeds in four parts. First, it introduces the scope of the research and lays out a simplified, four-stage schema of cybersecurity practice to frame the different ways that future machine learning tools could be deployed. Second, it contextualizes recent machine learning breakthroughs and their implications for cybersecurity by examining the decades-long history of machine learning as applied to a number of core detection tasks. The third and most substantial section examines more recent machine learning developments and how they might benefit cyber defenders at each stage of our cybersecurity schema, and considers whether these newer machine learning approaches are superior to the status quo. Finally, a concluding section elaborates on the four conclusions mentioned above and discusses why the benefits of machine learning may not be as transformative in the immediate future as some hope, yet are still too important to ignore.