Unsupervised Machine Learning – The Future of Cybersecurity

Cybersecurity is like Tom and Jerry! While Tom always tries new ways to catch Jerry, he manages to escape in some way or another. Most of the Cybersecurity teams find themselves in the unenviable position of Tom, where they can try whatever methods they like, Jerry always escapes and tries to get the cheese in even more creative ways next time! Today’s cyber-criminals have become even more dangerous because of the variety of tools available online like proxy servers, botnets, and automated scripts. They don’t have just one method of launching a cyber-attack, and they can hide their identities by mimicking real user activity, using spoofing devices, etc. In such a high stakes game where cybercrime costs companies around $2 Trillion each year, Cybersecurity definitely needs to up its performance with Unsupervised Machine Learning.

And that’s definitely happening these days with a surge in the popularity of Unsupervised Machine Learning. According to a study by O’Reilly, the usage of Unsupervised Machine Learning has gone up by 172% in 2019. This will definitely reflect in the domain of Cybersecurity as well with more and more companies adopting this technology.

Cybersecurity in any company mainly focuses on two different facets, namely:

• How to counter attacks that have already occurred on the system or those that are a familiar type of cyber-attacks. How to respond against them and implement preventative measures?
• How to counter attacks that are totally new and never seen before. How to identify such attacks and what are the solutions to dispel them.

While companies can tackle the first facet using traditional Cybersecurity methods, there are no solutions that can handle the second scenario. And the second scenario is becoming more and more important while cyber-attacks evolve and become more unpredictable. That’s where Unsupervised Machine Learning comes in.

So let’s understand Machine Learning and how different types like Supervised, Unsupervised, and Semi-Supervised are used in the context of cybersecurity.

Types of Machine Learning in the Context of Cybersecurity

1. Supervised Machine Learning

Supervised Machine Learning is the most common method in Machine Learning. To understand this type, imagine a student that needs to be taught everything explicitly by the teacher. This student would be excellent in repeating and using the information the teacher has already taught him but wouldn’t be able to learn anything on his own. Unfortunately, that student will only be good in certain situations (like an exam!) but in general, would be quite a poor student. That’s the same case with a Supervised Machine Learning Algorithm. Here, the algorithm learns from a training dataset where the data is labeled and makes predictions about new data based on that dataset.

Now, this method would generally be fine but that is not true for a dynamic and ever-changing field like cybersecurity where Supervised Machine Learning cannot keep up. After all, hackers don’t just stick to the topics that the algorithm has learned! What this means is that a Supervised Machine Learning Algorithm would be able to identify cyber-attacks that it was trained to identify. However, if there are any attacks that are new, then the algorithm will totally fail. It will not be able to cope if the exam is out of the syllabus! In that case, machine learning engineers will have to retrain the algorithm with the data labels based on the new attacks, and by the time it has learned those, there may be even more new attacks created. Clearly, the Supervised Machine Learning Algorithm would be outclassed in this respect. That’s where Unsupervised algorithms enter the fray.

2. Unsupervised Machine Learning

If a Supervised Machine Learning Algorithm is the student that is spoon-fed all the information by the teacher, then the Unsupervised Machine Learning Algorithm is the genius student that does not need much instruction and can learn information by himself. This student is not restricted by being taught only a specific thing, but he learns from whatever comes his way by exploring and understanding the information. So this student is good in many types of situations as he can tackle problems when they arise. This is also the situation with an Unsupervised Machine Learning Algorithm. Here, the algorithm is left unsupervised to find the underlying structure in the data in order to learn more and more about the new situation.

This algorithm is much more suited to Cybersecurity. It can handle many kinds of cyber-attacks no matter if it has seen them before or not because it does not try to identify a cyber-attack based on what it has already learned. Rather, it identifies the abnormalities in the system that occur with a cyber-attack. So this means that an Unsupervised Machine Learning Algorithm will create a baseline for your system where everything is working normally. Then if any suspicious behavior occurs in the system, such as a sudden increase of data transfer in the network or transfer of some file that does not usually occur, this type of behavior will be flagged as abnormal and a sign of a cyber-attack.  

For example, Unsupervised Machine Learning is the best option for identifying IoT based zero-day cyber-attacks. There are many IoT devices connected to the cloud these days which can be used for myriad purposes including zero-day cyber-attacks. These attacks exploit any vulnerability that exists in the system, and so they don’t have any set pattern or context. That’s why Supervised Machine Learning algorithms fail to identify these attacks and Unsupervised Machine Learning can prove to be invaluable.

3. Semi-Supervised Machine Learning

As is obvious from the name itself, Semi-Supervised Machine Learning Algorithm is the student that learns both from his teacher and by himself. This type of Machine Learning represents the best of both worlds where it is a combination of Supervised and Unsupervised Machine Learning. This algorithm uses a little amount of labeled data like Supervised Machine Learning and a larger amount of unlabeled data like Unsupervised Machine Learning to train the algorithms. The labeled data can be used to partially train the Machine Learning Algorithm, and this partially trained algorithm also finds insights organically.

A Semi-Supervised Machine Learning Algorithm may well be the perfect combination for Cybersecurity. This algorithm could use Unsupervised Learning to identify any abnormalities in the system that occur with a specific cyber-attack and then label that cyber-attack as a threat that it can identify using Supervised Machine Learning if it occurs again in the future. In this way, a Semi-Supervised Machine Learning Algorithm embodies the advantages of both types in that it can constantly be on the lookout for any disturbances and deviations from the norm in the system and simultaneously have a provision for quickly identifying cyber-attacks that have already occurred before and eliminating them.

Adoption of Unsupervised Machine Learning in Cybersecurity

There is still some hesitation in the adoption of Unsupervised Machine Learning in the Cybersecurity industry and with valid reasons. This type of Machine Learning is totally based on reactionary performance. Since the data is not labeled beforehand, the Unsupervised Machine Learning Algorithm can only react when the attack occurs and cannot implement any proactive methods. Also, it is impossible to measure its effectiveness against an attack which understandably makes industries hesitant to invest their money in this technology.

However, there is still a lot of hype about Unsupervised Machine Learning in Cybersecurity because this technology is a step in the right direction. Investment in developing this will undoubtedly yield results because Unsupervised Machine Learning is indeed the future of Cybersecurity. While cyber-attacks are becoming more and more creative with different tools and technologies at their disposal, the cyber defense also has to up its game. And in this, Unsupervised Machine Learning can prove to be invaluable as it can identify abnormalities in the system to signal multiple types of cyber-attacks no matter how advanced they become.