The commoditization of technology has reached its pinnacle with the advent of the recent paradigm of Cloud Computing. Infosys Cloud Computing blog is a platform to exchange thoughts, ideas and opinions with Infosys experts on Cloud Computing


Artificial Intelligence (AI) in Security Landscape

The world is becoming more innovative and intelligent, with a mesh of digitalized people, things and disruptive technologies.

At one end, human brain power is being infused into machines, making them artificially intelligent so that they solve human problems for good; at the other end, unethical hackers are instilling their intelligence in malicious worms that attack IT systems, posing security threats to one and all.

In short, human brain power is mimicked in machines for both good and evil purposes. This has given rise to a long debate: is AI (Artificial Intelligence) a force for good or evil, a threat or an opportunity for IT security? There is no single answer to this debate. Good and evil are like two sides of a coin: inseparable. Every invention has both good and bad potential, be it fire, the knife, the engine, fuel, our beloved Internet, and so on. Good wins over evil when we as humans strive to maximize the positive potential of an invention, thus automatically weakening its negative potential.

With this worthy intent, let's move forward to see how AI can best be leveraged for positive use cases. In this blog I want to take up one such use case: the "Adaptive Security Model".

The Adaptive Security Model is all about combatting IT security threats in real time by employing AI technology. It is a transition from traditional detective and preventive security models to NextGen security models that are increasingly intelligent, predictive and adaptive. These models scrutinize real-time network traffic and activities, continuously learn from the data patterns, classify them as normal or malicious, raise alerts on potential attacks, and adapt automatically by implementing end-point security.

Enterprises with Adaptive Security Models possess four key competencies:

o   Preventive: Precautionary policies, processes and products (e.g. firewall) to keep attack threats away.

o   Detective: Detects the attacks that bypass the preventive layer.

o   Retrospective: Deep analysis of issues that were not detected at the detective layer. Preventive and detective measures are enhanced to accommodate these learnings.

o   Predictive: Continuously learns and observes the patterns in network traffic, and keeps the security team alert to potential anomalies and attacks.

Machine Learning (ML) algorithms and techniques are at the core of the predictive competency of the adaptive security model. The ML field, be it in the security arena or elsewhere, is vast and continuously evolving with ongoing research. The intention of this blog is just to scratch the surface of ML in the adaptive security context.

Of the many types of predictive models in the security context, the most popular are Network Intrusion Detection Models. These models focus on anomaly detection and thus differentiate between normal and malicious data.

The two broad types of machine learning techniques for anomaly detection are Supervised and Unsupervised.

o   In the Supervised Machine Learning method, the model is trained with a dataset that contains both normal and anomalous samples, which are explicitly labelled. These methods use classification techniques to classify data observations based on their attributes. Key algorithms for the adaptive security model are decision tree, naïve Bayesian classifier, neural network, genetic algorithm, support vector machine, etc.

o   Unsupervised Machine Learning is not based on training data. It uses clustering techniques to group data with similar characteristics. It differentiates normal and malicious data based on a) the assumption that most of the network traffic is normal and only a small percentage is abnormal, and b) variations in statistical parameters between the two clusters.

Most common unsupervised algorithms are self-organizing maps (SOM), K-means, C-means, expectation-maximization meta-algorithm (EM), adaptive resonance theory (ART), and one-class support vector machine.
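
The clustering approach described above, as an added example (not code from the original post): two-cluster K-means over constructed, unlabelled observations, with the smaller cluster flagged under assumption (a). The two features, the sample values and the function names are assumptions for illustration.

```python
import math

# Constructed, unlabelled observations (not real traffic):
# (connections per second, failed logins)
FLOWS = [(2.0, 0), (3.0, 1), (2.5, 0), (3.5, 1), (3.0, 0), (2.0, 1),
         (2.8, 0), (3.2, 1), (2.2, 0), (3.8, 1), (50.0, 7), (55.0, 8)]

def kmeans2(points, max_iter=20):
    """Two-cluster K-means, seeded deterministically with the first point
    and the point farthest from it."""
    centroids = [points[0], max(points, key=lambda p: math.dist(p, points[0]))]
    assignment = None
    for _ in range(max_iter):
        # Assign every point to its nearest centroid.
        new = [min((0, 1), key=lambda c: math.dist(p, centroids[c]))
               for p in points]
        if new == assignment:  # converged: no point changed cluster
            break
        assignment = new
        # Move each centroid to the mean of its members.
        for c in (0, 1):
            members = [p for p, a in zip(points, assignment) if a == c]
            if members:
                centroids[c] = tuple(sum(col) / len(members)
                                     for col in zip(*members))
    return assignment, centroids

def flag_anomalies(points):
    """Apply assumption (a): the smaller cluster is treated as abnormal.
    Returns the indices of the flagged observations."""
    assignment, _ = kmeans2(points)
    minority = min((0, 1), key=assignment.count)
    return [i for i, a in enumerate(assignment) if a == minority]

if __name__ == "__main__":
    print("flagged observations:", flag_anomalies(FLOWS))
```

When abnormal traffic outnumbers normal traffic in the observation window, the same rule flags the normal observations instead, so assumption (a) has to hold for the data being clustered.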

Theoretically, supervised methods are believed to provide better detection rate than unsupervised methods.

Main phases in building predictive models (assuming supervised ML):



Data Set Building

Create a rich dataset to be used for training and testing the model. Data sources may range from retrospective network traffic, past malicious attack patterns, audit logs and normal activity profile patterns to attack signatures and so on.

Predictive Attributes Selection

This is popularly known as 'Feature Engineering'. The dataset will have numerous attributes, and the success of a predictive model depends on an impactful combination of attributes, or features as they are called in ML terminology. Irrelevant and redundant attributes have to be eliminated from the feature set. There are many theorems and techniques for this, PCA (Principal Component Analysis) being one of the popular techniques. PCA is a common statistical method used in multivariate optimization problems to reduce the dimensionality of data while retaining a large fraction of the data's characteristics.

Classifier Model Construction

Build and train the model based on one or more algorithms. Test the model with test data. The model should classify the data as Normal class or Anomaly (malicious) class.

Test and Optimize the Model


The performance of the model depends on two parameters: malicious activity detection rate (DR) and false positives (FP).

DR is defined as the number of intrusion instances detected by the system divided by the total number of the intrusion instances present in the test dataset.

FP is the instances of false alarms raised for something that is not really an attack. Model optimization should aim to maximize the DR and minimize the FP.

Employ the Model for real-time network traffic

Model performance in production will depend on the accuracy and maturity of the trained model. The model should be kept up to date through repeated retraining. Retraining should accommodate changing attack patterns and activities.
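
The phases above on a small scale, as an added example (not code from the original post): a Gaussian naïve Bayes classifier, one of the supervised algorithms named earlier, is trained on constructed labelled samples and scored with DR and FP as defined above. The two features, the sample values and the function names are assumptions for illustration, and the attribute selection (PCA) phase is omitted.

```python
import math
from collections import defaultdict

# Constructed, labelled samples (not real traffic):
# ((connections per second, failed logins), label); 0 = normal, 1 = anomaly
TRAIN = [((2.0, 0), 0), ((3.0, 1), 0), ((2.5, 0), 0), ((3.5, 1), 0),
         ((3.0, 0), 0), ((2.0, 1), 0),
         ((40.0, 6), 1), ((55.0, 8), 1), ((48.0, 7), 1), ((60.0, 9), 1)]
TEST = [((2.8, 0), 0), ((3.2, 1), 0), ((2.2, 0), 0),
        ((20.0, 2), 0),   # legitimate burst of activity
        ((50.0, 7), 1), ((45.0, 6), 1), ((58.0, 9), 1),
        ((4.0, 1), 1)]    # intrusion whose features resemble normal traffic

def train(samples, eps=1e-9):
    """Fit Gaussian naive Bayes: per class, a prior and per-feature (mean, variance)."""
    by_class = defaultdict(list)
    for features, label in samples:
        by_class[label].append(features)
    model = {}
    for label, rows in by_class.items():
        stats = []
        for column in zip(*rows):
            mean = sum(column) / len(column)
            var = sum((x - mean) ** 2 for x in column) / len(column) + eps
            stats.append((mean, var))
        model[label] = (len(rows) / len(samples), stats)
    return model

def classify(model, features):
    """Return the class with the highest log posterior."""
    def log_posterior(label):
        prior, stats = model[label]
        return math.log(prior) + sum(
            -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)
            for x, (mean, var) in zip(features, stats))
    return max(model, key=log_posterior)

def evaluate(model, samples):
    """DR = detected intrusions / intrusions in the test set; FP = false alarm count."""
    results = [(classify(model, f), label) for f, label in samples]
    intrusions = sum(1 for _, label in results if label == 1)
    detected = sum(1 for pred, label in results if pred == 1 and label == 1)
    false_alarms = sum(1 for pred, label in results if pred == 1 and label == 0)
    return {"DR": detected / intrusions, "FP": false_alarms}

if __name__ == "__main__":
    print(evaluate(train(TRAIN), TEST))
```

The one missed intrusion and the one false alarm both come from test samples that lie outside what the training set covered, which is the gap that repeated retraining is meant to close.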


Multiple industry leaders are striving to provide solutions for smart adaptive security architecture for enterprises. Infosys too has a strong presence in this space.


Whatever the technology revolution, there is no silver bullet to future-proof security. Security fencing always has to be one level up against some of the most devious minds. Though innovative AI-based Predictive-Adaptive Models are gaining momentum, security hackers and predators too are advancing in maliciously attacking these models. We have to wait and watch which intelligence reigns... The Threat or The Protection.
