AI and Cybersecurity: combining data with human expertise

Artificial intelligence continues to proliferate and influence our lives. Speech recognition and image recognition rely on AI. The financial sector is moving to AI-based insurance risk analysis, credit scores and loan eligibility. We’re also seeing the emergence of AI-based robot lawyers and AI-based medical diagnostics and prognoses.


But can artificial intelligence be used effectively to combat cyberattacks? AI-influenced cybersecurity capabilities have evolved well beyond AI washing, the derogatory term for a technology billed as AI but which in reality, as InfoWorld put it, is “an attempt to make dumb products sound smart.”


But with that said, we have a long way to go before AI can be effective on its own in stopping cyberthreats. The main barriers are a shortage of data and a shortage of expertise. But we’re getting there because of continuing advances in three areas:


  • Storage: We can now store enormous amounts of data at a fraction of what it used to cost.
  • Computing power: Modern hardware lets us process mountains of data.
  • Mathematics: The math and algorithms that drive AI.


Machine learning, deep learning and Big Data analytics have all seen major breakthroughs in the past several years, letting us mechanize tasks previously handled only by our scarcest resource – the smartest human analysts. They can make sense of enormous volumes of log data, opening our eyes in places where we were previously blind.


As Check Point thinks more and more about AI’s role in cybersecurity, we’ve begun to explore AI-based engines across our threat prevention platform. We’re already using them in three capacities: we call them Campaign Hunting, Huntress, and Context-Aware Detection (CADET).


Campaign Hunting


We’re extremely excited about Campaign Hunting, which is designed to enhance our threat intelligence. Without AI, a human analyst looking at a malicious element would typically trace its origins and identify similar instances, such as domains registered by the same person at the same time with the same lexicographic pattern.


By using AI technologies to emulate – and mechanize – an analyst’s intuition, Check Point’s algorithms can analyze millions of known indicators of compromise and hunt for additional similar ones. As a result, we’re able to produce an additional threat intelligence feed that offers first-time prevention of attacks that we’ve never seen before. In fact, more than 10 percent of the cyberattacks we block today are based on intelligence gained solely through Campaign Hunting.
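To make the analyst step above concrete, here is an added example (an illustration written for this page, not Check Point’s Campaign Hunting code) that derives a campaign fingerprint from known-bad registrations, namely registrant, registration window and lexical shape of the domain label, and hunts a feed of new registrations for look-alikes. The `Registration` record, the registrant identifiers, domains and dates are constructed for illustration; a real pipeline would take them from WHOIS or registration feeds and would use a public-suffix list instead of splitting on the last dot.

```python
# Added example, not Check Point's code: pivot from known-bad domains to similar
# registrations. A "campaign" is (registrant, lexical shape of the second-level
# label) plus the window in which its known domains were registered. Every
# domain, registrant identifier and date below is constructed for illustration.
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Registration:
    domain: str
    registrant: str   # normalized WHOIS registrant identity (hypothetical field)
    registered: date  # WHOIS creation date


def lexical_pattern(domain: str) -> str:
    """Collapse the second-level label to a shape: runs of letters -> 'L',
    runs of digits -> 'D', punctuation kept: 'paypal-verify01.com' -> 'L-LD.com'.
    Simplification: multi-label public suffixes (co.uk) are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    sld, tld = labels[-2], labels[-1]
    shape = re.sub(r"[a-z]+", "L", sld)
    shape = re.sub(r"[0-9]+", "D", shape)
    return f"{shape}.{tld}"


Campaign = Tuple[str, str]  # (registrant, lexical pattern)


def build_campaigns(known_bad: Iterable[Registration]) -> Dict[Campaign, Tuple[date, date]]:
    """Group known indicators by registrant and shape; keep each group's
    registration window as (earliest, latest)."""
    windows: Dict[Campaign, Tuple[date, date]] = {}
    for reg in known_bad:
        key = (reg.registrant, lexical_pattern(reg.domain))
        lo, hi = windows.get(key, (reg.registered, reg.registered))
        windows[key] = (min(lo, reg.registered), max(hi, reg.registered))
    return windows


def hunt(known_bad: List[Registration], candidates: Iterable[Registration],
         tolerance_days: int = 7) -> List[str]:
    """Return candidate domains that fit a known campaign (same registrant,
    same shape, registered within the window plus tolerance) and are not
    already known indicators."""
    campaigns = build_campaigns(known_bad)
    already_known = {reg.domain.lower() for reg in known_bad}
    slack = timedelta(days=tolerance_days)
    hits: List[str] = []
    for cand in candidates:
        if cand.domain.lower() in already_known:
            continue
        key = (cand.registrant, lexical_pattern(cand.domain))
        if key not in campaigns:
            continue
        lo, hi = campaigns[key]
        if lo - slack <= cand.registered <= hi + slack:
            hits.append(cand.domain)
    return hits


# Constructed seed indicators: one phishing campaign, three domains.
KNOWN_BAD = [
    Registration("paypal-verify01.com", "reg-7f3@example.test", date(2018, 3, 1)),
    Registration("amazon-secure22.com", "reg-7f3@example.test", date(2018, 3, 2)),
    Registration("apple-account19.com", "reg-7f3@example.test", date(2018, 3, 2)),
]

# Constructed candidates, as a new-registrations feed might deliver them.
CANDIDATES = [
    Registration("chase-update44.com", "reg-7f3@example.test", date(2018, 3, 3)),      # same campaign
    Registration("netflix-billing07.com", "reg-7f3@example.test", date(2018, 9, 15)),  # same actor, months later
    Registration("my-blog88.com", "someone@example.test", date(2018, 3, 2)),           # same shape, other registrant
    Registration("bank-login.com", "reg-7f3@example.test", date(2018, 3, 3)),          # same actor, different shape
    Registration("paypal-verify01.com", "reg-7f3@example.test", date(2018, 3, 1)),     # already a known indicator
]

if __name__ == "__main__":
    for d in hunt(KNOWN_BAD, CANDIDATES):
        print("new indicator:", d)  # chase-update44.com
```

With the default seven-day tolerance only `chase-update44.com` is emitted; widening the window to a year also pulls in the same actor’s later registration, which is the trade-off between feed coverage and false positives that a human analyst otherwise makes by intuition.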




Huntress


This engine looks for malicious executables, one of the toughest problems in cybersecurity. By nature, an executable can do anything once it is running, because none of its actions breaches a security boundary. This makes it hard to tell whether it is trying to do something bad.


Using a sandbox as a dynamic analysis platform, we let executables run and collect hundreds of runtime parameters. We then feed that data to the AI-based engine, previously trained on millions of known-good and known-bad executables, and ask it to categorize the new ones.


The results are astounding: Huntress detects malicious executables beyond what antivirus and static analysis find. In fact, 13 percent of the malicious executables we detect are found solely by this engine. Without Huntress, we would not have known to block them.
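As an added illustration (not Check Point’s Huntress, whose features and model are not described on this page), the following Python turns sandbox run-time observations into binary behavioral features and classifies an unseen run with a Bernoulli naive Bayes model trained on labeled runs. The report format, the API names used as features and the training set are constructed; a production engine would use hundreds of parameters and millions of samples, as the text says.

```python
# Added example, not Check Point's code: classify sandbox run-time observations
# with a Bernoulli naive Bayes model trained on labeled runs. The reports are
# constructed stand-ins for sandbox output (API calls, registry writes, dropped
# files, DNS lookups).
import math
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, Iterable, List, Tuple

Report = Dict[str, List[str]]


def featurize(report: Report) -> FrozenSet[str]:
    """Map one sandbox report to a set of present/absent behavioral features."""
    feats = {f"api:{call}" for call in report.get("api", [])}
    if any("currentversion\\run" in k.lower() for k in report.get("registry_writes", [])):
        feats.add("persist:run_key")        # autorun persistence
    if any("appdata" in p.lower() and p.lower().endswith(".exe") for p in report.get("files_written", [])):
        feats.add("drop:exe_in_appdata")     # dropped a PE into the user profile
    if report.get("dns"):
        feats.add("net:dns")                 # made outbound DNS lookups
    return frozenset(feats)


class BernoulliNB:
    """Naive Bayes over binary features with Laplace smoothing; absent
    features count as evidence too, via P(feature absent | class)."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.vocab: set = set()
        self.class_count: Counter = Counter()
        self.feat_count: Dict[str, Counter] = defaultdict(Counter)

    def fit(self, samples: Iterable[Tuple[FrozenSet[str], str]]) -> "BernoulliNB":
        for feats, label in samples:
            self.class_count[label] += 1
            self.vocab |= feats
            self.feat_count[label].update(feats)
        return self

    def _log_joint(self, feats: FrozenSet[str], label: str) -> float:
        n, total = self.class_count[label], sum(self.class_count.values())
        score = math.log(n / total)          # class prior
        for f in self.vocab:
            p = (self.feat_count[label][f] + self.alpha) / (n + 2 * self.alpha)
            score += math.log(p if f in feats else 1 - p)
        return score

    def log_odds_bad(self, feats: FrozenSet[str]) -> float:
        return self._log_joint(feats, "bad") - self._log_joint(feats, "good")

    def predict(self, feats: FrozenSet[str]) -> str:
        return "bad" if self.log_odds_bad(feats) > 0 else "good"


RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
TRAINING: List[Tuple[Report, str]] = [   # constructed labeled sandbox runs
    ({"api": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA"],
      "registry_writes": [RUN_KEY + "upd"], "files_written": ["C:\\Users\\u\\AppData\\Roaming\\upd.exe"],
      "dns": ["xk3j9d.example.test"]}, "bad"),
    ({"api": ["CryptEncrypt", "FindFirstFileW", "DeleteFileW", "InternetOpenA"],
      "registry_writes": [RUN_KEY + "svc"], "files_written": ["C:\\Users\\u\\Documents\\report.docx.locked"],
      "dns": ["p2q7.example.test"]}, "bad"),
    ({"api": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "RegSetValueExW"],
      "registry_writes": [RUN_KEY + "a"], "files_written": ["C:\\Users\\u\\AppData\\Local\\Temp\\a.exe"],
      "dns": []}, "bad"),
    ({"api": ["SetWindowsHookExA", "GetAsyncKeyState", "InternetOpenA", "InternetConnectA"],
      "registry_writes": [], "files_written": ["C:\\Users\\u\\AppData\\Roaming\\kl.exe"],
      "dns": ["c2.example.test"]}, "bad"),
    ({"api": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"],
      "registry_writes": [], "files_written": ["C:\\Users\\u\\Documents\\notes.txt"], "dns": []}, "good"),
    ({"api": ["CreateFileW", "ReadFile", "RegQueryValueExW", "GetSystemMetrics"],
      "registry_writes": [], "files_written": [], "dns": []}, "good"),
    ({"api": ["CreateFileW", "WriteFile", "InternetOpenA", "InternetConnectA"],
      "registry_writes": [], "files_written": ["C:\\Program Files\\Vendor\\cache.dat"],
      "dns": ["updates.vendor.test"]}, "good"),
    ({"api": ["RegSetValueExW", "CreateFileW", "WriteFile"],
      "registry_writes": ["HKCU\\Software\\Vendor\\Settings"],
      "files_written": ["C:\\Users\\u\\AppData\\Roaming\\Vendor\\settings.ini"], "dns": []}, "good"),
]

MODEL = BernoulliNB().fit((featurize(r), label) for r, label in TRAINING)


def verdict(report: Report) -> Tuple[str, float]:
    """Classify an unseen sandbox report: (label, log-odds that it is malicious)."""
    feats = featurize(report)
    return MODEL.predict(feats), round(MODEL.log_odds_bad(feats), 2)


# Constructed unseen runs: a process injector with persistence, and a document editor.
UNSEEN_BAD: Report = {
    "api": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA", "InternetConnectA"],
    "registry_writes": [RUN_KEY + "x"], "files_written": ["C:\\Users\\u\\AppData\\Roaming\\x.exe"],
    "dns": ["q8w2.example.test"]}
UNSEEN_GOOD: Report = {
    "api": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "GetSystemMetrics"],
    "registry_writes": [], "files_written": ["C:\\Users\\u\\Documents\\budget.xlsx"], "dns": []}
```

Note that the legitimate updater in the training set makes DNS lookups and calls the WinINet APIs, so no single parameter decides the verdict; it is the combination of injection calls, a Run-key write and a dropped executable that pushes the log-odds far positive, while the absence of ordinary file-handling calls adds to the suspicion. This is why the text stresses collecting hundreds of parameters rather than matching one signature.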




Context-Aware Detection (CADET)


This Check Point platform gives us visibility into all parts of the IT infrastructure: networks, data centers, cloud environments, endpoints and mobile devices. Rather than inspecting isolated elements, we can look at the context of the full session and ask, for example, whether a link was sent in an email or in a text message to a mobile device, who sent it, when its domain was registered and who registered it.


In essence, we extract thousands of parameters from the inspected element and its context, and the CADET AI engine reduces them to a single, accurate, context-informed verdict. That’s quite something.


So far, our testing shows that CADET halves our missed-detection rate and cuts our false-positive rate ten-fold. Keep in mind: these are not just nice mathematical results. In real-life cybersecurity, engine accuracy is crucial, because every missed detection is an attack that gets through and every false positive costs analyst time and erodes trust in the engine.
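To show what a context-informed verdict and the two rates above mean in practice, here is an added example (not CADET’s logic, which the page does not describe): an isolated-element verdict that only checks the link’s domain against a blocklist, beside a context-aware verdict that also weighs the delivery channel, the sender, the domain’s age and its registrant, both evaluated on a constructed labeled set of sessions by missed-detection and false-positive rate. The blocklist, the registrant list, the weights, the threshold, the `sender_known` signal and the sessions themselves are all hypothetical.

```python
# Added example, not Check Point's code: an isolated-element verdict beside a
# context-aware verdict for a delivered link, evaluated by missed-detection and
# false-positive rate on constructed sessions. Weights, threshold, lists and
# sessions are hypothetical.
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Session:
    url: str
    channel: str                # "email" or "sms"
    sender_known: bool          # recipient has corresponded with the sender before (hypothetical signal)
    registered: Optional[date]  # WHOIS creation date of the link's domain, None if unavailable
    registrant: str             # normalized WHOIS registrant identity
    observed: date              # when the message was seen
    malicious: bool             # ground truth, used only by evaluate()


BLOCKLIST = {"evil-login.example.test"}       # constructed reputation feed
BAD_REGISTRANTS = {"reg-7f3@example.test"}    # constructed: registrant seen in past campaigns
LURE_WORDS = re.compile(r"login|verify|secure|account", re.I)
THRESHOLD = 4.0                               # hypothetical block threshold


def domain_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def isolated_verdict(s: Session) -> str:
    """Inspect only the element itself: is the link's domain on the blocklist?"""
    return "block" if domain_of(s.url) in BLOCKLIST else "allow"


def context_score(s: Session) -> float:
    """Combine the element with its session context (hypothetical weights)."""
    score = 10.0 if domain_of(s.url) in BLOCKLIST else 0.0
    if s.registered is None:
        score += 1.0                                   # no registration history at all
    else:
        age_days = (s.observed - s.registered).days
        score += 3.0 if age_days < 30 else 1.0 if age_days < 365 else 0.0
    score += 1.0 if s.channel == "sms" else 0.0        # link texted to a mobile device
    score += 0.0 if s.sender_known else 1.5            # first contact from this sender
    score += 4.0 if s.registrant in BAD_REGISTRANTS else 0.0
    score += 1.0 if LURE_WORDS.search(urlsplit(s.url).path) else 0.0
    return score


def context_verdict(s: Session) -> str:
    return "block" if context_score(s) >= THRESHOLD else "allow"


def evaluate(verdict: Callable[[Session], str], sessions: List[Session]) -> Tuple[float, float]:
    """Return (missed-detection rate, false-positive rate) for a verdict function."""
    malicious = [s for s in sessions if s.malicious]
    benign = [s for s in sessions if not s.malicious]
    misses = sum(verdict(s) == "allow" for s in malicious)
    fps = sum(verdict(s) == "block" for s in benign)
    return misses / len(malicious), fps / len(benign)


SEEN = date(2018, 3, 1)
SESSIONS = [  # constructed: four malicious, four benign
    Session("https://evil-login.example.test/verify", "sms", False, date(2018, 2, 20), "reg-7f3@example.test", SEEN, True),
    Session("https://chase-update44.example.test/account", "sms", False, date(2018, 2, 27), "reg-7f3@example.test", SEEN, True),
    Session("https://docs-share.example.test/login", "email", False, date(2018, 2, 15), "other@example.test", SEEN, True),
    Session("https://cdn-files.example.test/invoice.pdf", "email", False, None, "unknown", SEEN, True),
    Session("https://www.vendor.example.test/login", "email", True, date(2009, 5, 1), "vendor@example.test", SEEN, False),
    Session("https://newstartup.example.test/", "sms", True, date(2018, 1, 15), "founder@example.test", SEEN, False),
    Session("https://intranet.example.test/account", "email", True, date(2015, 1, 1), "it@example.test", SEEN, False),
    Session("https://m.bank.example.test/secure/verify", "sms", True, date(2005, 6, 1), "bank@example.test", SEEN, False),
]

if __name__ == "__main__":
    print("isolated (miss rate, FP rate):", evaluate(isolated_verdict, SESSIONS))
    print("context  (miss rate, FP rate):", evaluate(context_verdict, SESSIONS))
```

On this constructed set the blocklist-only verdict misses three of four malicious links (only the listed domain is caught), while the context verdict misses one, the invoice link with no registration history and no other signal, and neither produces a false positive. The point of the exercise is the shape of the comparison, not the numbers: the same measurement, missed-detection rate against false-positive rate on labeled traffic, is what makes a claim like the one above checkable, and lowering the threshold to catch the last miss would have to be weighed against the benign sessions it starts to block.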


At Check Point, we combine AI with our other technologies to improve the metrics that actually matter. For now, we believe that AI technologies are still not mature enough to be used on their own and still need a large amount of human input in order to be effective.


But when AI is used as an additional layer, added to a mixture of expert engines designed to cover the entire attack landscape, we’ll be even further along in our efforts to keep our networks and devices safe from attack. No AI washing here.