Machine learning is nothing new; the BIG-IP ASM system has been learning for more than a decade
One of the top trending topics in technology is how to use artificial intelligence (AI) and machine learning (ML) to resolve issues in various technologies, and application security (AppSec) is prime among them. AI and ML are poised to fix most issues that occur in AppSec. Specifically, advanced deep-learning recurrent neural network (RNN) algorithms are being developed to drastically improve the accuracy of threat detection. AI and ML predict attacks (including zero-day attacks) and stop them before they reach your apps. Simply put, ML consists of training the system (the learning part of ML) to detect an attack on its own, rather than relying on preconfigured signatures or anomaly-based logic to detect it.
The foundational premise is simple: the system (machine) is exposed to data sets and learns to detect threats from legitimate traffic.
Application learning is not ML, but the premise is the same
Enter BIG-IP ASM! For many years, the BIG-IP ASM system has had a learning engine (traffic learning). Like the foundational premise of ML, the BIG-IP ASM learning engine premise is simple: learn from the application traffic to automatically build or refine a security policy that detects threats. This method significantly reduces the complexity and number of signatures that you have to manually configure. In academia, this functionality is sometimes referred to as Adaptive Learning or Application Learning.
The BIG-IP ASM learning game
The BIG-IP ASM learning engine examines ingress and egress web traffic and intelligently learns the intended behavior of the application. That learning feeds the BIG-IP ASM Policy Builder, which can automatically configure the security controls required to protect your application. When using automatic learning, the system continuously learns as traffic is processed and can suggest new security controls as the application’s design or usage evolves. To understand how to leverage the BIG-IP ASM learning engine, refer to K75376155: Creating a security policy automatically (14.x - 15.x).
Areas where AI and ML elevate the learning game
Having the right data set, learning offline, and protecting the learning engine are essential to detecting threats and stopping attacks.
The data set issue
Just as it is difficult to learn Geography while being taught Chemistry, learning in AppSec requires the correct data set (consisting of both legitimate traffic and threats). Because of the agile nature of application development (the shorter release cycle) and the dynamic nature of threats, AI and ML can improve the data set quality in terms of scope, context, and retention period (the window of time before you stop analyzing a particular data set).
Offline detection
Offline detection (as opposed to real-time detection) refers to the process of analyzing and learning from a data set outside of production traffic. AI and ML can learn from a large pool of data sets (internet traffic, honeypot systems, and partner sites) and can also detect the anomalies that identify attacks. Security controls can therefore be proactively developed and implemented on your WAF.
Securing the learning engine
Another thing that AI and ML tackle is protecting the learning itself. If attackers could fool or influence how the ML-based system operates, they could nullify the core proposition of AI and ML-based security systems, which is predicting and stopping attacks before they reach your apps.
Overall, advances in AI and ML have exponentially empowered learning by addressing the data set issue and protecting the learning engine. These advances allow AI and ML systems to improve the speed and accuracy of threat detection (including zero-day attacks) while significantly reducing the false positive rate.
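To make the three ideas above concrete (learning the intended behavior of an application from traffic to build a positive security policy, learning offline from a captured data set, and protecting the learning from a single client that tries to shape the baseline), here is a small toy learning engine. It is an added illustration written for this article, not BIG-IP ASM code or any F5 algorithm; the request format, the character-class model, the thresholds MIN_SAMPLES and MIN_SOURCES, and the training requests are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed learning thresholds (illustrative, not ASM settings): a parameter
# pattern is trusted only after it was seen in enough requests from enough
# distinct clients, so one client alone cannot teach the engine a new "normal".
MIN_SAMPLES = 3
MIN_SOURCES = 2


def char_class(value: str) -> str:
    """Coarse character class of a parameter value."""
    if value == "":
        return "empty"
    if value.isdigit():
        return "digits"
    if value.isalnum():
        return "alnum"
    return "other"


class LearningEngine:
    """Observes requests and learns, per URL and parameter, which value
    patterns legitimate clients use. The trusted observations become a
    positive policy; anything outside it is a violation."""

    def __init__(self):
        # (path, param, class) -> {"count": n, "sources": {ips}, "max_len": L}
        self.obs = defaultdict(lambda: {"count": 0, "sources": set(), "max_len": 0})
        self.urls = defaultdict(set)  # path -> set of client IPs that requested it

    def observe(self, src_ip: str, url: str) -> None:
        parts = urlsplit(url)
        self.urls[parts.path].add(src_ip)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            rec = self.obs[(parts.path, name, char_class(value))]
            rec["count"] += 1
            rec["sources"].add(src_ip)
            rec["max_len"] = max(rec["max_len"], len(value))

    def build_policy(self) -> dict:
        """Policy shape: {path: {param: {char_class: max_length}}}."""
        policy = {}
        for path, ips in self.urls.items():
            if len(ips) >= MIN_SOURCES:
                policy[path] = {}
        for (path, name, cls), rec in self.obs.items():
            if rec["count"] >= MIN_SAMPLES and len(rec["sources"]) >= MIN_SOURCES:
                policy.setdefault(path, {}).setdefault(name, {})[cls] = rec["max_len"]
        return policy


def enforce(policy: dict, url: str) -> list:
    """Return the list of violations a request raises under the learned policy."""
    parts = urlsplit(url)
    if parts.path not in policy:
        return [f"illegal URL {parts.path}"]
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        allowed = policy[parts.path].get(name)
        if allowed is None:
            violations.append(f"illegal parameter {name}")
            continue
        cls = char_class(value)
        if cls not in allowed:
            violations.append(f"illegal character class {cls} for {name}")
        elif len(value) > allowed[cls]:
            violations.append(f"value of {name} longer than learned maximum {allowed[cls]}")
    return violations


# Constructed offline learning set: (client IP, request URL). Three legitimate
# clients, plus one client (10.0.0.9) that repeatedly sends punctuation in "id"
# to try to teach the engine that punctuation there is normal.
TRAINING = [
    ("10.0.0.1", "/product?id=101&sort=asc"),
    ("10.0.0.2", "/product?id=2045&sort=desc"),
    ("10.0.0.3", "/product?id=7&sort=asc"),
    ("10.0.0.1", "/product?id=310&sort=desc"),
    ("10.0.0.2", "/search?q=laptop"),
    ("10.0.0.3", "/search?q=headphones"),
    ("10.0.0.1", "/search?q=mouse42"),
    ("10.0.0.9", "/product?id=12%3B34"),
    ("10.0.0.9", "/product?id=56%3B78"),
    ("10.0.0.9", "/product?id=90%3B12"),
]


def learned_policy() -> dict:
    """Learn offline from the captured set and return the resulting policy."""
    engine = LearningEngine()
    for ip, url in TRAINING:
        engine.observe(ip, url)
    return engine.build_policy()


if __name__ == "__main__":
    policy = learned_policy()
    print("learned policy:", policy)
    for req in ["/product?id=55&sort=asc", "/product?id=12%3B34", "/admin"]:
        print(req, "->", enforce(policy, req) or "allowed")
```

The learned policy accepts only numeric ids of up to four characters on /product, because that is what several distinct clients consistently sent; the single client's punctuated ids never reach MIN_SOURCES and so stay out of the baseline, and the same values are flagged at enforcement time. The same structure applies whether the observations come from live traffic or from a captured data set analyzed offline.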
- Isaac_Noumba, Ret. Employee
Hoping this article elucidates the concept of 'Learning' and how it is leveraged by the BIG-IP ASM. Please leave a comment if you have any questions or feedback on this article.