When generative AI made its debut, companies started an AI experiment. They have accepted innovations that many of them don’t fully understand or, perhaps, don’t fully trust. However, for cybersecurity professionals, harnessing the potential of artificial intelligence has been the vision for years, and a historic milestone will soon be reached: the ability to predict attacks.
The idea of predicting anything has always been the “Holy Grail” of cybersecurity, and for good reason, it has been met with considerable skepticism. Any claims about “predictive capabilities” turned out to be marketing hype or premature aspiration. However, AI is now at an inflection point where access to more data, better-tuned models, and decades of experience have charted a more direct path toward achieving large-scale predictions.
At this point, you might think I’m seconds away from suggesting that chatbots will turn into computer oracles, but no, you can breathe a sigh of relief. Generative AI hasn’t reached its peak with next-generation chatbots. They are just the beginning and pave the way for basic models and their reasoning ability to assess with high confidence the probability of a cyber attack and how and when it will occur.
Classical artificial intelligence models
To reap the benefit that fundamental models can provide security teams in the near term, we must first understand the current state of AI in the field. Classic AI models are trained on specific datasets for specific use cases to achieve specific results with speed and accuracy, the key benefits of AI applications in cybersecurity. And to this day, these innovations, along with automation, continue to play a critical role in managing threats and protecting user identity and data privacy.
With classic AI, if a model were trained on the Clop ransomware (a variant that has devastated hundreds of organizations), it would be able to identify various signatures and subtleties inferring that this ransomware is in your environment and flag it as a priority over team safety. And it would do so with exceptional speed and accuracy that surpasses manual analysis.
Today the threat model has changed. The attack surface is expanding, adversaries rely on AI as much as businesses, and security expertise is still scarce. Classic AI can’t cover all the bases on its own.
Self-trained AI models
The recent boom in generative artificial intelligence has pushed Large Language Models (LLMs) to center stage in the cybersecurity industry thanks to their ability to quickly retrieve and summarize various forms of information for security analysts using natural language. These models offer human-like interaction to security teams, making the digestion and analysis of complex, highly technical information significantly more accessible and much faster.
We’re starting to see LLMs enable teams to make decisions faster and with greater precision. In some cases, actions that previously took weeks are now completed in days or even hours. Once again, speed and precision remain the key characteristics of these recent innovations. Prominent examples include innovations introduced with IBM Watson Assistant, Microsoft Copilot or Crowdstrike’s Charlotte AI chatbots.
In the security market, this is where the innovation lies right now: materializing the value of LLMs, primarily through chatbots positioned as artificial assistants of security analysts. We will see this innovation translate into adoption and generate material impact over the next 12 to 18 months.
Considering the talent shortage in the industry and the growing volume of threats that security professionals face on a daily basis, they need all the help they can get, and chatbots can serve as a force multiplier in this space. Just consider that cybercriminals have managed to reduce the time it takes to execute a ransomware attack by 94% – they are using time as a weapon, making it essential for defenders to optimize their time to the greatest extent possible.
However, cyber chatbots are only the precursor to the impact that basic models can have on cybersecurity.
Foundation models at the epicenter of innovation
The maturation of LLMs will allow us to exploit the full potential of foundation models. Basic models can be trained on multimodal data: not just text but images, audio, video, network data, behavior, and more. They can build on the simple language processing of LLMs and significantly augment or replace the current volume of parameters to which the AI is constrained. Combined with their self-supervised nature, they become innately intuitive and adaptable.
What does this mean? In our previous ransomware example, a foundation model would not have needed to have ever seen Clop ransomware (or any other ransomware) to detect anomalous and suspicious behavior. The basic models are self-learning. They do not need to be trained for a specific scenario. Therefore, in this case, they would be able to detect an elusive and never-before-seen threat. This capability will increase the productivity of security analysts and speed up their investigations and responses.
These capabilities are close to materializing. About a year ago, we began running a proof-of-concept project at IBM, experimenting with a basic security model to detect never-before-seen threats, predict them, and enhance intuitive communication and reasoning within a company’s security stack. company without compromising data privacy.
In a customer trial, the model’s nascent capabilities predicted 55 attacks several days before they even occurred. Of these 55 predictions, analysts have evidence that 23 of these attempts played out as expected, while many of the other attempts were blocked before they reached radar. This included, among others, numerous Distributed Denial of Service (DDoS) attempts and phishing attacks aimed at spreading different strains of malware. Knowing the opponents’ intentions in advance and preparing for these attempts gave the defenders a surplus of time that they rarely get.
The training data for this basic model comes from different data sources that can interact with each other: from API feeds, intelligence feeds and indicators of compromise to behavioral indicators and social platforms, etc. The baseline model allowed us to “see” adversaries’ intent to exploit known vulnerabilities in the client environment and their plans to exfiltrate data in the event of a successful compromise. Additionally, the model hypothesized over 300 new attack patterns, which is information that organizations can use to strengthen their security posture.
The importance of the extra time this knowledge gave defenders cannot be overstated. By knowing which specific attacks were coming, our security team could perform mitigation actions to prevent them from reaching impact (for example, patch a vulnerability and fix misconfigurations) and prepare the response for those that manifest into active threats .
While it would bring me no greater joy than to say that fundamental patterns will stop cyber threats and make the world cyber-safe, that is not necessarily the case. Predictions are not prophecies: they are well-founded predictions.
Sridhar Muppidi is an IBM researcher and CTO of IBM Security.
Other comments to read posted by Fortune:
The opinions expressed in Fortune.com comments represent solely the views of the relevant authors and do not necessarily reflect the opinions and beliefs of Fortune.