Examine the Artificial Intelligence Techniques Used for Cybersecurity


Through news and marketing materials, we have heard that many artificial intelligence technologies have been implemented in cyber defense systems, but what specific AI technologies are used in these systems? Unlike other disciplines that have a single field of study, AI spans various research groups that all contribute to machine intelligence. Cybersecurity experts have applied different pieces of AI to the cybersecurity field. Let’s break down the AI cybersecurity system into components and examine closely how each element plays a role in fighting cybercriminals and cyber-attacks.

Expert Systems

Expert systems have been widely used in the AI field for more than four decades. They provide information after initially being filled with known knowledge in the form of questions and answers. An expert system consists of two components: the knowledge base and the inference engine, where the knowledge base represents the facts, and the inference engine can deduce new facts based on known facts. In cybersecurity, the expert system is used for setting up game rules, guiding the usage of its limited resources, and keeping records of activities including connection/login attempts, usage/access patterns and activity timestamps. Basically, expert systems are good for storing knowledge about past intrusions, known system vulnerabilities, and security policy. The knowledge component can be used by other AI components to do further analysis.
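The split between knowledge base and inference engine can be shown with a small forward-chaining engine. This is an added example, not code from the original article; the host names, the software name `exampled-1.0`, the predicates and the three rules are all constructed for illustration.

```python
# Knowledge base: constructed facts as (predicate, subject[, object]) tuples.
FACTS = {
    ("runs", "web01", "exampled-1.0"),
    ("runs", "db01", "exampled-1.0"),
    ("known_vulnerable", "exampled-1.0"),
    ("internet_facing", "web01"),
    ("failed_logins_high", "web01"),
}

# Hypothetical policy rules: (premises, conclusion); "?x" terms are variables.
RULES = [
    ([("runs", "?h", "?s"), ("known_vulnerable", "?s")], ("vulnerable_host", "?h")),
    ([("vulnerable_host", "?h"), ("internet_facing", "?h")], ("exposed", "?h")),
    ([("exposed", "?h"), ("failed_logins_high", "?h")], ("priority_alert", "?h")),
]

def match(pattern, fact, env):
    """Unify one premise with one fact; return extended bindings or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for term, value in zip(pattern, fact):
        if term.startswith("?"):
            if env.setdefault(term, value) != value:
                return None
        elif term != value:
            return None
    return env

def bindings(premises, facts, env):
    """Yield every variable binding that satisfies all premises."""
    if not premises:
        yield env
        return
    for fact in facts:
        extended = match(premises[0], fact, env)
        if extended is not None:
            yield from bindings(premises[1:], facts, extended)

def infer(facts, rules):
    """Inference engine: forward-chain until no rule adds a new fact."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            for env in list(bindings(premises, known, {})):
                derived = tuple(env.get(term, term) for term in conclusion)
                if derived not in known:
                    known.add(derived)
                    changed = True
    return known - set(facts)
```

Both hosts are deduced to be vulnerable, but only `web01` reaches `priority_alert`, because `db01` has no facts saying it is internet-facing or seeing high login failures.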

Intelligent Agents

Intelligent Agents (IA) act like little agents that each have a simple, specialized task to do based on the knowledge base. An IA is a piece of software that possesses some intelligent and independent behavior, and you can add or customize agents in the defense system to secure or monitor certain activity. For example, the IA can be programmed to observe or anticipate an event with a known threshold or predetermined parameters, and once the environment changes, the IA is triggered to decide whether or not to act on it. In the end, it can also learn and provide feedback to the defense system. Intelligent Agents fall into the following classes: Simple Reflex, Learning, Model-Based, Goal-Based, and Utility-Based. Each class is described here:

  1. Simple Reflex agents act according to the current condition and trigger an action when the pre-defined threshold has been met, ignoring any percept history. This is similar to if/then logic.

  2. Learning agents act on percepts and learn by gathering historical feedback, making decisions based on the learning elements with the aim of suggesting better actions from experience. This agent is good to deploy in an uncertain environment.

  3. Model-Based agents are similar to Simple Reflex agents, except that their internal model does not ignore percept history but uses it to determine actions. This requires memory storage for the percept history.

  4. Goal-Based agents are similar to Model-Based agents but expand on their capabilities: the actions are goal-based, and the agent can choose from a set of possible actions.

  5. Utility-Based agents are similar to Goal-Based agents, but they aim to give the “best” result.
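To make the difference between the first and third classes concrete, the following added example (not part of the original article) runs a Simple Reflex agent and a Model-Based agent over the same failed-login percepts. The threshold, the one-hour window, the percept format and the documentation-range IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 5    # assumed: failed logins that trigger a block
WINDOW = 3600    # assumed: seconds of percept history the model keeps

def simple_reflex_agent(percept):
    """If/then rule on the current percept only; no memory of earlier ones."""
    return "block" if percept["failed"] >= THRESHOLD else "allow"

class ModelBasedAgent:
    """Keeps per-source percept history and acts on the windowed total."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # source -> deque of (ts, failed)

    def act(self, percept):
        seen = self.history[percept["src"]]
        seen.append((percept["ts"], percept["failed"]))
        # Forget percepts that have aged out of the window.
        while seen and seen[0][0] <= percept["ts"] - self.window:
            seen.popleft()
        total = sum(failed for _, failed in seen)
        return "block" if total >= self.threshold else "allow"

# Constructed percepts: failed-login counts reported per source over time.
PERCEPTS = [
    {"ts": 0,    "src": "198.51.100.7", "failed": 2},
    {"ts": 600,  "src": "198.51.100.7", "failed": 2},
    {"ts": 1200, "src": "203.0.113.9",  "failed": 6},
    {"ts": 1800, "src": "198.51.100.7", "failed": 2},
    {"ts": 9000, "src": "198.51.100.7", "failed": 2},
]

def run(percepts):
    """Return (source, reflex decision, model-based decision) per percept."""
    agent = ModelBasedAgent()
    return [(p["src"], simple_reflex_agent(p), agent.act(p)) for p in percepts]
```

The noisy source is blocked by both agents, while the slow source that stays under the per-percept threshold is blocked only by the agent that remembers its earlier attempts, and is allowed again once those attempts age out of the window.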

Neural Nets

Neural nets have a long history, like expert systems, but unlike expert systems, which rely on knowledge inputs, neural nets focus on learning and processing information on their own, which resembles how our nervous system works. Neural nets can consist of a large number of artificial neurons arranged in different types of networks, such as the CNN (convolutional neural network). These networks provide deep learning ability: they learn when trained with thousands of samples. Deep learning can be applied in cybersecurity to help defense systems learn baseline activities and malicious behaviors without human intervention. Another reason for implementing neural nets in cyber defense is their high speed in intrusion detection and intrusion prevention. With different neural network types to choose from, we can find the optimal way to implement deep learning and add new tricks for neutralizing emerging threats. In fact, the cyber forensic investigation ability is developed from neural net technology. With this ability, the system can also predict exploits and reduce the risks of unknown vulnerabilities.


Search ability is essential for every intelligent program, since the amount of data generated within the system is growing tremendously. However, people often pay little attention to the search feature because it works quietly behind the scenes. The search function is implemented with various algorithms such as tree search algorithms, the αβ-search algorithm, minimax, and stochastic search. AI-based search techniques give the cyber defense system the ability to search for possible issues and for solutions that neutralize cyber threats. For example, aggregated statistical analysis can recognize a pattern in an attack that might have spanned multiple attempts over time.

Natural Language Processing (NLP)

In the AI field, Natural Language Processing (NLP) is used to understand natural languages like English. To understand the context of a word, NLP maps and analyzes different aspects of the language through lexical analysis, syntactic analysis, semantic analysis, discourse integration, and pragmatic analysis. NLP was once considered not useful for cyber defense, but it has now been shown to be helpful in understanding the activities of cybercriminals from dark web vulnerability markets or other sources, since we have a multilingual Internet.


We have provided a brief description of the AI techniques used in cyber defense systems or in some AI-based Intrusion Detection Systems (IDS). We also showed how one AI method can benefit other methods or be built on top of another, as with the expert system, whose knowledge can be used further.

The implementation of artificial intelligence in cyber defense is not limited to what we discussed here, because a good defense system requires both technologies and qualified cybersecurity personnel working together. There are many challenges in building an effective system, especially if you need to combine the AI system with a legacy system: it is difficult to coordinate routine security operation tasks because the two systems are very different, and you may be unable to analyze and view threats from the old system through the new one. At this time, we have not utilized the full potential of AI in the protection of our cyberspace, and applications of new AI techniques will continue to be developed for cyber defense.

If you have any thoughts about a specific AI technique being used in defending our cyberspace, want to share other AI techniques not mentioned in the article, or wish to comment on this article, I would love to hear what you have to say. Thank you for reading.