in Blog

June 17, 2021

Machine Learning in Cybersecurity


Artur Haponik

CEO & Co-Founder

Reading time:

13 minutes

The problem of cybersecurity is on the front burner of thousands of companies worldwide. Cybersecurity threats and attacks constantly evolve. Hackers try to get to our computers and companies in order to steal money, obtain valuable data, and even use their computing power (e.g., to mine cryptocurrencies). And since the bad guys don’t ever stop their attempts to hack into yet another company, we need a shield designed for the challenges of the 21st century. And we believe machine learning in cybersecurity has got whatever it takes to become this shield.

When we talk about a specific technology or its specific use, we usually shortly describe the big idea behind it. In many instances, at least when it comes to AI-related technologies and solutions, this big idea is to make things more effective, automated, improved. With machine learning consulting in cybersecurity, it’s no different. The main purpose is to make cybersecurity much, much more effective. And that’s a good thing since the stakes are high. So, what do we need to know about ML in cybersecurity? And is this revolution already happening? Let’s find out!

Cybersecurity threats

Times when Trojans were the most popular type of malicious software are long gone. Today, cyberattacks are common and advanced.

Common types of cyberattacks

There are several types of cyberattacks that are most common, though, and these are:

  • Data breaches: In many instances, the hacker’s main goal is to steal valuable data, for example, personal or credit card information. In such a situation, we talk about data breaches. They happen when an unauthorized person gets access to classified or sensitive data without no one’s consent or authority.
  • Phishing: Most likely, you’ve already come across them. Phishing attacks are all about sending virulent links and emails that look like something attractive (“you’ve just won in a lottery! Click this link and claim your prize!”) or at least safe (“Mr. X, we want to work with you! Go here and fill in the job application”).


  • Malware: Good old Trojans are still in use. In general, malware attacks use malicious software designed primarily to hack into a device or a computer and damage.
  • SQL injection: This attack is based on injecting malicious code to the SQL server to perform a specific action, for instance, reveal classified information.
  • DOS attack: This type of attack uses malicious traffic to flood servers and networks with tens of thousands of requests to become inefficient or unavailable altogether. Hence the attack’s full name: denial of service.
  • APTs: They are particularly dangerous. In the beginning, nothing happens; APT code or application is being installed within a network to gather as much information as possible. When the time is right and defenses are worked out–the attack begins.
  • MITM: This abbreviation stands for man in the middle. And as its name suggests, this type of cyber threat happens when the attacker alters the communication between two users. Hackers can select the entire network or just the specific device to launch the MITM attack.

Other types of cyberattacks

Of course, all of the attacks mentioned above are typically code-based. However, there are also threats that require something more than just malicious code or app. Hackers frequently use social engineering to get what they want. In many instances, they try to convince someone to give up the necessary information. And sadly enough, they frequently succeed.

The next vital threat is related to your employees and contractors. You have to acknowledge that insider attacks happen, and many companies experienced them when employees or subcontractors tried to steal valuable business data.

Cyber attack
Moreover, we have to keep in mind that many modern IT tools are open-source. And that’s both a good thing and a bad thing. Good, because you can use these tools without any costs or limitations. On the other hand, open-source tools don’t always have a developed security layer, which means they are prone to attacks. This also refers to open-source CMS platforms, like, for example, WordPress.

As you can see, there are quite a lot of different threats and attacks your company ought to defend against. Thankfully, there are many ways to do so. Let’s take a closer look at the most effective ones.

Cybersecurity: The most effective defenses

When it comes to cybersecurity, you have to be protected on all fronts. This means that you should opt for a set of solutions that will protect you against every possible attack. This includes several common solutions:

  1. Physical security: Remember what we told you about insider threats? Make sure all the security and access control systems in your company are in place and 100% operational. Never underestimate the gravity of this threat!
  2. Strong passwords: You need to keep two rules in mind here. The first one: Make your passwords as hard to crack as possible (use special characters and numbers). Secondly: Change your passwords frequently, at least 3 times a year.
  3. 2SV: This abbreviation stands for two-step verification. Whenever possible, ask the user to confirm their identity or request in two different ways (for example, with a password and a second unique code sent to email).
  4. SSL and encryption: Both these solutions have but one purpose–encrypt data packages so that no third party can see them. With SSL, you can switch to a secure type of hosting with high-level encryption, but you can do even more. Your encryption mechanisms should work with every database in your company.
  5. Multi-level security: It’s the best way to protect your company. Multi-level security mechanisms come with features that protect your computers, emails, Wi-Fi, LAN, and mobile devices.


Machine learning in cybersecurity

As you know from our other blog posts, machine learning is a subset of AI allowing computers and machines to learn themselves and improve their operation over time. The question is, how can this be used in cybersecurity? For starters, intelligent algorithms have the ability to search through millions of files and identify potentially malicious ones. This means that threats can be discovered much quicker before they become really dangerous.

In general, the whole idea of machine learning in cybersecurity is simple. Every year, we have more and more data available. We can analyze it much more effectively with machine learning algorithms and use it to devise new defense mechanisms. That’s why ML-based antiviruses can quickly discern any potentially hazardous activity–they are simply looking for anything that differs from everyday use.

Machine Learning techniques in cybersecurity

The vast majority of machine learning techniques can be used to improve cybersecurity programs and solutions. For example:

  • Classification: This ML model can be used to divide programs into specific categories, such as malware, spyware, and ransomware
  • Clustering: It can be used for malware protection, for instance, on email gateways (to separate harmless attachments from malicious ones)
  • Regression: This technique can be used to predict users’ actions and detect potential deviations, like, for example, credit card fraud
  • Dimensionality reduction: DR is frequently used in face detection solutions, such as these available in modern smartphones.

However, you have to understand that all of the aforementioned techniques are usually just a part of the larger cybersecurity infrastructure, not a standalone solution.

You may find it interesting – Machine Learning Techniques – Which one is the best for your project?

Machine learning in cybersecurity

Two examples of companies using machine learning in cybersecurity

In early 2018, there was a high-profile case of a malicious cryptocurrency mining code that hackers used to attack 400,000 computers within just 12 hours. The attack was thankfully stopped thanks to Microsoft Defender–antivirus software development that uses machine learning.

The next example we want to tell you about is the American company Darktrace. Their product, Cyber AI, uses unsupervised machine learning techniques to protect their clients against diverse types of cyberattacks. As the company claims, although rule and signature-based solutions offer some protection against pre-identified threats, the reality is that attacks consistently evade these tools. That’s why Darktrace had to come up with a more advanced and smart solution.

Today, their so-called Darktrace Immune System is the world’s leading autonomous cyber-defense platform. Thanks to machine learning, their systems continually learn how normal users behave, so they can immediately spot potentially dangerous anomalies and deviations.

Read more about Machine Learning Software Tools

How Kaspersky using machine learning[1]

Kaspersky is one of the leading antivirus and online security companies. They also use machine learning in their cybersecurity systems. Kaspersky uses both supervised and unsupervised machine learning, as well as deep learning in order to achieve three major objectives:

  • Low false positive rate
  • Interpretability of a model
  • Robustness to a potential adversary

Machine Learning based techniques

And these are ML-based techniques they use to achieve them:

  1. Decision tree ensemble: Kaspersky uses a set of decision trees that analyze each file and its features and, based on that, decide whether the file is malicious or benign. According to Kaspersky’s knowledge base: “During the test phase, the model traverses the tree by answering the questions in the nodes with the corresponding features of the object under consideration.”
  2. Similarity hashing: This ML-based method allows Kaspersky’s software to detect malicious files that were only slightly changed to avoid detection. The system extracts file features and uses orthogonal projection learning to choose the most important features of the specific file. Then, ML-based compression is applied, so that value vectors of similar features are transformed into similar or identical patterns. As a result, every malicious file, even slightly altered, can be discovered on time.
  3. Behavioral model: Sometimes, malicious activity can be observed in log data. This is where the behavioral model comes into play, compresses the specific sequence of events to a set of binary vectors, and trains the deep neural network to distinguish clean and malicious logs.
  4. Stream clustering: Kaspersky’s clustering algorithms allow them to efficiently separate large volumes of unknown files into a reasonable number of clusters, some of which can be automatically processed based on the presence of an already annotated object inside it.

Now, let’s take one step further and see how deep learning, a more advanced version of machine learning, can be used in cybersecurity.

Deep learning in cybersecurity

Although, in general, deep learning works similarly to ML, it’s far more complex, operates based on a neural network (or even networks), and doesn’t require extensive initial training. So, how can this technology be used in cybersecurity?

Applications of deep learning in cybersecurity

Let’s take a look at some possible applications:


  • Intrusion detection systems: Deep learning is used to build more effective intrusion detection systems with a lowered number of false positives. ID systems are designed to detect malicious activity and prevent hackers from breaking into the network. However, in the past, typical ID systems were prone to false positives. Deep learning should deal with this problem effectively.
  • Detecting advanced threats: Because deep learning does not operate based on signatures, it can detect more advanced threats and attacks that cannon be ascribed to specific signatures or common types.
  • Spam detection with NLP: NLP is yet another technology that allows machines and algorithms to understand human language and interpret it. As a result, NLP algorithms teamed with deep learning can offer improved spam and social engineering detection. As a result, once a malicious email is sent, the user quickly gets information that this email is potentially harmful and should be immediately deleted.
  • Network traffic analysis: Remember when we told you about SQL injections, MITM, and DOS attacks? All of them can be prevented thanks to deep learning algorithms, which are capable of scanning the entire HTTPS network to look for potentially hazardous activity. Again, the rule is simple – DL algorithms look for anything that differs from normal activity.
  • UEBA: This abbreviation stands for user and entity behavior analytics. It proves effective, especially when it comes to insider threats. UEBA algorithms are frequently based on deep learning, and they thoroughly analyze every user’s activity by comparing it with normal employee behavior. For example, if your employee suddenly logs into the system in the middle of the night, UEBA will raise an alert and even block further actions.

You may also find it interesting – Machine Learning and Deep Learning – Comparison

Examples of companies using machine learning in cybersecurity

So far, we’ve told you about three such companies. However, let’s dig a bit deeper, because some of these companies have some really amazing projects going on concerning machine learning in cybersecurity. Here we go:

Microsoft [2]

As you already know, Microsoft Defender uses machine learning features to be more effective. However, there’s more, as Microsoft has a whole product called Microsoft Defender Advanced Threat Protection (ATP). In short, ATP is a preventative and post-detection, investigative response feature to Windows Defender, and it comes with several interesting capabilities:

  • Threat and Vulnerability Management (ATP detects, prioritizes, and mitigates security vulnerabilities related to installed applications and missing patches)
  • Attack Surface Reduction (only trusted applications are allowed to run on a computer protected by ATP)
  • Automated Investigation and Remediation (eliminates so-called noise alerts and allow your cybersecurity specialists to focus on pertinent ones)
    Next-Generation Protection (ATP constantly scans the network to detect and block threats)

Chronicle (Google Cloud) [3]

Chronicle offers a threat detection solution built on the power of Google’s infrastructure to help enterprises identify threats at unprecedented speed and scale. Chronicle analyzes large amounts of security data and uses machine learning to condense it into more easily digestible insights.

Google Cloud


It’s an American company founded by ex-NSA employees in 2012. Today, SQRRL produces software for big data analytics and cybersecurity. The company helps analyze a variety of sources to track and understand security threats quickly using machine learning. In 2018, SQRRL became a part of the Amazon Web Services family[4].

Naturally, the list of companies using machine learning in cybersecurity is much longer and will extend over time. This technology has everything it takes to become the next game-changer in the cybersecurity sector. Of course, it’s not a flawless solution, and hackers are not going to lower their guard. But frankly, today, it’s the best solution we have to deal with diverse cyber threats. Undoubtedly, in the near future, this technology will grow and more frequently base not just on machine learning but also on deep learning.

Addepto is an advanced AI consulting company. Every day we work with machine learning and deep learning algorithms to up our clients’ game. If you’re looking for a trusted partner who can help you with AI-related challenges, also in cybersecurity, we are at your service. Just drop us a line and show us your project or idea. Surely we will find a way to build something great together. With our help, you have the entire AI world at your service!


[1] Machine Learning in Cybersecurity. URL: Accessed June 10 2021.
[2] TechTarget  Windows Defender Advanced Threat Protection (ATP). URL: Acessed June 10, 2021.
[3] Google Modern detection for modern threats: Changing the game on today’s threat actors. URL: Accessed June 10, 2021; Machine Learning Cybersecurity. How it works and companies to know. URL: Accessed June 10, 2021.
[4] AWS beefs up threat detection with Sqrrl acquisition. URL: Accessed June 10, 2021.


Machine Learning