- Posted on
- • Artificial Intelligence
Artificial Intelligence Cybersecurity Case Studies
- Author
-
-
- User
- linuxbash
- Posts by this author
- Posts by this author
-
Artificial Intelligence Cybersecurity Case Studies (for Linux/Bash Users)
When the pager goes off at 03:14 and a file server starts encrypting itself, seconds matter. AI can give Linux admins and security engineers a head start—surfacing anomalies, ranking alerts, and cutting through noise. This post walks through practical, bash-friendly case studies where AI added real defensive value, with step-by-step commands you can run on a Linux box. You’ll get the “why,” the “how,” and concrete examples you can adapt immediately.
Why AI for Cybersecurity is Worth Your Time
Scale: Modern environments generate log volumes that outpace manual triage. AI sifts signals from terabytes of logs and traffic.
Speed: Unsupervised models flag “weird” before signatures exist (useful for zero-days and novel ransomware).
Consistency: Models don’t fatigue at 4 a.m.; they enforce the same scrutiny every time.
Limits to respect: False positives, model drift, and adversarial inputs are real—so you’ll see how to deploy AI as decision support, not a magic bullet.
What follows: four case studies with ready-to-run Linux commands and minimal Python, plus installation instructions for apt, dnf, and zypper where tools are used.
Case Study 1: AI-Assisted Phishing Detection for Email Triage
Goal: Build a lightweight classifier to score emails as phishing or benign using text features. Useful for SOC inboxes, abuse@ mail, or incident triage queues.
Tools:
- Python 3 with scikit-learn, pandas, numpy
Install:
apt:
sudo apt update && sudo apt install -y python3 python3-pip python3 -m pip install --user scikit-learn pandas numpy beautifulsoup4 tldextractdnf:
sudo dnf install -y python3 python3-pip python3 -m pip install --user scikit-learn pandas numpy beautifulsoup4 tldextractzypper:
sudo zypper install -y python3 python3-pip python3 -m pip install --user scikit-learn pandas numpy beautifulsoup4 tldextract
Minimal demo (train + predict) you can paste into a terminal:
python3 - <<'PY'
import re, sys
import numpy as np
from bs4 import BeautifulSoup
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.linear_model import LogisticRegression
# Tiny toy dataset: replace with your labeled CSV later
train_subjects = [
"Reset your password immediately",
"Invoice attached",
"Team lunch next week",
"Unusual login attempt detected",
]
train_bodies = [
"Click here to reset: http://bad.example/",
"Please review invoice: https://vendor.example/inv.pdf",
"Menu options for Friday lunch",
"We blocked a login; verify now: http://phish.example/verify",
]
train_labels = [1, 0, 0, 1] # 1 = phishing, 0 = benign
def clean_html(text):
return BeautifulSoup(text, "html.parser").get_text(" ")
X_text = [s + " " + clean_html(b) for s, b in zip(train_subjects, train_bodies)]
vec = TfidfVectorizer(ngram_range=(1,2), min_df=1, stop_words='english')
X = vec.fit_transform(X_text)
clf = LogisticRegression(max_iter=500)
clf.fit(X, train_labels)
# Score new samples passed via stdin or defaults
samples = sys.stdin.read().strip().split("\n\n")
if not samples or samples == ['']:
samples = [
"Subject: Action required\nBody: Verify account at http://login-verify.co",
"Subject: Daily report\nBody: Attached is your routine metrics report."
]
def prep(sample):
subj, body = "", ""
for line in sample.splitlines():
if line.lower().startswith("subject:"):
subj = line.split(":",1)[1]
elif line.lower().startswith("body:"):
body = line.split(":",1)[1]
return (subj + " " + clean_html(body)).strip()
X_new = vec.transform([prep(s) for s in samples])
probs = clf.predict_proba(X_new)[:,1]
for s, p in zip(samples, probs):
verdict = "PHISH" if p >= 0.7 else ("SUSPICIOUS" if p >= 0.4 else "BENIGN")
print(f"{verdict}\t{p:.2f}\t{s.splitlines()[0]}")
PY
How to use:
Pipe samples from your intake mailbox or a file for spot checks.
Replace the toy dataset with your labeled email dataset to train a better model.
Integrate into a mail gateway quarantine workflow as a second-opinion scorer.
Notes:
Expect false positives; calibrate thresholds.
Periodically retrain—attackers change templates frequently.
Case Study 2: Network Anomaly Detection on Zeek Logs (Isolation Forest)
Goal: Find unusual flows that deviate from normal behavior—handy for spotting exfiltration, lateral movement, or beaconing.
Tools:
Zeek (NIDS) to produce connection logs
Python 3 with scikit-learn, pandas
Install Zeek:
apt:
sudo apt update && sudo apt install -y zeek python3 python3-pip python3 -m pip install --user pandas scikit-learndnf:
sudo dnf install -y zeek python3 python3-pip python3 -m pip install --user pandas scikit-learnzypper:
sudo zypper install -y zeek python3 python3-pip python3 -m pip install --user pandas scikit-learn
Generate logs from an interface or a pcap:
# From live interface (adjust -i)
sudo zeek -i eth0
# Or from a pcap
zeek -r sample.pcap conn
Score anomalies from conn.log:
python3 - <<'PY'
import pandas as pd
import numpy as np
from sklearn.ensemble import IsolationForest
from pathlib import Path
log = Path("conn.log")
if not log.exists():
raise SystemExit("conn.log not found. Run Zeek first.")
# Zeek conn.log is TSV with '#' comments; parse minimal fields
rows = []
with open(log, "r", errors="ignore") as f:
cols = []
for line in f:
if line.startswith("#fields"):
cols = line.strip().split("\t")[1:]
elif line.startswith("#") or not line.strip():
continue
else:
parts = line.strip().split("\t")
if len(parts) != len(cols):
continue
rows.append(dict(zip(cols, parts)))
df = pd.DataFrame(rows)
for c in ["duration","orig_bytes","resp_bytes"]:
if c in df.columns:
df[c] = pd.to_numeric(df[c], errors="coerce").fillna(0.0)
else:
df[c] = 0.0
# Simple feature set; extend as needed
feat = df[["duration","orig_bytes","resp_bytes"]].astype(float).values
iso = IsolationForest(n_estimators=200, contamination=0.01, random_state=42)
scores = iso.fit_predict(feat) # -1 = anomaly
df["_anomaly"] = scores
suspicious = df[df["_anomaly"] == -1].copy()
out_cols = [c for c in ["ts","id.orig_h","id.resp_h","id.resp_p","proto","duration","orig_bytes","resp_bytes"] if c in df.columns]
print("Top anomalies:")
print(suspicious[out_cols].head(20).to_string(index=False))
PY
Tips:
Tune contamination to your environment (e.g., 0.005–0.02).
Feed labeled anomalies back into a supervised model for improved accuracy over time.
Case Study 3: Faster Malware Triage with YARA + ClamAV + Simple ML Ranking
Goal: Use signatures to detect known threats, then apply a tiny ML ranker to prioritize which hits deserve immediate attention.
Tools:
YARA for rule matching
ClamAV for AV signatures
Python 3 for simple scoring
Install:
apt:
sudo apt update && sudo apt install -y yara clamav python3 python3-pip sudo freshclam || true python3 -m pip install --user pandas scikit-learndnf:
sudo dnf install -y yara clamav python3 python3-pip sudo freshclam || true python3 -m pip install --user pandas scikit-learnzypper:
sudo zypper install -y yara clamav python3 python3-pip sudo freshclam || true python3 -m pip install --user pandas scikit-learn
Run scans:
# ClamAV (recursive)
clamscan -r /path/to/samples | tee clamscan.out
# YARA (recursive) with your rules
# Example: rules in ./rules/index.yar
yara -r ./rules/index.yar /path/to/samples | tee yara.out
Rank hits with a simple heuristic model:
python3 - <<'PY'
import re, sys
from collections import defaultdict
clam = defaultdict(int)
with open("clamscan.out","r",errors="ignore") as f:
for line in f:
if ": " in line and "FOUND" in line:
path = line.split(": ",1)[0]
clam[path] = 1
yara_hits = defaultdict(list)
with open("yara.out","r",errors="ignore") as f:
for line in f:
parts = line.strip().split(None, 1)
if len(parts) == 2:
rule, rest = parts
# rest often contains the file path after a space
m = re.search(r"\s(/.*)$", line.strip())
if m:
yara_hits[m.group(1)].append(rule)
def score(path):
# Simple explainable scoring:
# +0.6 if AV hit, +0.1 per YARA rule, capped at 1.0
s = 0.6*clam[path] + min(0.4, 0.1*len(yara_hits[path]))
return round(min(1.0, s), 2)
rows = []
for path in set(list(clam.keys()) + list(yara_hits.keys())):
rows.append((score(path), path, clam[path], ",".join(yara_hits[path])))
for s, path, av, rules in sorted(rows, key=lambda x: -x[0])[:30]:
verdict = "HIGH" if s >= 0.8 else ("MEDIUM" if s >= 0.5 else "LOW")
print(f"{verdict}\tscore={s}\tAV={av}\tYARA={rules}\t{path}")
PY
Notes:
This is deliberately simple and explainable—ideal for first-pass prioritization.
Keep YARA rules up to date; segment rules into families to improve triage context.
Case Study 4: Ransomware Early Warning via inotify + One-Class Modeling
Goal: Detect rapid, unusual spikes in file modifications that may indicate ransomware behavior.
Tools:
inotify-tools for filesystem events
auditd (audit) optional for broader system monitoring
Python 3 with scikit-learn
Install:
apt:
sudo apt update && sudo apt install -y inotify-tools auditd python3 python3-pip python3 -m pip install --user scikit-learndnf:
sudo dnf install -y inotify-tools audit python3 python3-pip sudo systemctl enable --now auditd python3 -m pip install --user scikit-learnzypper:
sudo zypper install -y inotify-tools audit python3 python3-pip sudo systemctl enable --now auditd python3 -m pip install --user scikit-learn
Stream change events from a watched directory:
# Replace /data with your high-value directory (ideally in a lab first)
inotifywait -m -r -e create,modify,move,delete --format '%T %e %w%f' --timefmt '%s' /data \
| python3 - <<'PY'
import sys, time, collections
from statistics import mean, pstdev
from sklearn.svm import OneClassSVM
# Aggregate events per second, learn baseline, then alert on spikes
bucket = collections.Counter()
baseline = []
learn_seconds = 60 # learn normal for 1 minute
model = None
last_ts = None
def fit_model(counts):
X = [[c] for c in counts]
oc = OneClassSVM(gamma='scale', nu=0.05) # ~5% outliers
oc.fit(X)
return oc
start = time.time()
for line in sys.stdin:
try:
ts_s, ev, path = line.strip().split(None, 2)
ts = int(ts_s)
except ValueError:
continue
bucket[ts] += 1
# Once per second, evaluate the last second
if last_ts is None:
last_ts = ts
if ts != last_ts:
count = bucket[last_ts]
if time.time() - start < learn_seconds:
baseline.append(count)
if len(baseline) >= 10:
model = fit_model(baseline)
print(f"LEARN\t{last_ts}\t{count}")
else:
if not model and len(baseline) >= 10:
model = fit_model(baseline)
if model:
pred = model.predict([[count]])[0] # -1 = anomaly
status = "ALERT" if pred == -1 else "OK"
print(f"{status}\t{last_ts}\tchanges={count}")
last_ts = ts
PY
Tips:
Point the watcher at honeypot folders to reduce noise.
Combine with file extensions entropy/rename heuristics for better precision.
Use systemd to run the pipeline and syslog for alerts.
Actionable Checklist to Succeed with AI Defenses
Start small: Pick one log source (email, Zeek conn.log, EDR events) and one anomaly model.
Make data quality non-negotiable: Normalize timestamps, handle missing values, deduplicate logs.
Calibrate thresholds: Begin conservative, review alerts with humans, then tighten.
Plan for drift: Schedule periodic retraining and compare model performance month-over-month.
Keep it explainable: Prefer simple, interpretable features where possible to speed incident response.
Conclusion and Next Steps (CTA)
AI won’t replace your security instincts—but it will supercharge them. Pick one case study above and run it in a controlled lab: 1) Get the tool installed (apt/dnf/zypper commands included). 2) Point it at real but non-sensitive data (pcaps, test mailboxes, sample directories). 3) Iterate on thresholds and features until the signal is useful. 4) Only then, integrate into production with logging, alerting, and rollback plans.
Have a favorite dataset or a twist on these pipelines? Package your bash/Python glue into a gist or repo and share it with your team. The faster we turn AI experiments into repeatable playbooks, the safer our systems become.