Posted on
Artificial Intelligence

Artificial Intelligence Cybersecurity Case Studies

Author
  • User
    linuxbash
    Posts by this author
    Posts by this author

Artificial Intelligence Cybersecurity Case Studies (for Linux/Bash Users)

When the pager goes off at 03:14 and a file server starts encrypting itself, seconds matter. AI can give Linux admins and security engineers a head start—surfacing anomalies, ranking alerts, and cutting through noise. This post walks through practical, bash-friendly case studies where AI added real defensive value, with step-by-step commands you can run on a Linux box. You’ll get the “why,” the “how,” and concrete examples you can adapt immediately.

Why AI for Cybersecurity is Worth Your Time

  • Scale: Modern environments generate log volumes that outpace manual triage. AI sifts signals from terabytes of logs and traffic.

  • Speed: Unsupervised models flag “weird” before signatures exist (useful for zero-days and novel ransomware).

  • Consistency: Models don’t fatigue at 4 a.m.; they enforce the same scrutiny every time.

  • Limits to respect: False positives, model drift, and adversarial inputs are real—so you’ll see how to deploy AI as decision support, not a magic bullet.

What follows: four case studies with ready-to-run Linux commands and minimal Python, plus installation instructions for apt, dnf, and zypper where tools are used.


Case Study 1: AI-Assisted Phishing Detection for Email Triage

Goal: Build a lightweight classifier to score emails as phishing or benign using text features. Useful for SOC inboxes, abuse@ mail, or incident triage queues.

Tools:

  • Python 3 with scikit-learn, pandas, numpy

Install:

  • apt:

    sudo apt update && sudo apt install -y python3 python3-pip
    python3 -m pip install --user scikit-learn pandas numpy beautifulsoup4 tldextract
    
  • dnf:

    sudo dnf install -y python3 python3-pip
    python3 -m pip install --user scikit-learn pandas numpy beautifulsoup4 tldextract
    
  • zypper:

    sudo zypper install -y python3 python3-pip
    python3 -m pip install --user scikit-learn pandas numpy beautifulsoup4 tldextract
    

Minimal demo (train + predict) you can paste into a terminal:

python3 - <<'PY'
import re, sys
import numpy as np
from bs4 import BeautifulSoup
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.linear_model import LogisticRegression

# Tiny toy dataset: replace with your labeled CSV later
train_subjects = [
  "Reset your password immediately",
  "Invoice attached",
  "Team lunch next week",
  "Unusual login attempt detected",
]
train_bodies = [
  "Click here to reset: http://bad.example/",
  "Please review invoice: https://vendor.example/inv.pdf",
  "Menu options for Friday lunch",
  "We blocked a login; verify now: http://phish.example/verify",
]
train_labels = [1, 0, 0, 1]  # 1 = phishing, 0 = benign

def clean_html(text):
    return BeautifulSoup(text, "html.parser").get_text(" ")

X_text = [s + " " + clean_html(b) for s, b in zip(train_subjects, train_bodies)]
vec = TfidfVectorizer(ngram_range=(1,2), min_df=1, stop_words='english')
X = vec.fit_transform(X_text)

clf = LogisticRegression(max_iter=500)
clf.fit(X, train_labels)

# Score new samples passed via stdin or defaults
samples = sys.stdin.read().strip().split("\n\n")
if not samples or samples == ['']:
    samples = [
      "Subject: Action required\nBody: Verify account at http://login-verify.co",
      "Subject: Daily report\nBody: Attached is your routine metrics report."
    ]

def prep(sample):
    subj, body = "", ""
    for line in sample.splitlines():
        if line.lower().startswith("subject:"):
            subj = line.split(":",1)[1]
        elif line.lower().startswith("body:"):
            body = line.split(":",1)[1]
    return (subj + " " + clean_html(body)).strip()

X_new = vec.transform([prep(s) for s in samples])
probs = clf.predict_proba(X_new)[:,1]
for s, p in zip(samples, probs):
    verdict = "PHISH" if p >= 0.7 else ("SUSPICIOUS" if p >= 0.4 else "BENIGN")
    print(f"{verdict}\t{p:.2f}\t{s.splitlines()[0]}")
PY

How to use:

  • Pipe samples from your intake mailbox or a file for spot checks.

  • Replace the toy dataset with your labeled email dataset to train a better model.

  • Integrate into a mail gateway quarantine workflow as a second-opinion scorer.

Notes:

  • Expect false positives; calibrate thresholds.

  • Periodically retrain—attackers change templates frequently.


Case Study 2: Network Anomaly Detection on Zeek Logs (Isolation Forest)

Goal: Find unusual flows that deviate from normal behavior—handy for spotting exfiltration, lateral movement, or beaconing.

Tools:

  • Zeek (NIDS) to produce connection logs

  • Python 3 with scikit-learn, pandas

Install Zeek:

  • apt:

    sudo apt update && sudo apt install -y zeek python3 python3-pip
    python3 -m pip install --user pandas scikit-learn
    
  • dnf:

    sudo dnf install -y zeek python3 python3-pip
    python3 -m pip install --user pandas scikit-learn
    
  • zypper:

    sudo zypper install -y zeek python3 python3-pip
    python3 -m pip install --user pandas scikit-learn
    

Generate logs from an interface or a pcap:

# From live interface (adjust -i)
sudo zeek -i eth0

# Or from a pcap
zeek -r sample.pcap conn

Score anomalies from conn.log:

python3 - <<'PY'
import pandas as pd
import numpy as np
from sklearn.ensemble import IsolationForest
from pathlib import Path

log = Path("conn.log")
if not log.exists():
    raise SystemExit("conn.log not found. Run Zeek first.")

# Zeek conn.log is TSV with '#' comments; parse minimal fields
rows = []
with open(log, "r", errors="ignore") as f:
    cols = []
    for line in f:
        if line.startswith("#fields"):
            cols = line.strip().split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.strip().split("\t")
            if len(parts) != len(cols): 
                continue
            rows.append(dict(zip(cols, parts)))

df = pd.DataFrame(rows)
for c in ["duration","orig_bytes","resp_bytes"]:
    if c in df.columns:
        df[c] = pd.to_numeric(df[c], errors="coerce").fillna(0.0)
    else:
        df[c] = 0.0

# Simple feature set; extend as needed
feat = df[["duration","orig_bytes","resp_bytes"]].astype(float).values
iso = IsolationForest(n_estimators=200, contamination=0.01, random_state=42)
scores = iso.fit_predict(feat)  # -1 = anomaly
df["_anomaly"] = scores

suspicious = df[df["_anomaly"] == -1].copy()
out_cols = [c for c in ["ts","id.orig_h","id.resp_h","id.resp_p","proto","duration","orig_bytes","resp_bytes"] if c in df.columns]
print("Top anomalies:")
print(suspicious[out_cols].head(20).to_string(index=False))
PY

Tips:

  • Tune contamination to your environment (e.g., 0.005–0.02).

  • Feed labeled anomalies back into a supervised model for improved accuracy over time.


Case Study 3: Faster Malware Triage with YARA + ClamAV + Simple ML Ranking

Goal: Use signatures to detect known threats, then apply a tiny ML ranker to prioritize which hits deserve immediate attention.

Tools:

  • YARA for rule matching

  • ClamAV for AV signatures

  • Python 3 for simple scoring

Install:

  • apt:

    sudo apt update && sudo apt install -y yara clamav python3 python3-pip
    sudo freshclam || true
    python3 -m pip install --user pandas scikit-learn
    
  • dnf:

    sudo dnf install -y yara clamav python3 python3-pip
    sudo freshclam || true
    python3 -m pip install --user pandas scikit-learn
    
  • zypper:

    sudo zypper install -y yara clamav python3 python3-pip
    sudo freshclam || true
    python3 -m pip install --user pandas scikit-learn
    

Run scans:

# ClamAV (recursive)
clamscan -r /path/to/samples | tee clamscan.out

# YARA (recursive) with your rules
# Example: rules in ./rules/index.yar
yara -r ./rules/index.yar /path/to/samples | tee yara.out

Rank hits with a simple heuristic model:

python3 - <<'PY'
import re, sys
from collections import defaultdict

clam = defaultdict(int)
with open("clamscan.out","r",errors="ignore") as f:
    for line in f:
        if ": " in line and "FOUND" in line:
            path = line.split(": ",1)[0]
            clam[path] = 1

yara_hits = defaultdict(list)
with open("yara.out","r",errors="ignore") as f:
    for line in f:
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            rule, rest = parts
            # rest often contains the file path after a space
            m = re.search(r"\s(/.*)$", line.strip())
            if m:
                yara_hits[m.group(1)].append(rule)

def score(path):
    # Simple explainable scoring:
    # +0.6 if AV hit, +0.1 per YARA rule, capped at 1.0
    s = 0.6*clam[path] + min(0.4, 0.1*len(yara_hits[path]))
    return round(min(1.0, s), 2)

rows = []
for path in set(list(clam.keys()) + list(yara_hits.keys())):
    rows.append((score(path), path, clam[path], ",".join(yara_hits[path])))

for s, path, av, rules in sorted(rows, key=lambda x: -x[0])[:30]:
    verdict = "HIGH" if s >= 0.8 else ("MEDIUM" if s >= 0.5 else "LOW")
    print(f"{verdict}\tscore={s}\tAV={av}\tYARA={rules}\t{path}")
PY

Notes:

  • This is deliberately simple and explainable—ideal for first-pass prioritization.

  • Keep YARA rules up to date; segment rules into families to improve triage context.


Case Study 4: Ransomware Early Warning via inotify + One-Class Modeling

Goal: Detect rapid, unusual spikes in file modifications that may indicate ransomware behavior.

Tools:

  • inotify-tools for filesystem events

  • auditd (audit) optional for broader system monitoring

  • Python 3 with scikit-learn

Install:

  • apt:

    sudo apt update && sudo apt install -y inotify-tools auditd python3 python3-pip
    python3 -m pip install --user scikit-learn
    
  • dnf:

    sudo dnf install -y inotify-tools audit python3 python3-pip
    sudo systemctl enable --now auditd
    python3 -m pip install --user scikit-learn
    
  • zypper:

    sudo zypper install -y inotify-tools audit python3 python3-pip
    sudo systemctl enable --now auditd
    python3 -m pip install --user scikit-learn
    

Stream change events from a watched directory:

# Replace /data with your high-value directory (ideally in a lab first)
inotifywait -m -r -e create,modify,move,delete --format '%T %e %w%f' --timefmt '%s' /data \
| python3 - <<'PY'
import sys, time, collections
from statistics import mean, pstdev
from sklearn.svm import OneClassSVM

# Aggregate events per second, learn baseline, then alert on spikes
bucket = collections.Counter()
baseline = []
learn_seconds = 60  # learn normal for 1 minute
model = None
last_ts = None

def fit_model(counts):
    X = [[c] for c in counts]
    oc = OneClassSVM(gamma='scale', nu=0.05)  # ~5% outliers
    oc.fit(X)
    return oc

start = time.time()
for line in sys.stdin:
    try:
        ts_s, ev, path = line.strip().split(None, 2)
        ts = int(ts_s)
    except ValueError:
        continue
    bucket[ts] += 1

    # Once per second, evaluate the last second
    if last_ts is None:
        last_ts = ts
    if ts != last_ts:
        count = bucket[last_ts]
        if time.time() - start < learn_seconds:
            baseline.append(count)
            if len(baseline) >= 10:
                model = fit_model(baseline)
            print(f"LEARN\t{last_ts}\t{count}")
        else:
            if not model and len(baseline) >= 10:
                model = fit_model(baseline)
            if model:
                pred = model.predict([[count]])[0]  # -1 = anomaly
                status = "ALERT" if pred == -1 else "OK"
                print(f"{status}\t{last_ts}\tchanges={count}")
        last_ts = ts
PY

Tips:

  • Point the watcher at honeypot folders to reduce noise.

  • Combine with file extensions entropy/rename heuristics for better precision.

  • Use systemd to run the pipeline and syslog for alerts.


Actionable Checklist to Succeed with AI Defenses

  • Start small: Pick one log source (email, Zeek conn.log, EDR events) and one anomaly model.

  • Make data quality non-negotiable: Normalize timestamps, handle missing values, deduplicate logs.

  • Calibrate thresholds: Begin conservative, review alerts with humans, then tighten.

  • Plan for drift: Schedule periodic retraining and compare model performance month-over-month.

  • Keep it explainable: Prefer simple, interpretable features where possible to speed incident response.


Conclusion and Next Steps (CTA)

AI won’t replace your security instincts—but it will supercharge them. Pick one case study above and run it in a controlled lab: 1) Get the tool installed (apt/dnf/zypper commands included). 2) Point it at real but non-sensitive data (pcaps, test mailboxes, sample directories). 3) Iterate on thresholds and features until the signal is useful. 4) Only then, integrate into production with logging, alerting, and rollback plans.

Have a favorite dataset or a twist on these pipelines? Package your bash/Python glue into a gist or repo and share it with your team. The faster we turn AI experiments into repeatable playbooks, the safer our systems become.