Note: This is an edited version of an article I wrote for RT Insights.
I’m convinced we are entering the Golden Age of artificial intelligence (AI); with so much promise and potential in front of us, I am feeling a little like Neo in The Matrix as he swallows the red pill. (Alert: more Matrix analogies ahead.)
However, rather than science fiction, my recent work at FICO to make AI better has drawn upon my background in theoretical physics to create what we call defensive AI. This is needed, because AI-based attacks are not science fiction — they are happening today.
Why We Need Defensive AI
Businesses have relied on AI to fight fraud and financial crime for more than 25 years. Before these neural network defenders came along, banks used rule-based systems to try to prevent fraud.
Today, AI is considered “superhuman” at executing certain tasks, fraud detection being one of them. Criminals have had a harder time testing and understanding the complex inter-relationships between all the data elements that the anti-fraud neural networks combine, compared to the fraud rules they used to test and then evade.
But fraudsters, like New York City, never sleep. As business and society, overall, become more and more dependent on AI, we must assume that criminals will want to reproduce the AI models. Once learned, criminals find the secret paths to commit fraud without detection, based on the unique behaviors of the AI system.
To find those paths, fraudsters are again testing and attacking, targeting the bank’s AI defenders with their own offensive AI systems. But now, instead of trying to figure out the thresholds that would trigger an anti-fraud rule set to stop the transaction—such as a new grocery store, for an amount greater than $250 dollars, between the hours of 3-6 p.m.—the attackers are trying to learn the AI model.
If the attackers can learn the AI defender and how it responds, they have the ability to anticipate its move, like a fight scene from The Matrix. The attacker will learn the model and determine what they can get away with. The fraudster could then run millions of transaction perturbations in a cloud testing environment, find those that look the most likely to succeed, and launch attacks based on expert, learned knowledge of the likely AI system.
We’ve long understood this risk. As such, FICO models incorporate adaptive components that adjust scores, making it harder for offensive AI systems to learn the neural network response.
How Fraudsters Create an AI Attack Model
Criminals can learn the AI we rely on by directing fake test data at banks’ AI systems. They could get access by pretending to be a new merchant, and/or by compromising a merchant system to gain access to a payments channel, as well as banks’ testing and governance partitions.
Criminals may even try to steal the AI models outright through cyber breaches. If stolen, these obfuscated and encrypted models may still respond to testing transactions.
Once they have access to the defender AI, fraudsters would likely send batches of testing transactions, millions at a time. The criminals would get a fraud score for each transaction and attempt to map out likely transaction sequences, monitoring the behaviors of the model.
In other words, using AI of their own, criminals can create an AI model to produce the same score response to their testing. This is the offensive AI model, constrained by the quality and effectiveness of the criminals’ testing and the volume of testing transactions.
With their offensive AI tech nailed down, the criminals could steal expertly, working to circumvent the bank’s AI model response with unique transactions that the bank’s anti-fraud system might have not been seen before. Banks that depend on anti-fraud AI systems need to keep them protected, and monitor data streams that may be pointed at the model to ensure that they are legitimate.
But what can the AI do itself to prevent being learned? This is defensive AI, and FICO has recently applied for a patent for this technique.
Defensive AI Outsmarts Criminals
Defensive AI models selectively deceive or return incorrect outputs, if the models believes they are being monitored. They might return scores that are backwards, or create patterns that make the adversary modeling data set inaccurate and consequently the attacker’s AI less effective. Clever score responses could even guide the defensive AI to create artificial patterns in a learned offensive AI, making the criminal’s use of the offensive AI model easier for the bank to detect.
The defensive AI system could also bias the responses for the attacker AI to be misled, to generate data of a particular form. For example, the AI may decide it will give much reduced (non-fraud) scores to the attacker’s test data for electronic purchases between $300-$500. Later, in production, the defensive AI system can determine if the attacker took the bait, and then rapidly isolate the new transactions of this behavior and the sources, to turn over to law enforcement.
Just Like Neo
Defensive AI thwarts criminals’ attempts to measure it. As such, criminals and their AI will find it much harder to determine which responses from defensive reactions are legitimate. The criminals will wonder, “Is it real, or is it The Matrix?”
I’m going to catch up with my old friend Neo now, on Netflix. Send me your favorite Matrix moments on Twitter, where I’m @ScottZoldi.