chat
expand_more

How Abnormal Security Leverages NLP to Thwart Cyberattacks

Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
July 16, 2024

With the emergence of new technology like generative artificial intelligence (Gen AI), cyber threats are growing more sophisticated and more challenging to detect. Traditional security measures often fall short in defending against these advanced attacks. In response, AI is being harnessed for good—utilizing tools like natural language processing (NLP) to revolutionize the cybersecurity landscape.

At Abnormal Security, we harness this technology to provide our customers with robust email protection. By analyzing the vast amounts of text data within emails and other communications, the Abnormal platform can identify subtle signs of malicious intent that might otherwise go unnoticed. Here we’ll dive deeper into how we use NLP to detect small nuances in language and defend against even the most sophisticated threats.

Harnessing the Power of NLP for Threat Detection

NLP plays a pivotal role in modern cybersecurity by enhancing the ability to detect and mitigate sophisticated threats. Abnormal leverages advanced NLP techniques like sentiment analysis and context understanding to uncover phishing attempts, fraudulent communications, and other forms of cyberattacks. Let’s dive into some of these concepts to explain how they work.

Tokenization: The Building Block of Text Understanding

One critical aspect of text understanding is tokenization. Over the past few years, computers have significantly advanced in their ability to understand text. This progress is evident to anyone who has used search engines or AI chatbots. However, it’s important to recognize that computers inherently understand numbers—not text. Therefore, when we input text into a computer, we must represent it numerically.

Tokenization is the process of breaking down text into smaller chunks and assigning numerical values to these chunks. For example, the phrase "click here" can be tokenized as a single phrase, as a list of 11 characters, or as a list of two words. The chosen method of tokenization can significantly impact how the computer processes and understands the text.

If an attacker knows that a system uses word-level tokenization (one token per word), they can exploit this by misspelling words. For example, adding an extra "K" to "click" to form "clickk" can disrupt word-level tokenization but not character-level tokenization. At Abnormal, we employ a defense-in-depth approach by deploying multiple models with different tokenization strategies. For example, we maintain models that use each character-level, subword-level, and phrase-level tokenization. This ensures that if an attacker manipulates input to break one tokenizer, a model using a different tokenizer will still catch the malicious text.

MKT622 NLP Blog

Spotting Malicious Text Signals

Abnormal also utilizes neural networks to analyze all text fields in email messages, including the body, header, attachments, and links. One popular architecture for text models is the transformer, which powers models like BERT, LLaMA, and GPT-4. Transformers connect each word in the text to every other word, allowing them to understand long and complex texts. However, this also makes them slow, due to the numerous connections they need to maintain.

An alternative text model that we use at Abnormal is the Convolutional Neural Network (CNN). This model is extremely efficient at processing short sequences of text. Unlike the transformer, the CNN forces words that are close together in the text, such as words in the same or adjacent sentences, to be relevant to each other. This simple assumption makes the model much faster to run. At Abnormal, we run CNNs on every message we process, which enables us to better spot malicious text and optimally defend our customers.

MKT622 NLP Blog AI Innovation Updates 5

Adapting Text Models to Evolving Attacker Tactics

Cybercriminals are continually evolving their strategies, often using ‌email text as the initial (but not only) attack vector. For example, in callback phishing messages, attackers urge victims to call a phone number by sending fake purchase confirmations. Attackers may change the brands they impersonate, the structure of fake receipts, the presentation of phone numbers, or the placement of malicious text, but the objective remains the same: to get someone on the phone.

MKT622 NLP Blog AI Innovation Updates 4 1

Abnormal combats these tactics by designing our system to run text models on all text extracted from any part of a message—even if the words themselves aren’t inherently malicious. This comprehensive approach ensures there are no structural bottlenecks in recognizing malicious text. Additionally, we automatically retrain our text models with every message processed. Inbound messages, user-reported submissions, and Detection 360 customer reports all contribute to updates in the neural network models. This continuous retraining keeps the models up-to-date with the latest attack patterns, enhancing our ability to protect customers in a dynamic threat landscape. Abnormal also uses advanced AI to parse and analyze text within images and attachments, detecting hidden threats that traditional security measures might miss. This capability enhances the overall security posture by identifying malicious content embedded in various file formats, ensuring comprehensive protection against sophisticated cyberattacks.

An Abnormal Commitment to Customer Protection

In an era where cyber threats are becoming increasingly sophisticated, the role of NLP in cybersecurity cannot be overstated. Ultimately, Abnormal's commitment to leveraging this technology translates to better protection for our customers. The use of multiple tokenization strategies, efficient text analysis models, and adaptive learning processes work together to create a key component of formidable defense against sophisticated cyberattacks. By continuously innovating and refining our techniques, Abnormal stays one step ahead of attackers, providing our customers with peace of mind and robust security.

Interested in learning more about how Abnormal can protect your organization with NLP? Schedule a demo today!

Schedule a Demo
How Abnormal Security Leverages NLP to Thwart Cyberattacks

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story F500 Insurance Provider
A Fortune 500 insurance provider blocked 6,454 missed attacks and saved 341 SOC hours per month by adding Abnormal to address gaps left by Proofpoint.
Read More
B Malicious AI Platforms Blog
What happened to WormGPT? Discover how AI tools like WormGPT changed cybercrime, why they vanished, and what cybercriminals are using now.
Read More
B MKT748 Open Graph Images for Cyber Savvy 7
Explore insights from Brian Markham, CISO at EAB, as he discusses cybersecurity challenges, building trust in education, adapting to AI threats, and his goals for the future. Learn how he and his team are working to make education smarter while prioritizing data security.
Read More
B Manufacturing Industry Attack Trends Blog
New data shows a surge in advanced email attacks on manufacturing organizations. Explore our research on this alarming trend.
Read More
B Dropbox Open Enrollment Attack Blog
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
Read More
B AISOC
Discover how AI is transforming security operation centers by reducing noise, enhancing clarity, and empowering analysts with enriched data for faster threat detection and response.
Read More