Malware-free cyber attacks are on the rise and artificial intelligence in cyber security is still far from replacing humans, according to a large poll of cyber security researchers conducted by security firm Carbon Black.

Non-malware attacks pose a greater risk to business than commodity malware, according to 93% of more than 400 cyber security researchers polled.

Nearly two-thirds of respondents said they had seen an increase in non-malware attacks since the beginning of 2016, according to the research report.

These non-malware attacks are increasingly using native system tools, such as Microsoft’s Windows PowerShell, to conduct nefarious actions, researchers reported.

Some researchers believe non-malware attacks will become so widespread, targetting even the smallest businesses that many users will become familiar with them.

The survey also revealed that 87% of cyber security researchers do not yet trust artificial intelligence (AI) and machine learning (ML) to replace human decision making in security.

Some 87% of the researchers said it was likely to take at least three more years of refinement before AI could be trusted to lead cyber security decisions.

Three-quarters said AI-driven cyber security solutions were still flawed, while 70% said security systems driven by machine learning (ML) could be bypassed by attackers. Nearly a third said attackers could “easily” bypass ML-driven security.

Cyber security talent, resourcing and trust in executives continue to be top challenges plaguing many businesses, the research report said.

“Based on how researchers perceive current AI-driven security solutions, cyber security is still very much a ‘human vs human’ battle, even with the increased levels of automation seen on both the offensive and defensive sides of the battlefield,” said Michael Viscuso, Carbon Black co-founder and CTO.

“The fault with machine learning exists in how much emphasis organisations may be placing on it and how they are using it,” he said.

While static, analysis-based approaches relying exclusively on files have historically been popular, Viscuso said they had not proven sufficient for reliably detecting new attacks. “Rather, the most resilient ML approaches involve dynamic analysis, which evaluates programs based on the actions they take.”

The research findings have come as a surprise to some analytics firms.

Jennifer Roubaud, UK country manager for the all-in-one advanced analytics platform Data-Iku, said in their experience leveraging machine learning for cyber protection had led to better fraud detection rates in every case.

“I’m surprised they’re saying it’s still safer to use humans,” she said.

“The idea of using machine learning is scary for a lot of people. But we believe machine learning is not going to reduce the need for data scientists.”