To counter modern cyberattacks, which are increasingly complex, antivirus or simplified solutions are no longer enough. Still, cutting-edge cyber defense technologies such as those based on artificial intelligence must be exploited. Here are the current scenarios and possible technological solutions.
In the world of IT security, we have always witnessed a concurrent evolution in the methods of conducting cyberattacks, increasingly targeted and devastating, and in the ways of cyber defence, which increasingly adopt artificial intelligence solutions to counter such attacks. Now indispensable to ensure the necessary speed of response.
Artificial Intelligence, Between Cyber Defence and Cyber Attack: The Scenario
As with the chicken and the egg, one could argue at length about what was first invented by humanity, whether the idea of attack or the concept of defense. However, it began, history shows us a parallel evolution of defence and data protection on the one hand and a dark and insidious side on the other.
If at the dawn of the first home computers just any antivirus was enough to protect your hardware and your data from unwanted onlookers and the latter often did spying out of pure whim, today the scenario is quite different.
The purpose of viruses since the early 70’s has always been to destroy PCs, steal sensitive data, multiply across networks. The former circulated via floppy disks and needed a host to do their job; then came the worms that could replicate themselves across networks; Trojans followed, able to create backdoors and for the more advanced ability to remotely take control of PCs.
The next evolution was the creation of viruses that spread through macros from other software. In 2000 “ILOVEYOU” appeared, starting from a project for a thesis and applied as an e-mail attachment; a new era began.
From 2000 to today, the spread of the internet, the increase in connection speed and the number of connected devices have created an increasingly wide variety of viruses including ransomware and the famous Cryptolocker. Consequently, it is one of the most critical IT activities: cybersecurity. A quick search on the net allows you to revisit the history of the worst viruses from 1970 to today for those interested.
But viruses are only one of the means used for hacking purposes; the tools to defend themselves today go far beyond simple antivirus even if this remains a fundamental protection component. To cope with the most insidious computer scam techniques, increasingly intelligent software has been developed to detect threats in time to deal with them to limit or altogether avoid damage.
Protection Software, from Antivirus to the Most Advanced Techniques
Hacker attacks are structured, organized, leverage on various aspects such as new vulnerabilities, different social and digital channels to reach the victims.
When the type of attack has evolved, it is essential to detect the threat in a minimum time and at any time of 24 hours, which makes it impossible to entrust such an intensive activity that requires continuous attention to a human being.
The best global security software for a company uses real-time analysis of all network traffic and monitors every user’s activities, every device connected to the network and every element that makes up the network. The detection of a threat occurs in different ways of which we list some without pretending to be exhaustive:
- Detection of the presence of a virus, a classic method that is sometimes not fast and effective enough to contain damage;
- Recognition of spam emails, the most advanced systems are developed using Machine Learning algorithms;
- Recognition of alteration of email messages even if they are not attributable to spam or detection of suspicious attachments not yet identifiable as phishing or containing malware ;
- Detection of abnormal activity within the network such as unusual data transfers, outbound connections made to unique URLs, email attachments that deviate from business normality;
- MAC Address changes, port scan detection, ARP protocol level spoofing detection, DNS spoofing detection.
This shortlist does not exhaust all types of possible scenarios but traces the evolution and innovation in defence techniques that are increasingly based on Machine Learning algorithms and in some cases, also on Deep Learning.
The current speed and computing power allow the execution in good time for several operations sufficient for real-time. Artificial intelligence algorithms on a notebook, which has been possible for a few years, since 2014 they appeared on the market the first software for the protection of a computer system developed with the use of algorithms based on artificial intelligence and able to distinguish regular operation from abnormal behaviour within the system.
Artificial Intelligence and Cyber Defence: Products on the Market and their Evolution
The products available are not listed not to make preferences or wrongs, but market leaders can now offer software systems capable of acting as guardians of a computer system and intervening at the slightest suspicion of threat immediately upon detection.
Such systems can produce false positives and the blocking of a course due to false alarms, but certainly, this is a way of operating that does not leave the necessary time for a cyber attack. The use of ML (Machine Learning) algorithms in “cyber defence” systems marked a turning point in protecting digital infrastructures.
When the attacks are more and more advanced, and due to the volume and complexity there are no longer enough people, the effective response to threats is a system that detects the attack autonomously and blocks it.
Some manufacturers of this software install a pre-trained neural network at the customer and complete the training on-site (training is the technical term).
The exciting thing is that security managers in the enterprise have various tools to investigate, analyze and counter threats. The turning point of cyber attacks did not take long to develop; attacking these “intelligent” systems requires tricks and an equally “intelligent” technology.
Artificial Intelligence and Machine Learning for Security Assessment and Hacking
The same technology based on artificial intelligence is to create cyber defence products can be used to perform vulnerability tests (VAPT) of digital infrastructure and establish a protection system’s overall security degree.
In general, artificial intelligence and machine learning can be used in cyber defence, to create valid “security assessment” tools. Unfortunately, the exact mechanisms are equally useful for the massive gathering of information on victims and planning a state of the art attack.
In machine learning, the “supervised” algorithms allow to detect known threats for which the defence system is previously “trained”; the “training” is performed on a dataset consisting of examples of negative situations and examples of safe conditions.
This provides classifiers that can recognize currently known threats and behaviours of both users and software within a system based on the criteria provided and classified as malicious.
The “unsupervised” algorithms allow the detection of threats that are not known to cope with attacks even an attempt is made to evade the protection system.
The use of these algorithms is not based on examples already correctly classified. Still, it can work on similarity characteristics and identify activities that differ from the computer system’s usual functioning.
- An example of a supervised algorithm for detecting malware is XGBoost which is considered among the most flexible and accurate for many problems handled with ML and is sometimes preferred over more recent algorithms due to its ease of use.
- An example of an unsupervised algorithm widely used for detecting anomalies (outliers) is Isolation Forest. Instead of working on illustrations of normality, it directly isolates anomalous points of a system by identifying potentially threatening actions.
- In some solutions, a “sandbox” is used which on the one hand misleads the attacker, on the other hand, allows dynamic analysis of the malware. Static malware analysis is now hardly applicable due to obfuscation and evasion techniques while dynamic analysis, i.e. with the malware running, can be successfully performed in the sandbox.
- After a sufficient period, some cyber defence software allows studying the historical series of detected events.
- In the most technologically advanced products, we arrive at the use of Deep Learning models, based on neural networks, to recognize in real-time known threats and strange activities of a suspicious nature that may constitute new threats.
Seen from this point of view seems like an endless game of “cops and robbers” where there is a continuous run-up to the best way to defend oneself and the more innovative way to evade a defender.
Here are some attack techniques, always without pretending to be exhaustive and underlining that they are not secret and you can find references online.
- The ML can be used for the massive collection of information on companies and their employees, partners, customers, suppliers; all these can become the victim of the attack even if the target company is the most targeted. The information can be searched on social networks and collected with crawling and scraping software; gathering information about the victim is a preliminary step in the strategy. It provides the essential elements on which to develop a subsequent plan.
- Social posts about the victim, emails and voice messages can be used to train systems that reproduce the writing style and voice of a person and then create very real and ever closer spam and phishing campaigns to the originals.
- Markov chains are very effective in generating fake texts.
- Other methods of mimicking writing style and voice are neural networks, particularly GANs (Generative Adversarial Networks). These are also useful for generating evasive malware and ransomware that adapt to the defence system and are increasingly invisible.
- Steganography, a technique of inserting hidden contents into a media that acts as a container, can be used to hide malicious codes in apparently harmless images and documents; the activation of the contents occurs later following a specific action of the victim.
- Even the CAPTCHA of a web page can be bypassed: the screen is captured as an image, and a neural network recognizes the field’s presence and the related encoding to be entered.
Many of the techniques described and others can be combined to architect and conduct structured attacks, coordinated and guided by suitably parameterized “bots”; the use of artificial intelligence is facilitated by the computing power available at low cost.
By now the complexity, volume and speed of conducting a cyber attack are such that they cannot be countered with a simple antivirus or with simplified and small-scale solutions, both for the need for continuous updates and for the possibility of consistently exploiting innovative technologies. Vanguard.
Even without relying on market leaders, it is essential that a company or an entity, both private and public, choose a cyber defence solution developed using the most modern technologies, based on artificial intelligence algorithms and above all that is continuously updated.
Simultaneously, every entity that operates with computer systems should have a vulnerability analysis (VAPT) performed; this activity is usually performed with the same attack tools or similar but with the pure purpose of discovering vulnerabilities and reinforcing the protections.
In the continuous race between cyber attack and defence, the weak point that cannot correct with Artificial Intelligence algorithms is the human factor that must be adequately trained.
Human intelligence must always be vigilant even in the presence of the most sophisticated cyber defence software.