Machine learning, defined as “the ability of a computer to learn on its own without being explicitly programmed,” is a concept that has significant implications for the information security industry. It has the potential to be helpful to security analysts, from analyzing malicious codes and logs to early detection and correction of vulnerabilities. It also improves endpoint security, automates repetitive tasks, and reduces the likelihood of attacks that lead to data exfiltration.
It leads to the belief that these intelligent security solutions with machine learning will detect and stop the next-generation WannaCry attacks much faster than traditional legacy tools. Jack Gold, president, and chief analyst at J.Gold Associates, said in a recent interview with Awake! “It’s still in its infancy, but it’s definitely a road ahead. Artificial intelligence and machine learning are going to make a big difference in security will,” he said.
“With the explosion of fast-moving data and apps, there is virtually no other way to secure it other than through an automated system that uses AI to analyze network traffic and user interactions,” Gold asserts. The problem is that hackers know this too, and they’re going to build AI and machine learning tools for hacking.
How cybercriminals are using machine learning
Criminals who are more organized and offer a broader range of services on the dark web innovate at a rate that security defenders can’t keep up with. Given the potential of technologies such as machine learning and deep learning, this is an area of great concern.
“Even if technologies like machine learning, deep learning and AI are the cornerstones of future cyber defenses, attackers are also busy implementing and innovating these technologies,” said Steve Groveman, McAfee‘s chief technology officer, in a recent press interview. “As we see every time in cybercrime cases, human intelligence amplified through technology will be the deciding factor in the arms race between attackers and defenders.”
Such concerns naturally lead to fear of AI vs. AI confrontation. “This is the first year of AI versus AI in cybersecurity,” said Nick Sabides, Symantec CTO. Attackers can more effectively discover infiltrated networks, and security developers must build more automated and intelligent solutions to counter this.
“Autonomous response is the future of cybersecurity,” said Damer Palmer, technology director at Darktrace, late last year. It is an algorithm that allows normal business activities to continue.”
Although few examples of real-world attacks based on machine learning are known to date, criminal groups are already using some machine learning techniques.
- Malware that is increasingly difficult to catch
The process of creating malicious code by cybercriminals is mostly manual. Write scripts to create computer viruses and Trojan horses, and use auxiliary tools for distribution and execution, such as rootkits and password scrapers.
What if an attacker could speed up this process? How can machine learning help create malware?
The first known case of using machine learning to create malicious code was introduced in a paper titled <Production of Adversary Malware Example for GAN-based Black Box Attack> in 2017. In this report, the researchers disclose how to build a generative adversarial network based on an algorithm that generates a sample of adversarial malware that bypasses machine learning-based detection systems.
Also at the 2017 DEFCON conference, security firm Endgame revealed how it uses Elon Musk’s OpenAI framework to create custom malware that security engines cannot detect. Endgame took a malicious binary and changed some parts. The antivirus engine determined that the code was harmless and trusted.
Meanwhile, some researchers predict that machine learning could ultimately be used to modify code on the fly based on methods and what they detect in the lab. This is an extended form of polymorphic malware.
- Smart botnets for flexible attacks
Fortinet predicts that 2018 will be the year of self-learning ‘hivenets’ and ‘swarmbots’. This projection is essentially driven by the belief that ‘intelligent’ IoT devices can be used to attack vulnerable systems at scale.
“IoT devices communicate with each other and perform tasks based on shared local intelligence,” said Derek Mankey, global security strategist at Fortinet. As Hivenet grows rapidly as a swarm, it will strengthen its ability to simultaneously attack multiple targets and significantly delay mitigation and countermeasures.”
Mankey said these attacks don’t yet use swarm technology. Using swarm technology, Hivenet can autonomously learn from its past behavior. As a subfield of AI, swarm technology is defined as “the collective action of naturally or artificially distributed self-organizing systems” and is already being used in drones and early robotic devices (future fiction, but in some cases Black Mirror). He even hints at the criminal potential of swarm technology in Hated in The Nation, which features thousands of automated bees tampered with for surveillance and physical attack (Editor’s Note).
- Advanced spear-phishing emails getting more sophisticated
One obvious application of adversarial machine learning is the use of algorithms such as text-to-speech, speech recognition, and natural language processing (NLP) for more intelligent social engineering. After all, phishing emails could theoretically become more sophisticated and crafty, as iterative neural networks could already teach such software a writing style.
In particular, machine learning can power intelligent spear-phishing emails that target large-scale targets while automating the entire process. The system can learn from normal emails and make persuasive sentences.
In its 2017 outlook, McAfee Labs says criminals will be able to use machine learning to analyze large amounts of stolen records, identify potential attack targets, and create detailed, contextually detailed emails that effectively attack these individuals.
Also at Black Hat USA 2016, John Seymour and Philip Tully presented a paper titled The Weaponization of Data Science for Social Engineering: Automated E2E Spearfishing on Twitter. This paper presented a neural network training method that repeatedly learns phishing posts targeting a specific user on Twitter. In this paper, the SNAP_R neural network, trained on spearphishing pen testing data, dynamically inputs topics from the targeted user’s timeline posts to increase their clickability.
As a result, the system has shown tremendous effectiveness. In a test with 90 users, the success rate was 30-60%, and the results of manual spear phishing and mass phishing were significantly improved.
- Threat intelligence is going out of control
Arguably, threat intelligence is an area that will benefit when it comes to machine learning. In the age of false positives, machine learning systems can help analysts identify real threats from multiple systems.
Recorded Future co-founder and CTO Stefan Truvet said in a recent white paper, “The application of machine learning provides two benefits in the field of threat intelligence.”
First, processing and structuring huge amounts of data, including analyzing complex relationships, is a problem that is almost impossible to solve with human nature alone. Machine learning can arm itself more effectively than it can by augmenting its skilled workforce and equipment to respond to new threats.
The second is automation. Machine learning can do anything a human can do without problems, and can even scale to much larger data that humans cannot process.
But there is also the belief that criminals will adapt to this introduction. McAfee’s Steve Grobman had previously pointed out that “(machine learning) is a noise-increasing technology.” Hackers can use this technique to create environments that lead to false positives for common machine learning models. When the target recalibrates the system to filter out false information, the attacker can launch a real attack through the machine learning system.
- UNAUTHORIZED ACCESS
Researchers Claudia Cruz, Fernando Wiseda, and Leobardo Reyes published early examples of machine learning for security attacks in 2012.
They used a Support Vector Machine (SVM) to break systems running on reCAPTCHA images, with an accuracy of 82%. Since then, all CAPTCHA mechanisms have improved, but are broken again by researchers who used deep learning to break CAPTCHA. In 2016, an article was published detailing how to break simple captchas with 92% accuracy using deep learning.
Separately, in last year’s “I am Robot” study at Black Hat, researchers uncovered how various machine-learning algorithms can break modern semantic image captchas. The paper claimed to be 98% accurate in breaking Google’s recaptcha.
- Machine Learning Engine Poisoning
A much simpler and more effective way to use machine learning in attacks is to poison the machine learning engine used to detect malware. In the past, it was inefficient because there weren’t many criminals who could tamper with the antivirus engine.
But this method seems simple enough. Machine learning models learn from input data, and when the data pool is poisoned, the output is also poisoned. Researchers at New York University have demonstrated how to operate CNNs as backdoors to yield false (but controlled) results via Convolutional Neural Networks (CNNs) such as Google, Microsoft, and AWS.
For More Articles Visit: Info Cabin
