Feb 2
A Brief Study on the Applications of Deep Learning in the Field of Information Security.
With the tremendous advancement and increase in dependability on the IT sector after the invention of the commercial computer, internet and the cloud, the need for securing our sensitive data online is a matter of prime concern. Due to the availability of cheap internet and mobile devices, the number of internet users has risen exponentially in the last ten years. This has led to tremendous strain on traditional rule-based security engines. That is where Deep Learning algorithms come in. Deep Learning, a subset of Machine Learning, emulates human intelligence to a certain extent by employing extensive/multiple layers of artificial neurons forming a neural network model. This model can be used to learn extensive historical patterns and behaviour of legitimate entities on the network, and then making intelligent decisions/predictions, hence preventing unauthorized access, external attacks. We will study the types of cyber security attacks, some Deep Learning models that can be deployed in such scenarios and some challenges faced in this field as well.
Simple Assessment Methodology:
Types of Attacks
These are eavesdropping attacks where attackers try to establish a new connection between an already existing connection. Then the attacker proceeds to receive all the information through their system, which the original user is communicating to the cloud/internet, without the user’s knowledge. This is a prime example of a passive attack. The attacker can use this information for their own nefarious purposes.
Possible points of entry for such attackers are:
- Unsecure connections like public Wi-Fi networks.
2. Malware, once installed on a device, can provide gateway to the attacker to gain all the information.
Type of Attacks
Denial-of-service attack(DDoS)
In this kind of attack, the attacker floods the server with bots/multiple connections/requests, and it becomes impossible for the server to parse so many requests and as a result the server usually crashes. It is called denial of service because due to the server being overwhelmed, all the legitimate connections and requests are also not able to go through. To execute this attack, the attacker can employ botnet, which is a network of devices that has already been infected by some virus and can be used without the knowledge of the device owners to flood the target servers.
Malware
Malware, short for malicious software, includes a large host of dangerous entities like spywares, ransomware, viruses, worms and trojan horses. Malware usually installs on a device through network vulnerabilities (unsecured websites, emails) or through human error. Once installed, a malware can cause a lot of problems based on its design and purpose:
1. Makes certain parts of the network pay-to-unlock which was free before(ransomware)
2. Allow other malwares to automatically install on the system.
3. Can corrupt storage disks or boot sectors, rendering the system useless.
4. Collect private and day-to-day information in the background (like key taps) and send it to external sources (spyware).
Phishing
Luring unsuspecting users through lucrative, too good to be true and seemingly legitimate schemes/offers, usually sent through emails or phony websites, is called phishing. The perpetrator’s aim can vary but the most common reason is to gain personal information, especially payment information (most of these emails are money scams). Phishing is one of the most common cyber security issues.
SQL injection
This type of attack occurs on websites using the Structured Query Language (SQL) on their server and having poor filtration of the information submitted through their websites.
The attacker can simply submit the malicious code through the website and the code infects the whole server, allowing the attacker complete access to the server by opening up some vulnerabilities.
Zero-day exploit
This is a time sensitive attack. It usually occurs in the time period between the announcement of a security vulnerability in a system and the release of the security patch/solution that fixes it.
There are many approach and solutions available in the market since long time which mainly can be categorised in two parts.
Traditional Security Algorithms which is mainly Rule based engine.
1.It is very efficient and suitable in performing the usual and basic checks to authenticate users.
2.But sometimes, usually in banking portals or government portals, it is brought down by a high false-positive rate or not having enough sensitivity to fruitfully block unauthorized login attempts.
3.A rule-based engine can’t profile/reason the attacks, correlate and record their histories, to catch similar patterns in future.
4.It can’t tell if a single failed login attempt is a part of a group of attacks or just an individual event, hence, degree of seriousness of threat can’t be assessed.
5.It can’t put attacks or genuine attempts in their respective contexts (some legitimate user might use different computers to try and enter, or may have mistyped password many times unknowingly, if an attacker will continue or not, can’t check for main reason of attacks like data leakage).
AI Model based on previous type of attacks.
There are many ML algorithms available now which can be used not only to prevent attacks but also would learn itself. We will discuss some of the techniques here and in next part of this series where we will see more on modeling technique for preventing attacks.
Clustering Algorithms
It is one of the best ways to contextualize/eliminate the various attacks a system faces when using traditional rule-based engine.
The clustering algorithm groups together the various access attempts (credentials) based on known parameters like: same IP address cluster, same username cluster, same hashed password cluster.
This way the system starts to analyze the clusters and learn from the past, blocking known clusters of malicious Ips or bot usernames and allowing access to legitimate users swiftly.
It can also help identify source or reason of attack, like data leakage etc.
Single Convolutional Neural Network (CNN)
This model is usually used in deep security attack detection method, and it is trained using supervised method for security image recognition (usually in ninth hidden layer). Performance is improved by using features like fusion (of features), biased feature learning, loss function construction etc.
In complex systems, multiple CNNs can be used to combine the extracted features from a large number of environmental sources.
Recurrent Neural Network (RNN) and Bidirectional RNN
The difference between CNN and RNN is that RNN has a path from output layer back to the hidden layer(s) , essentially forming and activating a feedback loop. This looping structure makes it excellent for receiving and analyzing a stream of data (time related flow of information), like speech, hence, making it a solid choice for natural language processing (audio/video based security systems).
Bidirectional RNN adds extra features to the RNN, hence increasing its usability (bidirectional RNN can take from past and future stream of data).
Another model based on RNN is Long Short Term Memory (LSTM), to deal with the vanishing gradient problem in neural networks (as neural network adds more layers having activation functions (like sigmoid function) and becomes more complex, the gradient of loss function (determines error/loss in model) tend to zero, which makes the network very difficult to train)
Some real-world examples are tabulated below:
I have tried to cover various type of attacks that usually occur in the cyber system and highlighted the various ways in which the current Rule-based security engines are unable to cope up with the rising popularity of the cloud/internet. Some light was shed on some Deep Learning models that can be deployed to drastically improve the security/accessibility of the entities on the internet and cloud. Corruptibility of the Deep Learning models was also signified by showing the advanced challenges faced by these models today.
Only by striking the perfect balance between traditional security methods, newer intelligent methods and awareness on the part of the user, can we build a really well performing cybersecurity system.
next we will go more on how model can be created to prevent the attacks.
References
1.Dixit, P. (2020), Deep Learning Algorithms for Cybersecurity Applications: A Technological and Status Review, Computer Science Review 39
2.Armbrust Michael, Fox Armando, Griffith Rean, Joseph Anthon D., Katz Randy, Konwinski Andy, Lee Gunho, et al.
A view of cloud computing
Commun. ACM, 53 (4) (2010), pp. 50–58
3. Chen M., Mao S., Liu Y.
Big data: A survey
Mob. Netw. Appl., 19 (2) (2014), pp. 171–209
4.Deep Learning, IBM Research Publications.
5.Paar, C. (2012), Understanding Cryptography, Springer Science + Business Media
