Deep Learning techniques for Cyber Security

Author: ajit jaokar

 

For the first time, I taught an AI for Cyber Security course at the University of Oxford.

 

I referred to this paper from Johns Hopkins which covered Deep Neural networks for Cyber Security (A Survey of Deep Learning Methods for Cyber Security) – references below where you can download the full paper for free.

 

The paper covers various deep learning algorithms in Cyber Security

I summarise from the paper below, the problems in Cyber Security and the deep neural networks algorithms that can address them

 

Cyber Security problems

Detecting and Classifying Malware: The number and variety of malware attacks are continually increasing, making it more difficult to defend against them using standard methods. DL provides an opportunity to build generalizable models to detect and classify malware autonomously. There are a number of ways to detect malware.

 

Autonomously classifying malware can provide important information about the source and motives of an adversary without requiring analysts to devote significant amounts of time to malware analysis. This is especially important with the number of new malware binaries and malware families growing rapidly. Classification means assigning a class of malware to a given sample, whereas detection only involves detecting malware, without indicating which class of malware it is.

 

Domain Generation Algorithms and Botnet Detection (DGA): DGAs are commonly used malware tools that generate large numbers of domain names that can be used for difficult-to-track communications with C2 servers. The large number of varying domain names makes it difficult to block malicious domains using standard techniques such as blacklisting or sink-holing. DGAs are often used in a variety of cyber-attacks, including spam campaigns, theft of personal data, and implementation of distributed denial-of-service (DDoS) attacks.

 

Drive-By Download Attacks: Attackers often exploit browser vulnerabilities. By exploiting flaws in plugins, an attacker can redirect users away from commonly used websites, to websites where exploit code forces users to download and execute malware. These types of attacks are called drive-by download attacks.

 

Network Intrusion Detection: Network intrusion detection systems are essential for ensuring the security of a network from various types of security breaches. A number of machine learning and deep learning algorithms are used in network detection.

 

File Type Identification: Generally, humans are not very effective at identifying data that is being exfiltrated once it has been encrypted. Signature-based approaches are similarly unsuccessful at this task. Therefore, a number of ML/DL techniques can be applied to detect file types

 

Network Traffic Identification: A set of techniques used to detect network level protocol types.

 

SPAM Identification: ML and DL algorithms used to detect SPAM

 

Insider Threat Detection: One of the major cyber security challenges today is insider threat, which results in the theft of information or the sabotaging of systems. The motivations and behaviors of insider threats vary widely; however, the damage that insiders can inflict is significant. A number of ML and DL algorithms are used in the detection of insider threats.

 

 Border Gateway Protocol Anomaly Detection: The Border Gateway Protocol (BGP) is an internet protocol that allows for the exchange of routing and reachability information among autonomous systems. This capability is essential to the functioning of the internet, and exploitation of BGP flaws can result in DDoS attacks, sniffing, rerouting, theft of network topology data, etc. It is therefore essential to identify anomalous BGP events in real time to mitigate any potential damages.

 

Verification If Keystrokes Were Typed by a Human: Keystroke dynamics is a biometric technique that collects the timing information of each keystroke – this information can be used to identify people or anomalous patterns.

 

User Authentication: The ability to detect users based on various signals – behavioral and physiological features based on their  activity patterns

 

False Data Injection Attack Detection: Cyber-physical systems play an important role in critical infrastructure systems, because of their relationship to the smart grid. Smart grids leverage cyber-physical systems to provide services with high reliability and efficiency, with a focus on consumer needs. These smart grids are capable of adapting to power demands in real time, allowing for an increase in functionality. However, these devices rely on information technology, and that technology is susceptible to cyber-attack. One such attack is false data injection (FDI), whereby false information is injected into the network to reduce its functionality or even break it entirely.

 

 

Deep learning detection techniques

The following techniques are used to address Cyber Security problems as per the paper

 

Autoencoders

Malware Detection

Malware Classification

Intrusion Detection

Autoencoder Intrusion Detection (IoT)

File Type Identification

Network Traffic Identification

Spam identification

Impersonation Attacks

User Authentication

 

CNN

Malware detection

Drive-by Download Attack

Malware Detection

Intrusion Detection

Traffic Identification

Drive-by Download Attack

 

RNN

Malware Detection

 

DNN

Malware Classification

Intrusion Detection

Insider Threat

 

GAN

DGA

 

RBM

Intrusion Detection

Malware Detection

Spam Identification

 

 

RNN

Malware Detection

DGA

Intrusion Detection

Intrusion Detection (Vehicles)

Border Gateway Protocol

Anomaly Detection

Keystroke Verification Custom

Intrusion Detection (IoT)

 

Source: A Survey of Deep Learning Methods for Cyber Security

Go to Source