Author: ajit jaokar
For the first time, I taught an AI for Cyber Security course at the University of Oxford.
I referred to this paper from Johns Hopkins which covered Deep Neural networks for Cyber Security (A Survey of Deep Learning Methods for Cyber Security) – references below where you can download the full paper for free.
The paper covers various deep learning algorithms in Cyber Security
I summarise from the paper below, the problems in Cyber Security and the deep neural networks algorithms that can address them
Cyber Security problems
Detecting and Classifying Malware: The number and variety of malware attacks are continually increasing, making it more difficult to defend against them using standard methods. DL provides an opportunity to build generalizable models to detect and classify malware autonomously. There are a number of ways to detect malware.
Autonomously classifying malware can provide important information about the source and motives of an adversary without requiring analysts to devote significant amounts of time to malware analysis. This is especially important with the number of new malware binaries and malware families growing rapidly. Classification means assigning a class of malware to a given sample, whereas detection only involves detecting malware, without indicating which class of malware it is.
Domain Generation Algorithms and Botnet Detection (DGA): DGAs are commonly used malware tools that generate large numbers of domain names that can be used for difficult-to-track communications with C2 servers. The large number of varying domain names makes it difficult to block malicious domains using standard techniques such as blacklisting or sink-holing. DGAs are often used in a variety of cyber-attacks, including spam campaigns, theft of personal data, and implementation of distributed denial-of-service (DDoS) attacks.
Drive-By Download Attacks: Attackers often exploit browser vulnerabilities. By exploiting flaws in plugins, an attacker can redirect users away from commonly used websites, to websites where exploit code forces users to download and execute malware. These types of attacks are called drive-by download attacks.
Network Intrusion Detection: Network intrusion detection systems are essential for ensuring the security of a network from various types of security breaches. A number of machine learning and deep learning algorithms are used in network detection.
File Type Identification: Generally, humans are not very effective at identifying data that is being exfiltrated once it has been encrypted. Signature-based approaches are similarly unsuccessful at this task. Therefore, a number of ML/DL techniques can be applied to detect file types
Network Traffic Identification: A set of techniques used to detect network level protocol types.
SPAM Identification: ML and DL algorithms used to detect SPAM
Insider Threat Detection: One of the major cyber security challenges today is insider threat, which results in the theft of information or the sabotaging of systems. The motivations and behaviors of insider threats vary widely; however, the damage that insiders can inflict is significant. A number of ML and DL algorithms are used in the detection of insider threats.
Border Gateway Protocol Anomaly Detection: The Border Gateway Protocol (BGP) is an internet protocol that allows for the exchange of routing and reachability information among autonomous systems. This capability is essential to the functioning of the internet, and exploitation of BGP flaws can result in DDoS attacks, sniffing, rerouting, theft of network topology data, etc. It is therefore essential to identify anomalous BGP events in real time to mitigate any potential damages.
Verification If Keystrokes Were Typed by a Human: Keystroke dynamics is a biometric technique that collects the timing information of each keystroke – this information can be used to identify people or anomalous patterns.
User Authentication: The ability to detect users based on various signals – behavioral and physiological features based on their activity patterns
False Data Injection Attack Detection: Cyber-physical systems play an important role in critical infrastructure systems, because of their relationship to the smart grid. Smart grids leverage cyber-physical systems to provide services with high reliability and efficiency, with a focus on consumer needs. These smart grids are capable of adapting to power demands in real time, allowing for an increase in functionality. However, these devices rely on information technology, and that technology is susceptible to cyber-attack. One such attack is false data injection (FDI), whereby false information is injected into the network to reduce its functionality or even break it entirely.
Deep learning detection techniques
The following techniques are used to address Cyber Security problems as per the paper
Autoencoders
Malware Detection
Malware Classification
Intrusion Detection
Autoencoder Intrusion Detection (IoT)
File Type Identification
Network Traffic Identification
Spam identification
Impersonation Attacks
User Authentication
CNN
Malware detection
Drive-by Download Attack
Malware Detection
Intrusion Detection
Traffic Identification
Drive-by Download Attack
RNN
Malware Detection
DNN
Malware Classification
Intrusion Detection
Insider Threat
GAN
DGA
RBM
Intrusion Detection
Malware Detection
Spam Identification
RNN
Malware Detection
DGA
Intrusion Detection
Intrusion Detection (Vehicles)
Border Gateway Protocol
Anomaly Detection
Keystroke Verification Custom
Intrusion Detection (IoT)
Source: A Survey of Deep Learning Methods for Cyber Security