How Machine Learning Helps Protect Against Cyber Attacks

We are all familiar with spam, phishing attacks or ransomware and have probably encountered some of them. But there are also types of attacks that, for example, cause us to lose access to our favourite website. Attackers seek financial gain, or to damage reputation, obtain sensitive information or disrupt competition. In this article, we will focus primarily on network attacks and the way we can detect them using machine learning.

Network Attacks

Unsurprisingly, even in Slovakia we are not completely protected from cyber attacks (for example, DoS attacks in Slovakia, imitation of the behavior of banks, or the attack on a hospital in Nitra). Like everyone else, we need to know how to defend ourselves. For this purpose, classifying attackers’ activity into four basic categories can help:

  1. Probe is the initial activity of cybercriminals, discovering the infrastructure of a potential victim’s network and the services (or ports) running there. Overall, this is an effort to gain as much knowledge as possible in preparation for an attack.
  2. A denial of service (DoS) attack is a type of attack in which unusual and usually excessive requests are sent to a device, depleting its computing resources.
  3. Remote to local – an attacker is able to communicate with a device even without a user account and is able to gain access to that system.
  4. User to root – by exploiting a vulnerability on the target system, an attacker can increase their privileges on the system to superuser.

Each of the above attacks is specific in some way, making it possible to detect them. Even today, there are multiple ways to identify most of the commonly known attacks (e.g., via the Suricata tool). However, the ways in which an attack can take place are not fixed. If this were the case, only those companies and users who were very negligent about their cybersecurity would be at risk.

Evolution of network attacks

Cybercriminals are constantly coming up with new ways to compromise a system, so it is important to be constantly alert. More than 55 billion password cracking attempts were recorded in 2021 alone (see, for example, a threat intelligence report). Standard methods include constant monitoring of network communications and looking for anomalies. If an anomaly is found, it can mean we have encountered a new and previously unknown type of attack and we can respond to it.

However, not every anomaly may be regarded as an attack. You be the judge:

  1. If we monitor bank account activity and pay for window replacement with a credit card, there may be an unusually high withdrawal from the account. This is a one-time anomaly in terms of our normal spending.
  2. If we manage to create an extremely successful marketing campaign, a sudden “flood” of customers can bring down our e-shop, although this was certainly not their goal.
  3. If we are making payments on an account worth €1,000 every month and suddenly it’s €1,500 in December, we might regard this as a suspicious anomaly. However, when we consider the context, we see that this is the Christmas period and therefore this sudden change is fine. We would approach it differently if such a jump had occurred in March, for example.

Thus, we see that not every anomaly has to represent an attack, but every attack is an anomaly with respect to the normal and expected behavior of network communication. As a result, anomaly detection approaches exhibit a higher false alarm rate and it remains up to dedicated security specialists to check if this is indeed a malicious anomaly (attack).
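The December versus March payment case above can be made concrete. The following is an added example, not code from the project described in this article: it scores the same €1,500 payment against all past months and against the same calendar month only. The sample history, the threshold and the function names are assumptions made for illustration.

```python
from statistics import median

THRESHOLD = 3.5  # assumed cut-off for the robust z-score


def robust_z(value, history):
    """Distance of value from the median of history, in MAD-based units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, 1.0)  # floor avoids division by zero on flat history
    return (value - med) / scale


# Constructed sample: monthly payment totals in EUR for three years,
# about 1,000 from January to November and about 1,500 every December.
YEAR_1 = [990, 1010, 1000, 1020, 980, 1005, 995, 1015, 985, 1000, 1010, 1500]
HISTORY = {}  # (year, month) -> amount
for year, shift, december in ((1, 0, 1500), (2, 10, 1480), (3, -10, 1520)):
    for month, amount in enumerate(YEAR_1, start=1):
        HISTORY[(year, month)] = december if month == 12 else amount + shift


def is_anomaly_global(amount):
    """Compare against every past month, ignoring the calendar."""
    return abs(robust_z(amount, list(HISTORY.values()))) > THRESHOLD


def is_anomaly_contextual(amount, month):
    """Compare only against the same calendar month in earlier years."""
    same_month = [v for (_, m), v in HISTORY.items() if m == month]
    return abs(robust_z(amount, same_month)) > THRESHOLD


if __name__ == "__main__":
    for label, month in (("December", 12), ("March", 3)):
        print(label, "global:", is_anomaly_global(1500),
              "contextual:", is_anomaly_contextual(1500, month))
    # A December with only 1,000 is normal globally but unusual in context.
    print("December 1000 contextual:", is_anomaly_contextual(1000, 12))
```

The context-free check raises an alarm for €1,500 in any month, while the contextual check raises it only in March. With three years of history each context holds just three values, so a real deployment would need a longer baseline.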

Internet access providers, which are the companies that allow us to connect to the Internet, can also help to improve security to some extent. They are used by ordinary people, but also by large companies. They can monitor their network and react in the event of an attack, either by alerting the user or by actively intervening (e.g., using DDoS attack defences). They may not be able to prevent all types of attacks, as by default only network activity is monitored and not the contents of the data being transmitted.

Innovative industrial project for higher cyber safety

VNET is one of the Internet access providers that employ proactive protection and monitor what is happening on their network, ultimately seeking to increase their ability to identify suspicious patterns and correlations (i.e., anomalies) in network traffic and thereby enhance the security of their customers. 

In a joint industry project with VNET, we are leveraging their expertise in this domain and our expertise in anomaly detection. We are developing approaches to use machine learning to detect malicious anomalies (attacks). We have been able to identify suitable approaches and datasets applicable for designing methods tailored to the needs of providers such as VNET. We have also already conducted initial experiments to better understand the benefits and limitations in existing network activity monitoring. The applicability of existing datasets used in research is proving to be a major challenge, as they show several problems when used in real-world environments. 

We are looking forward to seeing how our joint solution, based on machine learning features, will improve the protection of clients, and we believe that our published outputs will also enrich the knowledge of the global scientific and professional community.