How Machine Learning Helps Protect Against Cyber Attacks
We are all familiar with spam, phishing attacks or ransomware and have probably encountered some of them. But there are also types of attacks causing us to lose access to our favourite website, for example. Attackers seek to gain financial gain, damage reputation, obtain sensitive information or disrupt competition. In this article, we will focus primarily on network attacks and the way we can detect them using machine learning.
Even in Slovakia (with no surprise), we are not completely protected from cyber attacks (DoS attacks in Slovakia, imitating the behavior of banks, attack on a hospital in Nitra). Like everyone else, we need to know how to defend ourselves. For this purpose, classifying attackers’ activity into four basic categories can help:
- Probe is the initial activity of cybercriminals, discovering the infrastructure of a potential victim’s network and the services (or ports) running there. Overall, this is an effort to gain as much knowledge as possible in preparation for an attack.
- A denial of service (DoS) attack is a type of attack caused by a malicious event where unusual and usually excessive requests are sent to a device, causing a depletion of its computing resources.
- Remote to local – an attacker is able to communicate with a device even without a user account and is able to gain access to that system.
- User to root – by exploiting a vulnerability on the target system, an attacker can increase their privileges on the system to superuser.
Each of the above attacks is specific in some way, making it possible to detect them. Even today, there are multiple ways to identify most of the commonly known attacks (e.g., via the Suricata tool). However, the ways in which an attack can take place are not fixed. If this were the case, only those companies and users who were very negligent about their cybersecurity would be at risk.
Evolution of network attacks
Cybercriminals are constantly coming up with new ways to compromise a system, so it is important to be constantly alert. More than 55 billion password cracking attempts have been recorded in 2021 alone (you can read a report on the threats intelligence, for example). Standard methods include constant monitoring of network communications and looking for anomalies. If an anomaly is found, it can mean we have encountered a new and previously unknown type of attack and we can respond to it.
However, not every anomaly may be regarded as an attack. You be the judge:
- If we monitor bank account activity and pay for window replacement with a credit card, there may be an unusually high withdrawal from the account. This is a one-time anomaly in terms of our normal spending.
- If we manage to create an extremely successful marketing campaign, a sudden “flood” of customers can bring down our e-shop, although this was certainly not their goal.
- If we are making payments on an account worth €1,000 every month and suddenly it’s €1,500 in December, we might regard this as a suspicious anomaly. However, when we consider the context, we see that this is the Christmas period and therefore this sudden change is fine. We would approach it differently if such a jump had occurred in March, for example.
Thus, we see that not every anomaly has to represent an attack, but every attack is an anomaly with respect to the normal and expected behavior of network communication. As a result, anomaly detection approaches exhibit a higher false alarm rate and it remains up to dedicated security specialists to check if this is indeed a malicious anomaly (attack).
Internet access providers, which are the companies that allow us to connect to the Internet, can also help to improve security to some extent. They are used by ordinary people, but also by large companies. They can monitor their network and react in the event of an attack, either by alerting the user or by actively intervening (e.g., using DDoS attack defences). They may not be able to prevent all types of attacks, as by default only network activity is monitored and not the contents of the data being transmitted.
Innovative industrial project for higher cyber safety
VNET is one of the Internet access providers that employ proactive protection and monitor what is happening on their network, ultimately seeking to increase their ability to identify suspicious patterns and correlations (i.e., anomalies) in network traffic and thereby enhance the security of their customers.
In a joint industry project with VNET, we are leveraging their expertise in this domain and our expertise in anomaly detection. We are developing approaches to use machine learning to detect malicious anomalies (attacks). We have been able to identify suitable approaches and datasets applicable for designing methods tailored to the needs of providers such as VNET. We have also already conducted initial experiments to better understand the benefits and limitations in existing network activity monitoring. The applicability of existing datasets used in research is proving to be a major challenge, as they show several problems when used in real-world environments.
We are looking forward to see how our joint solution, based on machine learning features, will improve the protection of clients and we believe that our published outputs will also enrich the knowledge of the global scientific and professional community.