CYB. Defensive AI (part 4) - Master's in Artificial Intelligence 2024/25

Summary

This document covers defensive AI, specifically focusing on user behavior analytics, authentication methods, and content analysis techniques within a cybersecurity context. It provides detailed information about UEBA solutions, their data collection methods, and how to identify and mitigate potential threats.

Full Transcript

CYB. Defensive AI (part 4)

Master in Artificial Intelligence
2024/25
ESEI – University of Vigo
AI/ML in User Behavior,
Authentication, and Content
Analysis
UBEA: User and Entity Behavior Analytics

UEBA solutions: Monitor and analyze the behavior of users and entities
(servers, laptops, applications, mobile devices, IOT devices)

UBEA ≈ UBA (User Behavior Analytics) + EDR Endpoint Detection Response

ˆ Detect abnormal or potentially malicious activities (insider threats,
compromised accounts, cyberattacks)
ˆ Similar to HIDS/HIPS, but with in-depth analytics (IA/ML/statistical
analysis backbone)
ˆ Usually integrated with/complementary to EDR, XDR, SOAR, and SIEM
solutions
ˆ to provide a integral view of security events across an organization
ˆ to allow for correlation with other security data

Examples: Gurucul UBEA, Exabeam Platform, UBA in Rapid7 InsightIDR

1
UBEA: User and Entity Behavior Analytics (II)

Typical subtasks

(a) Behavioral Analysis. Patterns of behavior exhibited by users/entities over
time

ˆ User/Entity profiling: Normal/typical behavior profiles for users or
entities based on their historical vs. anomalies (⇒ security
incidents: unauthorized access, account compromise, etc)
ˆ Aspect to monitor/measure:
ˆ for users: patterns of login (login times and locations), data access
patterns, file transfers, application usage patterns, frequency of user
interactions, typical working hours, network communication
behaviors,...
ˆ for endpoint: patterns of file access, application usage, system
processes and system calls, network traffic (protocol usage, data
transfer, destinations),...

2
UBEA: User and Entity Behavior Analytics (III)
(b) Data Collection UEBA solutions collect and aggregate data from various
endpoint and user sources
ˆ Authentication and Authorization Logs: information about user
authentication, account activity, group memberships, changes to user
attributes
ˆ Logs from Active Directory, Single Sign-On (SSO) solutions,
Identity and 
Access Management (IAM)  systems

 user access patterns 


 login frequencies 

ˆ Understand → detect suspicious user

 privileged account usage 


 

roles and permissions
behavior (failed login attempts, unusual access pattern)
ˆ Endpoint Logs: activities occurring on individual devices (process
executions, file access, system events, network connections)

3
UBEA: User and Entity Behavior Analytics (IV)

ˆ Network Traffic Logs: information about communication between devices
on the network
ˆ Firewall logs (information about incoming and outgoing network traffic)
ˆ VPN logs (information about remote access)
ˆ Proxy server logs (info. about web traffic, URLs visited)
ˆ DNS logs (communication with malicious domains or unusual DNS activities)


 communication with unusual IP addresses
→ To identify unusual patterns excessive data transfer volumes

ˆ Application Level Logs network level IoCs (black-listed IP/URL/DNS)


ˆ Email logs (info. about sender and recipient details, timestamps, attachments) →
(phishing attempts, SPAM, suspicious attachments)
ˆ Database logs (info. about database access, queries, changes to data) → (identify
abnormal data access patterns, potential data exfiltration, unauthorized database
activities)
ˆ Business-critical applications logs (interactions, transactions,
application-specific activities) → (anomalies in how users interact with business processes)

ˆ Physical Access Control records (anomalies in physical access patterns)
ˆ Biometric systems (additional context about user interactions)

4
UBEA: User and Entity Behavior Analytics (V)

(c) Risk Scoring. Assign risk scores to users/entities based on observed
behavior (security events and anomalies) and context

ˆ Based on severity and context of observed behavior
ˆ Higher risk scores → trigger alerts, prioritize further investigation

(d) Incident Response. When anomalies
 are detected, UEBA provide features

 generating alerts and/or isolation actions
to support incident response providing context for the detected behavior

 info. for further forensic analysis

5
UBEA: User and Entity Behavior Analytics (VI)
Commonly employed ML and AI techniques in UEBA
ˆ Unsupervised ML
ˆ Clustering Algorithms (group users/entities based on similar behavior)
ˆ Autoencoders (anomalies detected by measuring the reconstruction error)
ˆ Anomaly Detection Algorithms (identifying outliers or unusual patterns,
Isolation Forests, One-Class SVM)
ˆ Supervised ML
ˆ Classification Algorithms (train models on labeled data to classify
behavior as either normal or potentially malicious)
ˆ Deep Learning (RNNs to capture complex patterns and dependencies in
sequential data)
ˆ Time-Series Analysis (trend detection, seasonal patterns, forecasting)
ˆ NLP techniques (user activities involving text data → text pattern
detection, sentiment, language usage)
ˆ Other: Bayesian network for risk scoring, Feature engineering
(dimensionality reduction)

6
Authentication in Cybersecurity

Verifying the identity of users, systems, or entities attempting to access
resources or services
ˆ Goal: Ensure only authorized individuals/entities gaining access to
sensitive information, systems or applications
Authentication Factors
ˆ Knowledge-Based Authentication (Something You Know ) Relays on
information that the user knows (passwords, PINs, security questions)
ˆ Possession-Based Authentication (Something You Have) Involves
something (physical or virtual) the user possesses (security tokens, mobile devices)
ˆ Biometric Authentication (Something You Are) Involves unique
biological and/or behavioral characteristics of the user (fingerprints, iris patterns,
facial/voice recognition)

Multi-Factor Authentication (MFA) combines two or more authentication
factors to enhance security

7
Authentication in Cybersecurity (II)

Related topics

ˆ Single Sign-On (SSO) and Session Management (SSO allows users to log in
once and gain access to multiple applications or systems without having to
authenticate separately for each)

ˆ Password Policies (requirements for password length, complexity, regular
password changes, password storage best practices)

ˆ Authentication Protocols (standardized methods for secure authentication
[OAuth, OpenID])

ˆ Account Lockout and Brute Force Protection (implementing account
lockout mechanisms and protection against brute force attacks)

8
Authentication in Cybersecurity (III)

ˆ Risk-Based Authentication (assess the risk associated with a particular login
attempt [based on location, time-of-day, device, user behavior])
high risk login attempt ⇒ additional authentication measures

ˆ Behavioral Authentication (patterns of user behavior establish a baseline +
deviations trigger additional authentication checks)

ˆ Continuous Authentication (ongoing verification of a user’s identity
throughout the entire duration of a session or interaction with a system)

9
Biometric authentication
Verifying the identity of individuals based on unique physical or
behavioral characteristics [Examples (types of biometrics) ]

Fingerprint Recognition. Unique patterns of ridges and valleys on an
individual’s fingertips
Facial Recognition. Facial features (distance between eyes, shape of the nose)
Iris Scans. Unique patterns in the iris of the eye.
Voice Recognition. Unique characteristics of an individual’s voice (pitch, tone)
Hand Geometry. Physical structure of the hand (length and width of fingers)
Retina Scans. Blood vessel pattern at the back of the eye
Other. Vein Recognition (vein patterns in the palm), Ear Shape Recognition
(unique shape and structure of the ear), Gait Recognition (unique way
individuals walk or move)

Some tools: LexisNexis BehavioSec, Mitek ID R&D (human verification)

10
Biometric authentication (II)

Practical aspects and considerations

ˆ Accuracy: False acceptance (authenticating an unauthorized user) vs. False
rejection (rejecting an authorized user) rates

ˆ Robustness against physical changes (aging, changes in voice due to illness)
and spoofing (fake fingerprints or facial images, Deepfakes)

ˆ User acceptance: preference for non-intrusive mechanisms, respect to
privacy concerns

ˆ Template Storage and Security: Biometric templates (digitized
representations of biometric characteristics) should be securely stored and
protected (compliance with privacy and data protection regulations)

ˆ Deployment costs and scalability

11
Biometric authentication (III)

ML/AI approaches in biometric authentication
Many ML/AI approaches to analyze and recognize patterns in biometric
data for accurate identification or verification

ˆ Supervised Learning → trained on a labeled dataset: input data
(biometric features) is paired with the corresponding correct output
(known identity)

ˆ Unsupervised Learning → clustering and grouping similar biometric
patterns without prior knowledge of identities

ˆ Other/complementary approaches: Semi-Supervised Learning, Ensemble
Learning, Transfer Learning

12
Continuous authentication

Verification of a user’s identity throughout the entire duration of a
session or interaction with a system (vs. one-time authentication)
Goal: enhance security by continuously monitoring and verifying the
user’s identity

ˆ Useful in dynamic/evolving scenarios where the risk of unauthorized access
change over time

ˆ Involves real-time monitoring of user behavior, activities and interactions with
the system or application

ˆ Dynamic risk assessment → continuously assess the risk associated with the
user’s behavior (context of access, device used, location, user’s typical patterns)

ˆ Allows adaptive security levels (in the event of suspicious behavior, prompt the
user for additional authentication factors)

13
Continuous authentication (II)

Key aspects to monitor

ˆ Behavioral Biometrics. Analyze the user’s behavioral biometrics
(keystroke dynamics, mouse movements, typing patterns, touchscreen
interactions) to create a continuous profile

ˆ Device Context. Context of device usage (type of device, its location,
network being used) establish a baseline for normal behavior and
identify suspicious activities

ˆ Biometric Monitoring. Biometric re-authentication (by facial
recognition, fingerprint scanning) ⇒ provide an additional layer of
security

14
Continuous authentication (III)

Example
Daniel Garabato (UDC) et al., AI-based user authentication
reinforcement by continuous extraction of behavioral interaction features,
Neural Computing and Applications (2022)

ˆ Continuous authentication by monitoring user’s mouse activity

ˆ Feature extraction from raw mouse activity data

ˆ Deep Learning models (CNN+LSTM)

15
Content Analysis

Examination and interpretation of various forms of digital content (text,
images, audio, video) to identify and respond to security threats
→ Typically modeled as a classifiction task

Content Analysis in Mail Security
Examining the content of emails to identify and mitigate potential
security threats

ˆ Spam Filtering: Identify and filter out unwanted spam emails
ˆ Content-based filtering using NLP, ML classifiers trained on spam patterns

ˆ Phishing Detection: Identify and block phishing attempts by analyzing
the content of emails
ˆ NLP for text analysis, link analysis to identify malicious URLs, ML
classifiers trained on phishing patterns

16
Content Analysis (II)

ˆ Attachment Analysis: Scan email attachments for potential malware or
malicious content
ˆ Known malware signatures, behavioral analysis ⇒ suspicious file behavior,
ML models trained on features indicative of malicious attachments

ˆ Social Engineering Detection: Detect social engineering tactics in email
content
ˆ NLP for sentiment analysis, language pattern extraction

ˆ Data Loss Prevention (DLP): Prevent unauthorized sharing of sensitive
data through emails
ˆ Identify and classify sensitive information, ML models and regular
expression matching for pattern recognition

17
Content Analysis (III)

Content Analysis in Web Security
Analyzing web content to block access to malicious websites or content
ˆ Content Filtering: Analyze web content to block access to malicious
websites or inappropriate content (spam, hate speech,...)
ˆ URL categorization, ML-based content-based filtering
ˆ Example: OpenAI moderation API
ˆ Content Reputation Analysis: Assess the reputation of web content to
identify potentially harmful websites
ˆ Ad and Tracker Blocking: Block unwanted advertisements and tracking
scripts
ˆ Script and Code Analysis: Examine scripts and code within web content
for potential threats
ˆ ML models for code analysis, behavior analysis of scripts
ˆ Web Application Firewall (WAF): Protect web applications by analyzing
and filtering HTTP traffic
ˆ Pattern matching, anomaly detection of HTTP traffic

18