samenvatting-e-book-AI-cybersecurity.docx
Uploaded by FaultlessDidgeridoo
Universiteit Gent
Artificial intelligence & cybersecurity

Chapter 1: Understanding cybersecurity:
Cybersecurity is multifaceted. It is your only defense in one of the longest wars the world has ever known. This chapter gives you an overview of the diverse parts of cybersecurity and an introduction to threat response.

Looking at the various aspects of cybersecurity:

Social engineering and phishing:
Social engineering = a confidence scam that convinces unsuspecting people to provide information to bad people trying to steal their information. It is usually the first step in a complex attack. Between 66 and 84 percent of all network intrusions contain a social engineering factor. The answer to protect against social engineering is education and awareness.
Phishing = the further attempt to collect sensitive information about you that may not be readily available online. Phishing attempts tend to fall into specific categories, usually involving an urgent request.
Spear phishing = a more targeted attack than normal phishing, based on research specific to the victim. The information used to create these kinds of attacks comes from stolen information.
Example: If you've done business with a retailer that has had its data stolen, the bad guys know where you shop. So, you might receive what appears to be a friendly email warning you that your information has been stolen and to "click this link to verify your account." More data is stolen every day, and that information is being used to create spear phishing attacks.

Introducing ransomware:
Public key cryptography = the ability to communicate safely with banks, securely send credit card information, communicate privately with peers… and also the foundation of cryptocurrency. Public key cryptography is only as safe as your ability to keep private keys safe.
Keys = long strings of numbers and letters. With this type of encryption:
- Public keys are shared.
- Private keys are kept close to the vest.
How it works:
- Encrypted message: you give your public key to whomever you want; people send you a message encrypted with your public key; only you can decrypt the message with your private key.
- Encrypted text: text encrypted with your private key can only be decrypted with copies of the corresponding public key. This is also known as a digital signature, because decrypting something signed with your private key proves you're the one that encrypted/signed it.

Cryptovirus = a virus that infects a computer and uses public key cryptography to encrypt the files on the computer so that they can only be decrypted with a private key. The hacker then holds your files ransom and asks to be paid some amount to decrypt your files. Thus the name ransomware.
Cryptolocker = a form of ransomware that infects mostly PCs. It spreads malware by sending infected files with social engineering. The files include Microsoft Word documents, and when people try to open them, the PC gets infected and the infection spreads to other operating systems like Linux and macOS. The worst example is the Locky virus in 2016, which infected thousands of computers, with 23 million infected emails sent.

Malware intrusion:
Roughly 6 kinds of malware can infect computer systems. Types of malware:
- Computer virus = a small program that, once it infects a PC, will replicate and attempt to send the replicated version to another PC. Viruses destroy and alter data.
- Computer worm = replicates, spreads and does damage like a virus, but unlike a virus (which needs a host program to spread), a worm can spread completely on its own.
- Trojan = disguised as a legitimate software program, tricking people into downloading it via social engineering. Once installed, it gives access to a malicious third party. Trojans don't replicate.
- Trojan downloader = downloads malicious programs from remote servers to create botnets.
- Botnet = a network of infected PCs controlled by a central computer.
Botnets are often used to conduct distributed denial of service (DDoS) attacks against websites and Internet infrastructure: thousands of infected PCs begin hammering an IP address, making it impossible to communicate with that web service.

Non-malware intrusion:
Non-malware intrusion = security breaches not caused by a program that has breached your defenses. They do not use malware, but software you trust, like Microsoft Office, on all different operating systems.

Secure socket shell (SSH) = provides remote command-level access to whatever operating system. The most common way into an SSH account is guessing the password with modern brute force password-guessing tools.
Steps of an SSH brute force attack:
- Find an SSH server to attack.
- Use a brute force tool like Hydra, NCrack or Medusa.
Methods to fight off an SSH attack:
- Run SSH on a non-standard port (standard port = 22).
- Block the SSH login for the root user.
- Limit the number of tries a user can make to guess the password.

SQL injection = malicious instructions embedded into an SQL database, which will return the content of the entire database.
Solution: parameterized SQL statements = pull the user input out of the actual SQL statement and place it into parameters that are passed along.

NoSQL databases = data distributed across the Internet, making data access for mobile apps more efficient. A query language is not used to retrieve data from a NoSQL database. NoSQL databases are not proven immune to injection attacks.

Credential theft: the least technical attack, but the most difficult to defend against. It is mostly done by phishing and social engineering, taking the username and password.
Solutions: longer passwords that are changed regularly; password management services; two-factor authentication, facial recognition, fingerprinting…

Detect, respond and mitigate
Ways to monitor network intrusions:
Anomaly-based detection = system monitoring programs that alert you when something is out of the ordinary.
Problem with anomaly-based detection: high rate of false positives.
Deception = setting a trap, either by luring or by disguising yourself.
Honeypots = luring intruders away from the good stuff. They are computer systems on a network that appear to hold a lot of data, but actually only contain bait.
- Low interaction honeypot: a lightweight honeypot.
- High interaction honeypot: the real deal, but also more effort to maintain.
Honeytokens = tracking where the attack originated by means of email addresses, fake data and fake accounts in the network, with a record of where they are kept.

Responding to and recovering from cyberattacks and security events
It is important to handle the intrusion quickly.

Meeting the challenges of cybersecurity
Making software smarter: Security Information and Event Management (SIEM) = software that provides analysis of security events, storage & correlation of information, and structured threat intelligence.
Making software application development more secure: integrating cyber-security.

Chapter 2: Fathoming Artificial intelligence:

Seeing the big picture:
Pattern recognition = branch of machine learning; finding patterns in data by using supervised (training data) and unsupervised (training data) learning (see below), either textual or visual.
Visual = mostly supervised learning algorithms, which are given training images to learn patterns.
Data mining = pattern recognition in text data. Example Gmail: suggestions for automatic responses to emails.
Fuzzy logic = often used by pattern recognition where answers are close enough but not exact matches.

Teaching machines to be smarter:
Singularity = theoretical future date when a super intellect is born/made that is smarter than humans; this will become the age of machines, replacing the age of man.
Artificial General Intelligence (AGI) = the goal of having machines as smart as or even smarter than humans, with a set of ethics that follows the betterment of mankind ("friendly" AI). But we are not there yet in terms of computer hardware (cf.
human brain: 38 000 trillion operations per second).
Solution: Narrow AI = AI computer specializing in only one particular field of study. e.g. chess playing: Reactive AI = computer responding to challenges in the present to reach a goal.

Learning algorithms:
Learning algorithms = programs that extrapolate insights/intelligence based on data provided to the computer.

Supervised learning:
Supervised learning = the input of information is supervised, upon which the algorithm will arrive at a conclusion.
Most basic supervised learning algorithm: expert system = a series of yes and no questions to get to an answer. Foundation of an expert system = decision tree.
More advanced type of learning: the use of training data. Feeding the computer lots of cat pictures so that eventually it will be able to recognize a cat by itself. This is based on probability.
2 common types of this type of learning algorithm:
- Logistic regression
- Back propagation neural network

Unsupervised learning:
Using unlabeled and unclassified data with special algorithms that allow AI to learn on its own rather than being spoon-fed by humans.
2 common unsupervised algorithms:
- Apriori
- K-means

Being smarter:
Becoming smarter: not only better software, but also advances in machine technology.
Incredible databases, e.g. the Open Mind Common Sense project at MIT: collects millions of facts like "fire is hot" and "logs can catch fire". Inferences can be drawn from these facts: "a burning log is also hot".
Problem: most of the world's information is unstructured.

Natural language processing (NLP):
Natural language processing = computers understanding human language as it is spoken. It is the heart of the modern AI input/output system. It provides the ability 1) to comprehend unstructured data and 2) to talk to a computer and have it understand our natural language requests.

Chapter 3: Discovering Machine Learning and Deep Learning:
Algorithms = process data based on rules derived from insights, making machines more powerful.
Deep learning and deeply layered neural networks:
Deep learning = branch of artificial intelligence and a subset of machine learning; allows computers to learn on their own, unsupervised, using neural networks. It reads unstructured data form patterns and clusters of patterns (similar to human brain).
How a neural network works:
- Input layer: accepts input.
- Hidden layer: output is summed and sent here + transformation functions.
- Output layer: outputs are summed again into this layer.
Cf. drip coffee maker: you mix the inputs, hot water and coffee grounds, filter the output of this mixing, and then mix it all together into the stream that ends up in the carafe.

Deep Blue plays chess:
1985, Carnegie Mellon University: a computer playing chess called "ChipTest". Hired by IBM: next-generation chess-playing computer "Deep Thought". The first to beat a grandmaster (human) in chess. Renamed to "Deep Blue" or "Big Blue". After some upgrades it beat a world champion.
Deep Blue didn't use what we might currently consider AI, and no deep learning.
One gigaflops = one billion math operations a second.

Introducing cognitive computing:
The tasks performed by AI and its very nature have changed over time. Cognitive computing is the next step in AI, because previously AI didn't learn from its path to a specific answer. If you asked the same question 15 times, you would get the same answer 15 times.
Cognitive computing simulates the thought process of a human brain. It learns, collects information (data mining), understands patterns and is able to communicate using human language. It uses a "humans-first" approach (a less scary approach).

Structured and unstructured data:
Structured data = tagged in some way to make it easily understood by a machine, e.g. self-driving cars.
Unstructured data = tends to be the result of human intelligence applied in a human-readable written format (cf. researchers presenting their insights and the level of confidence in those insights after their work in the field).
Cognitive search and discovery uses AI in the form of 1) NLP, 2) pattern recognition and 3) machine learning to understand and organize the information it collects for a body (corpus) of knowledge. The body of knowledge is not only huge, but continuously increasing, in both structured and unstructured data.
AI systems are plugged into the data using APIs (= Application Programming Interfaces). The system must derive semantic information from the text it reads by:
- extracting relationships between entities
- deriving keywords from content
- determining the sentiment of the content (cf. positive or negative content).
NLP breaks sentences into components such as subject, action verb and direct object. It detects entities such as people, places, things and geographical features along with the content's keywords, and ranks them based on importance.
A cognitive computer will take what it learns from the text and correlate it to what it already knows.

Chapter 4: Applying machine learning and deep learning to cybersecurity
AI applied to cybersecurity provides security professionals with a better ability to protect endpoints, data and networks by predicting problems based on prior solutions and by using NLP.

Predictive analytics:
Usage of analytics for cybersecurity: detect anomalies in network patterns, network traffic and normal user activities.
Exploits are identified by their signatures (= known patterns of attack).
Cybersecurity has moved from a completely reactive activity to networks managed based on risk.
Predictive analytics = gives you a fuzzy look into the future.
"On the doorstep" scenario: being able to identify an intrusion without having a prior signature. Machine learning has begun to have a "gut feeling" or predictive ability about what might be an attack by analyzing all kinds of previous attacks.
Advanced Persistent Threats (APT) = malware programs that sit on the network appearing innocent because the damage is long term.
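The trade-off in the notes above (signatures only catch known patterns, anomaly-based detection catches the "on the doorstep" case but raises false positives) can be shown on a few events. This is an added example, not taken from the e-book or from these notes; the events, the signature set, the baseline traffic figures and the 3-sigma threshold are all constructed assumptions.

```python
import statistics

# Constructed signature set: known patterns of attack (assumed value).
SIGNATURES = {"known-bad-agent/1.0"}

# Constructed baseline: outbound MB per hour for one host on normal days.
BASELINE_MB = [48, 52, 50, 47, 53, 51, 49, 50]

# Constructed events: (label, user_agent, outbound_mb, truly_malicious)
EVENTS = [
    ("normal browsing",  "browser/9.0",         51,  False),
    ("known malware",    "known-bad-agent/1.0", 50,  True),
    ("new exfiltration", "browser/9.0",         400, True),   # no signature yet
    ("nightly backup",   "backup-tool/2.1",     380, False),  # benign but unusual
]

def signature_hit(user_agent):
    """Signature detection: exact match against known-bad patterns."""
    return user_agent in SIGNATURES

def anomaly_hit(outbound_mb, baseline=BASELINE_MB, threshold=3.0):
    """Anomaly detection: flag traffic more than `threshold` standard
    deviations away from the baseline mean."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    return abs(outbound_mb - mean) / stdev > threshold

def triage(events, use_signatures=True, use_anomaly=True, confirmed_benign=()):
    """Return (detected, missed, false_positives) as lists of event labels.
    `confirmed_benign` holds user agents an analyst has marked as false
    positives; a user agent is a weak key (it can be spoofed) and is used
    here only to keep the example small."""
    detected, missed, false_pos = [], [], []
    for label, agent, mb, malicious in events:
        by_signature = use_signatures and signature_hit(agent)
        by_anomaly = (use_anomaly and anomaly_hit(mb)
                      and agent not in confirmed_benign)
        alert = by_signature or by_anomaly
        if alert and malicious:
            detected.append(label)
        elif alert:
            false_pos.append(label)
        elif malicious:
            missed.append(label)
    return detected, missed, false_pos

if __name__ == "__main__":
    runs = [
        ("signatures only", dict(use_anomaly=False)),
        ("anomaly only", dict(use_signatures=False)),
        ("both", dict()),
        ("both + analyst feedback", dict(confirmed_benign=("backup-tool/2.1",))),
    ]
    for name, kwargs in runs:
        print(name, triage(EVENTS, **kwargs))
```

Signatures alone miss the new exfiltration, anomaly detection alone misses the known malware that behaves normally, and the combination leaves one false positive until the analyst's verdict is fed back.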
Taught not programmed:
URL (=/= "URL" from the world wide web):
- Understand: examine the mass of prior research using NLP.
- Reason: insights based on analysis that include what type of attack may occur or has occurred, and the type of threat entities involved in the attack.
- Learn: constantly add new findings to the corpus of knowledge.

Uncovering the needle in the haystack:
False positives: a great time waster and money sink in the world of network security. Humans, machines and software can cause them.
Better with the implementation of AI: a human security researcher examines the alerts provided by the smart security system. He determines which are and aren't false positives. The results are fed back to the AI, making it smarter.

Introducing cognitive computing:
In cybersecurity, cognitive computing gains the ability to identify threats by investigating security incidents compiled from security events from a variety of inputs (= structured data, unstructured data and human insight from the "human-machine relationship"). It does all this much faster, more accurately and much smarter, with less fatigue for the human security researchers.

Identifying root cause:
Root cause: it is better to find the overarching cause than to point a finger at an individual troublemaker, and better to take an enterprise-wide approach to find problems across the whole company.
One method to determine root cause is a technique found within the Six Sigma DMAIC (= Define, Measure, Analyze, Improve, Control) methodology, called 5 whys = asking 5 "why" questions like "why did our database fail?". 5 is considered the minimum number of questions.
AI analyzes solutions by determining a host of factors that include not only the expected results but also the cost of achieving those results.

A smarter adversary:
AI can also be used by bad people to penetrate (hihihi :p) a network, making it almost impossible to detect: malware and signatures, in the future.
They can analyze the weakest places to attack with smart phishing and social engineering. Besides that, cybersecurity intelligence is primarily open, so the bad people can use this same data but with different intentions.

Chapter 5: Using the cognitive capabilities of Watson to investigate security incidents
Watson: IBM's computer that won the game Jeopardy! in 2011; it has taken on larger challenges since then.

Taking intelligent action:
Cybersecurity analysts can only keep up with 8% of newly published information, according to IBM.
Watson is able to analyze billions of data points gathered from network security analysis programs. It gives insight into possible threats (60 times faster). It returns a list and ranks the threats by likelihood.
The synthesis includes collaboration with human engineers to perform analyses. The end result is 10 times more actionable data than before. This is fighting something called "cyber blindness".

Understand, reason and learn (= URL) (see above):
Watson embodies this concept (= URL) by finding connections & causality and by learning, which provides important insights to a security operations center (SOC) to shut down an intrusion. Using the URL concept, cognitive computing appears to be the way forward in the cybersecurity war.

Applying Watson and QRadar:
Security Information and Event Management (SIEM) = software used to analyze security information and events in an enterprise. It has 2 goals:
- Managing events (SEM) = software that receives real-time security alerts from software apps and smart software equipment.
- Managing information (SIM) = log data, security records and other information generated by a security event are stored and analyzed here.
QRadar = IBM's security analytics platform. Teamed with Watson's capabilities, it creates an adaptive and constantly learning SIEM.
Winning with threat intelligence:
Threat intelligence = collected evidence about cyberattacks that includes context, mechanisms of the attack, actionable advice… to augment the intelligence of the SOC analyst. It is a mix of structured (= names of the hack, signature…) and unstructured (= shared comments, analyst notes…) data.

Chapter 6: Ten trends in cybersecurity

Responding to ransomware

Combining application development and cybersecurity

Using deep learning to detect DGA-generated domains:
Domain Generation Algorithms (DGA) = create pseudo-random domain names like "oqxisduvcfk.com" to try to remain anonymous when "malware phones home" = attempts a connection to a remote network for the purpose of command and control. Trying to blacklist them all is pretty much impossible, because DGA algorithms produce thousands of these names. However, neural networks may be the answer and can handle this fairly easily.

Detecting non-malware threats

Adaptive honeypots and honeytokens:
Used instead of non-changing/non-adapting ones, because hackers don't fall for that trick anymore. Adaptive ones change their behavior based on the attack (high vs. low skill level of the attack).

Gaining a better understanding of how neural networks work

Employing capsule networks:
Neural networks process large amounts of data; the amount is so big that it became computationally impossible.
Solution: convolutional neural networks = revolutionized image recognition. Convolutional layers filter the data flowing between layers in a neural network in order to reduce the amount of data processed by each subsequent layer.
Capsule network = a network where the neurons in each layer are divided into capsules that represent the different properties of the same entity. It is better than conventional neural networks because it is better at identifying entities no matter in what orientation the images appear.

Deep reinforcement learning:
= Reinforcing good behavior and punishing wrong behavior with points.
The best way to solve complex problems is to add more layers (deep) to the neural network, making it a deep learning network. Deep learning networks use a process called Q-learning, with terms involving "state" and "action", to find an optimal solution.
e.g. rats run a maze attempting to get the cheese. Each chamber of the maze is a state, and the direction a rat takes between states is the action. The rat remembers all its attempts. This builds up a matrix of success possibilities and allows the determination of the best route.

Protecting the IoT

Predicting the future
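The rat-and-cheese description of Q-learning under deep reinforcement learning above, worked through as an added example (not from the e-book or these notes). It uses plain tabular Q-learning rather than a deep network; the maze layout, the reward of 100, the discount factor and the episode count are constructed assumptions.

```python
import random

# Constructed maze: each chamber (state) maps to the chambers reachable
# through a door (the actions). Chamber 5 holds the cheese, 4 is a dead end.
DOORS = {0: [1, 3], 1: [0, 2], 2: [1, 5], 3: [0, 4], 4: [3], 5: []}
START, CHEESE = 0, 5
GAMMA = 0.8   # discount: cheese reached sooner is worth more (assumed value)
ALPHA = 1.0   # learning rate; 1.0 works because the maze is deterministic

def train(episodes=500, seed=7):
    """Let the rat wander at random and record what it learns.
    Returns the Q matrix as q[state][action] -> expected discounted reward."""
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in acts} for s, acts in DOORS.items()}
    for _ in range(episodes):
        state = START
        while state != CHEESE:
            action = rng.choice(DOORS[state])          # pure exploration
            reward = 100.0 if action == CHEESE else 0.0
            # Best value obtainable from the chamber the rat lands in.
            best_next = max(q[action].values(), default=0.0)
            target = reward + GAMMA * best_next
            q[state][action] += ALPHA * (target - q[state][action])
            state = action
    return q

def best_route(q, start=START):
    """Follow the highest-valued action from each chamber to the cheese."""
    route, state = [start], start
    while state != CHEESE and len(route) <= len(DOORS):
        state = max(q[state], key=q[state].get)
        route.append(state)
    return route

if __name__ == "__main__":
    q = train()
    for state, actions in q.items():
        print(state, {a: round(v, 2) for a, v in actions.items()})
    print("best route:", best_route(q))
```

The learned matrix values the door from chamber 0 to chamber 1 at 64 and the door to chamber 3 at 40.96, so the greedy route avoids the dead end.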