What can be detected?
- Viruses (needs to be executed by user)
- Worms (can spread themselves)
- Ransomware (requires viruses, locks the computer)
- rootkits: infect operating system ( can observe key log)
- backdoors: remote control the compute
- spyware: toolbar collects Browser behavior
- Trojans: pretend to be something it is not and executes malicious code locking computer
- Active content: javascript background download watching a video
detection mechanisms
intrusion detection prevention system IDS IPS
- > systems capable of automatically detecting preventing an intrusion into an organizations network or host systems and notifying a designated authority
- > prevent an attack or mitigate losses or damage to information assets
Firewalls:
- > Network security device used to restrict access to assets such as data and systems
- > based on a defined set of rules
- > acts as filter
IT based detection mechanism
Security information and event management SIEM
- > uses data form servers and other network devices
- > purpose: interpreting, filtering, correlation, analyzing, storing, reporting, and acting on the sculpting information
Trap and trace systems
- > based on honeypots and honey nets to track attackers through a network
- > honeypot honey net: a system/network designed to lure attackers while notifying administrators of the intrusion (learn from attackers)
Anti-malware software (essentially IDS and SIEM)
AI
anything that can be viewed as perceiving its environment through sensors and acting upon that environment through actuators
Intelligent behavior is based on an agent function that connects data inputs with actions executed by the agent
the agent function can be realized using different technical approaches (e.g. static sets of human defined rules, patterns derived from data through algorithms)
Machine Learning
learning from experience with algorithms that are trained on data to create models that capture patterns in the data
SL: an algorithm is trained based on input and corresponding output data to learn a function that matches a given input and output to predict outputs for new inputs ( detection of spam e-mail)
UL: based on input data only, an algorithm detects patterns in the data such as groups or cluster that show some kind of similarity (detection of network anomalies)
AI-based Detection
Spam e-mail identification based on supervised learning
- traditionally based on pre defined rules (e.g. blacklists)
- classification algorithms e.g. SVM learn to identify spam e-mails based on large sets of training data
- the model that is learned can be used to classify future e-mail
Intrusion detection based on UL
- > traditionally based on signature detection (i.e. applying predefined rules, based on known attack patterns)
- > anomaly detection: detection unnormal instances within datasets using clustering algorithm here deviations from normal network usage
- > Advantage over supervised learning: ability to identify unknown attacks
Issues with AI -based detection
Quality of training data determines result quality
- false positives/ false negatives can be extremely costly
- danger of model inversion attacks that allow inferences to sensible training data
- Data Poisining to manipulate machine learning
- > Attackers try to get their inputs accepted as training data
- > microsoft twitter chat bot
