Machine learning: curse or blessing for IT security?
Artificial Intelligence (AI) and Machine Learning (ML) are among the most discussed topics in IT security. Some people are hoping for the ultimate liberation from malware, others fear the increase in more sophisticated cyberattacks. Both sides are right.
Artificial Intelligence is not Machine Learning
The expression “artificial intelligence”, or more correctly “machine learning”, has been on everyone’s lips for a long time now but only a few people really understood the real potential. Only one thing is certain: we are still a long way far from the development of an actual artificial intelligence as we encounter it on the big screen.
The terms Artificial Intelligence and Machine Learning are often and incorrectly used synonymously. AI is about the idea that a machine could learn and act independently and intelligently without human intervention and solely on the basis of input from the environment. With the help of algorithms for data processing, Machine Learning is able to handle certain tasks independently. The solution is based on the ability of the computer to quickly identify structures and anomalies in large amounts of data and to break down to the essential points for the question (model generation). Nevertheless, ML is mostly traded as the central foundation of AI.
ML ensures more IT security
Machine learning and one of its methods (Deep Learning) on the other hand, are technically mature and have been part of our IT security world for decades. However, both have only received increased attention in recent years. They help to uncover cases of fraud and to analyze criminal activities. In doing so, they make a significant contribution in finding new solutions to existing problems.
The Machine Learning trend has not only arrived in the decision-makers’ minds, it has become reality for a long time. A study carried out by OnePoll on behalf of ESET showed that:
- 82% of those surveyed believes that their company already uses an IT security product with ML components.
- 80% of those surveyed also believes that ML will help their company or will help them to react faster to dangers in the future.
- 76% of respondents does not believe that ML will help compensate for a lack of appropriately trained IT security staff in their company.
Cybercriminals also adopt “AI & ML”
Word has got around about the benefits of ML in the cybercrime industry. More and more hackers are using them to find and exploit potential victims or to steal valuable data. At the same time, Machine Learning can identify gaps and weaknesses before they can be closed. Last but not least, criminals use ML algorithms to protect their own IT infrastructure (e.g. botnets).
Companies that use Machine Learning on a larger scale can become particularly attractive for hackers. For example, by contaminating input data sets, they ensure that systems that actually work properly produce incorrect results and images of the data situation do not correspond to reality. Chaos, malfunction and sometimes irreparable damage are the result.
Malware driven by ML engine: Emotet
A practical example that appears to be based on Machine Learning is the malware Emotet, which is currently circulating. This is used for other unwanted applications, e.g. Banking Trojans to automatically download to the victim’s computer. Thanks to ML, Emotet is able to select its victims in a targeted manner. At the same time, it is surprisingly good to avoid discovery by researchers, botnet trackers, and honeypots.
For its attacks, Emotet collects telemetry data from potential victims and sends them to the attacker’s C&C server for analysis. In return, it receives commands or binary modules from the server. Based on this data, the software only selects those modules that correspond to its task. It also appears to be able to distinguish real human actors from virtual machines and automated environments used by researchers and investigators.
Emotet’s ability to learn the difference between legitimate and artificial processes is particularly striking. The latter are initially accepted, but they will be blacklisted within a few hours. While “real” victims send data from computers, the malicious code on computers / bots on the blacklist falls into a kind of sleep mode and stops any harmful activity.
Such processes would hardly be possible without automation. The hackers behind Emotet would have to use massive resources to control the malware. The ESET experts therefore assume that Emotet works with Machine Learning algorithms – the behavior of the malware could be implemented with a fraction of the resources and much faster.
Even hackers cannot do magic – not even with the help of Machine Learning. Malicious applications also have limits. This can be seen in the example of the Stuxnet worm, which even penetrated strongly in secured networks and was able to spread very quickly. However, it was precisely this aggressive behavior that ensured that security experts became aware of the worm, analyzed its functioning and were able to strengthen protective solutions accordingly.
A similar situation could occur for malware based on ML. With an increasing number of successful attacks, such pests become more and more noticeable and can be more easily rendered harmless.
Machine Learning and IoT
From the beginning, the Internet of Things (IoT) has been a popular target for hackers. Since then, the number of routers, surveillance cameras and other smart devices has been increasing rapidly. In many cases, however, these devices are extremely unsafe and can often be spied on with the simplest of means or otherwise misused. Factory-set, insecure passwords or weak points that have been known for years are typical.
With the help of ML algorithms, hackers are even better able to profit from these problems, for example they can:
- Find previously unknown vulnerabilities in IoT devices and collect tons of data about traffic and user behavior, which can then be used to train algorithms to improve camouflage mechanisms.
- Learn the standard behavior and processes of certain rival malware to remove it or use it for their own purposes.
- Create training sets with the most effective passwords every year based on millions of leaked passwords. This will make it even easier for you to penetrate comparable IoT devices in the future.
Men and Machines together as a team to defeat Hackers
Machine Learning is of great importance in the fight against cyber-crime, especially when it comes to malware detection. Using huge amounts of data, ML is trained to correctly divide digital malware into “benign” and “malicious”. In this way, new and unknown elements can also be automatically assigned to one of the two categories. Masses of input data are required for this – whereby each information must be correctly categorized. Contrary to what has been shown many times, it is by no means guaranteed that an algorithm will correctly label new elements simply because it was previously fed with large amounts of data. The human verification in advance and a final check for questionable results remains imperative.
In contrast to machines, humans are able to learn from contexts and act creatively. This is something that no algorithm, however advanced, can do. Professional malware authors, for example, are able to cleverly disguise the actual purpose of their code. For example, malicious code in individual pixels of a clean image file or snippets of malware in individual files can be hidden unnoticed. The harmful behavior only develops when the individual elements are combined at an endpoint. If the ML algorithm is then unable to identify this, it makes the wrong decision in doubt. A human virus hunter recognizes the danger based on his training, experience and a portion of gut feeling. It is therefore essential that humans and machines work together to actively prevent harmful activities.
ML is only part of a complex security strategy
ML has been an important security component in IT security since the 1990s. If the last digital decade has taught something, there are no simple solutions to complex problems. This is especially true for cyberspace, where conditions can change within a few minutes. In today’s business world, it would be unwise to rely on just one technology to build resilient cyber defense. IT decision-makers need to recognize that ML is undoubtedly a valuable tool in the fight against cyber-crime, but it should only be part of a company’s overall security strategy. And that still includes the professional expertise of real people: the security officers and administrators.
In conclusion, thanks to the big data and improved computer performance, machine learning (ML) has become the means of choice for countless application areas in recent years – including IT security. But the world of internet security is constantly changing. Therefore, it is impossible to protect yourself against the frequently changing dangers only with ML algorithms. Multi-layered solutions, combined with talented and qualified employees, will be the only way to always be one step ahead of hackers.
Michael Klatte, Digitale Welt Magazine