Areas such as intrusion detection, malware detection, and phishing detection can be conquered by well-implemented machine learning-based solutions. However, we need to set up the right environment for these systems to succeed.
For many years now cybersecurity has topped the list of concerns for a public and private organizations, and even national agendas in many countries around the world. Cyberwarfare has proven to be one of the ugliest faces of war with many examples to mention such as the Colonial Pipeline attack, the California water, and waste-water facility attack, Newfoundland and Labrador healthcare system attack, and the ongoing war in Ukraine just to name a few.
Attacks have grown in numbers and sophistication throughout the past decade, and many organizations believe that cyber-attacks are an inevitable reality. Another alarming trend is the noticeable increase in Advanced Persistent Threats (APT)s. These threats, as the name indicates, are way more advanced compared to independent hacking individuals or groups, with almost unlimited resources and persistence. APTs have been blamed by specialists for most of the advanced attacks that we have witnessed in the past few years.
Attack detection is not an easy task. Statistics show that the average time it takes an organization to detect a breach was 228 days in 2020. This number might seem shocking to outsiders of the cybersecurity world, but it is an improvement compared to previous years. This number is a clear indicator that whatever we’re doing now in cybersecurity is not enough.
Attack detection usually relies on one of the two techniques: signature-based detection, and anomaly-based detection. Very few hybrid systems are lucky to have both. Signature-based detection, which is most popular among cybersecurity professionals, is based on having a database of “signatures” that can be used to identify specific actions, information, code, or any other known indicator to detect an attack. These systems operate in a manner very similar to an anti-virus software with a “definitions database”.
This model seems to work well with well-known attacks that are quite common, and that’s why cybersecurity professionals like it. The internal workings of it are very clear. “If this signature is detected, then this is an attack”.
The main issue with signature-based detection is the same point of strength it has: it is very good at detecting known attacks. What about unknown attacks? Signature-based detection systems perform very poorly with new attacks that are unknown or not yet included in their signatures database (i.e. zero-day attacks). The term “zero-day attacks” refers to attacks that exploit vulnerabilities that have not been identified or patched by the vendor yet. Zero-day vulnerabilities have become an expensive commodity with millions (if not billions) in revenue.
Malicious actors decided that it makes more money to sell these vulnerabilities they find to the highest bidder rather than turn it to the vendor to get a low-dollar bounty prize or a “thank you” note. Although many large organizations have created highly paying bounty programs, they’re not yet able to catch up to large organizations, or even governments that are willing to pay for these vulnerabilities.
The other technique of detection is anomaly-based detection. This detection method relies on being “told,” or “trained” for what is considered normal behavior so that it can flag any action that deviates from the normal behavior and flag it as an “anomaly”. The concept of identifying anomalies requires many contributing factors to be successful, such as:
- System action must be observable
- A baseline of what is “normal” must be established before the system can detect “abnormal” behavior.
- A certain “sensitivity” needs to be set such that false positives and false negatives are minimized.
Machine-learning can help
These requirements are not easy to accomplish, and that’s what makes anomaly-based detection systems the least favorite with cybersecurity professionals. In terms of systems that have the capacity to “learn” what is normal and what is abnormal, machine-learning comes to the front. This seems like a problem that machine-learning can address successfully. However, cybersecurity professionals do not like to rely on systems they don’t fully understand. Even with the recent developments in machine learning and artificial intelligence, most cybersecurity professionals see it as a black-box that claims to do something without really explaining how it does that.
Having worked on both sides, although more on the academic rather than the industrial, in my career, I understand both arguments. The academic side claims that machine-learning models are capable of capturing sophisticated and “unknown” attacks, as machine-learning does in other areas. On the other hand, cybersecurity professionals cannot entrust an important task like attack detection to an unknown black-box that claims to do miracles. I have heard many arguments about how machine-learning-based solutions failed to detect large-scale attacks such as the SolarWinds attack. I don’t have a clear answer to why this happened. However, I know that we cannot expect great results from systems that we do not support or do not provide with the reasons to succeed. It is just unfair.
So what are the approaches?
We are already behind in the fight against malicious actors, and we need all the help we can get. I believe that machine-learning-based solutions can really help attack detection in different aspects. Areas such as intrusion detection, malware detection, and phishing detection can be conquered by well-implemented machine learning-based solutions. However, we need to set up the right environment for these systems to succeed. We need cybersecurity experience to join forces with machine-learning engineers to build these systems in the right way. A machine-learning engineer can spend long hours, and maybe days trying to select the best features to capture and feed into the system, and still fail. While with the help of a cybersecurity expert, decisions made in relevance to feature selection, and data preprocessing can achieve success in a shorter time, and probably with much higher accuracy.
Another aspect we must explore further is explainable machine learning. Providing machine learning models that are explainable would help cybersecurity professionals understand, and hence adopt these systems much faster. With extensive work in explaining the models, there will no longer be black-box decisions. All of these decisions will be based on an explainable basis that can be easily connected to real-life cybersecurity experience. If we combine these two paths; collaborative work and explainable machine learning, the day when we will trust machine learning with our cybersecurity will come sooner than we anticipate.
About the author:
Mohammed M. Alani is a Professor of Cybersecurity and Networking at the School of Information Technology Administration and Security, Seneca College of Applied Arts and Technology, Toronto, Canada. His major fields of interest are networking, and data and network security.
Like to be an author? Contribute to the EAI blog with a similar article.