Countering Intelligent Malware: Neural Networks, AI, and Security

But what if the malware could evolve, all by itself, without the delays involved in human beings crafting each generation?

Moreover, the bad-guy interest groups are increasing in type, numbers and in technical skills. They bring a range of motivations for doing what they do, which makes it even harder to keep up. There are script kiddies who may have no motives other than causing mischief and bragging to their peers. Hacktavists with aspirations to change society, politics, the economy, or be vigilantes. Organized crime, with their ransomware, account hacking, identity theft and fraud. Terrorists, who by definition want to make us fearful in whatever ways they can. And increasingly, state actors who see cybercrime - including the dissemination of misinformation - as a valid tool to achieve their political agendas. And today the bad guy will often be an insider placed inside the edge of your security barriers.

With the rapid growth of IoT, we have millions more devices attached to our networks that are capable of running code. Anything that runs code is a target for malware. Ironically, security cameras are a big favorite. When a bad guy gets malware onto one device behind a firewall it may infect them all, and every one can be used in a coordinated attack on the selected target. The recent attack on Dyn (October 21, 2016) almost certainly involved the use of security cameras. While these devices should have been manufactured with better security measures, it is much harder after-the-fact to inoculate these existing IoT devices than it is to inoculate a computer, switch, or router. It's simply not economically feasible to recall and replace them all.

Targets of cyber-attacks are also numerous and diverse with traffic reaching terabit scales. DDoS can be directed at websites, IP application servers, DNS, or LDAP. Request/response traffic and error traffic can multiply the effects. “LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x,” says Corero Network Security.

In the world of networks, computers and connected devices, today the human authors of malware act as the agents of evolution; seen for example in the evolution of the malware loader Nemucod. But what if the malware could evolve, all by itself, without the delays involved in human beings crafting each generation?  So postulates Darwin Inside the Machines, “By using an evolutionary function, computer malware could implement traits and tricks that allow them to mimic clean application behavior, have themselves white-listed, avoid signature-based detection, or recruit proxies to do their bidding. More importantly, malware could conceivably alter its functionality so as to discover new exploits or find new platforms to infect, with the same ease that biological viruses gain immunity to antiviral drugs, or adapt to new hosts.”

One of the most successful of all biological lifeforms is the virus. Viruses are successful because of their ability to create new generations quickly, with each generation fitter than the previous one to survive in the environment it finds itself. Self-replicating and self-improving malware does the same thing. But it need not always be self-modifying. When needed for innovation, there could be an intelligent human in the design stage of the modification loop. And threat evolution can occur in the lab. Bayesian simulation modeling by bad guys can test and improve these attack vectors. When such self-replicating mutating malware is out in the wild, what can we expect?

Improving Policy Response

These attack vectors are complex and increasing. It’s an ever more rapidly changing environment and one in which a comparatively static policy-rules based approach just won’t be able to keep up. A new paradigm is needed, and fortunately the industry is getting its collective head around what this implies, and has been for some time.

Until recently our paradigm for the automation of network management, service management and security was based on policies and rules. Policy-based management works best in an environment where expert humans really understand the principles of what is happening and can convert their expertise into decision trees. Products include an often complex set of fairly static stimulus-response rules. Humans oversee what’s going on and update the rules when new circumstances or fresh knowledge is applicable. Policy-based management was state-of-the-art ten years ago. It cannot keep up with its slow update cycle. Also, stimulus recognition must become more complex and rich than is present in rules engines and simple pattern identification.

A new approach is to replace policy-management’s encoding of expert knowledge with machine discovery of complex patterns. Network twining and the capture of huge datasets of past attacks allows for mathematical analysis and modeling of the attack scenarios. Darktrace does this with Recursive Bayesian Estimation (RBE) theory. In such a Bayesian approach many runs of a model with varying parameters are made against a data set and the most probable solutions are selected. With Decision Analysis and solution goal costing, the optimal solution outcomes are identified. As Darkface (product: “Antigena”) explains, machine learning is used to identify what is normal in a specific network and then identified departure patterns outside that norm could be advance warnings of a cyber-attack or data breach.


Latest Updates

Subscribe to our YouTube Channel