Machine learning in cybersecurity: A novel framework for anomaly detection
The framework, called keyed learning, is aimed at preventing adversaries from anticipating how security algorithms optimized via machine learning will respond to attacks.
Italy, 2019
As machine learning applications in cybersecurity continue to grow, so do the necessary precautions for preventing malicious cyberattacks. Though efforts have been made in this regard by using secret keys in intrusion detection, a more comprehensive formalization of the problem and a more general solution are needed. Professor Francesco Bergadano, from Università degli Studi di Torino, Italy, has recently published a framework called keyed learning in ETRI Journal to help improve the security of anomaly detection systems in an adversarial context.
Machine learning algorithms can be employed for anomaly detection, by which unusual patterns in the input or sensed data are detected, giving rise to an alarm and thus triggering higher security measures. Such algorithms have to be trained secretly because a malicious adversary could determine the characteristics of the learning process and therefore know what an input should look like for it to be misclassified (for example, classify fake input data as authentic). This “secrecy” notion is accomplished through the explicit use of keys, which are secret bit sequences that affect the learning process in potentially many different ways.
To understand this, knowing the basics of anomaly detection algorithms comes in handy. These algorithms can usually be referred to as classifiers, whose objective is to classify incoming data as either “normal” or “anomalous”. To train such algorithms, they are given ground truth data, which simply means a series of past examples for which we know the answer. Based on these examples, the algorithm learns to identify future instances of anomalous inputs.
Keyed learning implies the use of secret keys to perform various functions during the learning process, such as secretly filtering out examples from the training data or affecting the inner calculations of the model, such as by arbitrarily limiting or altering the features that are extracted from the training data. Although similar techniques had been already reported in the literature based on sensible intuitions about cybersecurity, the framework developed by Prof. Francesco Bergadano from Università degli Studi di Torino, Italy, takes a more general approach to these notions and considers the use of secret keys in any aspect of the learning algorithm. “In this paper, I have formalized previous intuitions and defined a new general notion of ‘keyed learning’. Previous approaches were limited to a very specific context,” explains Prof. Bergadano.
The proposed framework for keyed learning could find many relevant real-life applications in cybersecurity, as Prof. Bergadano states: “Keyed learning is appropriate for anomaly detection applications, where we want to find anomalies with good accuracy, but we do not want an adversary to predict whether a particular anomaly will be detected. Examples include malware classification, website defacement detection, spam/malicious email filtering, and network intrusion detection.” However, establishing the framework is only the beginning. Now, other researchers and engineers should be encouraged to employ this framework to formalize keyed learning techniques and measures. This will hopefully increase the security of our systems and networks so that those with malicious intents are stopped right on their tracks.
Reference
Name of author: Francesco Bergadano
Affiliation: Dipartimento di Informatica, Università degli Studi di Torino
About Professor Francesco Bergadano
Francesco Bergadano obtained his PhD degree in computer science from the University of Milan and Turin. Since then, he has worked as a Visiting Professor in George Mason University (USA), Professor at the University of Catania (Italy), and now Professor at the University of Turin (Italy). He has also worked as a consultant and has been the principal investigator in national and EU-funded research projects. He has authored over 120 publications on machine learning and IT security, which remain his research area of interest.
Media contact:
