AI on preventing Cyber Security Attacks
Each & every company providing online services has so much data of their customers. But how they are protecting those data ? Keep on reading this article to know how AI is helping them to achieve this…
Data Protection :
In today's world there's 4.72 billion users, who use Internet daily. Most of them are using internet for Social Media Platforms, Video Streaming Platforms, Banking Transactions etc. This is the reason popular companies like Google, Facebook, Amazon, Microsoft etc. has too much data about their users. Similarly popular banks like HSBC, Citigroup, JPMorgan etc. has very much sensitive data about their customers.
None of the company in today's world want these data to be leaked anywhere in the internet. Because…
“Data is business, Data is privacy”
But as we know all these technologies are created by humans and none of the technology is 100% bug free. Some of the genius mind find out these loopholes & start making their own profit from them. From here comes the birth of Cyber Crimes.
What is Cyber Attack ?
- In simple terms — A cyber attack is an assault launched by cybercriminals using one or more computers against a single or multiple computers or networks. A cyber attack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks.
- Cybercriminals use a variety of methods to launch a cyber attack, including malware, phishing, ransomware, denial of service, among other methods.
This blog is obviously not about learning Cyber Attack & how to do an attack. This blog is focused on the techniques that companies use daily to prevent these attacks. But without knowing the problem, we can never be able to find the solution. So, let’s learn few examples of cyber attacks & then we will learn about the prevention methods.
Example of Cyber Attacks :
SolarWinds Sunburst Attack :
- This was the most sophisticated attack that IT Industry had ever encountered. This attack was made possible when hackers were able to embed a backdoor into SolarWinds software updates. Over 18,000 companies and government offices downloaded what seemed to be a regular software update on their computers, but was actually a Trojan horse.
- By leveraging a common IT practice of software updates, the attackers utilized the backdoor to compromise the organization’s assets enabling them to spy on the organization and access it’s data.
Ransomware Attacks :
- Digital transformation started when companies started using Cloud Computing, Cloud based subscriptions, mobile applications etc. to reach to their customers faster. Now it's obvious that, more companies started increasing their platform by adding more vectors which create more options for the attackers.
- In Q3 2020 Check Point Research saw a 50% increase in the daily average of ransomware attacks, compared to the first half of the year. Organizations worldwide were under a massive wave of ransomware attacks, with healthcare as the most targeted industry. As these attacks continue to mature both in frequency and intensity, their impact on business has grown exponentially.
These are two very popularly known attacks, but similarly there are lot of attacks happening daily, like for example…
- Cyber extortion where attackers demand money to prevent the attack which they are doing continuously.
- Identity Fraud where attackers stole someone's public profiles like social media accounts, YouTube channel etc. to share false information.
- Cyber Spying where attackers mainly target government data centers to stole those data.
- Data Theft where normally attackers keep on stealing & selling someone's personal bank account details, corporate data etc.
and many more.
Artificial Intelligence in prevention of Cyber Attacks :
- In today's world the biggest Domain of IT is Artificial Intelligence. We use Machine Learning to create this Artificial Intelligence in our systems. Nowadays ML is very much strong & it's becoming more stronger as more data we are keep on feeding in our ML Models.
- We can train our Machine Learning Model to detect the possible Cyber Attacks. For that we have lot of different kind of models and applications available based on what kind of attack we want to prevent. Let’s discuss one of the very simple mathematical formula that we use in ML prediction to prevent the Cyber Attack.
Confusion Matrix :
In Machine Learning we have lot of different kind of problems based on what we want to predict. One of the famous problem is Binary Classification. In this problem our goal is to predict binary output like yes or no, true or false etc.
Confusion Matrix is one kind of table that helps us to calculate & analyze the performance of our Binary Classification Model. This is a 2x2 matrix. The columns in the confusion matrix correspond to what the machine learning algorithm predicted and the rows in a confusion matrix correspond to the known truth (Actual value).
Let's take an Example :
Now think in this way, we created one Machine Learning Model, that take some inputs like body weight & height, blood sugar level, blood SPO2 level, patient age etc. & finally it predicts — Does the patient have any disease or not ?
Next we put 165 individual patients data in our model to do the prediction. Once the prediction is done we can create one Confusion Matrix as summary to see the performance of our model. Let's analyze what's there in this table…
Understanding the four different kind of outputs :
- True Negative (TN) :
Meaning of True Negative is our Machine Predicted 50 patients don't have disease & that is true means whatever our machine predicted is right.
- True Positive (TP) :
It’s the opposite of True Negative means total 100 patients predicted has some diseases & that's true mean in actually those patients have disease.
- False Positive (FP) :
In this case model predicted that 10 patients have the disease but that’s a wrong prediction. In actuality those 10 patients don’t have disease. This kind of output is also known as Type I error.
- False Negative (FN) :
Here Comes the challenge because our model predicted that 5 patient don’t have disease, but that’s false means the prediction is wrong. That means actually those 5 patients have disease. This kind of output is also known as Type II error.
Now if we think once again, we can very easily tell that those 5 patients who are predicted as not having any disease are in most dangerous situation. Because actually they have disease & by looking at the prediction if we don’t diagnose them, then that can cause issues.
But if you look at those 10 patients who don't have disease, but predicted as having disease are not on that much problem. Because although we need to diagnose them but they don't need to worry.
So, we can come to conclusion that in Medical Field Type II error is most dangerous. Now as we know what Confusion Matrix is doing for us, we can implement same kind of methodology in Cyber Attacks.
Intrusion Detection System(IDS) :
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. Any malicious activity or violation is typically reported or collected centrally using a security information and event management system.
IDS Detection Types :
There’s a wide variety of IDS, ranging from antivirus software to tiered monitoring systems that follow the traffic of an entire network. The most common classifications are :
- Network intrusion detection systems (NIDS): A system that analyzes incoming network traffic.
- Host-based intrusion detection systems (HIDS): A system that monitors important operating system files.
There is also subset of IDS types like for example :
- Signature-based IDS which detects possible threats by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. This terminology originates from antivirus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is impossible to detect new attacks, for which no pattern is available.
- Anomaly-based IDS is a newer technology designed to detect and adapt to unknown attacks, primarily due to the explosion of malware. This detection method uses machine learning to create a defined model of trustworthy activity, and then compare new behavior against this trust model. While this approach enables the detection of previously unknown attacks, it can suffer from false alarms.
What's in Backend of these IDS ?
We can see that NIDS mainly analyze the network traffic & try to detect those traffics which are trying to steal our data or trying to destroy our servers. To achieve this in backend IDS uses Machine Learning. Data Scientists & Security Operation Teams always keep on collecting the logs from the servers & then creating the Machine Learning model from it.
There's lot of algorithms available in Machine Learning to create the model from server logs. But in IDS mostly they use Decision Tree, K-Nearest Neighbor (KNN), Support Vector Machine (SVM), K-Mean Clustering etc algorithms. Also scientist use Deep Learning algorithms like Artificial Neural Network to create more stronger models.
Confusion Matrix in IDS :
Again if we think in an IDS our Machine Learning Model need to predict if certain network traffic is from authentic clients or from the attackers. That means this is a binary classification problem.
In Anomaly-based IDS we mainly use unsupervised learning and there our confusion matrix provide us 4 outputs. Let's try to again understand those 4 outputs of confusion matrix & try to see why it's important to learn them.
- True Positive:
Our ML predicted that these traffics are from authentic clients & in actuality we can see those were normal traffics from our clients. So IDS allowed those traffics.
- True Negative:
Here in this scenario we find our ML predicted that these traffics are not from usual clients & in actuality we can see those traffic were from attackers. That means IDS will be able to block them.
- False Positive :
In this case our ML predicted that these traffics are from authentic clients, but that's false. It means IDS will allow those traffic but as those traffic were from attackers so our systems might be hacked or destroyed.
- False Negative:
In this case our ML will predict that these traffic are not from usual clients, but in actuality those were from actual clients. That means they will block those traffic.
If we now try to compare between Type I error (False Positive) & Type II error (False Negative), we can say both has it's own downsides. Because in case of Type II error we are loosing our clients. But in case of Type I error, it's the most dangerous. In Type I error IDS is allowing traffic from hackers which obviously we never want.
Some of the basic Terms to find the performance of our model :
It is the ratio of correctly predicted Attacks to all the samples predicted as Attacks.
It is a ratio of all samples correctly classified as Attacks to all the samples that are actually Attacks. It is also called a Detection Rate.
- False positive rate:
It is also called the false alarm rate and is defined as the ratio of wrongly predicted Attack samples to all the samples that are Normal.
- True negative rate:
It is defined as the ratio of the number of correctly classified Normal samples to all the samples that are Normal.
It is the ratio of correctly classified instances to the total number of instances. It is also called Detection Accuracy and is a useful performance measure only when a dataset is balanced.
It is defined as the harmonic mean of the Precision and Recall. In other words, it is a statistical technique for examining the accuracy of a system by considering both the precision and recall of the system.
Final Words :
- We can now understand that Confusion Matrix is a way to find the performance of our ML. Also having knowledge of Type I & II error is so much important because as I started by saying at the beginning — That none of the technology is 100% bug free, similarly none of the ML can predict 100 % accurate. Still these IDS devices are so much improved and scientists are keep on tuning their models to minimize these errors mainly Type I error.
- I tried to just show one of the example of Artificial Intelligence to prevent Cyber Security Attacks. But in Industry we use lots more algorithms, methods, tools etc to prevent different kind of attacks. Hope you learned something from this Article.
- I keep on writing Blogs on Machine Learning, DevOps Automation, Cloud Computing, Big Data etc. So, if you want to read future blogs of mine, follow me on Medium. You can also ping me on LinkedIn, checkout my LinkedIn profile below…
Raktim Midya - Microsoft Learn Student Ambassadors (Beta) - Microsoft | LinkedIn
★ I'm a tech enthusiast working to better understand the core concepts behind different popular Technological Fields…
Thanks Everyone for reading. That’s all… Signing Off… 😊