<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DDoS attack Archives - Artificial Intelligence</title>
	<atom:link href="https://www.aiuniverse.xyz/tag/ddos-attack/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.aiuniverse.xyz/tag/ddos-attack/</link>
	<description>Exploring the universe of Intelligence</description>
	<lastBuildDate>Tue, 28 Apr 2020 09:31:40 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Using the Power of Machine Learning to Detect Cyber Attacks</title>
		<link>https://www.aiuniverse.xyz/using-the-power-of-machine-learning-to-detect-cyber-attacks/</link>
					<comments>https://www.aiuniverse.xyz/using-the-power-of-machine-learning-to-detect-cyber-attacks/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Tue, 28 Apr 2020 09:31:27 +0000</pubDate>
				<category><![CDATA[Machine Learning]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Cyberattacks]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[Machine learning]]></category>
		<category><![CDATA[ML]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=8398</guid>

					<description><![CDATA[<p>Source: cxotoday.com As the world becomes increasingly digital, we are unlocking more value and growth than ever before. However, a challenge that governments, enterprises as well as <a class="read-more-link" href="https://www.aiuniverse.xyz/using-the-power-of-machine-learning-to-detect-cyber-attacks/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/using-the-power-of-machine-learning-to-detect-cyber-attacks/">Using the Power of Machine Learning to Detect Cyber Attacks</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Source: cxotoday.com</p>



<p>As the world becomes increasingly digital, we are unlocking more value and growth than ever before. However, a challenge that governments, enterprises as well as individuals leveraging technology constantly face is the growing threat of cyberattacks that looms large over us.</p>



<p>Cyber security solutions provider SonicWall’s 2019 report revealed 10.52 billion malware attacks in 2018, a 217% increase in IoT attacks and 391,689 new variants of attack that were identified. What’s more, cyber criminals today are evolving with technology and upping their game. Such incidents don’t just have the potential to bring businesses to a standstill but can also inflict serious damage on their resources and reputation.</p>



<p>With an increasing number of cyberattacks targeting critical networked resources that cannot be detected by traditional network monitoring tools, it becomes critical to explore and leverage sophisticated tools for detection and reporting of such attacks.</p>



<p>Artificial Intelligence (AI) and Machine Learning (ML) are two of the hottest technology trends that have the potential to transform the modern security architecture landscape. Artificial intelligence is any technique that enables computers to mimic human behavior. Machine Learning is the ability to learn without being explicitly programmed. Both these techniques are widely used in various industries like healthcare, banking and storage.</p>



<p><strong>DoS and DDoS attacks</strong></p>



<p>In this blog, we explore an innovative approach to detect Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks – two of the major kinds of attacks plaguing organizations – using an ML algorithm that mines application-specific logs.</p>



<p>In a DoS attack, the hacker tries to prevent genuine users from using a website by maliciously flooding it with traffic, which can cause the system to crash. The attack has a single origin, i.e. it is made from one computer or internet connection. With hackers getting more innovative, there are multiple ways of carrying out such attacks. Recently, a specially crafted MP4 file that was circulated on WhatsApp triggered a DoS attack on individual users. Attackers can take advantage of this vulnerability to deploy malware on the user’s device to steal sensitive files and also use it for surveillance purposes.</p>



<p>When an attacker uses multiple machines to send requests with mischievous intent, trying to take over the target machine’s resources, it is a DDoS attack. In what is said to be one of the most powerful DDoS attacks, GitHub in 2018 received a staggering 1.35 terabits/second of traffic on a particular day for 18 minutes. GitHub, along with their DDoS mitigation service provider Akamai Prolexic, handled the situation and resolved it within 20 minutes.</p>



<p>The reasons for such attacks can be varied – from an intent to steal data or defame an enterprise to using it as a decoy to perform another high-impact attack.</p>



<p>Some of the most high-profile cases include the DDoS attack on the Telegram messaging app, which hampered its day-to-day communication. Large multinationals such as PayPal, Twitter and Spotify, with some of the most advanced security tools, have also been victims of similar attacks.</p>



<p><strong>Machine learning to tackle attacks</strong></p>



<p>Today, enterprises across industries are using the cloud to build and manage software. Microservices is a widely used software development technique and Application Program Interface (API) is a type of microservice used in various industries such as banking, storage and healthcare. Many instances of microservices automatically start when required. In such a situation, it is not possible for humans to monitor and check if all the instances are genuine. This presents a greater cyber-attack risk.</p>



<p>A system with APIs is designed on the assumption that each of the routines will be called only a limited number of times per day, and this can provide a viable solution to such attacks. However, the number of calls might increase due to programmatic retries if the API fails to respond in a timely manner. The number of API calls may also increase when debugging or troubleshooting procedures are performed. Even with troubleshooting, the maximum threshold is not expected to go beyond a defined number of calls per day.</p>



<p>Here, we can make a rudimentary assumption – that if an API call is invoked more than 100 times, then it may constitute a DoS/DDoS attack. The ML algorithm can then be trained using logging data to classify if the system is under attack based on certain attributes.</p>



<p>The logs generated by various microservices are continuously monitored using log monitoring tools such as Fluentd. Various attributes, such as client IP address, API request and date and time, are retrieved from the acquired log data.</p>



<p>This information can be fed into a preprocessor in real time, which calculates the number of hits on a certain API for a given date and time, and client IP address. There can be situations where multiple machines are used to attack multiple APIs exposed by a target. Every industry that uses APIs, especially applications that deal with sensitive information, can be impacted by DoS or DDoS attacks. These attacks are not just used for denying services to a consumer; an attacker can also use them for sending malware with the intent of gathering sensitive data.</p>



<p>Machine Learning algorithms can be used to train and detect if there has been a DoS/DDoS attack. As soon as the attack is detected, an email notification can be sent to the security engineers. Any classification algorithm can be used to categorize if it is a DoS/DDoS attack or not. One example of a classification algorithm is Support Vector Machine (SVM) which is a supervised learning method that analyses data and recognizes patterns.</p>



<p><strong>With increase in attacks, early detection is the best solution</strong></p>



<p>According to data from cybersecurity firm Kaspersky, the number of DDoS attacks rose by a third in the third quarter of 2019. In its survey, it observed that DDoS attacks are the second most expensive type of cyberattack targeting small and medium-sized businesses, and the average cost of such breaches is estimated to be $138,000.</p>



<p>With cybercrime mushrooming across the world, the players are not just limited to seasoned criminals, and traditional methods are giving way to sophisticated techniques.</p>



<p>Perhaps one of the strongest indicators of the escalation of such activities is the growth of the DoS/DDoS attack solution market, which is estimated to increase from $900 mn in 2019 to $9 billion in 2025.</p>



<p>The most recent DDoS attacks have been observed to hijack connected devices such as webcams, baby phones, routers, vacuum robots, etc. to launch their attacks.</p>



<p>The number of devices remotely controllable via apps is growing exponentially and the Internet of Things (IoT) is expected to easily surpass 20 billion connected devices by the end of 2020.</p>



<p>Current IoT systems follow a centralized architecture that makes them more prone to DoS or DDoS attacks. Blockchain technology can be used to enable the creation of IoT networks that are peer-to-peer (P2P) and trustless. This removes the possibility of a centralized single point of failure. An attacker’s Command &amp; Control server will not be able to gain access to publish the DDoS attack instructions because of the P2P network of blockchain.</p>



<p>Since we cannot control when, where or how an attack may come our way, and absolute prevention against these cannot be guaranteed yet, our best shot for now is early detection which will help mitigate the risk of irreparable damage such incidents can cause.</p>



<p>Organizations can use existing solutions or build their own to detect cyberattacks at a very early stage to minimize the impact. Any system that requires minimal human intervention would be ideal.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/using-the-power-of-machine-learning-to-detect-cyber-attacks/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Machine Learning Is Chasing Out DDoS, The Newest Evil In Cyber Security</title>
		<link>https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/</link>
					<comments>https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/#comments</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Mon, 20 Aug 2018 06:24:48 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Machine Learning]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[DDoS attack]]></category>
		<category><![CDATA[Machine learning]]></category>
		<category><![CDATA[ML techniques]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=2765</guid>

					<description><![CDATA[<p>Source &#8211; analyticsindiamag.com One of the most dangerous aspects looming over the computer world is security threats. It is estimated that around three trillion dollars are lost in cyber crimes every <a class="read-more-link" href="https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/">Machine Learning Is Chasing Out DDoS, The Newest Evil In Cyber Security</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Source &#8211; analyticsindiamag.com</p>
<p>One of the most dangerous aspects looming over the computer world is security threats. It is estimated that around three trillion dollars are lost in cyber crimes every year. This figure is expected to double by 2021. With all of these threats lurking around, it is difficult to track and eliminate every threat, especially as the number of users is rising exponentially.</p>
<p>The most popular among the existing cyber threats now is the distributed denial of service (DDoS) attack. A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks have adversely affected businesses on a large scale.</p>
<p>Now, with machine learning prevailing in the tech ecosystem, eliminating DDoS attacks has found a new way. In this article, we will lay out a research paper that has used ML techniques to subdue DDoS attacks in systems.</p>
<h3>Session Initiation Protocol (SIP) And Voice Over Internet Protocol (VoIP)</h3>
<p>Z Tsiatsikas and a team from the University of the Aegean, Greece, have published a new research study on countering DDoS in SIP-based VoIP systems through ML. The reason for choosing VoIP systems is their popularity and spread in the hardware ecosystem. With the growing number of digital devices and the abundant availability of the internet, VoIP is the preferred method for voice and multimedia communications.</p>
<p>In order to establish a VoIP session, Session Initiation Protocol (SIP) is the popular means of initiating these sessions. A simple version of the SIP/VoIP architecture is given below:</p>
<ul>
<li><b>User Agent (UA):</b> The active entities in the session, which represent the endpoints of SIP. For example, in the context of voice communications, the caller and the receiver are the endpoints in the session.</li>
<li><b>SIP Proxy Server:</b> An intermediate entity which acts as a client and a server simultaneously during the session. The role of this server is to maintain send and receive requests as well as to transfer information to and from the users.</li>
<li><b>Registrar:</b> This component takes care of authentication and register requests for the UA.</li>
</ul>
<p>All of the SIP communication is logged by the VoIP provider. This is important because it gives out billing and accounting information for service providers based on users’ activity. Interestingly, it can also give out information regarding intrusion or suspicious activity present in the network. This can be a breeding ground for DDoS attacks if left neglected.</p>
<h3>Aggregating ML Techniques In VoIP</h3>
<p>The researchers consider the same SIP VoIP architecture and use five standard ML classifier algorithms in their experiments, which are as follows:</p>
<ol>
<li>Sequential minimal optimisation</li>
<li>Naive Bayes</li>
<li>Neural networks</li>
<li>Decision trees</li>
<li>Random Forest</li>
</ol>
<p>These algorithms are set up for dealing with communications directly in the experiment. Then, classification features are generated once the network is made anonymous using a keyed-hash message authentication code (HMAC) for the VoIP communications. The algorithms are tested under 15 DDoS attack scenarios. In order to do this, the researchers designed a ‘test bed’ of DDoS simulations, which is shown below:</p>
<figure id="attachment_27426" class="wp-caption aligncenter"><img class="wp-image-27426 size-full" src="https://i2.wp.com/www.analyticsindiamag.com/wp-content/uploads/2018/08/ddos1.jpg?resize=835%2C591&amp;ssl=1" alt="" width="672" height="476" /><figcaption class="wp-caption-text"><em>DDoS simulation test-bed (Image courtesy: Z Tsiatsikas and researchers)</em></figcaption></figure>
<p><i>“Three or four different Virtual Machines (VMs) have been used for the SIP proxy, the legitimate users, and the generation of the attack traffic depending on the scenario. All VMs run on an i7 processor 2.2 GHz machine having 6GB of RAM. For the SIP proxy, we employed the widely known VoIP server </i><i>Kamailio</i><i> (kam, 2014). We simulated distinct patterns for both legitimate and DoS attack traffic using sipp v.3.21 and sipsak2 tools respectively. Furthermore, for the simulation of DDoS attack, the SIPp-DD tool has been used. The well-known Weka tool has been employed for ML analysis.”</i></p>
<p>The training and testing processes for the algorithms include both normal traffic and attack traffic. To simulate the attack traffic, the researchers use a range of random high call rates to give a feel of real VoIP, whereas the normal traffic has normal, observed call rates.</p>
<p>The training scenario in the experiment is denoted as SN1 and testing scenarios are denoted as SN1.1, SN1.2, SN1.3 etc. A detailed description is given here.</p>
<h3>Performance</h3>
<p>The algorithms fare well compared to non-ML detection. Among the algorithms, Random Forest and decision trees rank highest when measured from an intrusion detection viewpoint. The other three fare below them. In addition, as the attack traffic rises, the intrusion detection rate drops, which means DDoS is evident. Ultimately, ML techniques outclass conventional attack detection techniques/methods.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/machine-learning-is-chasing-out-ddos-the-newest-evil-in-cyber-security/feed/</wfw:commentRss>
			<slash:comments>4</slash:comments>
		
		
			</item>
	</channel>
</rss>
