Ten AI Stepping Stones for Cybersecurity

12/14/2019 ∙ by Ricardo Morla, et al. ∙ Universidade do Porto

With the turmoil in cybersecurity and the mind-blowing advances in AI, it is only natural that cybersecurity practitioners consider further employing learning techniques to help secure their organizations and improve the efficiency of their security operation centers. But with great fears come great opportunities for both the good and the evil, and a myriad of bad deals. This paper discusses ten issues in cybersecurity that hopefully will make it easier for practitioners to ask detailed questions about what they want from an AI system in their cybersecurity operations. We draw on the state of the art to provide factual arguments for a discussion on well-established AI in cybersecurity issues, including the current scope of AI and its application to cybersecurity, the impact of privacy concerns on the cybersecurity data that can be collected and shared externally to the organization, how an AI decision can be explained to the person running the operations center, and the implications of the adversarial nature of cybersecurity in the learning techniques. We then discuss the use of AI by attackers on a level playing field including several issues in an AI battlefield, and an AI perspective on the old cat-and-mouse game including how the adversary may assess your AI power.




1 What do you mean AI?

Not Peter F. Hamilton’s Commonwealth Saga style of AI, nor the equally brilliant dozen others like Asimov’s I, Robot that thankfully populate our imagination. Not yet anyway. At the forefront of AI today are systems that learn how to perform a given task without having been specifically programmed for that task. These systems are able to learn the mappings from their inputs to their outputs, can learn more abstract representations of their inputs, and do this through multiple layers of input-to-output mapping, each layer with increasingly abstract representations. The term “deep learning” is used to acknowledge these multiple, stacked layers. In image processing, layers may provide a representation for increasingly abstract concepts of edges, contours, object parts, and the objects that we want to identify. Have the AI learn from an adequate (large, diverse) data set of labeled cat and dog images, and it will likely perform well. Need to distinguish another pair of animals? No programming required: just feed another instance of the same AI with the data set of the new pair of animals and it will likely also perform well. As you can expect, a larger chunk of the work in using deep learning lies in preparing and feeding the data set rather than in actually developing and testing new models. Alternatively, you can have the AI learn from a reward function, for example winning or losing a game, using a technique called reinforcement learning [38]. Many technical issues such as the number of layers and the type of network can have an impact on the performance of the AI too, which we will not discuss here. For a great conceptual overview of deep learning refer to chapter 1 in Goodfellow, Bengio, and Courville’s Deep Learning book [15], and continue reading the book for more technical details on deep learning.

1.1 Other approaches to AI

The deep learning approach to AI lies in the wider field of statistical machine learning, where you can find statistical models that can be learned from data. These include logistic regressions, support vector machines, component analysis, hidden Markov models, and (generically) probabilistic graphical models. For an in-depth technical description of many machine learning techniques refer to [16]. The major differences between these machine learning techniques and deep learning are 1) typically the set of features used in ML is chosen by the researcher rather than by the algorithm and 2) the typically single-layer approach in ML makes it much more complex to represent abstract concepts in the data. A very different approach to AI, and in fact its classical and predominant approach in the mid-to-late 20th century, uses rules to manipulate symbols and perform symbolic inference in an if-then logical approach. Expert systems with hand-crafted rules and well-defined symbols were built using e.g. LISP and Prolog and applied in many specific tasks. For in-depth technical details on logic and knowledge-based systems refer to chapter 7 in [35].

1.2 Methodological concepts

When going for the machine learning type of AI we should be aware of some important methodological concepts. The training phase is typically an optimization process that searches for the best configuration of the AI for the given data, and it is where the AI learns how to perform its task. The training can be supervised if we provide labels to the training data – for example the type of animal in the image – or unsupervised if we want the AI to group pictures of the same type of animal together but do not necessarily care about which type is which. Once the learning is over, we can use the AI to identify the type of animal in the inference phase. In some cases we may also want the AI to continue learning from new data during the inference phase. This process is called online, stream, or incremental learning. Although this may translate into a non-trivial technical issue of how to update the configuration of the AI, a more fundamental question is whether the underlying concepts that the AI is trying to learn have changed significantly or not [13]. Incremental learning allows the AI to track any drifts that may happen in the underlying concept and still consider the naturally occurring variance in the data. This is especially important in cybersecurity for tracking evolving normal usage, removing attack data from the learning of normal usage, and considering the possible adversarial nature of the learning data. Another important methodological concept is the independence of data samples from each other – as is for example the case with the pictures of animals – or whether the data samples are somehow sequential, as in the case of the images of a video. In that case the AI process may need to support memory, such that one or more of the previous data samples may be used both for learning and for inference. This can be the case for natural language processing and video. For insight on additional methodological concepts in machine learning such as the bias-variance tradeoff, model selection criteria, the curse of dimensionality, and performance metrics for classification including accuracy, precision, and recall refer to chapter 1 in [5] and section II in [7].

1.3 Issues at the forefront of AI

Moving towards AI singularity or not, the advances in AI lead to a number of issues that are both technical and societal [42]: will the AI perform as intended by its operators, and how can the AI fail? One way of moving forward here is to have the AI explain why it made a particular decision [10]. This is especially hard for deep learning with its multiple layers and complex interconnections. One may also question whether the AI can be tricked into making wrong decisions [32], either by slightly modifying the input data on which the AI decides or by poisoning the training data and altering the learning process. In fact, explainability and resilience to adversarial attacks are two of the challenges identified by UC Berkeley [40] for mission-critical AI usage (which includes cybersecurity), together with continuous learning and secure computing. Researchers have been questioning the use of learning from data in cybersecurity at least since Sommer and Paxson’s seminal paper [39] on the weaknesses of using machine learning outside the closed world of intrusion detection research. This paper is a turning point for machine learning in cybersecurity as it reflects on issues such as closing the semantic gap of black-box models and considering the adversarial nature of the attacker, issues that in fact cut across application domains in AI.

2 How do I use it, then?

That depends on what specifically you want to do in cybersecurity.

You may want to use an AI to help you detect or predict a malicious event. If you know the malicious event and can handwrite some rules that parse your data and signal the event, you don’t really need an AI. This is the typical signature-based approach to virus detection. If you know the event, have access to a sufficiently large number of data samples where the event occurs, but the event seems too complex for hand-written rules, then you can use supervised learning. Take the data samples from the malicious event and from the normal events, label them, and feed the data and labels to the AI. You will need to ponder the data representation and features, but more on that later. The major problem is that if a new, previously unseen malicious event is different from your known malicious events then you will likely not be able to detect it. If you don’t know the event then you have to resort to anomaly detection, which is basically saying that you want the AI to learn what the “normal”, non-malicious behavior is. Set a threshold for the malicious event and you’re ready to go. Because the AI doesn’t have samples for the malicious events, the major difficulty with this approach is figuring out the level of detail with which the “normal” behavior should be modeled. AI-empowered detection can be of use in many of the kill chain phases, by helping to identify e.g. the delivery of a weaponized document, the exploitation of vulnerabilities, the traffic used for command and control, and the exfiltration of sensitive data. Malicious event detection is likely the best-known use of AI in cybersecurity, but definitely not the only one. Beyond 1) detecting malicious events, you may also want to: 2) find causes of malicious events by correlating with data samples from other sources, 3) find similar malicious events by defining a distance metric between them and grouping according to that distance, 4) identify patterns of attacks by finding frequently occurring sequences of malicious events.
You can go beyond malicious events and consider using AI to rank, filter, organize, and interpret cybersecurity intelligence, and to prioritize and contextualize vulnerability scans and incident report response, just to mention a few.
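The two detection routes described above, as an added example that is not code from the paper: a supervised nearest-centroid classifier trained on labeled normal and known-malicious connections, beside an anomaly detector that models only normal traffic and thresholds on the largest per-feature deviation. The feature pairs (bytes_out_kb, n_packets), the sample values and the threshold of 3 standard deviations are all constructed for the illustration.

```python
"""Added example (not from the paper): supervised detection of a known malicious
class versus anomaly detection on constructed per-connection features
(bytes_out_kb, n_packets)."""
import math
from statistics import fmean, pstdev

# Constructed training samples: (bytes_out_kb, n_packets)
NORMAL = [(12, 25), (15, 30), (18, 28), (20, 40), (25, 45),
          (22, 38), (14, 22), (17, 33), (28, 50), (10, 20)]
BRUTE_FORCE = [(2, 400), (3, 550), (1, 380), (2, 600), (4, 450)]  # the known malicious class


def _column_stats(samples):
    """Per-feature (mean, std); the floor keeps a constant feature from dividing by zero."""
    return [(fmean(col), max(pstdev(col), 1e-9)) for col in zip(*samples)]


def _zscores(x, stats):
    return [(v - m) / s for v, (m, s) in zip(x, stats)]


class SupervisedNearestCentroid:
    """Supervised route: one centroid per labeled class in standardized feature space.
    It can only ever answer with a label it was trained on."""

    def __init__(self, labeled):
        self.stats = _column_stats([x for x, _ in labeled])
        by_label = {}
        for x, label in labeled:
            by_label.setdefault(label, []).append(_zscores(x, self.stats))
        self.centroids = {lbl: [fmean(c) for c in zip(*zs)] for lbl, zs in by_label.items()}

    def predict(self, x):
        z = _zscores(x, self.stats)
        return min(self.centroids, key=lambda lbl: math.dist(z, self.centroids[lbl]))


class AnomalyDetector:
    """Anomaly route: learn what normal looks like, flag when any feature is too far out.
    The threshold is the knob that trades missed events for false positives."""

    def __init__(self, normal, threshold=3.0):
        self.stats = _column_stats(normal)
        self.threshold = threshold

    def score(self, x):
        return max(abs(z) for z in _zscores(x, self.stats))

    def is_anomalous(self, x):
        return self.score(x) > self.threshold


SUPERVISED = SupervisedNearestCentroid(
    [(s, "normal") for s in NORMAL] + [(s, "brute_force") for s in BRUTE_FORCE])
ANOMALY = AnomalyDetector(NORMAL)


def compare(x):
    """Run both detectors on one connection; returns (supervised label, anomaly flag)."""
    return SUPERVISED.predict(x), ANOMALY.is_anomalous(x)


if __name__ == "__main__":
    cases = [("typical session", (16, 30)), ("known brute force", (2, 500)),
             ("novel exfiltration", (900, 40)), ("legit large backup", (35, 60))]
    for name, x in cases:
        label, flagged = compare(x)
        print(f"{name:20s} supervised={label:12s} anomaly_flag={flagged}")
```

The novel exfiltration connection shows the weakness of the supervised route: it is nearer to the normal centroid than to the brute-force one, so it is labeled normal, while the anomaly route flags it. The large but legitimate backup shows the opposite failure: the supervised model is right, and the anomaly detector raises a false positive because normal was modeled with a single mean and spread per feature.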

2.1 Learning and inference

When and where does the AI learn about malicious events, normal behavior, and any other cybersecurity-relevant piece of information? Not necessarily at the same time and location where it will take a decision. In a self-driving fleet of cars, for example, driving decisions need to be taken within a sub-second delay in every car, but learning may take place at a central location and requires a sufficiently long time for the images and sensor data relayed by the cars to be filtered, labeled, and fed into the AI. The newly trained AI can then be downloaded to the cars, somewhat similarly to updating your anti-virus definitions daily. This approach would allow the cybersecurity AI to evolve and possibly support new cybersecurity threats learned at a central location, even possibly adjusting for local behavior if local data can be sent to the central learning location. Alternatively, you may allow at least some part of your AI to continuously learn from your local cybersecurity data sources, to adjust more quickly to what’s happening locally. How fast does a cybersecurity AI need to learn new concepts? Assuming that you want to have an AI decision as fast as possible, then the AI should be able to learn a new attack as fast as possible. This could be the detection of a new malicious pattern or of a new “normal” behavior in your organization. A related question is how you adjust the mix between local knowledge and the more global knowledge that may be available from a central location. Assuming you download the newly trained global AI from the central location, one option would be to have the two AIs running in parallel and arbitrate when they don’t agree. Another option would be to train the local instance of the global AI with a replay of the local data up to that point, leading to an AI that has both the global and local knowledge and that could continue to learn from local data as it arrives.

2.2 Data sources

Buczak et al. [7] provide a description of the packet and flow data sources typically used in network intrusion detection. Flow data is a summary of packet data for each flow, containing e.g. the number of packets and the total number of bytes in each direction of the flow, typically with a much larger time constant than packet data. Depending on the task, feeding packet size, time, and direction directly to the AI may be more useful than summarized flow data [4]. Although this seems to suggest that the more data the better, providing raw packets to the AI may not always be the best approach. Network traffic is highly structured, with much information standardized and packaged according to Internet standards like TCP/IP. This brings about a point of what the deep learning approach to AI is best at: learning “intuitive” abstractions from the data [15] which are difficult or too complex for a human to code. Using existing, human-coded TCP/IP protocol parsers such as Wireshark and feeding the output of those parsers to the AI may be a better option in general [12]. Having said this, in some very specific cases where the Internet stack is not broken but otherwise abused by attackers, e.g. in order to exfiltrate information, it may be interesting to directly feed raw packet data to the AI, much as we feed raw pixel data to an image processing AI. This kind of discussion may also apply to other data sources typically used in cybersecurity, including the output of rule-based network intrusion detection systems like Suricata, of host-based intrusion detection systems like OSSEC, and of local or centralized anti-virus solutions, the logs of applications, servers, and network services and devices, and incident reports. In addition to this data that originates from within the organization, a large collection of open source intelligence data is available from which an AI could learn.

2.3 Infrastructure

Finding the right data source can be difficult. Plumbing that data from different places in your organization all the way to the AI – for training, inference, or both – will definitely be another difficulty. Restrictions on the available bandwidth or on the amount of data that can be stored may have an impact on the choice of data to feed the AI. When upgrading to AI in the security operations center (SOC), the most straightforward approach will be to use whatever data is available in the security information and event management (SIEM) system or in other components of the SOC. While this may be interesting for quick wins, small-scale experiments may help show the value of a given data source and support investment decisions to make new data available in the SOC. A variety of processing, storage, and networking hardware can be used for the AI together with software stacks for big data and deep learning. How to achieve the desired performance with minimum hardware cost is an important issue here, as is comparing the performance of different deep learning software options. Refer to [18] for an example of a machine learning infrastructure at Facebook, and to [37] for an example of benchmarking different software stacks for deep learning.

3 Ok, but I don’t really need it.

Despite the current AI hype, learning from data is not new to cybersecurity and has been a driver of research on intrusion detection systems at least since the early nineties. Part of that research has found its way into commercial and open source products and has been accounted for in numerous surveys [7], [44]. AI has extended to areas beyond intrusion detection. If you’re running a security operations center and relying on some sort of anti-virus, spam detection engine, or advanced SIEM, you may already be using it. One particularly interesting example is malicious software: malicious software binaries were traditionally identified by unique sequences of bytes seen as “signatures” of the malware. Today we have an exploding number of signatures, and malware generation tools can dynamically create different byte codes and signatures for the same malware. This opens the door to reverse engineering approaches that look at system calls, memory and file system access, interaction with the operating system registry, and other properties of the executable to identify malware. Given the diversity of features and the variability of the values they can take, handwriting detection rules is hard. Consequently, AI is starting to be used to learn and detect new malware from data samples, identify malware variants, learn which category the malware falls under, and find similarities and novelty in new malware. For a detailed discussion and review of related work on AI for malware refer to [45]. In table 1 we highlight several domains in cybersecurity – mostly under operations or intelligence – where AI has been applied, and identify an example contribution in each domain. Other domains (see the map of cybersecurity domains at https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/) may benefit from AI, for example the use of AI in penetration testing from an attacker’s perspective, and the use of AI in game-theory and reinforcement-learning-like active network defense situations. A hierarchical approach to the AI may be viable in the SOC, where the output from specific AI tasks such as host intrusion detection and exfiltration detection is provided as input to an upper-layer AI. This AI would be able to learn from the variety of lower-layer AI outputs, having an image-like view of the organization and the ability to abstract higher-level goals and keep the organization safe from attacks. One might ponder what similarity this would have with actual images and image processing AIs at the level of the deep learning network architecture. An alternative approach to this layered architecture is to encompass all the lower-layer cybersecurity tasks into a single deep learning solution, in the expectation that the abstraction power of the deep layers would outperform the hierarchical approach, and assuming enough computation power and data sets are available to train the single solution.

Domain               Ref.  Approach
Malware              [45]  Detect, find similarities; use system calls, etc.
Phishing web sites   [36]  Detect; use static and sandboxed dynamic content
Spam                 [6]   Detect; use email content and headers
Host intrusion       [23]  Detect; use system call natural language modeling
Network intrusion    [53]  Detect in hierarchy; use traffic and anomalies from sub-layers
Hardware intrusion   [33]  Detect; from JTAG instructions
User behavior        [22]  Model; use authentication graph
Exfiltration         [8]   Detect; use DNS URL
0-day                [41]  Detect; use attack graph of non-zero-day intrusions
DDoS                 [11]  Detect; use specific traffic features for IoT botnet
Intelligence feed    [28]  Rank feeds; use feed IoC-defined dependency and graph
IoC                  [14]  Find Indicator of Compromise similarities; use IoC content
Incident response    [48]  Find similar incidents; use IoC for similarity
TTPs                 [19]  Extract; use unstructured text and map to kill chain
Table 1: Use of AI in example cybersecurity tasks, necessarily ongoing.

4 What about all those privacy nutters concerned people and laws?

There’s no way around it: privacy is here for the long run and cybersecurity AI must oblige. This has consequences for the amount and type of data that a security operations center can use for its AI. Add to this the natural unease of sharing potentially sensitive business information with others – be it companies or governments – and you’re a step away from freezing the defender and making the attacker’s day. What you need are tools that allow you to control and monitor the amount of information you remove from your data before you can use it in your AI or share it with others, while at the same time making sure that the AI can still learn something useful for the cybersecurity task at hand. Significant progress has been made in privacy-preserving data mining. Major approaches include applying some level of randomization to the data before it is delivered to the AI; changing values to a more general representation (e.g. integers to intervals); or removing some of the data values (sample- or field-wise). Notable privacy-preserving techniques include k-anonymity, where any data sample is made indistinguishable from at least k-1 other samples, and the -differential privacy, where the impact of removing a single record from a data set – and thus potentially revealing private information – is negligible up to . Approaches to enable sharing with privacy can rely on cryptographically-based secure computing techniques or on distributed implementations of learning algorithms that share only learned parameters and not actual data. For an in-depth review of privacy-preserving techniques and metrics refer to [29].

During the process of privacy regulation conformity you may end up defining which private data you use and for how long. Having techniques for properly anonymizing data and measuring their impact will help you not only better protect the privacy of your constituency but to deliver a better argument to your privacy protection officer. Cryptography-based solutions for sharing e.g. IoCs have been proposed [21], however these are for relatively simple tasks of counting sightings of IoCs. For a review on sharing in intrusion detection refer to [46]. Sharing for more advanced cybersecurity AIs will likely require more complex cryptography-based mechanisms or distributed learning where the learned parameters do not reveal private or business-sensitive information.
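Two of the techniques named in this section, worked on constructed SOC records as an added example that is not code from the paper: k-anonymity by generalizing quasi-identifiers (here source IP, destination port and hour of day) with suppression of the few records that still stand out, and an epsilon-differentially-private count of the kind used when sharing IoC sightings. The generalization ladders, the k and suppression budget, the record values and the host names are all assumptions made for the illustration.

```python
"""Added example (not from the paper): k-anonymity by generalization plus suppression,
and a differentially private count, on constructed SOC records."""
import math
import random
from collections import Counter

# Constructed connection records: (src_ip, dst_port, hour_of_day)
RECORDS = [
    ("10.1.4.17", 443, 9), ("10.1.4.23", 443, 10), ("10.1.4.40", 80, 9),
    ("10.1.4.52", 443, 11), ("10.1.7.9", 22, 23), ("10.1.7.12", 22, 23),
    ("10.1.7.30", 8443, 14), ("10.1.4.61", 443, 10), ("10.2.0.5", 3389, 2),
]


# Generalization ladders (assumed): level 0 is the raw value, each level above is coarser.
def gen_ip(ip, level):
    parts = ip.split(".")
    return ".".join(parts[:4 - level] + ["*"] * level)   # level 4 gives "*.*.*.*"


def gen_port(port, level):
    if level == 0:
        return str(port)
    if level == 1:
        return "well-known" if port < 1024 else "registered" if port < 49152 else "ephemeral"
    return "*"


def gen_hour(hour, level):
    if level == 0:
        return f"{hour:02d}"
    if level == 1:
        start = (hour // 6) * 6                          # 6-hour buckets
        return f"{start:02d}-{start + 5:02d}"
    return "*"


LADDERS = (gen_ip, gen_port, gen_hour)
MAX_LEVEL = (4, 2, 2)


def generalize(records, levels):
    return [tuple(f(v, lvl) for f, v, lvl in zip(LADDERS, rec, levels)) for rec in records]


def k_anonymize(records, k, max_suppress):
    """Greedy: coarsen the attribute with the most distinct values (ties go to the
    later attribute) until at most max_suppress records sit in classes smaller than k,
    then suppress those.  Returns (kept generalized records, levels used, number suppressed)."""
    levels = [0, 0, 0]
    while True:
        gen = generalize(records, levels)
        classes = Counter(gen)
        too_small = sum(n for n in classes.values() if n < k)
        if too_small <= max_suppress:
            break
        candidates = [(len({g[i] for g in gen}), i) for i in range(3) if levels[i] < MAX_LEVEL[i]]
        if not candidates:      # everything fully generalized and still not k-anonymous
            break
        levels[max(candidates)[1]] += 1
    kept = [g for g in gen if classes[g] >= k]
    return kept, levels, len(gen) - len(kept)


def laplace_noise(scale, rng):
    """Inverse-CDF sample from Laplace(0, scale)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def dp_host_count(hosts_seen, epsilon, seed=7):
    """epsilon-DP count of distinct hosts that reported an IoC.  Adding or removing one
    host changes the true count by at most 1 (sensitivity 1), so the Laplace scale is
    1/epsilon; the seed only makes the illustration reproducible."""
    return len(set(hosts_seen)) + laplace_noise(1.0 / epsilon, random.Random(seed))


# Constructed sightings of one IoC, reported by hostname (ws-07 reported twice)
IOC_SIGHTINGS = ["ws-01", "ws-07", "ws-07", "ws-12", "srv-03", "ws-19", "ws-22"]

if __name__ == "__main__":
    kept, levels, dropped = k_anonymize(RECORDS, k=2, max_suppress=2)
    print(f"generalization levels={levels}, records suppressed={dropped}")
    for row, n in Counter(kept).items():
        print(f"  {row}  x{n}")
    print("noisy IoC sighting count:", round(dp_host_count(IOC_SIGHTINGS, epsilon=1.0), 1))
```

On these records the greedy search stops at one level of generalization per attribute (/24 network, port class, 6-hour bucket) and suppresses the two records that remain unique; pushing on without a suppression budget would generalize everything to "*". For the count, a smaller epsilon means more noise and stronger protection, and the guarantee only holds if each host contributes at most one record, which is why the function deduplicates first.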

5 Anyway, I don’t trust it.

And you’re probably right not to, at least not without some help. In fact, the advantage of deep learning in intuitively capturing the complexity of the problem is also one of its shortcomings. So how do you trust this system? You need to interact with it, test it with different samples, and understand its decisions. You can then improve it by providing additional data that you expect will make the learning more comprehensive. A quick search for deep learning-based intrusion detection, malware detection, and threat detection reveals that most studies only focus on the accuracy of the results without giving much thought to understanding the decisions or the semantics of the model. Comparing these studies with what is typically done in the image processing area, we come to two conclusions: 1) little to no effort to explain the rationale behind the specific deep learning architecture used, the choice of input for the first layer, and the number of layers; 2) no effort to understand the semantics of the abstraction that each layer provides. Take the image processing example: the first layer shows edges, the second contours, the third object parts, and finally the last layer takes object parts and combines them into objects. The neural network hidden “units” in each layer encode different concepts and can be “activated” onto the lower layers, creating synthetic representations of what that unit has learned and that we can visualize. Visually representing images is easier than network and system data of course, but that doesn’t mean we cannot try. What could be the layers of a system that tries to learn normal behavior in an organization’s network and systems? Communication patterns for HTTP, SSH, SMTP at one level? Email, web browsing, voice call, backup application behavior at the next level? Admin, engineering, accounting user behavior at the top? What if the system learns from attack samples rather than normal behavior? Does the AI learn this by itself, and can we check? Cybersecurity can have complex data samples such as a comprehensive snapshot of the organization network or the malware features obtained by reverse-engineering binaries. Taking the image analogy from [52] a step further into understanding a cybersecurity AI, we can ask what it would mean to check for “feature invariance” like image translation, rotation, and scaling in malware detection data, and to check the impact of zeroing-out part of the data sample in intrusion detection. Figuring out the equivalent of typical image-processing concepts in cybersecurity is an obvious path towards better explaining and trusting AI in cybersecurity. One might also contend that because of the diversity of tasks and data, new ways to validate and explain an AI can be developed based on specific requirements of cybersecurity.

6 And it can be tricked.

Again, you’re probably right. Tricking an AI has been done many times, and adversarial learning is a focus of research in image processing and elsewhere. The main issue with the adversarial mindset is that machine learning techniques expect some form of random distribution in their input data, whereas an adversary will often be smarter than a random distribution. Think about it as the standoff between error detection mechanisms and cryptographic integrity in communication networks: errors are expected to be random, while attacks on integrity can target specific vulnerabilities of the cryptographic mechanisms. Adversaries can attack the AI’s integrity either by crafting a data sample that looks normal to humans but that is misclassified by the AI during the inference phase (called an exploratory attack), or by adding, removing, or changing data samples in the training phase (called a causative or poisoning attack) so that the AI is not able to adequately learn the intended concepts. Causative attacks assume flaws in the AI training production chain that provide the attacker with write access to the training data set or, maybe more plausibly, that the AI continues learning during the inference phase with live data from the organization’s network on which the attacker has a compromised machine that can generate traffic. The complexity of a deep learning AI makes it non-trivial to understand how to come up with adversarial data samples that can be used for exploratory or causative attacks, and, as is typical in most attacks, the process of creating attack data samples can benefit from inside knowledge of the training data, the deep learning network architecture, and even from samples or oracle-like access to input/classification results. For a discussion of threat models, a review of adversarial attacks on non-deep-learning machine learning, and an approach for crafting adversarial inputs for deep learning refer to [31].
Defensive techniques that can offset an attacker’s advantage over an AI do exist. Data sets should be cleansed, the impact of new samples analyzed before feeding them to the AI learning, and algorithms should be made more robust. For a detailed discussion of several machine learning defense techniques refer to [25]. In any case, understanding the AI – which intermediate concepts it is able to abstract, how resilient it is to feature invariance and to hiding fields in the data sample – will likely only help to make it more resilient to adversarial attacks. If you’re looking for examples of adversarial attacks on deep learning intrusion detection systems and malware detection, start here: [27] assumes a continuous-learning autoencoder-based intrusion detection system and assesses its robustness to poisoning attacks under potential, naturally-occurring, non-malicious concept drifts; [1] evaluates the effectiveness of several adversarial methods on the detection of a set of malware Portable Executable files.
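The causative case described above, where the AI keeps learning during the inference phase from live data that includes a compromised host, as an added example that is not code from the paper. It compares two learning policies on a scalar "MB uploaded per session" detector: a naive one that updates on every sample, and a hardened one that learns only from samples it did not flag and keeps a pinned reference model (the kind of central model section 2.1 describes) whose threshold bounds how far the adaptive model may drift before an analyst has to review it. The same detector is then run on a legitimate concept drift, the situation from section 1.2 that incremental learning exists for, to show that the bound does not stop it from tracking normal change. The baseline values, the drift cap of 1.5 and the paced-upload strategy are constructed assumptions.

```python
"""Added example (not from the paper): an anomaly detector that keeps learning in the
inference phase, under gradual poisoning by a compromised host and under legitimate
concept drift, with a naive and a hardened learning policy."""
import math
from statistics import fmean, pvariance


class AdaptiveDetector:
    def __init__(self, baseline, k=3.0, alpha=0.05, drift_cap=None):
        self.mean = fmean(baseline)
        self.var = pvariance(baseline)
        self.k, self.alpha = k, alpha
        self.frozen_threshold = self.threshold()   # reference model pinned at deployment
        self.drift_cap = drift_cap                 # None = naive: unbounded, learns from everything

    def threshold(self):
        return self.mean + self.k * math.sqrt(self.var)

    def effective_threshold(self):
        if self.drift_cap is None:
            return self.threshold()
        return min(self.threshold(), self.drift_cap * self.frozen_threshold)

    def drift_alarm(self):
        """True once the adaptive model has moved beyond what the reference model allows."""
        return self.drift_cap is not None and self.threshold() > self.drift_cap * self.frozen_threshold

    def _learn(self, x):
        delta = x - self.mean          # exponentially weighted mean/variance update
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)

    def observe(self, x):
        """Score one live sample, then learn from it according to the policy."""
        flagged = x > self.effective_threshold()
        if self.drift_cap is None or not flagged:
            self._learn(x)
        return flagged


# Constructed baseline: session sizes cycling 16..24 MB (mean 20 MB, variance 8)
BASELINE = [16, 18, 20, 22, 24] * 40


def boiling_frog(steps=150, exfil_mb=5000.0):
    """Causative attack simulation (constructed): a compromised host paces each upload
    just under the naive detector's current threshold, so it is learned as normal and
    the threshold creeps up until a large exfiltration passes unnoticed."""
    naive = AdaptiveDetector(BASELINE)
    hardened = AdaptiveDetector(BASELINE, drift_cap=1.5)
    flagged = {"naive": 0, "hardened": 0}
    for _ in range(steps):
        x = 0.95 * naive.threshold()
        flagged["naive"] += naive.observe(x)
        flagged["hardened"] += hardened.observe(x)
    return {
        "naive_flagged": flagged["naive"],
        "hardened_flagged": flagged["hardened"],
        "naive_catches_exfil": naive.observe(exfil_mb),
        "hardened_catches_exfil": hardened.observe(exfil_mb),
        "hardened_alarm": hardened.drift_alarm(),
        "naive_threshold_mb": naive.threshold(),
    }


def legitimate_drift(ramp=300, plateau=200):
    """Concept drift, not an attack (constructed): typical session size grows
    from 20 to 26 MB over the ramp and then stays there."""
    det = AdaptiveDetector(BASELINE, drift_cap=1.5)
    for i in range(ramp + plateau):
        level = 20 + 6 * min(i, ramp - 1) / (ramp - 1)
        det.observe(level + [-4, -2, 0, 2, 4][i % 5])
    return det


if __name__ == "__main__":
    r = boiling_frog()
    print(f"naive threshold after poisoning: {r['naive_threshold_mb']:.0f} MB, "
          f"exfil caught: {r['naive_catches_exfil']}")
    print(f"hardened flagged {r['hardened_flagged']} paced uploads, exfil caught: "
          f"{r['hardened_catches_exfil']}, drift alarm: {r['hardened_alarm']}")
    d = legitimate_drift()
    print(f"after drift: frozen threshold {d.frozen_threshold:.1f} MB, "
          f"adaptive {d.effective_threshold():.1f} MB, alarm: {d.drift_alarm()}")
```

Learning only from unflagged samples does not by itself stop the paced attack, since every paced upload is by construction unflagged; it is the bound relative to the pinned reference model that stops the creep and raises the alarm. The drift run shows the cost is modest: a 31 MB session that the frozen model would flag is accepted by the adapted model without the alarm tripping.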

7 Are you telling me the bad guys can use it as well?

Definitely yes. In addition to the adversarial learning techniques discussed in [31], an attacker can resort to generative models and try to learn what ’normal’ data looks like for a given detector and generate malicious samples that look normal and go unnoticed through that detector. Generative techniques range from statistical random number generators such as mixtures of Gaussians, hidden Markov models, and other probabilistic graphical models, to more recent deep learning techniques including autoencoders and generative adversarial networks. For more details on generative models and their evaluation see [43]. On the flip side, you can have attackers using AI to perform side-channel attacks on privacy by inferring user behavior from eavesdropped traffic with the help of discriminative machine learning techniques. Using AI is also becoming more practical; deep learning platforms are increasingly providing support for browser and mobile apps [49], which opens the door for generative-based malware C2 traffic communications [34] and generative-based DGA (dynamically-generated domain names) [3], among others.

If we can disentangle ourselves for just a moment from the good guy vs. bad guy view of the world, the duality of the problem becomes clearer. The defender wants to know what the attacker is doing (e.g. detecting intrusions) and also to prevent the attacker from knowing what the defender is doing (e.g. for privacy). The attacker wants the same thing: to eavesdrop on the defender and to avoid being detected. So at an abstract level we can envision a pair of opponent AIs where the samples of the generative AI are designed to break the discriminative AI and the discriminative AI learns to distinguish between normal samples and samples from the generative AI – regardless of which side (good vs. bad) we are currently looking from. In the next sections we discuss some of the rationale in this battle-of-AIs approach to cybersecurity, provide examples of AI cybersecurity battlefields, and discuss how opponents can gather information from their counterpart AI through intelligence and reverse engineering techniques.

8 So what does a battle of AIs look like?

8.1 Level playing field

Bringing in additional and more detailed features to one side of the battle only is likely to disrupt the balance between attacker and defender. This is the case for example in malware C2 traffic when the attacker has learned to generate tuples of flow size and duration that resemble those of normal traffic, but uses a hardwired process for generating the actual packets of the flow. While the generated flow has duration and size that match the normal traffic, more detailed features such as the packet size and inter-packet time distribution may not. Bringing these more detailed features in allows the defender to outsmart the attacker no matter how good the attacker’s generator of flow size and duration is. Unless there is very strong evidence of which level of features the opponent uses, trying more detailed features seems to make sense. One question that we can ask is if we can figure out which features the opponent uses. This can be related to black-box attacks that try to infer which data is used for training or in the case of image processing how much scaling is done on the image before actual AI processing.
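The two feature levels discussed here and in section 2.2, as an added example that is not code from the paper: from constructed packet records of the kind a protocol parser emits, it computes the coarse flow summary (packets, bytes and duration per direction) and the detailed packet-level features (regularity of inter-packet gaps, dominance of a single packet size). Flow A is an ordinary web download; flow B is constructed to reproduce A's flow summary exactly while having the fixed-size, fixed-period shape of an automated check-in, so only the detailed features separate them. The packet records, the feature definitions and the beacon rule thresholds are assumptions made for the illustration.

```python
"""Added example (not from the paper): flow-summary features versus packet-level
features on two constructed flows with identical summaries."""
from collections import Counter, namedtuple
from statistics import fmean, pstdev

# direction: "out" = client to server, "in" = server to client
Packet = namedtuple("Packet", "ts direction size")


def _flow(out_times, out_sizes, in_times, in_sizes):
    pkts = [Packet(t, "out", s) for t, s in zip(out_times, out_sizes)]
    pkts += [Packet(t, "in", s) for t, s in zip(in_times, in_sizes)]
    return sorted(pkts)


# Flow A (constructed): bursty request/response with large server packets, then a late keep-alive.
FLOW_A = _flow(
    [0.0, 0.05, 0.1, 0.15, 0.2, 0.25, 0.3, 0.35, 0.4, 99.5, 100.0],
    [80, 60, 40, 30, 30, 30, 30, 30, 30, 40, 40],                      # 440 bytes out
    [0.12, 0.13, 0.14, 0.15, 0.16, 0.17, 0.18, 0.19, 0.2, 99.6, 100.2],
    [1460, 1460, 1460, 1460, 1460, 600, 100, 60, 40, 20, 20],          # 8140 bytes in
)
# Flow B (constructed): same packet counts, bytes and duration, but fixed sizes on a 10 s period.
FLOW_B = _flow(
    [10.0 * i for i in range(11)], [40] * 11,                          # 440 bytes out
    [10.0 * i + 0.2 for i in range(11)], [740] * 11,                   # 8140 bytes in
)


def flow_summary(pkts):
    """The coarse, flow-record view: counts and bytes per direction plus duration."""
    out = [p.size for p in pkts if p.direction == "out"]
    inn = [p.size for p in pkts if p.direction == "in"]
    return {"pkts_out": len(out), "bytes_out": sum(out), "pkts_in": len(inn),
            "bytes_in": sum(inn), "duration": round(pkts[-1].ts - pkts[0].ts, 3)}


def packet_level_features(pkts, direction):
    """The detailed view for one direction: coefficient of variation of the
    inter-packet gaps and the share of packets carrying the single most common size.
    Returns None when there are too few packets for the gaps to mean anything."""
    sel = [p for p in pkts if p.direction == direction]
    if len(sel) < 3:
        return None
    gaps = [b.ts - a.ts for a, b in zip(sel, sel[1:])]
    mean_gap = fmean(gaps)
    cv = pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    modal_share = Counter(p.size for p in sel).most_common(1)[0][1] / len(sel)
    return {"gap_cv": round(cv, 3), "modal_size_share": round(modal_share, 3)}


def looks_like_beacon(pkts, max_gap_cv=0.1, min_modal_share=0.8):
    """Rule over the detailed features: near-periodic, near-constant-size client
    packets are what automated check-ins look like; thresholds are assumed."""
    f = packet_level_features(pkts, "out")
    return f is not None and f["gap_cv"] <= max_gap_cv and f["modal_size_share"] >= min_modal_share


if __name__ == "__main__":
    for name, flow in (("A", FLOW_A), ("B", FLOW_B)):
        print(name, flow_summary(flow), packet_level_features(flow, "out"),
              "beacon-like" if looks_like_beacon(flow) else "not beacon-like")
```

A detector fed only the flow summary cannot tell these two flows apart, which is the point made above about matching flow size and duration with a hardwired packet generator. Bringing in the inter-packet timing and size distribution exposes the difference at a cost the page also notes: packet-level features mean parsing every packet rather than one record per flow.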

The other relevant question is whether there is a set of features detailed enough for an attacker to be sure the detector cannot use more detailed features. And the answer is yes – those features are the actual data. This of course depends on the battlefield: for example, for domain names this would be the actual domain name rather than n-gram statistics, and for malware C2 traffic this would be the actual packet contents and timings, although with encryption the only relevant packet contents are those not encrypted in the different headers. Using the actual data rather than features is quickly becoming the norm, with deep learning image processing leading the way. Whether this can be done in a given battlefield is a very relevant question, which needs to consider not only modeling capability but also sustaining possibly high bit rates. If so, using the full data levels the playing field between attacker and defender AIs. It also brings us to a set of relevant questions related to the extent to which data morphing is possible for a given battlefield and to how good an AI must be to avoid detection or to detect traffic from another AI.

8.2 Mine beats yours

How far can we go into understanding how good an AI must be to beat its opponent? Let’s try to get some intuition from an example. Assume a battlefield of independent samples of real-valued data, in which opponents have to generate and make a decision for each sample independently – so no order or correlation is used in the generation and detection of samples. Now think of a simple outlier detector that blocks samples that are outside of the range

. The attacker wants to generate samples that are not blocked by the detector. What does the attacker know about the detector? 1. If the attacker knows the model and its estimated parameters

and , then it can randomly generate samples that are within the

range and successfully perform the attack on every sample. 2. If the attacker knows the model, does not know the parameters, but has access to training data, it can try to estimate the parameters from the data itself. The success of this attack will depend on how similar the attacker’s data is to the data used to train the detector, and on the randomness of the training algorithm; for example, in the case of K-Means, mixture of Gaussians models, or neural networks in general, the training depends on random initialization values. 3. If the attacker does not know the model, then it is left with guessing which model the detector uses. As in any guess, some uncertainty is involved and it makes sense to try to understand the impact of this uncertainty. Let’s say the detector has been upgraded to use a mixture of Gaussians and the generator still uses the

model, inferred from the same training data as the detector. With luck, some of the generated samples will fall within one of the Gaussians of the detector, but not all; how many will depend on the data and on the number of Gaussians used in the mixture. If the generator model was upgraded to a mixture of Gaussians but not the detector, intuitively the generated samples would better fit the data and possibly fall within the

range – but not necessarily. So a mismatch of models may benefit one of the opponents. Fast forward to deep learning and you can break down the uncertainty of the models of the opponent by the number of layers, type of neural network, reuse of part of the models known as transfer learning, and many other systematizations of deep learning.
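The three cases above, as an added simulation that is not part of the paper: it assumes the detector’s range is the training mean plus or minus k standard deviations (k = 3 here), constructed normal data made of two well-separated Gaussian clusters, and an attacker that samples uniformly inside whatever range it believes is accepted; the mixture upgrade is modeled as one range per cluster.

```python
import random
from statistics import mean, stdev

random.seed(3)  # constructed, deterministic data

def fit_range(samples, k=3.0):
    """Detector model assumed here: accept only mean +/- k*stdev of the training data."""
    m, s = mean(samples), stdev(samples)
    return (m - k * s, m + k * s)

def range_detector(bounds):
    lo, hi = bounds
    return lambda x: lo <= x <= hi            # True = passes as normal

def mixture_detector(ranges):
    """Upgraded detector: one range per Gaussian component, accept if any fits."""
    return lambda x: any(lo <= x <= hi for lo, hi in ranges)

def generator(bounds, n):
    """Attacker generator: samples uniformly inside the range it believes is accepted."""
    lo, hi = bounds
    return [random.uniform(lo, hi) for _ in range(n)]

def evasion_rate(samples, accept):
    """Fraction of generated samples the detector lets through."""
    return sum(1 for x in samples if accept(x)) / len(samples)

# Constructed normal data: two clusters far apart, so a single range is a poor model.
COMP_A = [random.gauss(10, 1) for _ in range(500)]
COMP_B = [random.gauss(50, 1) for _ in range(500)]
NORMAL = COMP_A + COMP_B
SINGLE = fit_range(NORMAL)                         # one range over all data
MIXTURE = [fit_range(COMP_A), fit_range(COMP_B)]   # one range per component

def case_known_parameters():
    """1. Attacker knows model and parameters: every sample passes."""
    return evasion_rate(generator(SINGLE, 1000), range_detector(SINGLE))

def case_own_training_data(shift):
    """2. Attacker fits the same model to its own data, offset from the defender's."""
    own = [x + shift for x in NORMAL]
    return evasion_rate(generator(fit_range(own), 1000), range_detector(SINGLE))

def case_model_mismatch():
    """3. Detector upgraded to a mixture, attacker still uses the single range:
    only samples that land inside one of the clusters' ranges get through."""
    return evasion_rate(generator(SINGLE, 1000), mixture_detector(MIXTURE))

if __name__ == "__main__":
    print(case_known_parameters(), case_own_training_data(30), case_model_mismatch())
```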

8.3 Full morphing ability

When generating adversarial samples, one very relevant question is whether, for the given battlefield, the relation between the generated sample’s shape and its intended behavior is somehow constrained. Can the generator take a sample with the intended adversarial behavior, morph it into any other sample that is not detected, and keep its adversarial behavior – or is it somehow constrained? For example, an attacker that wants to send terror-related emails without being detected has to write a text that is not only intelligible but maintains its subversive message while at the same time not being picked up by the email detector AI. This constraint on the morphing ability could have an impact on how the opponents build their discriminative and generative systems. Alternatively, a given battlefield may have full morphing ability, meaning that the generator can choose whatever shape it wants for the adversarial sample. The best example here is likely eavesdropping on encrypted traffic. As long as the generator is able to mimic the non-encrypted part of the communication, including timings, sizes, and non-encrypted headers like TLS fingerprints [2], and assuming the detector is not able to break the encryption, the encrypted channel will provide cover to whatever adversarial plaintext data is sent in the encrypted payload. In this case, one concern for the generator is whether the morphed encrypted traffic is able to sustain the requirements of the adversarial behavior, for example related to throughput and latency.

8.4 Winning with single adversarial sample

If the generator can find one sample that is classified as normal by the detector, then why not use it all the time? If the detector does not keep some memory of prior samples, this would work. Repeating the exact same sample would be straightforward to detect, leading to a sample blacklist. Slightly changing a Gaussian sample might work, but the more complex the sample domain, the harder it will be for the attacker to estimate how much and what can be changed. So regardless of the complexity of the sample, you always want to check whether the sample is repeated. You could also check for well-known normal samples from public databases. One avenue for attack would be to take these known samples and check to what extent they can be changed so as to be detected as normal but not as repeated.
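A detector with the memory the paragraph above calls for, as an added example that is not code from the paper: it keeps the range check, remembers what it has accepted, buckets continuous values so that tiny nudges of a replayed sample still count as repeats, and flags samples that coincide with a (constructed) list of well-known public normal samples. The bucket width, the one-hit limit and the treatment of public samples as blocked are assumptions made here.

```python
class ReplayAwareDetector:
    """Range detector that also remembers what it has accepted, so a single good
    adversarial sample cannot simply be replayed. Continuous values are bucketed, so
    small nudges of a known sample land in the same bucket and count as repeats."""

    def __init__(self, lo, hi, bucket=0.01, max_hits=1, public_samples=()):
        self.lo, self.hi, self.bucket, self.max_hits = lo, hi, bucket, max_hits
        self.seen = {}                                         # bucket id -> accepted count
        self.public = {self._key(x) for x in public_samples}   # well-known normal samples

    def _key(self, x):
        # round() rather than floor() avoids float-representation edge cases
        return round(x / self.bucket)

    def check(self, x):
        """Returns 'accepted' or a 'blocked:<reason>' string for one sample."""
        if not (self.lo <= x <= self.hi):
            return "blocked:range"
        k = self._key(x)
        if k in self.public:
            return "blocked:known-public"
        self.seen[k] = self.seen.get(k, 0) + 1
        if self.seen[k] > self.max_hits:
            return "blocked:repeat"
        return "accepted"

def replay_scenario():
    """Constructed sequence: one good sample, an exact replay, a tiny nudge that stays
    in the same bucket, a larger change that escapes it, a public sample, an outlier."""
    d = ReplayAwareDetector(lo=0.0, hi=100.0, bucket=0.01, public_samples=[12.34])
    return [d.check(x) for x in (42.00, 42.00, 42.004, 42.5, 12.341, 150.0)]

if __name__ == "__main__":
    for x, verdict in zip((42.00, 42.00, 42.004, 42.5, 12.341, 150.0), replay_scenario()):
        print(f"{x:>8}: {verdict}")
```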

9 Example battlefields

  • Malware C2 Traffic. Command and control traffic from compromised hosts has evolved to make detection harder – e.g. by moving from IP addresses to dynamically generated domain names and by using encryption. At the same time, detectors also evolve to include more detailed features. Morphing C2 traffic to avoid detection has been shown in [34] with the help of Generative Adversarial Networks. In this battle, a level playing field equates to encryption, and full morphing ability is possible within the constraints of the C2 traffic requirements.

  • Traffic Privacy. Encryption has stepped up in web, smart home, mobile app, voice, and video traffic across the Internet to protect users against eavesdroppers. With privacy tools like TOR, it is harder to find server IP addresses and to infer behavior from encrypted communication patterns. However, most communication today is not over TOR, and privacy attacks have been the subject of extended research [30], including traffic morphing techniques [26]. This battlefield is very similar to malware C2 traffic with the good guy vs. bad guy roles switched. One difference is that malware will try harder to hide in the shadow of normal traffic, while users concerned with privacy will rather be worried about attackers finding out what they’re doing and which sites they are visiting; a constant bitrate approach may work for them as long as the quality of service is not compromised.

  • Malware domain names. Domain generation algorithms (DGAs) are used to generate pseudo-random domain names that are easy to generate by both the malware and the command and control server and difficult to detect by security operators. Researchers have applied unsupervised machine learning to train a domain name generator from legitimate domain names [3]. Although their aim was to improve existing detection algorithms and not to propose a new malware, their results show how close generated and legitimate domain names can be. With the availability of deep learning engines for mobile devices and browser applications, it is reasonable to expect that malware will sooner or later leverage machine learning algorithms. The full data is the actual domain name, and generators have full morphing ability except for collisions with already registered domain names; however, collisions are typically taken care of at a later stage.

  • Executable Detection. Finding an executable with a blacklisted hash was for a long time the way to detect hosts to which malware had been downloaded. As always, attackers adapted and started to slightly change their binaries yielding very different hash values while keeping the functionality. Static and dynamic analysis of malware opened the door to machine learning approaches to detect malware executables, which again prompted the development of adversarial learning techniques on the malware [24]. The full data for this battlefield is the malware binary and generators are limited to a viable binary that does not change the intended malicious behavior.

  • Browser Document Object Model. Malicious browser extensions can be used to perform a variety of attacks inside the browser. Malicious browser extensions can be detected through static analysis, which is very similar to the malware executables battlefield [9]. Additionally, as malicious extensions change application behavior through erroneous DOM mutations, application monitoring code can check whether DOM mutations are consistent with application behavior. The complexity of the DOM structure and the intense activity in the browser are likely to call for learning from the data, both for malicious DOM mutation detection and for detection avoidance. The full data here are the sequences of DOM mutations, and full morphing ability is constrained by the actual behavior of the DOM mutations.

10 Can you see my AI?

If the AI is going to be used in the context of cybersecurity operations with enough resources to gather intelligence data and profile its potential attackers, and if the threat model for adversarial attacks depends on the capabilities of the AI, like the specifics of the architecture of the deep learning network and access to training data samples, then it is of foremost importance to ask yourself how attackers can gain that kind of information. In addition to the old spy game, the open data policies to which government organizations and public corporations are typically subject because of transparency concerns can disclose much information. Moreover, the daily use of the AI itself may be more revealing than desired. A variety of techniques for reverse engineering AIs have been proposed in the literature, from side-channel attacks leveraging shared resources to learn DNN architectures [50], to queries to the API to extract a surrogate model [20], and membership inference of training data [17]. Practical attacks on deep neural networks built on top of public models (known as transfer learning) [47] point the way to further assumption and inference attacks on an AI. [20] also discusses an approach to detect API query attacks and points to how you could hide the details of your AI.