
Machine learning to prevent cyberattacks

Thursday 14 Jan 21

Contact

Christian D. Jensen
Associate Professor, Head of Section
DTU Compute
+45 45 25 37 24

Universities are working with IT security company to block virus-infected websites before users click on them.

Fighting hackers all the way. Together with CSIS Security Group, researchers from DTU and Aalborg University are working to find new solutions aimed at preventing unintentional disclosure of information to criminals or visits to malicious, virus-infected websites. The solutions will use artificial intelligence to detect and block malicious websites and emails before users can click on them.

The research project is called SecDNS, and it has received a grant of DKK 11.3 million from Innovation Fund Denmark. The aim of the project is to create a safer cyber society.

Until now, historical data has been used to establish which websites to block, but this approach does not provide sufficient protection, explains Christian D. Jensen, who heads the Section for Cyber Security at DTU Compute and participates in the SecDNS project.

“A data security buzzword is ‘zero-day attacks’, which are attacks you've never encountered before. This type of attack will never be caught if you only rely on historical data,” says Christian D. Jensen.

One step ahead of cybercriminals

To keep one step ahead of cybercriminals, the researchers will act directly at the name servers that direct Internet traffic.


The researchers will develop a system based on artificial intelligence that can review so-called DNS lookups, the queries that translate the website names (domain names) we type into our computers into the numerical IP addresses that the computers actually use.

Via these DNS lookups, the system will check whether links to websites are harmful or whether an email contains a malicious link, and, if so, the system will block them. This means that the user will either never receive the email, or, if the user receives the email and clicks the link, the system will display a warning screen that at the same time prevents the user from being exposed to the malicious content.

To get the system to detect the malicious websites, links, and emails, the researchers will train the algorithms to recognize patterns that characterize malicious websites based on large data volumes from, for example, usage patterns, known infected websites, and cyberattacks observed by the universities and CSIS Security Group.

Positive and negative traffic

This is the first time that such systematic work has been done on name servers using machine learning. The researchers divide their data into positive and negative traffic and teach the algorithms what is good and bad. To teach the algorithms to recognize patterns on virus-infected websites, the researchers look at, for example, server and domain names. Here they examine when the names were registered, who registered them, how long they have been registered for, and whether the sites are visited regularly.
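As an added illustration of the approach described in the two passages above (this is not code from the SecDNS project), the sketch below computes the registration and visit-pattern features the article names from a constructed resolver log and constructed registration records, trains on labelled positive and negative traffic, and then classifies a domain it has not seen. A single-feature decision stump stands in for whatever model the project actually uses; the domains, dates, registrants and labels are all made up.

```python
from datetime import date
TODAY = date(2021, 1, 14)

# Constructed stand-in for registration (WHOIS-style) records; none of these domains are real.
REGISTRY = {
    "news-portal.example":        (date(2009, 3, 2),  date(2025, 3, 2),  "Example Media A/S"),
    "uni-library.example":        (date(2005, 8, 15), date(2023, 8, 15), "Example University"),
    "shop-online.example":        (date(2014, 5, 20), date(2024, 5, 20), "Example Retail ApS"),
    "bank-login-secure.example":  (date(2021, 1, 10), date(2022, 1, 10), "privacy-proxy"),
    "invoice-update-now.example": (date(2021, 1, 12), date(2022, 1, 12), "privacy-proxy"),
    "parcel-track-dk.example":    (date(2021, 1, 13), date(2022, 1, 13), "privacy-proxy"),
}

# Constructed resolver log of (day, queried name): benign sites recur, the rest appear once.
LOG = [(date(2021, 1, d), "news-portal.example") for d in range(1, 14)]
LOG += [(date(2021, 1, d), "uni-library.example") for d in range(4, 14, 2)]
LOG += [(date(2021, 1, d), "shop-online.example") for d in (2, 5, 9, 12)]
LOG += [(date(2021, 1, 11), "bank-login-secure.example"),
        (date(2021, 1, 13), "invoice-update-now.example"),
        (date(2021, 1, 14), "parcel-track-dk.example")]

# Labelled "positive and negative traffic": 1 = malicious, 0 = benign (constructed labels).
LABELLED = {"news-portal.example": 0, "uni-library.example": 0, "shop-online.example": 0,
            "bank-login-secure.example": 1, "invoice-update-now.example": 1}

def features(domain, today):
    """The registration and visit-pattern features the article names, for one domain."""
    registered, expires, registrant = REGISTRY[domain]
    return {
        "age_days": (today - registered).days,                        # when was it registered
        "reg_period_days": (expires - registered).days,               # for how long
        "days_seen": len({day for day, q in LOG if q == domain}),     # visited regularly?
        "anonymous_registrant": int(registrant == "privacy-proxy"),   # who registered it
    }

def train_stump(labelled, today):
    """Pick the one feature/threshold that best separates the two classes (a decision stump)."""
    rows = [(features(d, today), y) for d, y in labelled.items()]
    best = None  # (accuracy, feature, threshold, malicious_if_at_most)
    for name in rows[0][0]:
        for thr in sorted({f[name] for f, _ in rows}):
            for low_is_bad in (True, False):
                acc = sum(((f[name] <= thr) == low_is_bad) == bool(y) for f, y in rows) / len(rows)
                if best is None or acc > best[0]:
                    best = (acc, name, thr, low_is_bad)
    return best

def classify(model, domain, today):  # 1 = flag as malicious (block or warn), 0 = allow
    _, name, thr, low_is_bad = model
    return int((features(domain, today)[name] <= thr) == low_is_bad)
```

On this toy data the stump learns that domains registered only a few days ago are the malicious class and flags the unseen parcel-tracking domain; a real deployment would combine many such features, which is exactly where the adversarial evasion Jensen mentions becomes a concern.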

“The development in artificial intelligence has given us far better opportunities to discover cyberattacks than previously. But hackers are also becoming increasingly sophisticated,” says Christian D. Jensen.

“Today, we’re seeing examples of the attackers fooling algorithms with machine learning. It will therefore be exciting to see how they start using AI to blur and confuse the artificial intelligence we’re putting into play. To be able to hack our solutions, they need to create patterns that evade our pattern recognition systems. They can do this if our algorithms aren’t good enough.”

Tricked into disclosing data

Today, Christian D. Jensen sees different types of malicious websites being used to trick us into disclosing data or installing malicious code. One of these is botnets, a word formed from ‘robot’ and ‘network’. Hackers use botnets to break the security on many users’ computers and take over control of each one, organizing all the infected computers into a network that the criminals can control remotely. In 2016, for example, the Mirai malware was used to launch some of the largest distributed denial-of-service (DDoS) attacks ever seen, an attack that rendered a number of large Internet services inaccessible.

Phishing is another type of fraud. Here criminals try to trick the victim into disclosing sensitive data by, for example, pretending to be an authority. Many phishing emails are currently abusing the COVID-19 situation to increase the likelihood of the recipient reading the email and clicking links or attachments.

“I see a great need to increase cybersecurity. All types of crime are decreasing—except cybercrime. Therefore, I hope that the knowledge we’re building will benefit everyone,” says Christian D. Jensen.

Cybercrime is an industry

The initial compromise (access to the organization/company through, for example, phishing, ed.) is not necessarily done by the same criminals who carry out the rest of the ransomware attack. There is a criminal underground market where cyber criminals resell access to each other and support each other’s activities in other ways.

In other words, there is rarely only one criminal involved, but rather a network of specialized hackers who are behind a targeted ransomware attack.

Source: Centre for Cyber Security

Phishing

In phishing attacks, the hackers try to manipulate a person into disclosing personal data, opening infected files, or clicking links to false websites.

Phishing is often distributed through emails sent to thousands of recipients, but also through text messages, social media, or other communication platforms.

According to the security company Verizon, which has investigated thousands of cyberattacks, nearly all malware (short for malicious software) is delivered through an email. As much as 94 per cent of the incidents in which a computer was infected by malware in 2019 started with an email.

Source: Centre for Cyber Security and Verizon