Artificial Intelligence for Cybersecurity

Andrea Saracino, IIT-CNR

Roma - 29 Ottobre 2018

Application of Artificial Intelligence

Application of Artificial Intelligence

Application of Artificial Intelligence

Artificial Intelligence and Machine Learning

Machine Learning

Unsupervised Learning

Clustering

Clustering (2)

• Can be aggregative or divisive

• Able to work on unlabeled data

• Automatically infers patterns out of input data

• Fast thanks to low complexity

• Does not characterize results

Supervised Learning

Supervised Learning - Training

Machine Learning

Algorithm

Input

ExpectedOutput

Model

Supervised Learning - Application

ModelInput Output

Classification

• Assigning a label (class) to each sample of a dataset.

Machine Learning

Algorithm

Input

Label

Model

Feature Extraction

Feature Apple Orange

Shape Not Round Round

Skin Smooth Non-Smooth

Color Not Orange Orange

A1: 0,1,0O1: 1,0,1

Error

Evaluation Indexes

True Acceptance (Match) Rate (TAR) - Probability to correctly match input pattern to a

matching template. It measures the percent of valid inputs which are correctly accepted.

True Rejection (Non Match) Rate (TRR) - Probability to correctly detect non-matching input

pattern to any template stored in the database. It measures the percent of invalid inputs which

are correctly rejected.

False Acceptance Rate (FAR) - Probability to incorrectly match input pattern to a non-matching

template stored in the database. It measures the percent of invalid inputs which are incorrectly

accepted. It is more dangerous than FRR.

False Rejection Rate (FRR) - Probability to fail to detect a match between the input pattern and

a matching template in the database. It measures the percent of valid inputs which are

incorrectly rejected.

Deep Learning-based Methodologies

• Techniques very effective for image recognition problems• Classify objects

• Detecting presence

• Identifying similarities

• Applied widely to face detection starting from 2014

Difference With Machine Learning

Deep learning: architecture structure

Deep CNN architecture example

Applications to Cybersecurity

SPAM email analysis

SPAM

• Unsolicited advertisement message sent to a large number of Internet users via email

SPAM analysis services

Anti-Spam Filter: HAM vs SPAM

• Based on Deep Learning and Bayesian Classifiers

SPAM analysis service

Threat Identification:

• Advertisement

• Phishing

• Confidential Trick

• Malware

• Portal

Advertisement

Phishing

Scam

Malware

Portal

Spam Campaign

Spammer

BotBot Bot

Bot

SPAM analysis service

• Campaign Clustering

Categorical Clustering Tree (CCTree)

• Entropy-based clustering algorithm and classifier

• Exploting structural features• Not based on semantic

• Fast and accurate

Malware Analysis

Network Traffic Analysis

Techniques

• Sketch analysis for DDoS prevention

• Text analysis for DGA Recognition

• Cybersquatting automated detection

Behavioral Authentication

Gait-Based Authentication

• Using the walking pattern of a person to verify her identity.

• Each person as a completely unique walking pattern• Mix of physical (biometric) elements and behavioral ones.

Gait Analysis

• Analyzing a person movement pattern.• Monitor clinical conditions related to walking pattern

• Fall detection for early assistance to elderly people

• Extraction of features for user identification

Gait Analysis (2)

• Can be performed by means of accelerometers

• Extraction of acceleration on the three axis

• Multiple accelerometers allow to monitor different parts of the body.

Workflow

• Usage of deep learning and accelerometers for user authentication.

Authenticated

Not Authenticated

Monitoring Extraction Filtering Classification

Framework

• Classifier based on Convolutional Neural Network (CNN).

• Features extracted from 5 body sensors

• Readings normalized and filtered for noise reduction

• Normalized readings are used to train and then test deep learningCNN.

Results

Concluding

• More and more application related to cybersecurity exploit AI

• Increasing need of knowledge to design and tune-up specific machine learning methodologies

• Beware of possible malicious use of machine learning

Thank You

andrea.saracino@iit.cnr.it