Use of Artificial Intelligence For Improve Cybersecurity Automation Processes For Tasks - Version 1

Machine learning techniques are increasingly being applied to computer cybersecurity to improve detection of threats. Some applications of machine learning in cybersecurity include detecting bank card fraud, malware classification, and detecting denial of service attacks. Intrusion detection systems use machine learning models to analyze network traffic and detect anomalous behaviors that could indicate intrusions. IDS solutions can use signature-based detection to identify known threats or anomaly-based detection to flag unknown threats, and hybrid systems provide more comprehensive protection by using both methods. Choosing the right IDS solution depends on factors like whether it will monitor a single host or entire network.


Machine Learning techniques applied to computer cybersecurity

By César Barreto

Currently, a lot is heard about Artificial Intelligence and, especially, about one of
its most prominent branches, Machine Learning. However, Artificial Intelligence is
not new: it has been with us since the end of the 1950s, when a group of scientists
met at Dartmouth and coined the term, in 1956. Today, its influence has reached
multiple sectors and areas, among them the automotive sector, energy, industry,
banking, health, cyber defense and cybersecurity.

Machine Learning consists of creating models or algorithms that analyze data,
learn from it, and then predict its likely behavior over a range of time or in an
estimated situation. For these reasons, the cybersecurity industry has not been
immune to the growth, dissemination and adoption of Machine Learning models and
techniques to improve computer security, since they allow a response that is more
adequate and in line with current requirements. These practices improve and enable
the analysis of threats and promise to be more effective in stopping or preventing
security incidents. Currently, we find several applications of artificial
intelligence, through Machine Learning, in computer cybersecurity; to list some of
them: detection of bank card fraud, intrusion detection, malware classification and
detection of denial of service attacks.

It is undeniable that the appearance of the Internet has brought a great number of
advantages and improvements in living conditions for many people. For example,
teleworking and virtual education are two areas that have benefited from its tools
and platforms, which make it possible to work or study from home without being
immersed in the chaotic and constant problems of transportation and insecurity in
our big cities.

Machine Learning and e-commerce

Another sector that has undoubtedly benefited from the development and
massification of the Internet is electronic commerce. Currently, companies need to
create new media and communication strategies with their clients that allow them to
obtain the sales volume necessary to improve profits; for reasons like this,
e-commerce is an invaluable tool for a company's sales department. On the other
hand, just as the benefits and advantages of using the Internet have increased,
across tools, platforms, consultation sites, financial and banking portals and so
on, so too have the risks, threats and opportunities for intrusion by unscrupulous
and ill-intentioned people.

The expansion and accelerated development of communications, the massification of
mobile and smart devices and the advancement of technologies such as the Internet
of Things (IoT) have increased their importance and complexity. This is where data
science stands as an option to optimize the requirements-analysis mechanisms of
computer systems and to offer a better option against the different types of
security risk that exist today.

On the other hand, attacks and intrusions into computer systems, websites and
applications continue to increase in frequency, making it essential to use
autonomous mechanisms to prevent damage or loss of information. The security of
business data, personal data and mission-critical applications must not be
compromised, and organizations must avoid that at all costs. This is where the
constant evolution and improvement of machine learning techniques come into the
picture: they take historical or current data into consideration in order to make
predictions or projections over a certain range of data, or over certain periods of
time, and thereby establish similarities with known patterns or behavioral
characteristics. It must be taken into account that, thanks to machine learning, a
computer system is able to locate strange behaviors and anomalous situations in
large amounts of data, which are known as patterns. Machine Learning is used to
detect unusual activity that attempts to infiltrate a system or network. For this,
we can find two possible solutions: heuristic IDS and rule-based IDS.

Heuristic IDS

An IDS, or intrusion detection system, is responsible for monitoring the incoming
and outgoing traffic of a website or network and recording its behavior; it provides
supervision that detects suspicious activities and generates alerts upon detection.
Based on these alerts, a security operations center (SOC) analyst or incident
responder can investigate the problem and take appropriate action to remediate the
threat. IDS are designed to be deployed in different environments, and, like many
cybersecurity solutions, an IDS can be host-based or network-based. Now, let's
learn a little more about the different types of IDS.

• Host-Based IDS (HIDS): A HIDS is deployed on a particular endpoint and is
designed to protect against internal and external threats. This type of IDS may be
able to monitor the computer's incoming and outgoing network traffic, observe
running processes, and inspect system logs. The visibility of a HIDS is limited to
its host computer, which reduces the context available for decision making, but it
has deep visibility into the internal components of that host.

• Network-Based IDS (NIDS): A NIDS is designed to monitor an entire protected
network. It has visibility into all traffic flowing through the network and makes
determinations based on the metadata and contents of the packets. This broader
view provides greater context and the ability to detect pervasive threats.
However, these systems lack visibility into the internal components of the
endpoints they protect. Because of these different levels of visibility,
implementing an isolated HIDS or NIDS provides incomplete protection of an
organization's systems; it is recommended to implement a unified threat management
solution, which integrates both technologies into a single system to provide more
comprehensive security.

IDS detection methods

IDS solutions differ in the way they identify potential intrusions:

• Signature detection: Signature-based intrusion detection system solutions use
fingerprints of known cyber threats to identify them. Once malware or other
malicious content is identified, a signature is generated and added to the list
that the IDS solution uses to scan incoming content. This allows an IDS to achieve
a high threat detection rate without false positives, since all alerts are
generated from the detection of known malicious content. However, a
signature-based IDS is limited to detecting known cyberthreats and does not detect
vulnerabilities.

• Anomaly detection: Anomaly-based intrusion detection system solutions create a
model of the "normal" behavior of the protected system. All future behavior is
checked against this model, and any anomaly is flagged as a potential cyberthreat
and triggers an alert. Although this approach can detect new cyberthreats, the
difficulty of creating an accurate model of "normal" behavior means that these
systems must balance false positives against false negatives.

• Hybrid detection: A hybrid IDS uses both signature-based detection and
anomaly-based detection. This allows it to detect a greater number of potential
attacks with a lower error rate than either method used in isolation.
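The three detection methods above, side by side, as an added example that is not part of the article: signature detection is an exact fingerprint match against a list of known-bad content, anomaly detection scores each observation against a baseline of "normal" behaviour learned from known-good traffic, and the hybrid detector consults the signature list first and falls back to the anomaly model. The log format, the training traffic, the known-bad request string and the addresses are all constructed for this example; the `threshold` parameter is the knob that trades false positives for false negatives.

```python
import hashlib
import statistics
from collections import defaultdict

# Constructed sample data (not taken from the article). Each log line is
# "<source_ip> <requests_per_minute> <request>". TRAINING_LOG is assumed to be
# known-good traffic from which the "normal" behaviour model is built.
TRAINING_LOG = [
    "10.0.0.5 12 GET /index.html",
    "10.0.0.5 14 GET /about.html",
    "10.0.0.7 11 GET /index.html",
    "10.0.0.7 13 GET /login",
    "10.0.0.9 15 GET /contact",
    "10.0.0.5 13 GET /index.html",
    "10.0.0.7 12 GET /index.html",
    "10.0.0.9 12 GET /news",
    "10.0.0.9 14 GET /index.html",
    "10.0.0.5 12 GET /about.html",
    "10.0.0.7 13 GET /news",
    "10.0.0.9 13 GET /index.html",
]

# Signature list: SHA-256 fingerprints of request strings previously confirmed
# malicious. The request itself is a made-up placeholder.
KNOWN_BAD_REQUESTS = ["GET /cgi-bin/known-bad-sample.sh"]
SIGNATURES = {hashlib.sha256(r.encode()).hexdigest() for r in KNOWN_BAD_REQUESTS}


def parse_line(line):
    src, rate, request = line.split(" ", 2)
    return src, int(rate), request


def signature_detect(request, signatures=SIGNATURES):
    """Signature detection: exact fingerprint match. It never fires on unknown
    content, so even a trivially modified request is not recognised."""
    return hashlib.sha256(request.encode()).hexdigest() in signatures


def build_baseline(lines):
    """Anomaly detection, step 1: per-source mean and standard deviation of the
    request rate, learned from known-good traffic. The deviation is floored at
    1.0 so a source with a constant rate does not divide by zero."""
    rates = defaultdict(list)
    for line in lines:
        src, rate, _ = parse_line(line)
        rates[src].append(rate)
    return {src: (statistics.mean(v), max(statistics.pstdev(v), 1.0))
            for src, v in rates.items()}


def anomaly_score(src, rate, baseline):
    """Anomaly detection, step 2: z-score of the observed rate against the
    source's baseline; None when the source was never seen in training."""
    if src not in baseline:
        return None
    mean, stdev = baseline[src]
    return (rate - mean) / stdev


def hybrid_detect(line, baseline, threshold=3.0, signatures=SIGNATURES):
    """Hybrid detection: a signature hit is reported as known-bad; everything
    else is judged by the anomaly model. A source with no baseline is flagged
    too, since the model cannot vouch for it."""
    src, rate, request = parse_line(line)
    if signature_detect(request, signatures):
        return ("alert", "signature match")
    z = anomaly_score(src, rate, baseline)
    if z is None:
        return ("alert", "no baseline for source")
    if z > threshold:
        return ("alert", "rate anomaly")
    return ("ok", "within baseline")


BASELINE = build_baseline(TRAINING_LOG)

# Constructed observations to classify.
OBSERVED_LOG = [
    "10.0.0.5 13 GET /index.html",                   # normal
    "10.0.0.5 13 GET /cgi-bin/known-bad-sample.sh",  # known-bad content, normal rate
    "10.0.0.7 90 GET /index.html",                   # benign content, abnormal rate
    "10.0.0.9 16 GET /news",                         # borderline: depends on threshold
    "10.0.0.42 12 GET /index.html",                  # source never seen in training
]

if __name__ == "__main__":
    for threshold in (3.0, 1.5):
        print(f"--- threshold z > {threshold}")
        for line in OBSERVED_LOG:
            verdict, reason = hybrid_detect(line, BASELINE, threshold)
            print(f"{verdict:5} {reason:22} {line}")
```

Running it with both thresholds shows the trade-off the text describes: at `z > 3.0` the borderline source `10.0.0.9` passes, at `z > 1.5` it is flagged, while the signature hit and the flooded source are reported either way.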

IDS and Firewalls

IDS systems and firewalls are cybersecurity solutions that can be implemented to
protect an endpoint or a network. However, they differ significantly in their
purposes. An IDS is a passive monitoring device that detects potential cyber
threats and generates alerts, allowing analysts in an incident response SOC to
investigate and respond to the potential incident; it does not, however, provide
real protection for the endpoint or the network. A firewall, on the other hand, is
designed to act as a protection system: it analyzes the metadata of network
packets and allows or blocks traffic based on predefined rules, creating a boundary
that certain types of traffic or protocols cannot cross.

In other words, a firewall is an active protection device, more like an intrusion
prevention system (IPS). An IPS is like an IDS, except that it actively blocks
identified cyberthreats instead of simply raising an alert. An IDS complements the
functionality of a firewall, and many Next-Generation Firewalls (NGFWs) have IDS/IPS
capabilities built in, which allows predefined filtering rules to be applied while
also detecting and responding to more sophisticated cyberthreats.
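The firewall / IDS / IPS distinction drawn above, as an added example that is not code from the article: the firewall decides on packet metadata only (source network and destination port, default deny), the passive IDS behind it inspects what the firewall let through and only raises alerts, and the inline IPS runs the same inspection but drops on a hit. The policy, the content marker and the traffic are constructed for this example; a real sensor would run a signature or anomaly engine where `inspect` does a substring check.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


# Constructed firewall policy: default deny, allow only web ports from the
# internal network. A firewall decides on metadata like this, never on payload.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/24")
ALLOWED_PORTS = {80, 443}


def firewall_allows(pkt):
    return pkt.dport in ALLOWED_PORTS and ipaddress.ip_address(pkt.src) in TRUSTED_NET


# Constructed content check shared by the IDS and the IPS below. The marker is a
# placeholder for whatever detection engine the sensor actually runs.
BAD_MARKER = "known-bad-sample"


def inspect(pkt):
    """Return an alert string when the payload matches, otherwise None."""
    if BAD_MARKER in pkt.payload:
        return f"content match {pkt.src}->{pkt.dst}:{pkt.dport}"
    return None


def ids_pipeline(packets):
    """Firewall in front, passive IDS behind it. The IDS raises alerts for a SOC
    analyst but never changes what is delivered."""
    delivered, alerts = [], []
    for pkt in packets:
        if not firewall_allows(pkt):
            continue                      # dropped by policy; the IDS never sees it
        alert = inspect(pkt)
        if alert:
            alerts.append(alert)
        delivered.append(pkt)             # delivered whether or not it alerted
    return delivered, alerts


def ips_pipeline(packets):
    """Same firewall, but the inspection is inline (IPS): a hit drops the packet."""
    delivered, alerts = [], []
    for pkt in packets:
        if not firewall_allows(pkt):
            continue
        alert = inspect(pkt)
        if alert:
            alerts.append(alert)
            continue                      # blocked instead of delivered
        delivered.append(pkt)
    return delivered, alerts


# Constructed traffic mix.
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 23, "login attempt"),                  # wrong port: firewall drops
    Packet("192.0.2.7", "10.0.0.80", 443, "TLS client hello"),             # untrusted source: firewall drops
    Packet("10.0.0.9", "10.0.0.80", 80, "GET /known-bad-sample HTTP/1.1"),  # allowed by policy, flagged by content
]

if __name__ == "__main__":
    for name, pipeline in (("IDS", ids_pipeline), ("IPS", ips_pipeline)):
        delivered, alerts = pipeline(PACKETS)
        print(f"{name}: delivered {len(delivered)} of {len(PACKETS)}, alerts: {alerts}")
```

The two pipelines produce the same alert list; the only difference is that the flagged packet reaches its destination under the IDS and is dropped under the IPS, which is exactly the "passive" versus "active" distinction the text makes.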

Rule-based IDS

This is the solution that starts from matching patterns, so that the system is able
to detect them automatically and raise a warning. Some examples are Snort, Suricata,
OSSEC, Samhain, Bro, or Kismet. All these systems are based on rules that need to be
pre-configured in them, so that they can work automatically and without
supervision. It is also important to bear in mind that they will only be as
effective as their databases of known threats are up to date.
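A minimal rule-based detector in the spirit of the systems named above, as an added example that is not code from the article or from any of those projects: it parses a simplified Snort-style rule line (a constructed subset of the syntax, not Snort's own grammar) into a structured rule, then evaluates every packet against every rule. The ruleset, SIDs, messages and traffic are constructed; the last packet carries the flagged path on a port the rules do not cover, which illustrates the text's point that the sensor is only as good as its pre-configured rules.

```python
import re
from dataclasses import dataclass

# Simplified Snort-style rule syntax (a constructed subset, not Snort's grammar):
#   <action> <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"..."; sid:N;)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: str   # substring that must appear in the payload; "" means any payload
    sid: int


def parse_rule(text):
    """Turn one rule line into a Rule; raises ValueError on a syntax error so a
    broken ruleset is noticed at load time rather than silently ignored."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = dict(OPT_RE.findall(m.group("opts")))
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), opts.get("content", ""), int(opts.get("sid", 0)))


def _field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (a constructed
    stand-in for a decoded packet)."""
    return (rule.proto == pkt["proto"]
            and _field_matches(rule.src, pkt["src"])
            and _field_matches(rule.sport, pkt["sport"])
            and _field_matches(rule.dst, pkt["dst"])
            and _field_matches(rule.dport, pkt["dport"])
            and (rule.content == "" or rule.content in pkt["payload"]))


def run_ruleset(rules, packets):
    """Evaluate every packet against every alert rule; returns (sid, msg) pairs
    in packet order. No matching rule means no alert: the ruleset is the whole
    detection."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((rule.sid, rule.msg))
    return alerts


# Constructed ruleset: the kind of pre-configured rules an operator loads before
# the sensor runs. SIDs and messages are made up for this example.
RULESET = [
    'alert tcp any any -> any 80 (msg:"Request for known-bad sample path"; content:"/known-bad-sample"; sid:1000001;)',
    'alert tcp any any -> any 23 (msg:"Telnet session to protected host"; sid:1000002;)',
]

# Constructed traffic. The last packet is not covered by the rules (port 8080).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.80", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "10.0.0.80", "dport": 80, "payload": "GET /known-bad-sample HTTP/1.1"},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 51002, "dst": "10.0.0.22", "dport": 23, "payload": ""},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 51003, "dst": "10.0.0.80", "dport": 8080, "payload": "GET /known-bad-sample HTTP/1.1"},
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULESET]
    for sid, msg in run_ruleset(rules, PACKETS):
        print(f"[{sid}] {msg}")
```

Two alerts come out, one per rule; the fourth packet produces none because no loaded rule describes it, which is why the text stresses keeping the rule database current.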

How to choose an IDS solution?

An IDS is a component that must be present in the cybersecurity implementation of
any organization. A simple firewall provides the foundation for network security,
but many advanced cyber threats can go unnoticed by it. An IDS adds an additional
line of cyber defense, making it difficult for a cyber attacker to gain access to
an organization's network undetected.

When selecting an IDS, it is important to consider the deployment scenario. In some
cases, an intrusion detection system may be the best option for the job, while in
others the built-in protection of an IPS may be better. Using an NGFW with
integrated IDS/IPS functionality provides an integrated solution and simplifies
cyber threat detection and security management.

Conclusion

Cyberattacks do not stop happening, and it is necessary for companies to implement
different security measures in order to guarantee the integrity and availability of
information, as well as the correct functioning of the entire system. Among the
security measures that can be adopted is the intrusion detection system. On many
occasions, among the security tools used by a company, we find mixed systems that
combine an IDS with a firewall.

While both systems monitor and analyze the network and devices for anomalies and
cyberthreats, the main difference between an IDS and an IPS is that the latter can
block attacks, since it has a preventive and proactive role.

As for the firewall, what it does is block all traffic, letting through only the
traffic or data packets allowed by its configuration. An IDS does the opposite: it
lets all traffic through, scanning it for malicious data or activity. Therefore, the
IDS and the firewall must work together, with the firewall filtering the allowed
traffic and the IDS analyzing it for threats or anomalies.
