AI & ML for Cyber Security

AI & ML for Cyber Security

Course Outline
Modules:
Module-1: Cyber Security Fundamentals
Total Engaging Hours: 38 Hrs
Module-2: Controlling attack
26 Hrs Theory and 12 Hrs Lab
Module-3: Handling Malicious Code

Pre-requisites Lab Sessions: Every Module Min of 4Hrs.

Basics of ML, Python, use of open source Session Starts: 15th Oct to November 30th
libraries (numpy, scikit learn etc), Use of
Jupyter Notebook.
 Overview

❖ Cyber Security TRIAD

❖ Basic Security Measures
❖ Basic Cryptography
❖ DNS
❖ Firewalls
❖ Attacker Techniques and Motivations
Cybersecurity Objectives
More
NIST Special
a lit y
nt i Publication

fide 800-12,
con revision 1
inte An
grit Introduction
y to
Information

ilit y Security

ila b section 1.4

a v a
 Con dentiality

a lit y
nt i
fide
con

Example:
Criminal steals
customers’ usernames,
Protecting information passwords, or credit
from unauthorised card information
access and
disclosure
fi
 Integrity

inte
grit Example:
y
Protecting Someone alters payroll
information information or a
from proposed product design
unauthorized
modification
 Availability

Preventing
disruption in Example:
how ilit y Your customers
ila b
information is a v a are unable to
access your
accessed
online services
 The OSI Security Architecture
❖ OSI security architecture is useful to managers as a way of organizing the task of providing
security.
❖ The OSI security architecture focuses on security attacks, mechanisms, and services.
❖ Security attack: Any action that compromises the security of information owned by an
organization.
❖ Security mechanism: A process (or a device incorporating such a process) that is designed to
detect, prevent, or recover from a security attack.
❖ Security service: A processing or communication service that enhances the security of the
data processing systems and the information transfers of an organization.
 OSI-SA
❖ Attack: an intelligent act that is a deliberate attempt (method or technique) to
evade security services and violate the security policy of a system.
❖ The attacks are of two types:
❖ Passive Attack: attempts to learn or make use of information from the
system but does not affect system resources.
❖ Active Attack: attempts to alter system resources or affect their operation
 Passive Attack
❖ Passive attacks are in the nature
of eavesdropping on, or
monitoring of, transmissions.
❖ The goal of the opponent is to
obtain information that is
being transmitted.
❖ Two types of passive attacks
are:
❖ Release of message
contents
❖ Traf c analysis.
fi
 Passive Attacks
❖ Passive attacks are very dif cult to detect, because they do not involve any alteration of the
data.
❖ Neither the sender nor the receiver is aware that a third party has read the messages or
observed the traf c pattern.

❖ Best way to counter these Passive Attacks is usually by means of encryption.

❖ Its similar to prevention rather than detection.
fi
fi
 Active Attacks
❖ Active attacks involve some modi cation of the data stream or the creation of a false stream.
❖ Subdivided into four categories:
❖ Masquerade
❖ Replay
❖ Modi cation of messages
❖ Denial of service.
fi
fi
 Active Attacks
❖ Masquerade: one entity pretends to be a different
entity.
❖ Masquerade attack usually includes one of the
other forms of active attack.
❖ Replay: passive capture of a data unit and its
subsequent retransmission to produce an Masquerade
unauthorized effect

Replay
 Masquerade Attacks
❖ There are several types of masquerade attacks, including:
❖ Username and password masquerade: In a username and password masquerade attack, an
attacker uses stolen or forged credentials to log into a system or application as a legitimate user.
❖ IP address masquerade: In an IP address masquerade attack, an attacker spoofs or forges their
IP address to make it appear as though they are accessing a system or application from a trusted
source.
❖ Website masquerade: In a website masquerade attack, an attacker creates a fake website that
appears to be legitimate in order to trick users into providing sensitive information or
downloading malware.
❖ Email masquerade: In an email masquerade attack, an attacker sends an email that appears to
be from a trusted source, such as a bank or government agency,
 Active Attacks
❖ Modi cation of messages: some portion of a
legitimate message is altered, or that messages
are delayed or reordered, to produce an
unauthorized effect.
❖ Denial of Service: inhibits the normal use or
management of communications facilities
Modi cation of Messages

Denial of Service
fi
fi
 Active Attacks
❖ Modi cation of messages: some portion of a
legitimate message is altered, or that messages
are delayed or reordered, to produce an
unauthorized effect.
❖ Denial of Service: inhibits the normal use or
management of communications facilities
Modi cation of Messages

Denial of Service
fi
fi
 DoS Attack Prevention

❖ To prevent DoS attacks, organizations can implement several measures, such as:
❖ Using rewalls and intrusion detection systems to monitor network traf c and block
suspicious activity.
❖ Limiting the number of requests or connections that can be made to a system or network.
❖ Using load balancers and distributed systems to distribute traf c across multiple servers
or networks.
❖ Implementing network segmentation and access controls to limit the impact of a DoS
attack.
fi
fi
fi
 Cryptography
❖ Cryptography derives from Greek and translates roughly to “hidden writing
❖ Method of hiding the content of a message called as ciphers
❖ Most famous classical cipher is the substitution cipher
❖ Substitution ciphers work by substituting each letter in the alphabet with another one when
writing a message.
❖ For Example abcdef is replaced as efghij
❖ Cipher obtained by using the substitute of a character of distance 4.
❖ Now iiitr will be replaced with mmmxv
 Types of Security Mechanism
❖ A security mechanism is a method or technology that protects data and systems from
unauthorized access, attacks, and other threats.
❖ Security measures provide data integrity, con dentiality, and availability, thereby protecting
sensitive information and maintaining trust in digital transactions.

fi
 Security Mechanism
❖ Encipherment : This security mechanism deals with hiding and covering of data which helps data to become
con dential.
❖ It is achieved by two famous techniques named Cryptography and Encipherment.
❖ Access Control : This mechanism is used to stop unattended access to data which you are sending.
❖ It can be achieved by various techniques such as applying passwords, using rewall, or just by adding
PIN to data
❖ Notarization : This security mechanism involves use of trusted third party in communication
❖ Data Integrity : This security mechanism is used by appending value to data to which is created by data
itself.
❖ Authentication Exchange : This security mechanism deals with identity to be known in communication.
❖ Bit Stuf ng : This security mechanism is used to add some extra bits into data which is being transmitted.
❖ Digital Signature : This security mechanism is achieved by adding digital data that is not visible to eyes.
fi
fi
fi
 Substitution Cipher

Here Jupiter Notebook to show the working of Substitution Cipher.

 Symmetric Encryption
❖ Symmetric encryption requires a shared key and therefore depends upon the secrecy of that
key, it is an effective and fast method for protecting the con dentiality.
❖ Both communication endpoints to know the same key in order to send and receive
encrypted messages.
❖ Key exchanges or pre-shared keys present a challenge to keeping the encrypted text’s
con dentiality.

Fig. Symmetric Encryption

fi
fi
 Block Ciphers
❖ Block ciphers are more common in symmetric encryption algorithms because they operate
on a block of data rather than each character
❖ Block ciphers use a more ef cient method called cipher block chaining (CBC).
❖ When using a block cipher in CBC mode, both a key and a random initialisation vector (IV)
convert blocks of plaintext into cipher-text.

Fig. CBC Mode Encryption

fi
 Symmetric Encryption
❖ Symmetric encryption can be very fast and protect sensitive information provided the key
remains secret.
❖ The grouping of larger blocks of data in the encryption algorithm makes it more dif cult to
decrypt without the key.
❖ Key exchange and protection are the most important aspects of symmetric cryptography
because anyone who has the key can both encrypt and decrypt messages.
❖ Asymmetric algorithms are different because they use different keys for encryption and
decryption.
❖ Using public key encryption can solve other goals beyond symmetric algorithms that protect
con dentiality.
fi
fi
 Public Key Encryption
❖ Public key encryption represents a branch of cryptography for which the distinguishing
attribute of the system is the use of two linked keys for encryption and decryption, rather
than a single key.
❖ Each public key system uses one key, known as the public key, to encrypt data, and a second
key, known as the private key, to decrypt the encrypted data.

Fig. Symmetric encryption (top) versus public key

encryption (bottom).
 Public Key Encryption
❖ One of the algorithm which uses asymmetric encryption is RSA system, a name derived from
the original inventors’ last names, the system uses large prime numbers to encrypt and
decrypt communication.

Fig. RSA Example

 Firewall and its role in Cyber Security
A rewall is a network security device that monitors incoming and outgoing network traf c
based on predetermined security rules.
Its primary function is to block unauthorized access to a network while allowing legitimate
traf c to pass through.
They use various methods to control network traf c, such as packet ltering, stateful
inspection, and application-level gateways.
fi
fi
fi
fi
fi
 Role of Firewall in Cyber security
❖ Controls Network Traf c: Firewall uses methods such as packet ltering, stateful
inspection, and application-level gateways.
❖ These methods help to prevent malicious traf c from entering the network and to stop
sensitive data from leaving the network without authorization
❖ Prevents Viruses and Malware: Firewalls also play an essential role in preventing the
spread of malware and viruses.
❖ They can be con gured to block traf c from known malicious sources and prevent
infected machines from connecting to the network.
fi
fi
fi
fi
fi
 Attacker Techniques and Motivations
❖ How Hackers Cover Their Tracks ?
❖ Masking one’s IP address is a standard practice when conducting illicit activities.
❖ A well-con gured proxy provides robust anonymity and does not log activity, thereby
frustrating law enforcement efforts to identify the original location of the person(s)
involved.
❖ AnonProxy is one example of a malicious proxy that its authors designed to monitor users
and steal information such as social-networking passwords.
❖ Malicious code authors also install local proxies.
❖ By altering the host’s le or browser con guration to use the proxy, the attacker redirects
requests and captures con dential information.
fi
fi
fi
fi
 Attacker Techniques and Motivations
❖ Types of Proxies
❖ Proxies are so common that many attackers scan the Internet for common listening proxy
ports.
❖ The most com-mon proxies listen on TCP port 80 (HTTP proxies), 8000, 8081, 443, 1080
(SOCKS Proxy), and 3128 (Squid Proxy).
❖ User Datagram Protocol (UDP).
❖ A virtual private network (VPN) acts as a more versatile proxy and supports more
security features.
 Attacker Techniques and Motivations
❖ Detecting Proxies
❖ Port scanning on corporate networks can identify proxies that listen on default ports.
❖ The domain name system blacklist (DNSBL) is one example of a blacklist that allows
administrators to block certain proxies.
 Tunnelling
❖ Most security controls include strong rewalls, intrusion detection systems (IDSs), and user
policies, such as proxies and time-of-day rules that limit the amount and type of traf c generated
on user networks.
❖ Tunnelling data through other protocols often bypasses these controls and may allow sensitive
data to exit the network and unwanted data to enter.
❖ A common, simple form of traf c tunnelling in SSH is the tunneling of a Transmission Control
Protocol (TCP) port.
❖ When a user con gures such tunnelling over an SSH session, the protocol simply proxies a TCP
connection over the SSH connection.
❖ The content of the TCP connection does not ow directly from source to destination, but rather
through the SSH connection.
fi
fi
fi
fl
fi
 Tunelling

❖ Some of the other protocols used for tunnelling are;

❖ HTTP
❖ DNS
❖ ICMP
 Tunelling
❖ Unlimited space in the content section: makes it
convenient to transfer arbitrary data to and from
an HTTP server.
❖ Similar DNS frame format is used for transmitting
the fake data/rouge data using the tunnelling in
the DNS Query and respond messages.
❖ ICMP tunnelling was one of the earliest methods
15

publicly available to transmit traf c over a

protocol in a covert way that essentially abused
the protocol
fi
 DNS
DNS messages.
1. protocol are carried in a
single format called a
message.
1. Message Format
the question section is used
to carry the “question” in
most queries.
and the answer, authority
and additional sections all
3. Answer Format
2. Question Format share the same format
(bottom).
 ICMP

ICMP Echo Message

❖ It is used mostly to deliver status and error messages when IP-based communication errors
occur or to troubleshoot and test connectivity status
❖ ICMP tunneling was one of the earliest methods publicly available to transmit traf c over a
15

protocol in a covert way that essentially abused the protocol

fi
 Fraud Techniques
❖ Phishing is a form of online fraud in which hackers attempt to get your private information such as
passwords, credit cards, or bank account data.
❖ This is usually done by sending false emails or messages that appear to be from trusted sources like
banks or well-known websites.
❖ The most common mode of phishing is by sending spam emails that appear to be authentic and thus,
taking away all credentials from the victim. The main motive of the attacker behind phishing is to gain
con dential information like:
❖ Password
❖ Credit card details
❖ Social security numbers
❖ Date of birth
fi
 How Phishing is Carried out?
❖ Clicking on an unknown le or
attachment
❖ Using an open or free wi hotspot:
❖ Responding to social media requests
❖ Clicking on unauthenticated links or
ads:
fi
fi
 Types of Phishing Attack
Email Phishing: The most common type where users are tricked into clicking unveri ed spam emails
and leaking secret data. Hackers impersonate a legitimate identity and send emails to mass victims
Spear Phishing: Target Individual. In this method, the attacker rst gets the full information of the
target and then sends malicious emails to his/her inbox to trap him into typing con dential data.
Whaling: Whaling is just like spear-phishing but the main target is the head of the company
Smishing: In this type of phishing attack, the medium of phishing attack is SMS. Smishing works
similarly to email phishing.
Vishing: Vishing is also known as voice phishing. In this method, the attacker calls the victim using
modern caller ID spoo ng to convince the victim that the call is from a trusted source
Clone Phishing: Clone Phishing this type of phishing attack, the attacker copies the email messages
that were sent from a trusted source and then alters the information by adding a link that redirects
the victim to a malicious or fake website.
fi
fi
fi
fi
 How to stay protected against Phishing?
❖ Authorized Source: Download software from authorized sources only where you have trust.
❖ Con dentiality: Never share your private details with unknown links and keep your data
safe from hackers.
❖ Check URL: Always check the URL of websites to prevent any such attack. it will help you
not get trapped in Phishing Attacks.
❖ Avoid replying to suspicious things: If you receive an email from a known source but that
email looks suspicious, then contact the source with a new email rather than using the reply
option.
❖ Phishing Detection Tool: Use phishing-detecting tools to monitor the websites that are
crafted and contain unauthentic content.
fi
 Malicious Codes
❖ Malware is malicious software and refers to any software that is designed to cause harm to
computer systems, networks, or users. Malware can take many forms.
❖ Malware is software that gets into the system without user consent to steal the user’s private
and con dential data, including bank details and passwords.
Types of Malware
fi
 Thank you

Any Questions??