Could Machine Learning Have a Role in Preventing Web Attacks?


In the cyber security community, there has been much debate as of late surrounding the topics of both Artificial Intelligence (AI) and machine learning and what their places are in the prevention of cyber attacks. Cyber attacks are evolving and increasing at an astounding rate, exploiting multiple vectors, sometimes simultaneously, with sophisticated techniques.

While AI has always been a hot topic, this blog post will focus on the roles that machine learning can play in protecting organizations against cyber attacks. Though machine learning has been hailed as the “saviour of cyber security” by some, it is too early to declare it as the “be-all, end-all” solution to today’s cyber challenges. However, we can predict some of the potential advantages. Here are five kinds of cyber attacks where machine learning may prove useful.

1. Ransomware

Ransomware, a popular form of malware making waves across the Web, has the power to wipe out entire computer drives and put computer systems on lockdown until a ransom is paid. Because of its devastating consequences and exorbitant payouts demanded, could machine learning be the solution that ransomware victims desperately need?

Ransomware presents a major challenge to organizations since attackers leave behind very little evidence of suspicious network activity when infiltrating a computer system. Machine learning can slow down the spread of ransomware by detecting “micro” behaviors that are associated with a ransomware attack, such as the very processes that encrypt files for ransom. With machine learning, these pieces of evidence could indicate an initial infection, making it possible to prevent its spread and reduce its overall impact.

2. Injection Attacks

Injection attacks refer to a broad class of attack vectors that allow a command or query to alter the course of execution of an infected program. Hackers typically input a line of malicious code into a system’s database, gain unauthorized access, and make changes to this database—consequently defacing a website entirely. This can result in the loss of data integrity or enable the launch of DoS attacks. Injection attacks can include SQL and XSS attacks among others.

The databases mentioned above can be used alongside machine learning to help a business prevent cyber attacks. If algorithms powered by machine learning can create unique statistical profiles of the groups of users in the database that have authorized access, then over time the “machine” can learn to distinguish these groups and spot irregularities by separating who can and cannot gain access.

3. DDoS Attacks (Layer 7)

DDoS attacks arising from layer 7, or the application layer, are often very difficult to detect. Illegitimate traffic can often be disguised as a user’s normal behavior, making detection that much harder. Other factors also make it hard to distinguish between legitimate and illegitimate users. For starters, application-layer DDoS attacks consume much less bandwidth than network-layer attacks and can therefore bypass detection quite easily. There is also the problem of DDoS attacks being incorporated into blended attacks, where they are stealthily combined with other types of attacks to avoid detection, rendering signature-based techniques ineffective.

By employing machine learning techniques, there is hope for providing an alternative form of protection against DDoS attacks. Distinguishing “good” traffic from the “bad” is one way machine learning can better assist in the fight against DDoS attacks. It can look at anomalies in large datasets to detect and distinguish between good and bad traffic. For example, in the case that a DDoS attack attempts to exhaust a system’s resources by continuously starting and restarting the signup process, machine learning would be able to detect this abnormality and prevent the task from being performed to begin with.
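The signup-restart case above can be sketched as a small anomaly detector. This is an added example, not code from the original post: it uses a robust-statistics baseline (median and MAD) as a stand-in for a trained model, and the event names, client addresses and thresholds are assumptions.

```python
from collections import Counter
from statistics import median

def build_sample_events():
    """Constructed (client, event) pairs for one 5-minute window."""
    events = []
    for i in range(1, 9):  # ordinary visitors: one start, most complete
        client = f"10.0.0.{i}"
        events.append((client, "signup_start"))
        if i % 4 != 0:
            events.append((client, "signup_complete"))
    # Busy but legitimate source (e.g. an office NAT): many starts, most finish.
    events += [("10.0.0.50", "signup_start")] * 30
    events += [("10.0.0.50", "signup_complete")] * 27
    # Abusive source: restarts the signup flow 40 times and never finishes.
    events += [("10.0.0.99", "signup_start")] * 40
    return events

def per_client_features(events):
    """Return {client: (signup starts, completion ratio)}."""
    starts, completes = Counter(), Counter()
    for client, event in events:
        if event == "signup_start":
            starts[client] += 1
        elif event == "signup_complete":
            completes[client] += 1
    return {c: (n, completes[c] / n) for c, n in starts.items()}

def robust_scores(features):
    """Modified z-score of each client's start count (median/MAD based)."""
    counts = [n for n, _ in features.values()]
    med = median(counts)
    mad = median([abs(n - med) for n in counts])
    scale = max(mad, 1.0)  # assumption: floor of one event when MAD is 0
    return {c: 0.6745 * (n - med) / scale for c, (n, _) in features.items()}

def detect(events, z_threshold=3.5, max_completion=0.1):
    """Flag clients that start signup far more often than peers AND rarely finish."""
    features = per_client_features(events)
    scores = robust_scores(features)
    return sorted(c for c, (_, ratio) in features.items()
                  if scores[c] > z_threshold and ratio < max_completion)

if __name__ == "__main__":
    print(detect(build_sample_events()))
```

Requiring both a high start count and a low completion ratio keeps the busy shared address and the visitors who simply abandoned a form out of the result, which is the false-positive problem volume-only rules run into.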

4. “Reconnaissance” and Scanning

While not necessarily an attack type, reconnaissance will always have a place in computer security. What is reconnaissance? Before a hacker gains access to a network or system, he or she must first collect as much information as possible about the target such as IP address range, DNS records, and more. A hacker then takes it a step further and uses this information to “scan” the network by gathering additional useful information to proceed in the next phase of hacking, such as soliciting user accounts.

With traditional signature-based detection, it’s more likely that malicious behavior will go undetected. With this method, there is also the possibility of setting off false alarms. When machine learning is introduced into the picture, new algorithms can be generated to identify fresh attack patterns more quickly than signatures that rely on updates.

The various types of attacks discussed above would be identified and handled more quickly with machine learning. While machine learning may not be the ultimate, end-all security savior for preventing cyber attacks, it does present an exciting alternative approach to addressing the new era of cyber challenges we are currently seeing. The technology has not yet been perfected, so for now we can only recognize the potential role machine learning has in protecting against common cyber attacks.