Center for Cyber-Physical Systems (C2PS)

Artificial Intelligence for Cyber Crisis Management Expertise Shared

July 18, 2019

Khalifa University’s Dr. Ernesto Damiani Discusses the Need to Leverage AI and Big Data Analytics to Prevent Cyberattacks

As a regional expert in the field of artificial intelligence (AI), Khalifa University’s Dr. Ernesto Damiani, Professor of Electrical and Computer Engineering and Director of KU’s Center on Cyber Physical Systems (C2PS) and Senior Director of KU’s recently launched Artificial Intelligence and Intelligent Systems Institute, was invited to the European Agency for Network and Information Security’s (ENISA) high-level meeting in Athens in June to discuss the pressing issue of cyber crisis management.

ENISA is the EU agency tasked with establishing a high level of network and information security within the European Union. The meeting in Athens convened AI experts from around the globe to share and debate the best practices for preventing and managing cyber-attacks.

“When a security crisis takes place in the physical world some things are certain, like who is threatening you, how and (most of the time) why. This is not the case for cyber-crises, as the hand pointing the gun at you is hidden in the Dark Net and the gun itself may have been planted in your network years before. AI has become crucial for cyber-security,” explained Dr. Damiani.

A good example of a hidden cyber-gun is EternalRocks, a computer worm that infects Microsoft Windows machines, which was originally developed by the United States’ National Security Agency (NSA). Once installed on the victim’s machine through a phishing email, EternalRocks’ small infecting module (or carrier) installs Tor, the notorious private network that conceals Internet traffic, to access its hidden servers. The carrier uses Tor to connect to a remote server and downloads an entire Trojan horse that allows the remote attacker to control the victim’s machine and the networks it is connected to.

Unlike ransomware such as WannaCry, which infected 230,000 computers in May 2017, EternalRocks does no immediate harm to its hosts.

“It just hides on a disk, renaming itself to escape detection, and then stays dormant for months, even for years, until the time comes for a “soft” attack aimed at collecting and stealing information or for a generalized attack to clog the victim’s network,” said Dr. Damiani.

“Soft” attacks are especially dangerous because they can subtly impair a country’s key industries and markets, steal relevant information and weaken defenses, while going completely unnoticed.

Traditional security measures, like cyber-walls, are useless once EternalRocks “sleepers” are installed inside a system’s defense perimeter. Sleeper modules generate traffic at random intervals, waiting for network activity bursts to hide their footprints. This makes traditional attack-identification techniques based on fixed traffic patterns almost useless against sleepers.

However, some AI models, like Recursive Neural Networks (RNNs), can be equipped with long-term memory to find, remember and link together statistically rare events taking place on smartphones, computers and other devices, as well as on the network connecting them. RNNs are trained to match these sequences to “attack graphs”, i.e. chains of connected events that correspond to an attack.
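As an added illustration of the point above (example code, not from the article or from the C2PS/EBTIC team), the script below contrasts a fixed-interval beacon check with a check that links rarely seen destinations to traffic bursts; the event stream, destination names and thresholds are all constructed assumptions.

```python
"""Constructed event stream from one host: (time_s, destination).
A busy 'browsing' destination dominates; a hypothetical sleeper ('c2.example')
calls out only a few times, at irregular intervals, always inside bursts."""
from collections import defaultdict
from statistics import mean, pstdev

EVENTS = [  # constructed sample, not real telemetry
    (0, "cdn.example"), (1, "cdn.example"), (2, "cdn.example"), (3, "c2.example"),
    (60, "cdn.example"),
    (300, "cdn.example"), (301, "cdn.example"), (302, "cdn.example"), (303, "c2.example"),
    (500, "cdn.example"),
    (1100, "cdn.example"), (1101, "cdn.example"), (1102, "cdn.example"), (1104, "c2.example"),
    (1300, "cdn.example"),
    (2000, "cdn.example"), (2001, "cdn.example"), (2002, "cdn.example"), (2003, "c2.example"),
]


def fixed_pattern_alerts(events, min_contacts=3, max_cv=0.1):
    """Classic beacon check: flag a destination contacted at near-constant intervals.
    A sleeper that randomizes its intervals never trips this rule."""
    times = defaultdict(list)
    for t, dst in events:
        times[dst].append(t)
    flagged = set()
    for dst, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation of the inter-contact gaps
        if len(ts) >= min_contacts and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.add(dst)
    return flagged


def in_burst(events, t, window=10, burst_min=3):
    """True if at least burst_min events fall within +/- window seconds of t."""
    return sum(1 for t2, _ in events if abs(t2 - t) <= window) >= burst_min


def rare_in_burst_alerts(events, rare_frac=0.25, min_contacts=3, burst_share=0.8):
    """Long-memory check: a rarely seen destination whose contacts hide inside bursts."""
    counts = defaultdict(int)
    for _, dst in events:
        counts[dst] += 1
    flagged = set()
    for dst, n in counts.items():
        if n < min_contacts or n / len(events) > rare_frac:
            continue  # too few contacts to judge, or too common to be 'rare'
        hidden = sum(1 for t, d in events if d == dst and in_burst(events, t))
        if hidden / n >= burst_share:
            flagged.add(dst)
    return flagged
```

On the constructed stream the fixed-pattern check flags nothing, while the rare-in-burst check flags only the sleeper destination.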

Dr. Damiani and a team of KU researchers from the Center on Cyber-Physical Systems and the Emirates ICT Innovation Center (EBTIC), in collaboration with other UAE-based stakeholders in the telecommunication domain, are developing an AI model that will be able to identify suspicious activities trying to escape detection. The team is automating the set-up and deployment of Big Data pipelines that ingest streams of events (such as the start and end of smartphones’ data connections, use of apps, and handovers from one cell to another) coming from large-scale mobile network environments comprising millions of smartphones and other devices. These streams are collected using a technique based on a multiple-SIM probe developed by C2PS in collaboration with Purdue University’s CERIAS center, and then fed into the AI models that identify suspicious activities.

Cyberattacks are the fastest growing crime in the US, according to a report released last year by Cybersecurity Ventures, and they are increasing in size, sophistication and cost. Cybersecurity Ventures predicts that cybercrime will cost the world US$6 trillion annually by 2021.

Using data analytics and AI to prevent cyber threats is critical for achieving information security and better cyber resilience. This capability is critical as we shift from merely reacting to incidents to predicting, understanding and responding to complex events.

Erica Solomon
Senior Editor
18 July 2019