Balian Blog

Machine Learning Techniques for Cybersecurity

An introduction to the book "Machine Learning Techniques for Cybersecurity" by Elisa Bertino, Sonam Bhardwaj, Fabrizio Cicala, Sishuai Gong, Imtiaz Karim, Charalampos Katsis, Hyunwoo Lee, Adrian Shuai Li, Ashraf Y. Mahgoub, published by Springer International Publishing AG in 2023. The book is provided in PDF format, in English. "Machine Learning Techniques for Cybersecurity" is listed in the Uncategorized category.

This book explores Machine Learning (ML) defenses against the many cyberattacks that make our workplaces, schools, private residences, and critical infrastructures vulnerable as a consequence of the dramatic increase in botnets, data ransom, system and network denials of service, sabotage, and data theft attacks. The use of ML techniques for security tasks has been steadily increasing in research and also in practice over the last 10 years. Covering efforts to devise more effective defenses, the book explores security solutions that leverage Machine Learning (ML) techniques that have recently grown in feasibility thanks to significant advances in ML combined with big data collection and analysis capabilities. Since the use of ML entails understanding which techniques can be best used for specific tasks to ensure comprehensive security, the book provides an overview of the current state of the art of ML techniques for security and a detailed taxonomy of security tasks and corresponding ML techniques that can be used for each task. It also covers challenges for the use of ML for security tasks and outlines research directions. While many recent papers have proposed approaches for specific tasks, such as software security analysis and anomaly detection, these approaches differ in many aspects, such as with respect to the types of features in the model and the dataset used for training the models. In a way that no other available work does, this book provides readers with a comprehensive view of the complex area of ML for security, explains its challenges, and highlights areas for future research. This book is relevant to graduate students in computer science and engineering as well as information systems studies, and will also be useful to researchers and practitioners who work in the area of ML techniques for security tasks. 
Today, terms such as Artificial Intelligence (AI), Machine Learning (ML), and Deep Learning (DL) are widely used not only in the technical literature but also in the media, popular culture, advertising, and more. These terms are often used interchangeably. There are, however, differences among the respective areas that we outline in what follows. Early AI approaches were mainly based on declarative knowledge provided by humans, for example, in terms of logical rules and ontologies. Such knowledge would then be used as input by inference mechanisms, often based on some formal logic. Today, AI encompasses a broad set of technology solutions that can learn on their own. A major problem of early AI approaches was the lack of scalability because of their reliance on human inputs. ML techniques, which started to be widely used in the 1980s, address this problem by relying on data, instead of explicit human input. They apply statistical methodologies to identify patterns occurring in data. They improve their prediction tasks every time they acquire new data. A special category of ML techniques is represented by data mining (DM), which basically addressed the problem of identifying patterns on very large datasets. DL techniques represent an important category of ML techniques that address the shortcoming of early ML techniques. DL essentially refers to algorithms that adapt when exposed to different situations or data patterns. Vaguely inspired by biological neural networks, DL algorithms try to learn various characteristics from data and use them for decision-making/prediction on similar unseen data. DL techniques have gained interest because of the increased amounts of data available and their various algorithmic innovations as well as significant improvements in computing capabilities enabled by GPUs, which have made fast training and deployment of DL models possible.
Preface
Contents
Acronyms
1 Introduction
  1.1 Artificial Intelligence, Machine Learning, and Deep Learning
  1.2 Security Functions
    1.2.1 Security Policy Learning
    1.2.2 Software Security Analysis
    1.2.3 Hardware Security Analysis
    1.2.4 Detection
    1.2.5 Attack Management
  1.3 Security Life Cycle
  1.4 Organization of This Monograph
2 Background on Machine Learning Techniques
  2.1 Preliminary Notions
  2.2 Neural Networks
  2.3 Autoencoders
    2.3.1 Denoising Autoencoders
    2.3.2 Variational Autoencoders
  2.4 Recurrent Networks and Long Short-Term Memory
  2.5 Attention Mechanism
  2.6 Reinforcement Learning
  2.7 Transfer Learning
    2.7.1 Notations and Definitions
    2.7.2 Fine-Tuning
    2.7.3 Domain Adaptation
  2.8 Embedding Techniques
3 Security Policy Learning
  3.1 Access Control Policies
    3.1.1 Learning Access Control Policies
    3.1.2 Policy Transfers Across Domains
    3.1.3 DL Models for Access Control Decisions
    3.1.4 Model-Independent Policy Mining
  3.2 Network Security Policies
    3.2.1 Firewall Rule Miners
    3.2.2 ML-Based Firewall Systems
    3.2.3 Network Security Policies for Traditional Networks
    3.2.4 Network Security Policies for IoT
  3.3 Privacy Policy Contradiction Identification
  3.4 Adaptive Security Policy Learning Systems
  3.5 Research Directions
4 Software Security Analysis
  4.1 Static Analysis
    4.1.1 A Survey on Machine Learning Techniques for Source Code Analysis
    4.1.2 Recent Approaches
  4.2 Fuzzing Techniques
    4.2.1 Fuzzing Steps
    4.2.2 ML-Based Fuzzing
  4.3 NLP-Based Techniques for Specification Analysis
    4.3.1 Finite State Machine Extraction
    4.3.2 Zero-Shot Protocol Information Extraction
    4.3.3 4G LTE Testcase Generation
    4.3.4 Semantic Information Analysis of Developer's Guide
    4.3.5 Security-Specific Change Request Detection
    4.3.6 Capturing Privacy-Related Settings in Android
  4.4 Supporting Techniques
    4.4.1 Neural Network-Based Function and Type Identification
    4.4.2 Reverse Engineering
  4.5 Research Directions
5 Hardware Security Analysis
  5.1 ML-Based Hardware Test Input Generation
  5.2 ML-Based Detection of Hardware Trojans
  5.3 Research Directions
6 Detection
  6.1 Types of Malware
  6.2 ML-Based Anomaly Detection
    6.2.1 Networks
    6.2.2 IoT Systems
    6.2.3 Cyber-Physical Systems
    6.2.4 Ransomware
  6.3 Malware Detection and Classification
    6.3.1 Portable Executable File Format
    6.3.2 Analysis and Detection Techniques
    6.3.3 Data Preparation and Labeling for ML-Based Malware Analysis
    6.3.4 Malware Detection and Analysis: Features for Specific Platforms
    6.3.5 Malware Representation
  6.4 Research Directions
7 Attack Management
  7.1 Attack Mitigation
  7.2 Defense Enhancement
  7.3 Digital Forensics
    7.3.1 NLP-Based Attack Analysis
    7.3.2 Transformer-Based Contextual Analysis of Security Events
    7.3.3 GNN-Based Memory Forensic Analysis
    7.3.4 An Explanation Method for GNNs Models
  7.4 Research Directions
8 Case Studies
  8.1 The Target Data Breach
  8.2 The SolarWinds Attack
  8.3 The WannaCry Ransomware
9 Challenges in the Use of ML for Security
  9.1 Data Availability and Quality
  9.2 Selection of Models, Hyperparameters, and Configurations
    9.2.1 Selecting the Right Model
    9.2.2 Hyperparameter and Configuration Tuning
  9.3 Ethics
    9.3.1 Explainability
    9.3.2 Fairness
    9.3.3 Robustness
    9.3.4 Transparency
    9.3.5 Privacy
  9.4 Security of ML
  9.5 Research Directions
10 Concluding Remarks
Appendix: Publicly Available Datasets
References