Page 266 - Artificial Intelligence in the Age of Neural Networks and Brain Computing
P. 266
258 CHAPTER 12 Computational Intelligence in the Time
Various software products are available to implement the second level of
security. However, there is still plenty of room to design machine learningebased
algorithms to identify malwares and detect unknown cyberattacks using zero-day
vulnerability. Many approaches have been proposed so far in this direction, for
example, see Refs. [20,21] for details.
The third security layer is also very important and can be seen at the application
level. Usually, the number of new malware victims gradually increase, infection then
rapidly spreads following some triggering events associated with malware evolution
(the open source code of the malware is made available), and, finally, we end up in a
pandemic situation. Early detection of malware can mitigate the infection, as
presented in the next subsection Case Study.
6.2 CASE STUDY: DARKNET ANALYSIS TO CAPTURE MALICIOUS
CYBERATTACK BEHAVIORS
In order to protect users from cyber threats, it is important to characterize mal-
ware behavior, with malware instances caught both within one’s local network
domain and the Internet as a whole. A classification system can then be designed
to monitor the current system behavior in order to detect cyberattacks. One way
to observe large-scale events taking place on the Internet is to design a network
probe inspecting activity in the darknet.The darknetisdefinedasa setofunused
address-space of a computer network which should not be used and, as such, not
have any normal communication with other computers. Following the definition,
it comes out that almost all communication traffic along the darknet is therefore
suspicious; by inspecting such a traffic, we can grasp information related to
cyberattacks. Observable cyberattacks are mainly activities of random scanning
worms and DDoS backscatter messages. However, since the darknet can receive
packets from the whole Internet space, by operating in the darknet we can monitor
the large-scale malicious activities on the whole Internet.
Fig. 12.3 shows the darknet traffic patterns representing two cases of typical
malicious behaviors: (A) DDoS attacks and (B) scanning. The vertical axes of the
plots represent the port number of a source host and a destination IP (darknet
side). The horizontal axis is divided into two parts: the left one refers to the time
needed to send a packet from a source host while the right half refers to the
destination IP. Therefore, the plot shows that a packet of a certain host is delivered
from a port number on the left vertical axis at a certain time on the left horizontal
axis and it reaches a destination host with IP on the right horizontal axis and a
port number on the right vertical axis. Traffic patterns differ depending on the nature
of cyberattacks. For instance, Fig. 12.3 shows a typical DDoS attack and a typical
scanning activity.
