The Cyber-AI Nightmare

AI-driven IoT botnets that attack through encrypted traffic

The Cyber Defense Crisis

The classical cyber security paradigm is facing a major crisis. IoT botnets are becoming AI-driven. They now cause diverse types of business and operational damage more easily and in no time, while rarely getting caught, putting any online industry at serious risk. Due to privacy concerns, next-gen AI-IoT botnets render cloud services almost useless, because they prevent Deep Packet Inspection (DPI) of traffic, which is a must for monitoring anything outside the enterprise. The next logical step should be to count on internal in-line defense shields. Unfortunately, installed legacy appliances don't work, as they are mostly built to protect against simple attack types such as “brute force” or “SQL injection”. Therefore, the asymmetry between the capabilities of the two sides has never been clearer than today, giving a tailwind to the improving “low cost” cyber-attacks-as-a-service industry, which is on the rise.

The Rising Threat of AI-enhanced IoT-botnets

An overwhelming number of cyber-attacks are currently automated. A human hacker going after an individual target is far rarer; the more common approach now is to automate attacks with AI and machine learning tools, everything from scripted Distributed Denial of Service (DDoS) attacks to ad fraud and so on. This adds another layer of sophistication to the already fast-growing IoT-botnet threat. Furthermore, IoT botnets “tunnel” through encrypted traffic directly to the application servers. The result is fast and accurate damage, as AI capabilities change the attack tactics in real time to defeat the given “local” defense layers.


The defense challenge

Given the threat landscape described above, next-generation “local” defense systems should be made to fulfill at least the following requirements:

Protect the enterprise's reputation, customers and revenues

  • Discover IoT-AI attacks in real time under any traffic condition and attack complexity
  • Mitigate IoT-AI attacks in real time with minimal damage to normal users' activity

Fully automated operation with a minimal need for maintenance & support

  • Simple and immediate deployment process in modern data centers (“plug and play”)
  • Auto-adapt to protect frequently uploaded application updates (“deploy and forget”)

"Supervised Learning" (AI) cannot fill the gap

Although popular, “supervised learning” seems limited in its ability to fill the gap. Building a working “supervised learning” model requires training the system with a stable data set before it can be used. However, Internet traffic is very challenging, as its volume, content and sources are constantly changing. Normal traffic can accelerate in no time from zero to 1,000 requests per second and decay at the same speed. In addition, users visit different web pages and APIs, while each request may “carry” different parameters.

As the characteristics of the data model (traffic data) constantly change, only limited “supervised learning” models can be built, and they mostly fall into one of the following categories:

  • Low-resolution models, which are usually limited in their ability to identify specific bot activities and damage with high precision.
  • Limited high-resolution models that focus on specific questions based on a limited set of features.

Hackers continuously change the rules of the game, including the attack details, tactics and characteristics. This dynamic demands training the system for the unknown on a continuous basis, which is out of scope for the “supervised learning” approach.

"Unsupervised Learning" (AI) is the right answer

“Unsupervised learning” requires a general approach to how a problem should be identified and solved, and requires no training set at the start. Therefore, it seems like the right approach, as no model can be pre-identified, only the nature of the problem that the system should look for: namely, identifying that a trace of bot activity can be found.
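
The contrast drawn in the last two sections, as an added example that is not from the original article: a threshold fitted once on quiet traffic is applied to a later surge, next to an outlier score computed inside the surge window itself with no training set. The single feature (requests per client), the median/MAD modified z-score and all sample data are assumptions constructed for illustration.

```python
from statistics import mean, median, pstdev

# Constructed sample data: requests per client inside one time window.
QUIET = {f"u{i}": 1 + i % 5 for i in range(20)}    # 1..5 requests each
SURGE = {f"u{i}": 8 + i % 8 for i in range(200)}   # busier legitimate users
SURGE["bot-1"] = 300                               # one automated client


def fit_static_threshold(train):
    """'Train once' stand-in: mean + 3 standard deviations of a stable data set."""
    values = list(train.values())
    return mean(values) + 3 * pstdev(values)


def flag_static(window, threshold):
    """Apply the frozen threshold to a later window."""
    return {c for c, n in window.items() if n > threshold}


def flag_robust(window, cutoff=3.5):
    """No training set: modified z-score (median/MAD) within the window itself."""
    values = list(window.values())
    med = median(values)
    mad = median([abs(v - med) for v in values]) or 1.0  # avoid division by zero
    return {c for c, n in window.items() if 0.6745 * (n - med) / mad > cutoff}


if __name__ == "__main__":
    threshold = fit_static_threshold(QUIET)
    print(f"static threshold from quiet traffic: {threshold:.2f}")
    print("static rule flags in surge:", len(flag_static(SURGE, threshold)), "clients")
    print("median/MAD flags in surge:", sorted(flag_robust(SURGE)))
```

Once normal behaviour shifts, the frozen threshold flags every client in the surge window, while the in-window score isolates only the client whose volume is far from that window's own median.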