
    Role of AI in Threat Detection and Zero-day Attacks

    Cybercrime and attack methods have been steadily increasing since the 2019 pandemic. In the years following 2019, the number of victims and attacks per hour rapidly increased as businesses and organizations transitioned to digital environments for business continuity amid lockdowns. In most scenarios cybercriminals continued to use conventional attack methods and known vulnerabilities that would cause minimal damage to an organization with a robust cyber security posture. However, zero-day exploits have skyrocketed across all industries as the technological landscape has grown to encompass the internet of things (IoT), cloud hosting, and more advanced mobile technologies. Reports by Mandiant Threat Intelligence (2022) concluded that 2021 had the largest increase in zero-days, accounting for at least 80% of those that had been exploited. State-sponsored actors led by Chinese groups were the primary attackers. Traditional methods of defense, which include antivirus software, patching, firewalls, and other cybersecurity controls, are less effective against zero-days, which are unknown to vendors and organizations. Zero-days bypass traditional signature- and anomaly-based detections and antivirus software, which contain signature information only for known attacks. To deal with a changing and advanced threat landscape, techniques incorporating artificial intelligence, such as machine learning and deep learning, have been applied alongside IDS to detect and prevent zero-day attacks.

    A novel ensemble of hybrid intrusion detection system for detecting internet of things attacks

    The Internet of Things (IoT) has been rapidly evolving towards making a greater impact on everything from everyday life to large industrial systems. Unfortunately, this has attracted the attention of cybercriminals who have made IoT a target of malicious activities, opening the door to possible attacks on the end nodes. Due to the large number and diverse types of IoT devices, it is a challenging task to protect the IoT infrastructure using a traditional intrusion detection system. To protect IoT devices, a novel ensemble Hybrid Intrusion Detection System (HIDS) is proposed by combining a C5 classifier and a One Class Support Vector Machine classifier. HIDS combines the advantages of a Signature Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS). The aim of this framework is to detect both well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the Bot-IoT dataset, which includes legitimate IoT network traffic and several types of attacks. Experiments show that the proposed hybrid IDS provides a higher detection rate and a lower false-positive rate compared to the SIDS and AIDS techniques. © 2019 by the authors. Licensee MDPI, Basel, Switzerland.

    Unsupervised Algorithms to Detect Zero-Day Attacks: Strategy and Application

    In the last decade, researchers, practitioners and companies have struggled to devise mechanisms to detect cyber-security threats. Among others, those efforts produced rule-based, signature-based or supervised Machine Learning (ML) algorithms that have proven effective for detecting intrusions that have already been encountered and characterized. By contrast, new unknown threats, often referred to as zero-day attacks or zero-days, are likely to go undetected because those techniques often misclassify them. In recent years, unsupervised anomaly detection algorithms have shown potential to detect zero-days. However, dedicated support for quantitative analyses of unsupervised anomaly detection algorithms is still scarce and often does not promote meta-learning, which has the potential to improve classification performance. To this end, this paper introduces the problem of zero-days and reviews unsupervised algorithms for their detection. Then, the paper applies a question-answer approach to identify typical issues in conducting quantitative analyses for zero-day detection, and shows how to set up and exercise unsupervised algorithms with appropriate tooling. Using a very recent attack dataset, we discuss i) the impact of features on the detection performance of unsupervised algorithms, ii) the relevant metrics to evaluate intrusion detectors, iii) means to compare multiple unsupervised algorithms, and iv) the application of meta-learning to reduce misclassifications. Ultimately, v) we measure the detection performance of unsupervised anomaly detection algorithms with respect to zero-days. Overall, the paper exemplifies how to practically orchestrate and apply an appropriate methodology, process and tool, providing even non-experts with the means to select appropriate strategies to deal with zero-days.