Friday, 2 October 2020

Reinforcement Learning for Anti-Ransomware Testing

ML models have recommended themselves as a powerful tool for cyberdefense. AI/ML is heavily used in antiviruses (EDR), Next-Gen Firewalls, and SIEM (SOAR) solutions to solve the classification problem as well as to discover anomalous behavior that may indicate a presence of an attacker with the help of Supervised and Unsupervised Learning. Deep Learning helps to filter spam emails and mark fake news to protect users against disinformation [1].

Thursday, 26 March 2020

AI and Cybersecurity. Part 4 - Clustering URLs

In Part 3, we tried to apply the feature scaling and dimensionality reduction techniques to the dataset with phishing and benign URLs. As a result, we were able to clearly see the distribution of URLs between two classes based on four attributes: registrar, country, lifetime, and protocol.

But what if we don’t have labels (phishing and benign) for the Internet links in the beginning. Will ML still work to detect phishing attacks? In this case, we may come to unsupervised learning, in particular, clustering. Clustering enables grouping objects of unknown classes according to common features so that we do not need labeled data for a training set.

Wednesday, 18 March 2020

AI and Cybersecurity. Part 3 - Dimensionality Reduction and Feature Scaling

In the previous post, we created a binary classifier for detecting phishing URLs. Here, we're going to continue exploring the data with visualization techniques.

Monday, 16 March 2020

AI and Cybersecurity. Part 2 - Detecting Phishing URLs with ML

hack fraud card code computer credit crime cyber data hacker identity information internet password phishing pile privacy protection safety secure spy steal technology thief green cartoon text product line font illustration human behavior angle clip art graphics computer wallpaper

In Part 1, we already got acquainted with AI paradigms and the main ML approaches: supervised, unsupervised, and reinforcement learning. Even though the unsupervised learning approach looks more attractive as you do not need to pre-mark the data for training, supervised learning can be seen as a more precise instrument for detecting malicious objects such as phishing URLs once we have enough labeled data.

Saturday, 14 March 2020

AI and Cybersecurity. Part 1 - Intro

Image via
[Author: Alexander Adamov]

I have spent almost all my professional life working in the antivirus industry detecting and analyzing malware. Around ten years ago, when the malware flow had increased so much that my colleagues and I did not have enough resources to analyze them all, we started thinking about automating our efforts. How to make a machine that autonomously detects and analyzes malware and phishing URLs day and night, writes and publishes reports? As a result, we managed to create a robot (what we call now 'malware sandbox') from scratch to automate most of the processes in the malware laboratory with the help of His Majesty Artificial Intelligence (AI). Since that, we accumulated a bunch of use cases for cyberattacks detection, malware analysis, and security testing with ML that can be useful for cybersecurity professionals that decided to leverage ML for cyberdefense. I'm going to share this knowledge in the series of blog posts that will eventually become a part of a new university course 'ML in Cybersecurity' that I plan to make open-source. I also welcome cybersecurity experts and data scientists to contribute and help universities adopting the course.

Monday, 9 December 2019

Analysis of Ryuk Ransomware

[Authors: Viktoria Taran, Alexander Adamov]

The Ryuk ransomware seen for the first time in August 2018 has been successfully used in targeted attacks encrypting data and asking for a ransom payment which differs from 10 BC to 50 BC. The recent attack was executed against DCH hospitals in Alabama on October 1st, 2019. As a result, DCH paid the ransom to recover the data stored on their servers. In this report, we analyze one of the recent versions of Ryuk ransomware discovering the installation process, networking details, and encryption model.

Sunday, 29 September 2019

GermanWiper: One More Wiper Pretending to Be Ransomware

[Authors: Viktoria Taran, Alexander Adamov]

GermanWiper was first seen on the BleepingComputer forum on July 30, 2019. After analysis, it turned out that the malware is rather a wiper than ransomware. Interestingly, GermanWiper managed to raise $9,000 almost reaching the result of $10,500 (4.13528947 BTC) earned by another wiper called NotPetya in June 2017. Let us take a close look at the ransomware to find out the installation process, communication details, and wiping details.