Using machine learning to protect the proliferating landscape of IoT and edge devices will ultimately rely on a distributed network model that applies intelligence at different tiers, based on cost, bandwidth and availability.
Previously, computing power was centralized in the cloud or an on-premises data center. But many enterprise tasks require a decentralized model, where capabilities are brought closer to the devices and users that need these resources.
This need for low-latency, data-rich digital capabilities is moving compute to the edge of the network. Computing power distributed at the edge is fueling growth in data-driven intelligence among burgeoning numbers of Internet of Things (IoT) devices.
One downside to the rising popularity of edge computing is increasing infrastructure complexity. Protecting this extended infrastructure may ultimately depend on machine learning (ML) technologies to automate threat detection and response.
In this article, we explore the capabilities of machine learning for cybersecurity tasks. Key takeaways from this article include the following:
How machine learning algorithms can infer relationships and patterns from previously unseen activity to recognize network behaviour that indicates a pending attack.
As cyberattacks on IoT devices grow, CIOs and CISOs often assume they must purchase separate point solutions, build a dedicated IoT security team and change IT security processes to bring it all together. This raises the question: is it possible to secure IoT devices without spending on additional infrastructure or upsetting the established IT status quo?
As organizations take advantage of emerging 5G connectivity to exploit more data from more devices, they must guard against the potential of bad actors hijacking ML-embedded devices and broadband capacity.
The numbers of connected devices, systems and applications are proliferating at a rate far beyond the capacity of security teams to monitor manually. “The next frontier for cybersecurity is protecting IoT because of the influx of new connected devices,” said Dimitrios Pavlakis, an industry analyst at ABI Research. “It’s incredibly difficult to protect every one of those devices, or even to see what is out there and connected.”
Attackers could take control of IoT devices that are poorly protected and use them as “zombies” in botnets for distributed denial of service (DDoS) assaults or other schemes such as cryptocurrency mining and exploiting industrial control systems.
“Cyber-analysts are finding it increasingly difficult to effectively monitor current levels of data volume, velocity, and variety across firewalls,” Capgemini concluded in a report on artificial intelligence (AI) and cybersecurity. The report was based on a survey of 850 senior executives spanning IT information security, cybersecurity and IT operations roles. “Signature-based cybersecurity solutions are unlikely to deliver the requisite performance to detect new attack vectors,” the report also concluded.
An analysis of 5 million unmanaged IoT things over one year revealed that “shadow IoT” devices are rampant in many environments. Consumer-grade Amazon Echo smart speakers, for instance, were connected to 95% of health care IoT deployments, despite not being compliant with health care privacy standards such as the Health Insurance Portability and Accountability Act.
Further, 20% of IoT deployments violated Payment Card Industry requirements; some devices were being used for bitcoin mining, and unusual patterns of communication were discovered with countries deemed hostile to the U.S., including Iran, North Korea and Russia.
Applying ML to Cybersecurity
“The way technology is proliferating, machine learning is a necessity for infrastructure; you can’t manage IT or an organization without it,” said Dr Chase Cunningham, principal analyst for security and threat professionals at Forrester. He believes about 30% of organizations have implemented ML-based cybersecurity at the edge and that getting executive buy-in is a challenge.
ML is a subcategory within a growing universe of AI disciplines. ML uses “algorithms to understand models of phenomena from examples (i.e., statistical machine learning) or experience (i.e., reinforcement learning),” stated a National Science and Technology Council report. Deep learning is a subset of ML that uses neural networks to simulate the workings of the human brain, such as interpreting images and sound.
That learning aspect enables ML algorithms to infer relationships and patterns of previously unseen activity or data, based on similarities to what has been previously observed, improving its performance as it encounters additional experiences. “Ideally, the relationships and patterns inferred by ML will lead to a useful model of the object or phenomenon that the data describes,” wrote experts at the Software Engineering Institute of Carnegie Mellon University.
In the case of malware detection, for example, cyberdefenses have traditionally focused on signature recognition of code that has been detected in previous malware attacks or on heuristics that define a set of rules based on past malware behaviour. But sophisticated attackers try to elude signature detection and bypass heuristics by frequently altering malicious code so it would not be recognized until new rules could be created post-detection. ML can overcome that issue by inferring that a new variant is likely to act like previously detected malware.
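The idea that ML can flag a new variant because it resembles previously observed malware can be sketched in a few lines. The feature values below (entropy, suspicious API call counts, packed-section fraction) are hypothetical and purely illustrative, and the nearest-neighbour rule stands in for whatever classifier a real product would use:

```python
import math

# Hypothetical feature vectors extracted from binaries:
# (code entropy, count of suspicious API calls, fraction of packed sections).
KNOWN_MALWARE = [(7.8, 12, 0.90), (7.5, 9, 0.80), (7.9, 15, 0.95)]
KNOWN_BENIGN = [(5.1, 1, 0.00), (4.8, 0, 0.10), (5.5, 2, 0.00)]

def classify(sample):
    """Nearest-neighbour classification: a new variant that *behaves like*
    previously observed malware is flagged even though its altered code
    would evade exact signature matching."""
    d_mal = min(math.dist(sample, m) for m in KNOWN_MALWARE)
    d_ben = min(math.dist(sample, b) for b in KNOWN_BENIGN)
    return "malware" if d_mal < d_ben else "benign"

# A new variant: no known signature, but feature-similar to past malware.
print(classify((7.6, 11, 0.85)))  # flagged as malware despite novel code
```

A signature-based check on the same sample would miss it, since the bytes differ from every known sample; the similarity rule catches it because the behaviourally derived features barely change.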
ML can similarly be applied to intrusion detection, sorting through high volumes of network events to make determinations on the probabilities of real threats and screen out myriad “false alarms” that can overwhelm network security teams. Based on past observations, ML may also be able to make recommendations on actions that should be taken to protect against those real threats. ML could learn to spot anomalies in normal network behaviours, such as recognizing a series of probes that indicate an attack is likely to occur.
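Learning what "normal" looks like and flagging deviations can be reduced to a minimal sketch. The baseline counts and the three-sigma threshold below are assumptions for illustration, not a real intrusion detection system:

```python
from statistics import mean, stdev

# Hypothetical per-minute counts of inbound connection attempts observed
# during normal operation -- the learned baseline of network behaviour.
baseline = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]

mu, sigma = mean(baseline), stdev(baseline)

def is_anomalous(count, threshold=3.0):
    """Flag counts more than `threshold` standard deviations above the
    baseline mean -- e.g. a burst of probes preceding an attack."""
    return (count - mu) / sigma > threshold

print(is_anomalous(14))   # ordinary traffic, not escalated
print(is_anomalous(60))   # probe burst -> likely reconnaissance
```

Real systems model many features jointly rather than a single counter, but the principle is the same: the alerting rule is derived from observed data, not hand-written, which is what lets it screen out routine noise while surfacing genuine deviations.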
Levels of Learning
There are many types of ML algorithms, which can be classified according to various categories. Five key umbrella categories are:
Supervised: A learn-by-example method where the algorithm is provided with labelled datasets, such as files labelled as malware, from which the model can make judgments when it encounters other files that have similarities to the labelled datasets. The algorithm evaluates labelled inputs and outputs to predict outputs based on new inputs. This is the most labour-intensive category as it requires somebody to create the labels.
Unsupervised: Relying on unlabeled datasets, this approach is more focused on detecting patterns in data. Data scientists can create a baseline of how something is supposed to work, and the algorithm will detect anomalies.
Reinforcement: A trial-and-error approach by which an algorithm assesses the probability that an action will cause a transition. Each successful assessment is provided with a reward value and by maximizing those rewards the algorithm “learns” to take sequential actions optimally in an unknown or changing environment, making it adaptive to rapid and sophisticated attacks.
Semi-supervised: Combining elements of supervised and unsupervised to reduce the effort required to label datasets.
Active learning: Combining elements of reinforcement and semi-supervised learning by seeking operator guidance when the algorithm is unable to assess a probable action.
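The difference between the first two categories can be made concrete with a toy one-dimensional feature. Everything here is illustrative: the readings, the labels and the midpoint rule are assumptions chosen for brevity:

```python
from statistics import mean

# Toy feature: megabytes uploaded per hour by a device.
# Supervised: labelled examples let a decision threshold be *learned*.
labelled = [(5, "normal"), (7, "normal"), (6, "normal"),
            (90, "exfiltration"), (110, "exfiltration")]

def learn_threshold(examples):
    """Midpoint between the two class means -- a minimal supervised learner."""
    normal = [x for x, y in examples if y == "normal"]
    bad = [x for x, y in examples if y != "normal"]
    return (mean(normal) + mean(bad)) / 2

# Unsupervised: no labels at all; anything far outside the bulk of the
# observed data is treated as an anomaly.
def unsupervised_flag(history, reading, factor=5.0):
    return reading > factor * mean(history)

t = learn_threshold(labelled)
print(80 > t)                           # supervised verdict on a new reading
print(unsupervised_flag([5, 7, 6, 8], 80))  # unsupervised verdict, no labels
```

The supervised learner needs someone to have labelled the exfiltration examples, which is exactly the labour cost noted above; the unsupervised rule needs only a baseline of unlabelled history, at the price of cruder judgments.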
Embedding ML Where It’s Needed
Like any data analytics, AI technologies thrive on data. Generally, the greater the volume of relevant data, the better the results. If you have access to scalable cloud resources, which many AI implementations rely on, you’re limited only by budget. But when you get out to the edge, and in IoT deployments that could extend to hundreds of thousands, even millions of sensors and other devices, data can quickly become a choke point.
By definition, IoT engages connected devices, so ultimately they will connect to a network, although in some cases that connection may be intermittent. So utilizing ML across the broad universe of IoT and edge devices will rely on a distributed network model that applies different levels of intelligence at different tiers, based on cost, bandwidth and availability.
“Given the fact that IoT solutions are distributed systems, a key design question is ‘Where should my organization deploy the machine learning inference server in the distributed IoT system?’” wrote Gartner Research’s Paul DeBeasi. There are, he asserted, four key options on which to create a system design that integrates ML with IoT: IoT endpoints, edge gateways, cloud platforms and enterprise data centres.
Depending on the hardware deployed, ML models can run on inference servers at each of those tiers. But the models first need to be created or trained, and that isn’t economically feasible, at least today, on a low-cost IoT device.
Those models, or algorithms, will more likely be generated in the cloud and traditional enterprise data centres or smaller data centres located at the edge. That’s because they rely on large—sometimes massive—datasets being updated constantly or at intervals with fresh data generated at the level of the endpoint or edge gateway. Those updated models may, depending on the application and type of device, be subsequently downloaded to the device level to improve performance or implement new capabilities.
At the device level, trained ML inference models can monitor data and events without having to constantly stream data up to a cloud or enterprise data center. “The role of machine learning is to build behavioural models, so as an organization you know that when a security camera is connected to the network these are the things that it does and these are the protocols that it uses,” said network industry veteran Gnanaprakasam Pandian. “You don’t need all the data of all the images.” Instead, he added, by applying intelligence at the data collection point, a device can determine the subset of data that needs to be up-streamed for additional analysis.
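The train-centrally, infer-at-the-edge split described above can be sketched as follows. The function names, the JSON model format and the baseline-plus-tolerance "model" are all hypothetical stand-ins, not any vendor's actual API:

```python
import json

def train_in_cloud(history):
    """'Training' on the full dataset held in the cloud or data centre:
    here just a baseline mean and a tolerance learned from history."""
    mu = sum(history) / len(history)
    return {"baseline": mu, "tolerance": 3 * mu}

def export_model(model):
    # The compact artefact downloaded to the device tier.
    return json.dumps(model)

def edge_infer(model_blob, reading):
    """Cheap inference on the device itself: no raw data is streamed to
    the cloud; only readings that breach the model are escalated."""
    model = json.loads(model_blob)
    return reading > model["baseline"] + model["tolerance"]

blob = export_model(train_in_cloud([10, 12, 11, 9, 13]))
print(edge_infer(blob, 11))   # normal -> handled on-device
print(edge_infer(blob, 99))   # anomaly -> up-streamed for analysis
```

The expensive step (training over the full history) runs where data and compute are plentiful; the device only evaluates a tiny downloaded model, which is what keeps bandwidth and on-device cost low.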
The extent to which ML capability will be deployed at endpoints is likely to be determined by cost and perceived value. In a manufacturing environment, for example, deploying tens or hundreds of sensors to monitor the dimensions of widgets on a production line is likely to involve lower-cost ML capabilities than sensors used in quality assurance and predictive maintenance applications for high-end equipment used to produce pharmaceuticals or semiconductors.
Other gating factors are power needs and connectivity. Some devices, such as those in agriculture and mining environments, may have intermittent connectivity and need to conserve battery power, each a factor limiting how much data can be processed on the device and how much can be uploaded for higher-level analysis.
But inevitably, driven by advances in silicon specific to ML and other AI applications, hardware costs will come down, and the return on investment will increase even with low-level, low-price devices. “I think in the distant future just about anything will have some algorithmic compute power to it,” said Forrester’s Cunningham. “The end state of this is almost infinite. The more we have, the more we need – it becomes a self-propagating cycle.”
Managing ML to Scale
ML, as a workable concept, dates back to the early 1950s when IBM researcher Arthur Samuel created a self-learning program to “teach” a computer to play checkers. At the turn of the millennium, multiple efforts were underway to put ML to practical use, but they generally required massive computing resources. Now it’s time to put ML to work at scale, and it’s clear there’s a learning curve to overcome.
A 2020 survey by the SANS Institute examined various aspects of cyber threat intelligence and found machine learning to be a sore spot, with only 36% of respondents expressing satisfaction “and 58% outright dissatisfaction in the effectiveness or value of it.”
“That may reflect over-expectations or misunderstanding of ML,” said Fotis Konstantinidis, managing director and head of AI & Digital Transformation at global advisory firm Stout. “It is essential first to analyze the data to reveal trends and patterns before ML is applied blindly. Quite often, ML methods are deployed without carefully choosing the optimal algorithm based on data analytics and objectives of the cybersecurity project. You have to understand in practical terms the level of importance of various data fields to detect cyber threats accurately.”
As ML technology advances and data scientists refine and expand their skills, the ability to further automate cybersecurity defences will improve by leaps and bounds. Only by leveraging these capabilities can organizations have any hope of better protecting their edge network and IoT devices from the relentless assaults of bad actors.
Source: Palo Alto Networks