
Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection
Description
Comprehensive resource providing strategic defense mechanisms for malware, handling cybercrime, and identifying loopholes using artificial intelligence (AI) and machine learning (ML)
Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection is a comprehensive look at state-of-the-art theory and practical guidelines pertaining to the subject, showcasing recent innovations, emerging trends, and concerns as well as applied challenges encountered, and solutions adopted in the fields of cybersecurity using analytics and machine learning. The text clearly explains theoretical aspects, framework, system architecture, analysis and design, implementation, validation, and tools and techniques of data science and machine learning to detect and prevent cyber threats.
Using AI and ML approaches, the book offers strategic defense mechanisms for addressing malware, cybercrime, and system vulnerabilities. It also provides tools and techniques that can be applied by professional analysts to safely analyze, debug, and disassemble any malicious software they encounter.
With contributions from qualified authors with significant experience in the field, Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection explores topics such as:
* Cybersecurity tools originating from computational statistics literature and pure mathematics, such as nonparametric probability density estimation, graph-based manifold learning, and topological data analysis
* Applications of AI to penetration testing, malware, data privacy, intrusion detection system (IDS), and social engineering
* How AI automation addresses various security challenges in daily workflows and how to perform automated analyses to proactively mitigate threats
* Offensive technologies grouped together and analyzed at a higher level from both an offensive and defensive standpoint
Providing detailed coverage of a rapidly expanding field, Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection is an essential resource for a wide variety of researchers, scientists, and professionals involved in fields that intersect with cybersecurity, artificial intelligence, and machine learning.

Persons
Shilpa Mahajan, PhD, is an Associate Professor in the School of Engineering and Technology at The NorthCap University, India.
Mehak Khurana, PhD, is an Associate Professor in the School of Engineering and Technology at The NorthCap University, India.
Vania Vieira Estrela, PhD, is a Professor with the Telecommunications Department of the Fluminense Federal University, Brazil.
Content
About the Editors xvii
List of Contributors xxi
Preface xxv
Acknowledgment xxvii
Disclaimer xxix
Note for Readers xxxi
Introduction xxxiii
Part I Artificial Intelligence (AI) in Cybersecurity Analytics: Fundamental and Challenges 1
1 Analysis of Malicious Executables and Detection Techniques 3 Geetika Munjal and Tushar Puri
1.1 Introduction 3
1.2 Malicious Code Classification System 5
1.3 Literature Review 5
1.4 Malware Behavior Analysis 8
1.5 Conventional Detection Systems 11
1.6 Classifying Executables by Payload Function 12
1.7 Result and Discussion 13
1.8 Conclusion 15
2 Detection and Analysis of Botnet Attacks Using Machine Learning Techniques 19 Supriya Raheja
2.1 Introduction 19
2.2 Literature Review 20
2.3 Botnet Architecture 21
2.4 Methodology Adopted 24
2.5 Experimental Setup 27
2.6 Results and Discussions 28
2.7 Conclusion and Future Work 30
3 Artificial Intelligence Perspective on Digital Forensics 33 Bhawna and Shilpa Mahajan
3.1 Introduction 33
3.2 Literature Survey 34
3.3 Phases of Digital Forensics 35
3.4 Demystifying Artificial Intelligence in the Digital World 36
3.5 Application of Machine Learning in Digital Forensics Investigations 39
3.6 Implementation of Artificial Intelligence in Forensics 40
3.7 Pattern Recognition Using Artificial Intelligence 40
3.8 Applications of AI in Criminal Investigations 42
3.9 Conclusion 43
4 Review on Machine Learning-based Traffic Rules Contravention Detection System 45 Jahnavi and Urvashi
4.1 Introduction 45
4.2 Technologies Involved in Smart Traffic Monitoring 47
4.3 Literature Review 50
4.4 Comparison of Results 59
4.5 Conclusion and Future Scope 59
5 Enhancing Cybersecurity Ratings Using Artificial Intelligence and DevOps Technologies 63 Vishwas Pitre, Ashish Joshi, Satya Saladi, and Suman Das
5.1 Introduction 63
5.2 Literature Review 66
5.3 Proposed Methodology 67
5.4 Results 75
5.5 Conclusion and Future Scope of Work 84
Part II Cyber Threat Detection and Analysis Using Artificial Intelligence and Big Data 87
6 Malware Analysis Techniques in Android-Based Smartphone Applications 89 Geetika Munjal, Avi Chakravarti, and Utkarsh Sharma
6.1 Introduction 89
6.2 Malware Analysis Techniques 93
6.3 Hybrid Analysis 102
6.4 Result 102
6.5 Conclusion 103
7 Cyber Threat Detection and Mitigation Using Artificial Intelligence -- A Cyber-physical Perspective 107 Dalmo Stutz, Joaquim T. de Assis, Asif A. Laghari, Abdullah A. Khan, Anand Deshpande, Dhanashree Kulkarni, Andrey Terziev, Maria A. de Jesus, and Edwiges G.H. Grata
7.1 Introduction 107
7.2 Types of Cyber Threats 109
7.3 Cyber Threat Intelligence (CTI) 116
7.4 Materials and Methods 119
7.5 Cyber-Physical Systems Relying on AI (CPS-AI) 121
7.6 Experimental Analysis 126
7.7 Conclusion 129
8 Performance Analysis of Intrusion Detection System Using ML Techniques 135 Paridhi Pasrija, Utkarsh Singh, and Mehak Khurana
8.1 Introduction 135
8.2 Literature Survey 136
8.3 ML Techniques 137
8.4 Overview of Dataset 140
8.5 Proposed Approach 142
8.6 Simulation Results 143
8.7 Conclusion and Future Work 148
9 Spectral Pattern Learning Approach-based Student Sentiment Analysis Using Dense-net Multi Perception Neural Network in E-learning Environment 151 Laishram Kirtibas Singh and R. Renuga Devi
9.1 Introduction 151
9.2 Related Work 152
9.3 Proposed Implementation 153
9.4 Result and Discussion 159
9.5 Conclusion 163
10 Big Data and Deep Learning-based Tourism Industry Sentiment Analysis Using Deep Spectral Recurrent Neural Network 165 Chingakham Nirma Devi and R. Renuga Devi
10.1 Introduction 165
10.2 Related Work 166
10.3 Materials and Method 168
10.4 Result and Discussion 173
10.5 Conclusion 176
Part III Applied Artificial Intelligence Approaches in Emerging Cybersecurity Domains 179
11 Enhancing Security in Cloud Computing Using Artificial Intelligence (AI) 181 Dalmo Stutz, Joaquim T. de Assis, Asif A. Laghari, Abdullah A. Khan, Nikolaos Andreopoulos, Andrey Terziev, Anand Deshpande, Dhanashree Kulkarni, and Edwiges G.H. Grata
11.1 Introduction 181
11.2 Background 184
11.3 Identification Function (IF) 185
11.4 Protection Function (PF) 191
11.5 Detection Function (DF) 196
11.6 Response Function (RF) 200
11.7 Recovery Function (RcF) 205
11.8 Analysis, Discussion and Research Gaps 205
11.9 Conclusion 209
12 Utilization of Deep Learning Models for Safe Human-Friendly Computing in Cloud, Fog, and Mobile Edge Networks 221 Diego M.R. Tudesco, Anand Deshpande, Asif A. Laghari, Abdullah A. Khan, Ricardo T. Lopes, R. Jenice Aroma, Kumudha Raimond, Lin Teng, and Asiya Khan
12.1 Introduction 221
12.2 Human-Centered Computing (HCC) 223
12.3 Improving Cybersecurity Through Deep Learning (DL) Models: AI-HCC Systems 229
12.5 Discussion 238
12.6 Conclusion 239
13 Artificial Intelligence for Threat Anomaly Detection Using Graph Databases -- A Semantic Outlook 249 Edwiges G.H. Grata, Anand Deshpande, Ricardo T. Lopes, Asif A. Laghari, Abdullah A. Khan, R. Jenice Aroma, Kumudha Raimond, Shoulin Yin, and Awais Khan Jumani
13.1 Introduction 249
13.2 KGs in Cybersecurity 252
13.3 CSKG Construction Methodologies 254
13.3.1 CSKG Building Flow 255
13.3.2 CS Ontology 255
13.3.3 CS Entities Extraction 256
13.3.4 Relations Extraction of CS Entities 257
13.4 Datasets 258
13.5 Application Scenarios 259
13.5.1 CSA and Security Assessment 259
13.5.2 CTs' Discovery 260
13.5.3 Attack Probing 261
13.5.4 Clever Security Operation 264
13.5.5 Smart Decision-Making 265
13.5.6 Vulnerability Prediction and Supervision 266
13.5.7 Malware Acknowledgment and Analysis 267
13.5.8 Physical System Connection 267
13.5.9 Supplementary Reasoning Tasks 268
13.6 Discussion and Future Trends on CSKG 269
13.7 Conclusion 271
14 Security in Blockchain-Based Smart Cyber-Physical Applications Relying on Wireless Sensor and Actuators Networks 279 Maria A. de Jesus, Asif A. Laghari, Abdullah A. Khan, Awais Khan Jumani, Mohammad Shabaz, Anand Deshpande, R. Jenice Aroma, Kumudha Raimond, and Asiya Khan
14.1 Introduction 279
14.2 Methodology 282
14.3 GIBCS: An Overview 292
14.4 Blockchain Layer 294
14.5 Trust Management 296
14.6 Blockchain for Secure Monitoring Back-End 298
14.7 Blockchain-Enabled Cybersecurity: Discussion and Future Directions 300
14.8 Conclusions 301
15 Leveraging Deep Learning Techniques for Securing the Internet of Things in the Age of Big Data 311 Keshav Kaushik
15.1 Introduction to the IoT Security 311
15.2 Role of Deep Learning in IoT Security 316
15.3 Deep Learning Architecture for IoT Security 319
15.4 Future Scope of Deep Learning in IoT Security 322
15.5 Conclusion 323
References 323
Index 327
1
Analysis of Malicious Executables and Detection Techniques
Geetika Munjal and Tushar Puri
Amity School of Engineering and Technology, Amity University, Noida, Uttar Pradesh, India
1.1 Introduction
An instruction set created to harm a system is known as malware, which is short for malicious software [1]. The production of malware is increasing, making it more challenging for security firms to identify it. Traditionally, security firms and antivirus vendors employed antivirus software to distinguish between dangerous and clean data. Most of these tools compare the malicious programs to a database of well-known malware signatures using a signature-based method to identify them [2, 3]. The signature of an executable file serves as its distinctive identifier, and signatures can be generated using static, dynamic, and hybrid methodologies. However, this technique's drawback is that it is ineffective at detecting new malware samples. Due to the continuous increase in the quantity of new malware samples, these signatures must be continually updated [3].
Static analysis, which extracts features from a program's binary code by examining it without running it and builds models that describe those features, was developed to counter these tactics. Such models are used to distinguish between malicious and benign files. However, static analysis is easily evaded, since malware authors use numerous code obfuscation techniques, such as metamorphic and polymorphic approaches. Despite providing valuable insight into the behavior of programs, functions, and parameters, static analysis can still be unreliable [1].
Dynamic analysis, on the other hand, executes the software inside a secure, isolated environment and observes its behavior. This method exposes the code obfuscation strategies used by malware authors and works well with compressed (packed) files. However, dynamic analysis must be carried out within an isolated environment to prevent damage to the host system, and it can be time-consuming. Additionally, malware may behave differently in a virtual (secure) environment than on a real machine, leading to an incorrect log of its behavior [4].
Combining static and dynamic analysis techniques can result in a more effective and reliable malware detection strategy. The main categories of executable malicious code (MC) are (i) injected MC, such as worms that use buffer overflow exploits to inject their code into running software processes, (ii) dynamically generated MC, and (iii) obfuscated MC, which includes viruses, Trojan horses, and worms that cloak their code through data manipulation and obscure computations to avoid detection and analysis. Polymorphic viruses and Trojans are examples of obfuscated malware [1]. Static feature-based analysis seems to be effective and efficient, as it enables network detection when the algorithm is loaded into memory [5, 6]. However, when the malicious file or code is compressed or encrypted, it becomes more challenging to detect, because the CPU instructions must first be unpacked or decrypted before they can be executed; this is the case dynamic feature analysis addresses. Dynamic analysis for detecting network malware may not be practical, however, given the speed of network traffic [1].
Malicious executables are classified into three types based on how malware is transmitted: viruses, Trojan horses, and worms [7]. Viruses infect already-running programs, causing them to become "infected" and to spread to other programs when they are run. Worms, on the other hand, are standalone programs that propagate throughout a network, usually by exploiting bugs in the software running on networked machines. Trojan horses disguise themselves as legitimate applications while carrying out harmful tasks. Malicious executables are not always easily categorized and can behave in a variety of ways. Virus detection tools, including McAfee Virus Scan, are extensively used, and Dell suggests Norton Antivirus for all new computers [7]. Although the names of these programs include the term "virus," some also detect worms and Trojan horses. This approach of looking for recognized patterns of MC, called signature-based detection, is effective in detecting previously known threats [8]. However, it is not always effective against new and unknown threats [9]. In response to these limitations, a new approach to virus detection called behavior-based detection has emerged. This strategy employs artificial intelligence (AI) and deep learning (DL) algorithms to discover and categorize new and unknown risks based on their behavior [10].
Behavior-based detection relies on monitoring the actions of a piece of software, looking for signs of malicious behavior [8]. If a piece of software is behaving in a way that is deemed suspicious, it can be classified as a potential threat and further analyzed. This approach is more proactive and effective against new and unknown threats than traditional signature-based detection [11]. In recent years, AI and machine learning (ML) algorithms have become more sophisticated, making it possible to automatically detect malware in real-time and without human intervention [12].
1.2 Malicious Code Classification System
A static analysis approach is proposed to automate the discovery and categorization of a file's type without executing it, using an MC classification model. The classification system takes all files, including MC, normal files, and source files, as input data. During the pre-processing step, the portable executable (PE) information extraction module and the image generation module produce the input data used in the classification stage. In the subsequent classification step, a variety of algorithms, including convolutional neural network (CNN), random forest, gradient boosting, and decision tree algorithms, decide whether the input is malicious. The final classification of the MC is obtained by integrating the results of each model. The classification outcomes are stored in a database that holds information about the data along with a single value indicating whether or not the data is harmful. As a preparation step, the system uses a learning model that has been trained with the different algorithms. The input file is processed and converted into model input by extracting its hash value and PE data and by performing image conversion.
Hash Extraction: The hash value of the input file is first computed and used as a feature to determine whether the input data is a duplicate. In the database update step, the classification outcome of newly entered data is added to the database, and duplicate entries are updated using the extracted hash value as the primary key.
Data extraction from PE: The header and sections of the PE structure contain the data Windows needs to load and run a PE file. The import address table (IAT) referenced from the PE header identifies the dynamic link libraries (DLLs) a program loads and the functions it imports from them, which allows malware-related data to be extracted from the PE structure without executing the MC. If the file contains a PE structure, the header and section portions may be used to extract 55 characteristics, including entropy and packer information. The binary file's packing information is located using Yet Another Reverse Engineering Framework (YARA) rules, whose signatures recognize and categorize MC types. The image creation module visualizes the input file for the CNN by converting the input bytes into a one-dimensional vector [13].
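As an added illustration of the hash-extraction and PE-extraction steps above (example code, not the chapter's own implementation), the following Python walks the DOS header, COFF header and section table of a PE image without executing it, hashes the file for duplicate detection, computes per-section entropy, and flags packing hints. The sample image, the packer section-name list and the 7.0-bit entropy threshold are assumptions made for this example.

```python
import hashlib
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"                 # IMAGE_FILE_HEADER, 20 bytes
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack"}  # assumed short list of packer names

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table, statically."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size        # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vs, _va, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, data, sec_off + i * 40)
        raw = data[rptr:rptr + rsize]                 # section bytes as stored on disk
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "raw_size": rsize, "entropy": shannon_entropy(raw)})
    # The SHA-256 doubles as the duplicate-detection key described in the hash-extraction step.
    return {"sha256": hashlib.sha256(data).hexdigest(), "machine": machine,
            "characteristics": chars, "sections": sections}

def packer_hints(info: dict, threshold: float = 7.0) -> list:
    """Cheap packing indicators: known packer section names and near-random section content."""
    hints = []
    for s in info["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hints.append(f"{s['name']}: known packer section name")
        if s["entropy"] > threshold:
            hints.append(f"{s['name']}: entropy {s['entropy']:.2f} suggests compressed/encrypted data")
    return hints

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE image (hypothetical sample, not a real binary)."""
    text = b"\x90" * 256                    # constant filler: entropy 0.0
    upx1 = bytes(range(256)) * 2            # every byte value twice: entropy 8.0
    opt_hdr = b"\x0b\x01" + b"\x00" * 222   # PE32 magic 0x10B, remaining fields zeroed
    raw_off = 0x40 + 4 + 20 + len(opt_hdr) + 2 * 40   # section data follows the two section headers
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, len(opt_hdr), 0x102)    # i386, 2 sections
    s1 = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), raw_off, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(SECTION_FMT, b"UPX1", len(upx1), 0x2000, len(upx1), raw_off + len(text), 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\x00\x00" + coff + opt_hdr + s1 + s2 + text + upx1
```

Running `packer_hints(parse_pe(build_sample_pe()))` reports the constructed UPX1 section twice, once for its name and once for its 8.00-bit entropy, while the constant `.text` section produces no hint.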
1.3 Literature Review
In the field of malware detection, two major techniques have been employed: static analysis and dynamic analysis. The application of ML methods has been proposed to improve the performance of malware detection. Schultz et al. [1] introduced a method of using ML to detect new malicious executables, using three distinct static features: byte sequences, readable strings, and PE information. The method was tested on 4266 different files and achieved an accuracy of 97.11% using the Bayes algorithm for classification. Usukhbayar et al. [2] presented a framework that utilized three static features: data from the PE header, application programming interface (API) function calls made through DLLs, and the DLLs themselves. They chose the subset of characteristics using data mining techniques such as information gain and tested three different classification methodologies: SVMs, Naive Bayes (NB), and J48, where the maximum accuracy of 98% was obtained by J48. Tzu-Yen Wang et al. [3] used data contained in the PE headers to detect malware. Their dataset consisted of 9771 different programs, including backdoors, email worms, Trojan horses, and viruses. The accuracy rates for viruses, email worms, Trojan horses, and backdoors were 97.19%, 93.96%, 84.11%, and 89.54%, respectively, demonstrating high detection rates for email worms and viruses. With the advancement of dynamic malware analysis, researchers have shifted from static feature extraction to dynamic analysis. Tian et al. used Weka classifiers on dynamic characteristics (API call sequences) extracted from executables run in a virtual environment, both to separate malware from trustworthy software and to identify the malware family. The dataset included 1824 executables, and the accuracy was 97%. Wang et al. [5] also proposed the use...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)