
Cyber attacks and IoT: the next paradigm, and why you should care

...and why AI may be the saviour

Edoardo Barp
5 min read · Jul 15, 2022

Introduction

Cyber security has been at the heart of the news in recent years, with increasingly dangerous consequences: from hospitals paralysed by ransomware, to a Microsoft encryption package being used to make any software appear “recognised”, and finally the Meltdown and Spectre cataclysms.

There are countless types of cyber security vulnerabilities, but in this article we will focus on remote code injection, a destructive attack when carried out successfully. In the simplest case, an attack is divided into three steps:

  • Vulnerability detection
  • Exploit
  • Payload

Vulnerabilities are the Achilles’ heel of a system. They appear in many forms, from trivial bad security practices to bugs in software. They are far more common than you’d think: there are databases, updated daily, of the newly discovered ones.

Once a vulnerability has been found, we need an arrow to take advantage of it: the exploit. The exploit is the piece of software that triggers the vulnerability. A typical example is badly managed memory: the exploit overwhelms the program with more data than it expects until it triggers an error, which can then be used to inject code.

The payload is the last piece of the puzzle. It’s the poison on the tip of the arrow, the dynamite in the rocket, the core of an atomic bomb: the part of the code that does the actual damage. Depending on the context, this could be siphoning data to spy on competitors, installing a larger piece of malware to take control of the computer, or modifying the system so that it shuts down completely.

In reality, attacks are usually more complex than that and are made up of multiple steps. An example would be infiltrating the network, moving to a target of interest, escalating privileges, and finally executing the core malicious code.

Possibly the most impressive publicly known attack was Stuxnet. It is believed to have been built by an Israeli government-led team, possibly with help from the US. The malware had an array of features that made it extremely precise and deadly: hiding routines, a self-destruct mechanism, and a low infection rate per network. Furthermore, it would not do anything harmful until it was sure it had reached the right target: the centrifuge regulation system of an Iranian nuclear plant.

What about ARM?

ARM is one of the main processor architectures on the market. It is based on simpler instructions than Intel/AMD and, until recent years, was mainly used in smaller electronic devices. For instance, 98% of mobile phones in 2005 ran on an ARM chip.

Nowadays the architecture has become more and more common: all MacBooks starting with the 2020 edition run on it, and other large firms are also considering the switch. Furthermore, ARM is by far the biggest player in a market that is flooding our daily lives: IoT devices. These include sensors, smart watches, even pacemakers. The mix becomes particularly dangerous when one realises that these devices are often interconnected and can be extremely sensitive.

Furthermore, IoT devices have particular characteristics. They tend to be low performance, so common anti-malware software, which is computationally hungry, is not suited to them. They may also not be patched often, so known vulnerabilities may remain present for a long time after they have become public knowledge.

Finally, because of their generally lower security, these devices may be used as a gateway into a network. For instance, the weak point in the network might be a printer that has not been updated in a while; once the printer is infected, it might start e-mailing infected PDF scans (a common feature these days), with the exploit targeting a PDF viewer such as Adobe’s.

RISC Architecture

A common way to detect malware is by using a signature. A malware signature is a pattern in the machine code that is fundamental to its working.

Intel/AMD use CISC, in which the base instructions are complex. Basically, this means the building blocks used to produce the code are quite large. Patterns are therefore easier to find, since there are fewer pieces to choose from to achieve the same operation (although these operations may themselves be quite complex).

ARM, on the other hand, is based on RISC, in which the instruction set is a lot simpler and so, therefore, are the building blocks. The same operation can be written in a multitude of ways, so there may be no single pattern that fundamentally matches a given piece of ARM malware.

Detection at the network level

Because of the previously mentioned lack of anti-malware software for IoT devices, and because they are often used to penetrate a network, it becomes essential to detect malicious code at the network level.

However, this has two main drawbacks. First, as previously mentioned, ARM code has much higher variance. This makes writing signatures a lot harder and can easily lead to sub-optimal results, both in false positives and in missed malware. Secondly, since detection happens at the network level, you cannot simply emulate any suspicious code (which is roughly what anti-virus software does on computers), since that would create a massive bottleneck on the traffic (and probably end up crashing the server).

This is where AI-powered detection comes to the rescue. Machine learning algorithms excel at finding patterns in data, and they can learn features in sequences that are massively more complex than what humans can spot. Furthermore, many of these algorithms are slow to train but very fast at execution, and some, such as LSTMs, are suited to sequential data.

Conclusion

All in all, with the increase in connected devices, the ease of attack for hackers, and the critical damage that a single exploited vulnerability can produce, it is necessary to develop novel techniques and take full advantage of machine learning to protect these devices and prevent future attacks.

Signatures, one of the pillars of anti-virus software, are not ready for this challenge because of automatically generated threats, which can rewrite the same code in different ways to remove these basic patterns.
