The COVID-19 pandemic is an earth-shattering, black swan event. Personal lives, societies and businesses are getting severely impacted. As governments, companies, institutions, and other organizations around the world shift their focus and resource allocation from their regular objectives to controlling this pandemic and its impact, it also increases the risk of serious cyber-attacks from rogue actors to take advantage of the current global turbulence, and drive their individual agendas forward.

Hackers, cyber-terrorists, and other cyber-criminals tend to be hyperactive during times of uncertainty, volatility and disruption. The situation today is no different. On March 13, the Brno University Hospital, one of the Czech Republic’s largest COVID-19 testing laboratories, suffered a major cyber-attack. The US Health & Human Services Department was also hit on March 15. In another recent incident, a malicious Android application has been found posing as a COVID-19 Live Tracker from John Hopkins University. Certain companies, particularly from the financial, healthcare, telecom, software and technology infrastructure sectors, are reportedly witnessing a significant spike in cyber-attacks.

While most scamming, spamming, and other low-end hacking efforts can be adequately addressed as part of routine cyber-security exercises, it is the Zero-Day cyber attacks that pose a real threat. In this paper, I discuss how Artificial Intelligence offers a viable option to address these highly advanced cyber attacks.

What is a Zero-Day Cyber Attack?

Zero-day vulnerabilities are major loopholes within a system that are not yet discovered by the system owner (the term ‘Zero-day’ refers to the number of days that the system owner has known about the new vulnerability.) However, these loopholes may be known to the attacker/attacker’s ecosystem, which they attempt to exploit. As a result of this information asymmetry, the system owner (defender) has literally zero-days to develop a patch and take other remedial actions before the attack happens.

Technically, this is known as a Zero-day Event, and it generally consists of three phases:

1. Vulnerability Phase, when the security gap exists in the system but remains unknown to the system owner.
2. Exploit Phase, when the vulnerability is exploited, and the system is breached by the attacking entity.
3. Attack Phase, when the system is maliciously impacted as a result of the exploit.

The Stuxnet Malware, part of the United States’ ‘Operation Olympic Games’ against Iran’s Nuclear Program, is perhaps the most well-known Zero-Day attack in cyber history. It was extremely sophisticated with the malware reportedly exploiting 5 Zero-day vulnerabilities, something that was unheard of in the early 2010s when this attack was reported. Other notable examples include the attacks on the Zero-day vulnerabilities of Adobe Flash Player and Microsoft Windows in 2016. Many Zero-day attacks happen every year though only a few get highlighted in mainstream and social media, and official communications.

The Zero-day Vulnerability Stockpile, and Security Measures

State actors (e.g., governments, semi-government institutions, etc.) and non-state actors (cybersecurity companies, cyber-terrorists, major hacking groups, etc.) may maintain their own stockpiles of Zero-day vulnerabilities. Information on these stockpiles is never made public. Moreover, the Dark Net often serves as the marketplace for the buy/sell/exchange of Zero-day vulnerability data.

At times, these state and non-state actors may be called upon to share critical data about their stockpiles to strengthen their respective ecosystems (e.g., to increase the security of their home nations, or to prevent major cyber-attacks against their financial institutions). This is often a Catch-22 situation – if the actors share critical Zero-day vulnerability data with their ecosystems, there is the risk of information leakage to the broader cyber community, thereby rendering any existing advantage useless. So, these actors need to make a strategic decision if they are willing to reduce their offensive capabilities in order to enhance their (or their ecosystems’) defensive capabilities. This is the Offense-Defense Trade-off.

Most organizations deploy Intrusion Detection and Prevention Systems (IDPS or IDS) as the primary cyber defensive force. These systems generally include Network IDS, Host or VM-based IDS, and Perimeter IDS. They typically operate under two distinct approaches:

(a) Knowledge-based approach, e.g., signature detection

(b) Behavior-based approach, e.g., anomaly detection

Moreover, some organizations also maintain Red and Blue Teams as part of their cyber-security strategy. The Red Team focuses on offensive attacks against external targets, and sometimes even against internal targets (to improve their security capabilities.) The Blue Team focuses on securing the internal systems from external attacks, and from attacks by the Red Team. Some organizations also set up ‘Bug Bounty’ programs to incentivize (or reward) cyber groups and individuals to discover hidden vulnerabilities in their systems.

The Role of Artificial Intelligence in Countering Zero-Day Attacks

The first challenge in defending against Zero-day attacks is the problem of detecting Zero-day vulnerabilities. Discovering (or predicting) serious system vulnerabilities, understanding their severity and impact, and predicting where the attack vectors might originate are critical use cases.

Penetration Testing is the most prominent security strategy that organizations adopt to prepare for cyber attacks. This is primarily an end-to-end simulation of a cyber attack, and involves multiple stages (e.g., Threat Modeling, Vulnerability Analysis, Exploitation, etc.) However, the standard tools and techniques for implementing Penetration Testing may not always be suitable for addressing Zero-day cases. For instance, vulnerability scanning (analysis) processes generally rely on known malware signatures (and their simple or first-order variants) to detect new vulnerabilities. Zero-day vulnerabilities are not previously known, and hence, they are likely to go undetected through such standard measures.

For many years, the general norm was to use rules-based methods, statistical correlation patterns, and regression techniques for threat detection and vulnerability forecasting. Many cyber-security programs also applied classification (e.g. Support Vector Machines) and basic anomaly detection methods. Again, these often ended-up as sub-optimal while dealing with complex attacks. Moreover, the traditional methods of static and dynamic malware analysis (e.g., hash comparison, YARA signatures, PE header examination, memory analysis, evasion techniques like obfuscation & binding, etc.) are largely rules-based (combined with basic classification and regression), and offer very little support in countering Zero-day attacks.

In recent times, Bayesian & Markov models, and different variants of Convolutional & Recurrent Neural Networks are increasingly used in dynamic malware analysis, malware drift tracking, and vulnerability prediction. Natural Language Processing is also increasingly used to determine the malicious nature of files through their content (code-base.) Efforts are also in progress to leverage Generative Adversarial Networks for predicting polymorphic shellcodes and other forms of complex vulnerabilities, particularly those that are likely to feature in high-end Zero-day attacks.

Behavior-based detection is another popular strategy. The objective here is to determine if a particular piece of code exhibits the known malware characteristics based on how it interacts with the system. Machine Learning plays an essential role in this by:

(a) establishing the ground-truth (or pattern) of complex malware characteristics based on the historical malware interaction data, and

(b) enabling the deployment of models that can study the real-time interactions within a system, compare them with the ground-truth, and highlight potential malicious behavior.

Modern Deep Learning architectures (e.g., Long-Short Term Memory Units, and Variational Autoencoders) prove very useful in understanding complex Zero-day behavioral patterns. This is because unlike the rules-based or traditional statistical techniques, Deep Learning networks have the ability to unearth deep latent/hidden patterns with greater accuracy, and become more context-aware, especially as time progresses. Both these aspects are critical to determining Zero-day Event behavior.

The second challenge in defending against Zero-day attacks is the dual problem of determining effective remediation measures and taking dynamic action when the attack actually takes place. Reinforcement Learning is best suited to address this complex problem, and in a much more optimal manner than other known techniques and technologies. This is where the real power of Artificial Intelligence can be harnessed.

For instance, one of the most common exploits during Zero-day attacks is the generation of buffer overflows that forces systems to crash. Deep Q Networks can be deployed to carry out dynamic, real-time remedial action whenever any piece of code continuously adds data to the buffer memory beyond acceptable limits. Similarly, structured exception handler (SEH) over-writes or manipulation, another common exploit during Zero-day attacks, can be dynamically addressed through Deep Q or Deep Deterministic Policy Gradient Networks.

Closing Comments

History repeats itself. In the 6th century, a singular act of two monks smuggling silkworm eggs from China to the Byzantine Empire broke the Chinese monopoly in silk production. A French priest illicitly transferred the Chinese technical knowhow of porcelain-manufacturing to Europe in the early eighteenth century. The emergence of the United States in the late eighteenth and nineteenth centuries as the foremost global industrial leader was largely the result of trade secret smuggling, misappropriation of innovations from Europe, and piracy of intellectual property. (This is well documented by authors like Ben-Atar.) Today, China is charged with doing the same thing to the United States and other Western countries. (Note: this is an observation at arm’s-length, and not a comment on the morality of the case.) What is different now, of course, is the application of highly sophisticated cyber technology, both by state and non-state players, to achieve their intended results.

Crisis and turbulent situations often witness a sharp escalation in wrongful, criminal and rogue acts. Physical violence, cyber-attacks (e.g., DoS/DDoS, malware, MitM, Phishing, SQL & other injections, etc.), Social Engineering and related efforts increase manifold to prey on individuals that are at heightened states of emotional turmoil. Both organizations and individuals need to understand this fact, and take concrete steps to de-risk themselves during this critical time of the COVID-19 pandemic. It is noteworthy that some cyber-crime groups have issued statements of not targeting hospitals/healthcare institutions until the crisis is over. The hope is that they will follow through on their commitments, and perhaps even assist in defending global institutions from serious cyber-attacks by rogue actors.