Application of Machine Learning and Crowdsourcing to Detection of Cyber Threats

Mehrbod Sharifi, Eugene Fink, Jaime G. Carbonell

Individual user differences
• Security needs
  - Data confidentiality
  - Data-loss tolerance
  - Recovery costs
• Usage patterns
• Computer knowledge

Different users need different security tools.

Problems
• Inflexible engineered solutions with “too much security”
  - Too high security at high costs
  - Insufficient customization
• “Advanced user” assumption
  - Complicated customization
  - Unclear security warnings

Population statistics
• Almost everyone uses a computer
• Most users are naïve, with limited technical knowledge
• Many security problems are due to user naïveté

Long-term goal

We need an intelligent security assistant that...
• Learns the user needs
• Detects complex threats
• Prevents human mistakes
• Helps the user to apply available security tools

Initial results
• Crowdsourcing architecture
• Identification of web scams
• Detection of cross-site request forgery

Crowdsourcing architecture

Gathering, sharing, and integration of opinions and warnings about web security threats.

[Figure: architecture diagram with the components Web Browser, Browser Extension, Multiple Users, Web Service, and External Data Sources]

Identification of web scams

A web scam is fraudulent or intentionally misleading information posted on the web (e.g. work-at-home offers and miracle cures).

Identification of web scams

Machine learning approach:
• Collect data about websites, available from various public services
• Collect human opinions
• Apply machine learning (currently, logistic regression) to recognize scams based on the available data

Accuracy: 98%
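As an added illustration of the three steps on this slide, and of the opinion-integration step described on the crowdsourcing-architecture slide (example code written for this transcript, not the authors' system or data): a logistic regression trained by plain gradient descent on constructed site records. The record fields (domain age, hidden WHOIS, count of scam keywords), the crowd-score aggregation and the training examples are all assumptions made for the example.

```python
import math

# Constructed examples, not the authors' data set. Each record mixes facts a
# public service could return about a site (hypothetical field names) with the
# crowd's reports: True means a user flagged the site as a scam, False means a
# user vouched for it.
TRAINING_SITES = [
    {"domain_age_years": 0.1,  "whois_hidden": True,  "scam_keywords": 4, "reports": [True, True, True]},
    {"domain_age_years": 0.3,  "whois_hidden": True,  "scam_keywords": 3, "reports": [True, True, False]},
    {"domain_age_years": 1.0,  "whois_hidden": False, "scam_keywords": 5, "reports": [True]},
    {"domain_age_years": 0.5,  "whois_hidden": True,  "scam_keywords": 2, "reports": []},
    {"domain_age_years": 12.0, "whois_hidden": False, "scam_keywords": 0, "reports": [False, False]},
    {"domain_age_years": 8.0,  "whois_hidden": False, "scam_keywords": 1, "reports": [False]},
    {"domain_age_years": 15.0, "whois_hidden": True,  "scam_keywords": 0, "reports": []},
    {"domain_age_years": 9.0,  "whois_hidden": False, "scam_keywords": 0, "reports": [False, False, True]},
]
TRAINING_LABELS = [1, 1, 1, 1, 0, 0, 0, 0]  # 1 = scam, 0 = legitimate


def crowd_score(reports):
    """Integrate individual opinions into one number in [0, 1]: the share of
    reporting users who called the site a scam. A site nobody has reported is
    treated as neutral (0.5) rather than as trusted."""
    if not reports:
        return 0.5
    return sum(1 for flagged in reports if flagged) / len(reports)


def featurize(site):
    """Map one site record to a feature vector; index 0 is the bias term.
    Every value is scaled to roughly [0, 1] so no single feature dominates."""
    return [
        1.0,
        min(site["domain_age_years"], 10.0) / 10.0,
        1.0 if site["whois_hidden"] else 0.0,
        min(site["scam_keywords"], 5) / 5.0,
        crowd_score(site["reports"]),
    ]


def sigmoid(z):
    # Clamp to keep math.exp from overflowing on extreme logits.
    z = max(-500.0, min(500.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic_regression(features, labels, learning_rate=0.5, epochs=3000):
    """Batch gradient descent on the logistic loss; returns the weight vector."""
    weights = [0.0] * len(features[0])
    for _ in range(epochs):
        gradient = [0.0] * len(weights)
        for x, y in zip(features, labels):
            error = sigmoid(sum(w * xi for w, xi in zip(weights, x))) - y
            for j, xi in enumerate(x):
                gradient[j] += error * xi
        for j in range(len(weights)):
            weights[j] -= learning_rate * gradient[j] / len(features)
    return weights


def scam_probability(weights, site):
    """Model output for one site: estimated probability that it is a scam."""
    return sigmoid(sum(w * xi for w, xi in zip(weights, featurize(site))))


def accuracy(weights, sites, labels):
    """Fraction of sites whose 0.5-threshold decision matches the label."""
    correct = sum(1 for s, y in zip(sites, labels)
                  if (scam_probability(weights, s) >= 0.5) == (y == 1))
    return correct / len(sites)


def train_scam_model():
    """Train on the constructed records above and return the weights."""
    return train_logistic_regression([featurize(s) for s in TRAINING_SITES], TRAINING_LABELS)


if __name__ == "__main__":
    model = train_scam_model()
    print("training accuracy:", accuracy(model, TRAINING_SITES, TRAINING_LABELS))
    unseen = {"domain_age_years": 0.2, "whois_hidden": True, "scam_keywords": 5, "reports": [True, True]}
    print("scam probability for an unseen site: %.3f" % scam_probability(model, unseen))
```

The crowd score enters the model as one feature among the public-service data rather than as a veto, which is what lets the classifier still rate a freshly registered, keyword-heavy site that nobody has reported yet; the training accuracy printed here is on the constructed set and says nothing about the 98% figure on the slide.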

Detection of cross-site request forgery

A cross-site request forgery is an attack through a browser, in which a malicious website uses a trusted session to send unauthorized requests to a target site.

[Figure: diagram with nodes labelled Email, News, Ads, Malicious, and Bank]

Detection of cross-site request forgery

Machine learning approach:
• Learn patterns of legitimate requests
• Detect deviations from these patterns
• Warn the user about potentially malicious sites and requests
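An added example of the learn / detect / warn loop on this slide (written for this transcript; not the authors' browser extension or their learned model): the pattern learned is simply which initiating sites have been seen sending credentialed, state-changing requests to which target sites during normal browsing, and a deviation is such a request arriving from a site never seen in that role. The request fields, the hostnames and the baseline traffic are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Methods expected to change server-side state. GET requests with side effects
# exist in practice; this baseline keys on the methods a browser extension can
# distinguish without knowing the target application.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed baseline of requests observed while the user browsed normally,
# i.e. the "legitimate" pattern the detector learns. Hostnames are invented.
# "initiator" is the page that caused the request, "credentials" whether the
# session cookie for the target was attached.
BASELINE_REQUESTS = [
    {"initiator": "https://bank.example/accounts", "url": "https://bank.example/transfer", "method": "POST", "credentials": True},
    {"initiator": "https://bank.example/accounts", "url": "https://bank.example/balance",  "method": "GET",  "credentials": True},
    {"initiator": "https://news.example/story/1",  "url": "https://news.example/comment",  "method": "POST", "credentials": True},
    {"initiator": "https://shop.example/checkout", "url": "https://bank.example/pay",      "method": "POST", "credentials": True},
    {"initiator": "https://shop.example/checkout", "url": "https://bank.example/pay",      "method": "POST", "credentials": True},
]


def site_of(url):
    """Reduce a URL to its host, the granularity at which patterns are learned."""
    return (urlsplit(url).hostname or "").lower()


class RequestProfile:
    """Learns which initiating sites legitimately send credentialed,
    state-changing requests to which target sites, then flags deviations."""

    def __init__(self):
        self.initiators_by_target = defaultdict(set)

    def learn(self, requests):
        # Step 1: record the (initiator -> target) pairs seen in legitimate traffic.
        for r in requests:
            if r["method"] in STATE_CHANGING_METHODS and r["credentials"]:
                self.initiators_by_target[site_of(r["url"])].add(site_of(r["initiator"]))

    def check(self, request):
        """Step 2 and 3: return None when the request matches the learned
        pattern, or the warning string the extension would show the user."""
        if request["method"] not in STATE_CHANGING_METHODS or not request["credentials"]:
            return None
        target = site_of(request["url"])
        initiator = site_of(request["initiator"])
        if initiator == target:
            return None  # same-site requests are the normal case
        if initiator in self.initiators_by_target.get(target, set()):
            return None  # a cross-site pattern already seen during normal use
        return ("Possible cross-site request forgery: %s is sending a credentialed %s "
                "to %s, which has never been initiated from that site before"
                % (initiator, request["method"], target))


def build_profile():
    """Profile trained on the constructed baseline above."""
    profile = RequestProfile()
    profile.learn(BASELINE_REQUESTS)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    suspicious = {"initiator": "https://malicious.example/free-prize",
                  "url": "https://bank.example/transfer", "method": "POST", "credentials": True}
    print(profile.check(suspicious))
```

The profile is deliberately per-user: the shop-to-bank payment flow is accepted only because this user's own browsing contained it, which is the customization the earlier slides ask for, and the price is that the first legitimate use of a new cross-site flow produces a warning the user has to dismiss.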

Future research

Application of machine learning and crowdsourcing to detect...
• ... newly evolving threats, not yet addressed by the standard defenses
• ... cyber attacks by their observed “symptoms”, in addition to direct analysis of attacking code
• ... “nontraditional” threats that go beyond malware attacks, such as scams and other social engineering