2025-02-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
1. Preface
Artificial intelligence (AI) is an important research direction in computer science. Its origins can be traced back to before the modern computer was formally born, but it only began to deliver broad practical value at the start of the 21st century. It can be predicted that in the next few years, with great improvements in computer hardware and rapidly increasing network bandwidth, artificial intelligence will play the most important role in several sub-fields of computer science and will also be widely adopted by other disciplines; in the author's view, the 21st century can be considered the era of "pan-artificial intelligence".
Compared with artificial intelligence, the information security branch of computing originated later; it is a multidisciplinary, cross-cutting field that began to rise in the 1980s and has developed continuously since the 1990s. It started from the relatively simple antivirus software (which, together with data encryption, can be regarded as the origin of the contemporary information security industry; encryption and decryption were in fact the original need of information security, but antivirus software is the most widely known), followed by firewalls and intrusion detection systems, which together with antivirus software are called the "old three" or "three carriages" of information security products. With the continued development of information security, the severity of the threat situation and customer requirements, a single security product can no longer meet real needs. The author divides the development of information security into the following stages:
The first stage: single security products. Each kind of information security product stands alone and is responsible for one piece of the problem, and its form is basically the gateway type, the host type and so on.
The second stage: integrated security products (including solutions). These provide functions that a single security product cannot, such as UTM products (unified threat management gateways) and security management centers. Such products may contain several functions and should be able to correlate relevant information and carry out general mining within a certain scope and depth, in order to accomplish tasks that a single product cannot; but their ability stays within the realm of "certainty".
The third stage: at present there does not seem to be much consensus. Generally speaking, it may refer to so-called big data security and cloud security. However, I think that neither big data nor cloud security can accurately describe and solve the various complex security problems we currently face, such as zero-day vulnerabilities, social engineering (whether by SMS, email or other channels), large numbers of malware variants, and so on. So this stage should be called the era of the "artificial intelligence security product", because in the face of such a complex security situation, such huge volumes of data and information, and such "cunning" means of cybercrime, the traditional methods (including general correlation) cannot be relied on.
Of course, artificial intelligence cannot solve all information security problems either, and some problems still need management measures. But I think the previously proposed maxim "three parts technology, seven parts management" in information security is open to question; I personally hold to "seven parts technology, three parts management", because no matter when and on any occasion, "science and technology is the primary productive force": if the technical means are not in place, then the scope and extent that management measures can address is also quite limited. It should be emphasized that correct, moderate and reasonable management measures are essential; otherwise the result is either to increase the load on security operations and maintenance staff or to draw wrong conclusions.
2. The relationship between artificial intelligence and information security products
In fact, reviewing past security products, we can argue that artificial intelligence should be introduced into the "blood" of all types of products as early as possible; in some products its effect is shallow and in others deep, in some significant and in others not very obvious. One of the better-known open source anti-spam systems, SpamAssassin, uses a naive Bayesian method to score and classify spam, including messages it has not seen before, and this open source project is still well maintained. In the author's experiments the effect seems good (it uses Python for training and recognition, which is a little slower, but more than enough for handling email in general).
The example above shows that artificial intelligence has good applications in information security; so what other problems can it solve?
In fact, artificial intelligence covers several different kinds of use, which the author thinks include:
1. Classification: for example, classifying spam, phishing e-mails and SMS as in the example above, that is, distinguishing the safe from the unsafe. Classification models and algorithms are the most important means by which artificial intelligence techniques are applied in the field of information security.
2. Clustering: not yet widely used in security products.
3. Regression analysis and prediction: widely used in some network-oriented information security products.
4. Rule mining: in the field of information security this method does not seem to be widely used, or does it?
5. Distance analysis (cluster analysis is in fact a typical form of distance analysis): well applied in some network traffic products, and security is inseparable from the network.
6. Hypothesis testing: the behavior of some objects can be classified and baselines established, and hypothesis testing can then be used for prediction.
To sum up, network security and artificial intelligence, especially "machine learning", are closely related, and classification is the most important means: only by classifying different data can we distinguish malicious behavior from normal behavior. To deal with security problems more effectively, the other methods are also commonly used, and together they form the "brain" of security products.
Of course, security products are not only equipped with artificial intelligence; it must be combined with traditional signatures (MD5 hashes and the like), general policies and reputation technologies (in practice, all kinds of blacklist and whitelist databases) to be fully effective. In addition, information collection, processing (metadata extraction from all kinds of information), identification (such as deep identification of network packets) and basic statistics are also essential, because artificial intelligence algorithms do not operate directly on raw big data. These steps are the "prelude" to big data security.
So, in information security products, which problems most need to be solved by artificial intelligence? The answer should be the detection of various unknown threats. If a security product always or only relies on signatures to find problems, its timeliness and effectiveness will carry great hidden dangers; to some extent this is actually the biggest "black hole". In addition, the trained data features need to be upgraded, which a single node may not be able to handle.
3. Information security products with a "smart brain"
Given such a deep relationship between artificial intelligence and information security products, we need to sort out which related techniques should be applied in the current information security situation (including those already in use and those that may be needed in the future):
1. Identification of dynamic domain names: at present Trojans dominate all kinds of malware (purely destructive viruses are a very small proportion, since profit is the motive). The main behavior of Trojans is remote control: manipulating, obtaining and stealing important information. Most Trojans use dynamic domain names to interact with the remote server in order to evade detection and blocking by static lists, so recognizing dynamic domain names is an important part of defending against Trojans. This can only be achieved by combining artificial intelligence with static lists.
2. Identification of phishing: at the current stage, using social engineering via text messages (ordinary SMS and MMS) and e-mails to trick users into clicking and downloading malware has become a malignant tumor of social information security. These phishing methods are not easy to defend against: the text is very enticing, many special characters are inserted between characters to confuse recognition software, malicious links are hidden in images, and so on. Ordinary victims simply cannot identify them, so in many cases there is an urgent need for intelligent software that continuously learns to identify these problems.
3. Recognition of evolving malware forms: because of covert malware camouflage techniques such as packing (even with private packers), segmented assembly, delayed execution, and anti-sandbox or anti-virtualization tricks, some behaviors can be detected by a sandbox, but there are two problems. First, the sandbox's ability is very limited and it may produce many false positives, so manual analysis is needed in many cases. Second, the sandbox's performance is very limited: running one sample normally takes several minutes, and if the same sample is run in several different kinds of sandbox the resources and time consumed are astonishing. Therefore better static identification methods (not just signatures) are needed to reduce the number of sandbox runs.
4. Identification of abnormal traffic: if an enterprise has good constraints on its own network connection behavior (which does not rule out some legitimate sites being blocked), the protection requirement here may not be too high (though it is not problem-free). But from a security point of view, illegal outbound and inbound connections are always the biggest source of enterprise security problems, and this does not even rule out the use of "ferrying" to steal sensitive enterprise information, so inspection and auditing of the ever-growing volume of network connection behavior has become the last way to "block" the disclosure of enterprise information. How to effectively describe network connections, the various characteristics of communication, the network behavior of each intranet node and the network behavior of users then becomes a very important link, and artificial intelligence and statistical methods are needed here.
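As an added example (not code from the article) of the approach item 1 describes and Section 2 motivates: a naive Bayes classifier over character bigrams (the n-gram features mentioned later in this section) scores a domain label as human-registered or algorithmically generated, and the static allow/deny lists are consulted before the model. The training lists, list entries and the zero threshold are constructed placeholders; a real deployment trains on large labelled domain feeds.

```python
import math
from collections import Counter

# Constructed training data (placeholders, not from the article): a few
# human-registered labels vs. random-looking generated ones.
LEGIT = ["google.com", "wikipedia.org", "github.com", "microsoft.com",
         "stackoverflow.com", "mozilla.org", "apple.com", "amazon.com"]
GENERATED = ["xk3qz9vlw.net", "qwpzjxvbn.com", "zxqkvjwpt.info",
             "bvjqzxkwm.org", "pqzvxkjwl.net", "kzjxqvwpn.com",
             "vxwqzjkpb.biz", "jzkqxvwpl.net"]
# Static reputation lists (constructed): checked before the model, since
# the article stresses that AI complements black/white lists.
ALLOWLIST = {"update.example-corp.internal"}
DENYLIST = {"known-bad.example"}

def ngrams(domain, n=2):
    """Character n-grams of the registrable label (TLD dropped), with
    '^' and '$' marking the start and end of the label."""
    label = "^" + domain.lower().rsplit(".", 1)[0].replace(".", "") + "$"
    return [label[i:i + n] for i in range(len(label) - n + 1)]

def train(legit, generated, n=2):
    """Multinomial naive Bayes: per-class n-gram counts plus class prior."""
    counts = {"legit": Counter(), "dga": Counter()}
    for d in legit:
        counts["legit"].update(ngrams(d, n))
    for d in generated:
        counts["dga"].update(ngrams(d, n))
    vocab = len(set(counts["legit"]) | set(counts["dga"]))
    prior = math.log(len(generated) / len(legit))
    return {"counts": counts, "vocab": vocab, "prior": prior, "n": n}

def log_odds(domain, model):
    """log P(dga|x) - log P(legit|x); positive means 'looks generated'.
    Laplace (+1) smoothing keeps an unseen n-gram from zeroing a class."""
    c, v = model["counts"], model["vocab"]
    tot = {k: sum(c[k].values()) for k in c}
    score = model["prior"]
    for g in ngrams(domain, model["n"]):
        p_dga = (c["dga"][g] + 1) / (tot["dga"] + v)
        p_leg = (c["legit"][g] + 1) / (tot["legit"] + v)
        score += math.log(p_dga / p_leg)
    return score

def classify(domain, model, threshold=0.0):
    """Static lists first, learned model second."""
    if domain in ALLOWLIST:
        return "allow (list)"
    if domain in DENYLIST:
        return "block (list)"
    return "suspect" if log_odds(domain, model) > threshold else "benign"

MODEL = train(LEGIT, GENERATED)
```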
The above are just a few of the many important problems that information security products need to solve. Specifically, and especially in today's big data and cloud computing environment, an information security product with a "smart brain" should have the following characteristics:
First, it at least has a distributed product architecture and can analyze and extract features from the different kinds of data obtained from multiple capture points.
Second, it provides the ability to model data; ideally a user-defined module supplies the modeling method or interface.
Third, and most important, a wealth of artificial intelligence methods should be provided and integrated, such as naive Bayes, Bayesian networks, Hopfield/BP neural networks, convolutional neural networks, Boltzmann neural networks, deep belief networks, n-gram methods (see reference [4]), genetic algorithms, simulated annealing, support vector machines (SVM), k-means, LDA, Apriori, etc. To this end it is also necessary to integrate all kinds of vector/matrix operations (supporting hundreds of dimensions), spatial distance calculations (such as Euclidean distance, Mahalanobis distance, etc.), statistical feature analysis, hypothesis testing, etc., in order to handle different problems. Fortunately, many open source libraries already provide these functions, such as R, Octave, libsvm and so on; generally all we have to do is extract features properly and build models properly.
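As an added example (not the article's code) tying item 4 of this section to the Mahalanobis distance and hypothesis testing listed above: per-host connection features are baselined from hosts assumed to be normal, each host's squared Mahalanobis distance from that baseline is computed, and a host is flagged when the distance exceeds the chi-square critical value, i.e. the null hypothesis "this host behaves like the baseline" is rejected at the 1% level. The host names h1 to h7 and their feature values are constructed, and the features are assumed to have already been produced by the collection and feature-extraction "prelude" stage described in Section 2.

```python
# Constructed per-host features (placeholders, not from the article):
# (outbound connections per hour, distinct destinations per hour),
# as produced by the collection/feature-extraction "prelude" stage.
FEATURES = {
    "h1": (40, 5), "h2": (50, 6), "h3": (45, 5),
    "h4": (55, 7), "h5": (60, 6), "h6": (48, 4),
    "h7": (300, 120),   # one node talking to many new destinations
}
BASELINE_HOSTS = ["h1", "h2", "h3", "h4", "h5", "h6"]  # assumed normal
CHI2_2DOF_P01 = 9.21  # chi-square critical value, 2 degrees of freedom, p = 0.01

def mean_cov(vectors):
    """Sample mean vector and (n-1)-normalised covariance matrix."""
    n, k = len(vectors), len(vectors[0])
    mu = [sum(v[i] for v in vectors) / n for i in range(k)]
    cov = [[sum((v[i] - mu[i]) * (v[j] - mu[j]) for v in vectors) / (n - 1)
            for j in range(k)] for i in range(k)]
    return mu, cov

def inverse_2x2(m):
    """Closed-form inverse; a zero determinant means the two features are
    collinear, so this baseline cannot be used as is."""
    (a, b), (c, d) = m
    det = a * d - b * c
    if det == 0:
        raise ValueError("singular covariance: features are collinear")
    return [[d / det, -b / det], [-c / det, a / det]]

def mahalanobis_sq(x, mu, inv_cov):
    """Squared Mahalanobis distance (x - mu)^T S^-1 (x - mu)."""
    k = len(mu)
    diff = [x[i] - mu[i] for i in range(k)]
    return sum(diff[i] * inv_cov[i][j] * diff[j]
               for i in range(k) for j in range(k))

def score_hosts(features, baseline_hosts, threshold=CHI2_2DOF_P01):
    """Return {host: (d^2, flagged)}. Under the null hypothesis that a host
    matches the (approximately Gaussian) baseline, d^2 ~ chi-square(2), so a
    value above the critical value rejects the hypothesis at the 1% level."""
    mu, cov = mean_cov([features[h] for h in baseline_hosts])
    inv_cov = inverse_2x2(cov)
    out = {}
    for host, x in features.items():
        d2 = mahalanobis_sq(x, mu, inv_cov)
        out[host] = (d2, d2 > threshold)
    return out
```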
In a word, an information security product without a "smart brain", relying only on static signatures to operate, will certainly have problems of one kind or another in identifying and defending against "unknown threats", and will not be able to cope with increasingly complex information security problems.
4. Prospects for the future
From the above discussion, the artificial intelligence techniques currently used in information security products (whether for defense or active discovery) are mainly general machine learning methods, and these are still concentrated in so-called "supervised" (teacher-guided) learning. As technology continues to develop and evolve, information security products should promptly incorporate new artificial intelligence techniques and make more use of "unsupervised" learning methods to deal with the deteriorating information security situation; that is, greatly raise the intelligence level of products so as to further improve the timeliness and effectiveness of handling all kinds of problems.
As the saying goes, "as virtue rises one foot, vice rises ten"; information security (whether Internet security, intranet security or other security) is always a "war without gunpowder smoke". The theory and practice on both sides (including various technologies, means and methods) are constantly developing. It can be predicted that the future information security war will be "artificial intelligence versus artificial intelligence, machine learning versus machine learning", even "robots versus robots".