What is Defensive AI and how to use it to increase embedded cybersecurity?

In the previous post of this series about Artificial Intelligence in cybersecurity, we explained how attackers can leverage on powerful AI techniques to build new and fast attacks at a very large scale. Use cases for offensive AI are numerous, from social engineering attacks to side channel analysis, including reverse engineering applications. We also showed that AI can automate large and efficient campaigns of attacks, enabling a wider coverage for attackers, and allowing them to overflow the existing detection and prevention tools. This new scale of attacks also makes it difficult for security defense teams to respond efficiently.

What is Defensive AI and why do we need it?

On the other hand, AI can also be used to build powerful protection systems. In fact, AI for cyber defense has been researched and put into practice for decades. However, the high computing resources requirements for such technologies have kept it excluded from the embedded world for a long time, but today the progress in AI acceleration is opening new doors. Also, the lack of interpretability of those “black box” AI models has also been a drag to critical applications, but recent efforts in Explainable Artificial Intelligence (XAI) [1] at academic and industry level are improving the trust in AI-based security technologies.

When talking about AI for security, two types of applications are common: threat detection and threat prevention. Indeed, AI techniques allow to create attack detection models based on datasets of existing data on one hand, and on the other hand to explore and analyse complex data to identify weaknesses and vulnerabilities. Indeed, AI methods have been shown [2] to speed up reverse engineering which is a time-consuming process that can take weeks or months. In this article, we focus mainly on threat detection applications.

Threat detection and Intrusion Detection Systems

AI is useful to create threat detection models mainly in the following applications: spam filtering, phishing detection, virus and malware detection, intrusion detection and anomaly detection [3].

AI techniques have been widely employed for email filtering, particularly for spam detection and for fraudulent email detection. For example, Google anti-spam system has been known to use AI for email classification for a very long time. A benefit of those systems is that they are adaptative, they can learn new classification patterns with the help of user feedback (for instance, when the user manually reports a spam email, the AI algorithm adapts so it will detect similar occurrences in the future). Antimalware systems are also known to include AI components, and it was shown that it is possible to detect ransomware with deep learning-based algorithms [4].

One of the most important fields of application of AI in cybersecurity are Intrusion Detection Systems (IDS). An AI-based IDS usually works by detecting unusual patterns on network traffic analysis: in TCP/IP packets, for example. It is very useful to detect Denial-of-Service (DOS) attacks, port scanning, and other network-based attacks [5]. More recently, AI-based IDS have also been used to monitor in-vehicle communication protocols such as CAN bus [6] and are efficient to detect attacks on connected vehicles like sensor injection or CAN bus flooding attacks. Defensive AI have also been used to detect new microarchitectural attacks like Spectre and Meltdown, by monitoring hardware performance counters [7].

Overall, Artificial Intelligence can protect various entry points of connected devices attack surface and can also aggregate heterogeneous data from various input sources. Therefore, Defensive AI can be used to implement a centralized multi-layered security approach.

The use of AI to detect zero-day attacks

When talking about threat detection, one of the huge benefits of AI is the ability to create a model of the “normal” behaviour of a system or a device using data acquired in controlled environment. This nominal model enables the detection of “abnormal’ situations, and therefore allows to identify unknown attacks, unlike traditional signature-based IDS or antiviruses. It becomes possible to detect Zero Day attacks without requiring any knowledge about what such an attack looks like. Such methods are also suitable for more general anomaly detection and can also be used to detect failures.

How Secure-IC addresses Defensive AI?

Secure-IC’s Securyzr^TM integrated Security Service Platform (iSSP) is an end-to-end solution to manage embedded devices security during all their lifecycle. The solution includes a Root-of-Trust element that protects the overall system from a hardware level. Additionally, it features a secure software agent deployed on the device, enabling trusted remote access to security functions. Securyzr^TM iSSP also encompasses a secure cloud server, hosting zero-touch services for key provisioning, firmware updates, security monitoring, device identity management, and leveraging Defensive AI for enhanced cyber intelligence.

The security monitoring service allows to collect data such as real-time OS activity, temperature, CPU usage, sensors, and device communication (TCP/IP or external buses like CAN). Defensive AI is then used to aggregate these data and correlate the information to identify devices exhibiting unusual behaviour. For instance, an intrusion detection system (IDS) is included in the embedded secure software agent to detect security anomalies & intrusions. Based on the collected data, Defensive AI can provide cyber intelligence & generate relevant alerts. This kind of system is particularly relevant in specific cases such as automotive where large fleets of embedded devices must be managed, and data processing should be optimized between the edge and the cloud.

AI-based techniques and processes are also integrated in Secure-IC’s Laboryzr^TM tools, specifically within the analysis libraries, to enhance accuracy and processing time optimization.

In general, Secure-IC benefits from the expertise of artificial intelligence professionals who strategically combine AI techniques to optimize product performance whenever advantageous.

For more information on this topic, we invite you to read the complete publication of the Security Science Factory (SSF)

Do you have questions on this topic and on our protection solutions? We are here to help.
Contact us

References

[1] Aha, D., et al. “Ijcai-17 workshop on explainable ai (xai).” IJCAI-17 Workshop on Explainable AI (XAI). 2017.

[2] Anderson, Blake, et al. “Automating reverse engineering with machine learning techniques.” Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop. 2014.

[3] Artificial Intelligence and Cybersecurity, June 2023, ENISA Research and Innovation Brief Research

https://www.enisa.europa.eu/publications/artificial-intelligence-and-cybersecurity-research

[4] Aslan, Ömer Aslan, and Refik Samet. “A comprehensive review on malware detection approaches.” IEEE Access 8 (2020): 6249-6271.

[5] Shrivastwa, Ritu-Ranjan, et al. “An Embedded AI-Based Smart Intrusion Detection System for Edge-to-Cloud Systems.” International Conference on Cryptography, Codes and Cyber Security. Cham: Springer Nature Switzerland, 2022.

[6] Lokman, Siti-Farhana, Abu Talib Othman, and Muhammad-Husaini Abu-Bakar. “Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review.” EURASIP Journal on Wireless Communications and Networking 2019 (2019): 1-17.

[7] Choudhari, Amit, Sylvain Guilley, and Khaled Karray. “SpecDefender: Transient Execution Attack Defender using Performance Counters.” Proceedings of the 2022 Workshop on Attacks and Solutions in Hardware Security. 2022.