Since societies first formed there have always been individuals who decided to go against the commonly accepted rules of society. In the modern age we face robbery, theft of property and destruction of property in other forms, and these problems are now reaching the digital world. Malicious hackers, sometimes rumored to be funded by government agencies and sometimes working on their own, have begun to develop software that unifies Artificial Intelligence (AI) with malicious hacking techniques.
This paper explores some of the most common and uncommon AI hacking techniques. The first topic discussed will be referred to as AI hacking attacks. After that, it will discuss techniques that use AI to fight hacking attacks. The penultimate topic is “bleeding edge” technology that involves AI and presents new possible concerns for hacking attacks. Finally, a brief summary of what was discussed will conclude the essay.
Known AI Hacking Techniques:
Malware is a growing problem for anyone who accesses the World Wide Web (WWW). It has been estimated that “web based attacks increased 36% with over 4,500 new attacks each day in 2012 .” Increases of this size are almost inconceivable, and the same report states, “In 2011, Symantec Internet Security reported that ∼ 403 million new variants of malware were created, a 41% increase from 2010 .” Calling malware the new black plague would hardly be an overstatement. The most notable attacks are carried out by highly skilled hackers. “State sponsored highly skilled hackers are developing customized malwares to disrupt industries and for military espionage .” The first generation of malware had a static program structure. With the emergence of second generation malware, researchers are finding that the structure of the program changes in a variety of ways. “Second generation malwares are often categorized as the following: encrypted, Oligomorphic, Polymorphic and Metamorphic Malwares .”
Encrypted malware works by using an encryptor and a decryptor. When the program is run, it begins by decrypting the main body of the code. Each time the malware is run, the main body is encrypted again in order to hide its signature from anti-virus software. Eventually, however, the anti-virus software is able to detect the malware because the decryptor does not change from one version of the malware to the next. According to , the anti-virus software recognizes the code pattern by looking for the code signature. Signature detection works by extracting unique bytes from the malware code until enough bytes have been collected to form a unique signature. The scanner then checks the computer's programs for these bytes and, if they are found, alerts the user. This is an effective way of detecting known malware, but the signature must match exactly for the scanner to detect it. Naturally, malicious hackers developed a way to change the decryptor so that the code is harder to detect.
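The following is an added example, not code from this paper or from any anti-virus product, that models the detection side of the paragraph above: a few captured copies of "encrypted" malware share a fixed decryptor routine, a signature is extracted from the bytes common to all copies, and the scanner then catches a copy encrypted with a key it has never seen, because the signature lives in the unchanged decryptor rather than in the body. The decryptor stub (a run of placeholder bytes, not machine code), the body text, the XOR "cipher" and the keys are all constructed stand-ins. The last step also shows why the oligomorphic move described next defeats this scanner: rewriting the decryptor (modelled here by reversing the stub) removes the signature.

```python
"""Byte-signature scanning against encrypted malware with a constant decryptor.

Added example, not the paper's or any vendor's code. Stub, body and keys are
constructed placeholders; the stub stands in for a fixed decryption routine.
"""
from typing import List, Optional

# Constructed placeholder for a decryptor routine that is identical in every
# copy (bytes 0xE0..0xEF). The body is ASCII and keys stay below 0x80, so an
# encrypted body byte can never equal a stub byte and confuse the example.
DECRYPTOR_STUB = bytes(range(0xE0, 0xF0))
BODY = b"PLACEHOLDER PAYLOAD TEXT (constructed, does nothing)"


def xor_crypt(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR; it is symmetric, so it is both encryptor and decryptor."""
    return bytes(b ^ key for b in data)


def make_sample(stub: bytes, body: bytes, key: int) -> bytes:
    """Model one copy of encrypted malware: decryptor stub, key byte, encrypted body."""
    return stub + bytes([key]) + xor_crypt(body, key)


def extract_signature(samples: List[bytes], length: int) -> Optional[bytes]:
    """Return the first `length`-byte window of samples[0] present in every sample.

    This is the "extract unique bytes until a signature is found" step from the
    paper, reduced to a common-substring search over captured copies.
    """
    first = samples[0]
    for i in range(len(first) - length + 1):
        candidate = first[i:i + length]
        if all(candidate in s for s in samples[1:]):
            return candidate
    return None


def scan(buffer: bytes, signature: bytes) -> bool:
    """Exact-match check, which is all a plain signature scanner does."""
    return signature in buffer


def demo() -> dict:
    """Run the scenario and return what was detected."""
    # Three captured copies with different keys: body bytes differ, the stub does not.
    captured = [make_sample(DECRYPTOR_STUB, BODY, k) for k in (0x11, 0x22, 0x33)]
    sig = extract_signature(captured, 8)
    # A fourth copy with an unseen key is still caught: the signature sits in the stub.
    new_copy = make_sample(DECRYPTOR_STUB, BODY, 0x44)
    # Oligomorphic step: a rewritten decryptor (modelled by reversing the stub)
    # with the same body no longer contains the signature.
    mutated = make_sample(DECRYPTOR_STUB[::-1], BODY, 0x44)
    return {
        "signature": sig,
        "signature_in_stub": sig is not None and sig in DECRYPTOR_STUB,
        "new_key_detected": sig is not None and scan(new_copy, sig),
        "mutated_stub_detected": sig is not None and scan(mutated, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point a defender takes from the run is that the body-only bytes never yield a common window (each key produces different ciphertext), so every byte of the signature comes from the decryptor; once that routine varies, the exact-match scanner needs either a new signature per decryptor variant or, as the paper notes later, emulation to reach the decrypted body.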
Oligomorphic means that something can be changed in a few ways, and oligomorphic malware does exactly that: hackers devised ways to create multiple decryptors. “At most this malware can generate a few hundred different decryptors, e.g. Win95/Memorial had the ability to build 96 different decryptor patterns .” Virus scanners nevertheless eventually detect the malicious software. Oligomorphic software led to the next evolution of malware, polymorphic malware .
Polymorphic, meaning “many forms”, is the newest known wave of malware. “In Polymorphic malwares, millions of decryptors can be generated by changing instructions in the next variant of the malware to avoid signature based detection .” The technique involves a “mutation engine that creates a new decryptor which is joined with the encrypted malware body to construct a new variant of malware .” Included in this technique is malware obfuscation. Obfuscation is simply obscuring the code through various means. Some of the techniques are “dead-code insertion, register reassignment, subroutine reordering, instruction substitution, code transposition/integration etc. .” Anti-virus programs eventually detect such malware by emulating the code until its signature can be recognized.
Metamorphic malware exhibits the ability to change the actual body of the program; all the other techniques mentioned only change the encryptor and/or decryptor. Metamorphic malware is virtually undetectable by signature because the signature itself can be mutated. Only a few viruses have been considered truly metamorphic. The first to be detected was “in 1998 called … Win95/Regswap. In 2000, Win32/Ghost virus was created with 3628800 different variants. One of the strongest metamorphic malware W32/NGVCK was created in 2001 with the help of Next Generation Virus Creation Kit (NGVCK) .” These are clearly the beginning stages of malicious hackers utilizing AI in their programs. AI is also being developed on the other side of the spectrum, namely by malware detection developers.
Using AI for detection:
Researchers in academia and industry settings have been working together to develop new methods of detecting malware. According to , current research involving machine learning claims to exceed 90% detection accuracy through classification methods with only 20 features. This method could even improve the capability to detect future malware before it is widely known. “Popular machine learning techniques among the researchers for the detection of 2nd generation malwares are Naive Bayes, Decision Tree, Data Mining, Neural Networks and Hidden Markov Models .”
Another method of detecting polymorphic malware is to compare the information sent with the information expected. For example, a server receives from a client device a hash value and metadata associated with an electronic file. The server determines that the received metadata relates to corresponding metadata stored at a database, the corresponding stored metadata being associated with a further hash value that differs from the received hash value. A determination is made that each of the hash values has been reported by fewer than a predetermined number of clients and, as a result, it is determined that the electronic file is likely to be polymorphic malware [3:1].
In that example the program is, to some degree, reasoning about what the reported information should look like and how widely it should already have been seen. When using AI for intrusion detection there are generally three principles focused on: “data, classification and modeling techniques and system infrastructure .”
These techniques provide a foundation for AI software to evaluate and find malware. Some of the techniques used are linear modeling methods, non-linear modeling methods, and probabilistic models. An example of a linear modeling method is principal component analysis. This method turns a set of data into uncorrelated latent factors, or hidden variables derived from the original data, from which a principal component analysis (PCA) is made. The PCA is used to capture as much variation in the data as possible and, according to , anomalies are treated as outliers, which raise the alert that malware may have been detected. Non-linear models are techniques such as clustering, K-nearest neighbor (KNN), neural networks, fuzzy logic, and many others. Perhaps the best-known probabilistic model is the Bayesian network. The field of AI has many techniques to contribute to malware detection. The general consensus, according to , is that anti-malware software is still trying to catch up with malware, so hopefully AI researchers will help make significant breakthroughs.
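The server-side logic in the patent summary above, written out as an added example; this is a model of the described idea, not the patented implementation or anyone's product code. What counts as "metadata" (here a file name, size and vendor string), the rarity threshold of three clients, and the hash labels and client ids are all constructed assumptions. The example also shows the case the rule has to get right: a legitimate update also produces two hashes under one set of metadata, but there at least one hash is widespread, so it is not flagged.

```python
"""Polymorphic-file detection from hash prevalence and shared metadata.

Added example modelled on the patent summary quoted in the paper; not the
patented implementation. Metadata fields, threshold, hashes and client ids
are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Assumed metadata shape: (file name, size in bytes, vendor string).
Metadata = Tuple[str, int, str]


@dataclass(frozen=True)
class FileReport:
    """What one client sends to the server about one file it has seen."""
    sha256: str        # constructed label standing in for a real digest
    metadata: Metadata
    client_id: str


class PrevalenceServer:
    """Correlates reports by metadata and counts distinct clients per hash."""

    def __init__(self, rare_threshold: int = 3) -> None:
        self.rare_threshold = rare_threshold
        self.clients_by_hash: Dict[str, Set[str]] = defaultdict(set)
        self.hashes_by_metadata: Dict[Metadata, Set[str]] = defaultdict(set)

    def is_rare(self, sha256: str) -> bool:
        """A hash is rare if fewer than `rare_threshold` clients have reported it."""
        return len(self.clients_by_hash[sha256]) < self.rare_threshold

    def report(self, r: FileReport) -> str:
        """Record one report and return a verdict for the reported file."""
        self.clients_by_hash[r.sha256].add(r.client_id)
        self.hashes_by_metadata[r.metadata].add(r.sha256)
        related = self.hashes_by_metadata[r.metadata] - {r.sha256}
        if not related:
            return "unknown"          # nothing stored yet under this metadata
        # Same metadata, different hashes. A legitimate update produces that
        # too, but then at least one of the hashes is widespread. If every
        # hash is rare, the file differs on each client: the polymorphic pattern.
        if all(self.is_rare(h) for h in related | {r.sha256}):
            return "likely-polymorphic"
        return "benign-variant"


def demo() -> Dict[str, str]:
    """Feed constructed reports through the server and collect the verdicts."""
    server = PrevalenceServer(rare_threshold=3)
    verdicts: Dict[str, str] = {}
    # Constructed: a widely deployed updater with two versions, many clients each.
    app_meta: Metadata = ("updater.exe", 48213, "ExampleCorp")
    for c in ("c1", "c2", "c3", "c4", "c5"):
        verdicts["app-v1/" + c] = server.report(FileReport("app-v1", app_meta, c))
    verdicts["app-v2/c6"] = server.report(FileReport("app-v2", app_meta, "c6"))
    # Constructed: a file whose hash is different on every client that reports it.
    poly_meta: Metadata = ("helper.exe", 73152, "")
    for n, c in enumerate(("p1", "p2", "p3")):
        verdicts[f"poly-{n}/{c}"] = server.report(FileReport(f"poly-{n}", poly_meta, c))
    return verdicts


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

Two practical caveats for anyone deploying this shape of check: the first sighting of any file under new metadata is necessarily "unknown", so the verdict only becomes useful once several clients report, and the threshold trades early detection of low-volume polymorphic families against false positives on software that is genuinely rare in the fleet.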
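The PCA outlier idea from the paragraph above, carried through as an added example in pure Python (no numerical libraries) so each step is visible: standardize the features, find the first principal component of a known-benign baseline by power iteration, and score new observations by how far they fall from that component. This is not the paper's or any cited work's code; the feature pair (bytes sent per minute and new connections per minute for one host), the baseline rows, the "mean plus three standard deviations" threshold and the test observations are constructed assumptions. The power iteration is written for any number of features, although the constructed data use two.

```python
"""PCA residual anomaly detection in pure Python (added example, not the paper's).

Features, baseline rows and the threshold rule are constructed assumptions:
each row is (bytes sent per minute, new connections per minute) for one host,
and the baseline rows are treated as known-benign.
"""
import math
from typing import List, Sequence, Tuple

Row = Sequence[float]

# Constructed benign baseline: connections grow roughly with traffic volume.
BASELINE: List[Row] = [
    (10.0, 1.1), (20.0, 1.9), (30.0, 3.2), (40.0, 3.9),
    (50.0, 5.1), (60.0, 5.8), (70.0, 7.2), (80.0, 7.9),
]


def column_stats(rows: List[Row]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and (population) standard deviation; zero std becomes 1."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0
            for j in range(d)]
    return means, stds


def covariance(centred: List[List[float]]) -> List[List[float]]:
    """Sample covariance matrix of rows that are already centred."""
    n, d = len(centred), len(centred[0])
    cov = [[0.0] * d for _ in range(d)]
    for r in centred:
        for i in range(d):
            for j in range(d):
                cov[i][j] += r[i] * r[j] / (n - 1)
    return cov


def top_eigenvector(mat: List[List[float]], iters: int = 200) -> List[float]:
    """Power iteration: the dominant eigenvector is the first principal component."""
    d = len(mat)
    v = [1.0 / math.sqrt(d)] * d
    for _ in range(iters):
        w = [sum(mat[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0.0:
            break
        v = [x / norm for x in w]
    return v


class PcaBaseline:
    """Fit on benign rows; flag rows whose distance from the first component is large."""

    def __init__(self, rows: List[Row], k_sigma: float = 3.0) -> None:
        self.means, self.stds = column_stats(rows)
        z = [self.standardize(r) for r in rows]
        self.pc = top_eigenvector(covariance(z))
        # Threshold rule (assumed): baseline mean residual plus k standard deviations.
        residuals = [self.residual(r) for r in rows]
        m = sum(residuals) / len(residuals)
        sd = math.sqrt(sum((x - m) ** 2 for x in residuals) / len(residuals))
        self.threshold = m + k_sigma * sd

    def standardize(self, row: Row) -> List[float]:
        """Z-score each feature so large-unit features do not dominate the component."""
        return [(row[j] - self.means[j]) / self.stds[j] for j in range(len(row))]

    def residual(self, row: Row) -> float:
        """Length of the part of the standardized row not explained by the component."""
        z = self.standardize(row)
        proj = sum(z[j] * self.pc[j] for j in range(len(z)))
        return math.sqrt(sum((z[j] - proj * self.pc[j]) ** 2 for j in range(len(z))))

    def is_anomaly(self, row: Row) -> bool:
        return self.residual(row) > self.threshold


if __name__ == "__main__":
    model = PcaBaseline(BASELINE)
    for obs in ((55.0, 5.5), (45.0, 30.0)):   # constructed: one normal, one outlier
        print(obs, round(model.residual(obs), 4), model.is_anomaly(obs))
```

The standardization step matters in practice: without it the byte-count feature, with values in the tens, would define the component almost on its own and a burst of connections would barely move the residual. The threshold rule is the part a defender tunes; with a baseline this small it is only illustrative, and a real deployment would set it from a much larger benign sample.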
Malware of the future and conclusion:
Future malware may come in new forms. Malware is essentially playing a game of cat and mouse . It needs to hide from the detection software long enough to figure out whether it is on the type of system it is targeting. Once malware is discovered it becomes obsolete: software updates are sent out to users everywhere and systems are updated. To extend the cat and mouse analogy, malware does not want to expose itself if it has made its way into a research lab or a honeypot that probes for new types of malware. It needs to be able to tell whether it is on a real user's system or whatever else it may be targeting. Some experts believe that future malware will come in the form of useful software: “to avoid detection, it makes sense to hide its true intentions behind genuinely useful properties … ‘In some cases, it may just be easier for the malware to do useful stuff on our computers – actually cleaning up our hard disks, say – before it later attacks, in order to seem genuine.’ .”
Other experts believe that the future of malware will rely on social engineering as the prominent attack vector. “‘The lowest hanging fruit is still humans,’ said Ken Westin, a security researcher for Tripwire. ‘As long as attacks against humans still work consistently attackers will use them on their own, or as part of sophisticated, integrated campaigns.’ .” Perhaps the most alarming attack vector involving AI and malware comes from recent advances in brain–computer interfaces (BCI). BCI technologies may also be vulnerable and expose an individual’s brain to hacking, manipulation and control by third parties. “If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software .”
[1] A. Sharma and S. K. Sahay, “Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey,” arXiv, online: http://arxiv.org/ftp/arxiv/papers/1406/1406.7061.pdf
[2] I. You and K. Yim, “Malware Obfuscation Techniques: A Brief Survey,” IEEE, online: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5633410
[3] T. Harmonen, “Identifying Polymorphic Malware,” U.S. Patent 8,683,216, Mar. 25, 2014.
[4] A. Rehman and T. Saba, “Evaluation of artificial intelligent techniques to secure information in enterprises,” Artificial Intelligence Review, vol. 42, no. 4, pp. 1029–1044, 2014, doi: http://dx.doi.org/10.1007/s10462-012-9372-9
[5] A. Martin, “Future malware might offer real functions to avoid detection,” Oct. 9, 2014, online: http://www.welivesecurity.com/2014/10/09/future-malware-might-offer-real-functions-avoid-detection/
[6] T. Brandley, “What data breaches teach us about the future of malware: Your own data could dupe you,” Jun. 9, 2014, online: http://www.pcworld.com/article/2360762/what-ebay-taught-us-about-malware-your-own-data-can-be-used-to-dupe-you.html
[7] M. Xynou, “Hacking without borders: The future of artificial intelligence and surveillance,” Mar. 15, 2013, online: http://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance