Sometimes the best way to stop a bad machine is with a lot of good machines.
Several companies are applying the techniques of artificial intelligence (AI) to the world of security and they are using a whole bunch of machines strung together in so-called cloud computing networks to do it. Originally the province of university researchers, and now one of the ways Google and other companies figure out what is going on across the Web, AI technology is being employed by security companies, who say they can beat criminals by using many of the same strategies.
Much as Google examines Web sites for significant information and watches the behavior of people searching and surfing the Web, AI security companies look for malicious sites or try to examine and predict the behavior of malware, which is software meant to cause problems.
Illustration: Yusha
“We are looking at about 200,000 samples of malicious code a day, so we can guard maybe 11 million events in a microsecond,” said Tomer Weingarten, the chief executive of a computer security company called SentinelOne.
Staying on top of that volume requires the equivalent of 10,000 computers, Weingarten said.
As computing becomes more pervasive, traditional defenses are proving inadequate. For example, the firewall, which was once an effective safeguard on the perimeter between a corporate network and the world, is now problematic: It has become harder to say where systems begin and end as they become connected to more and more things. In 2013, Target was hacked when criminals entered the main servers through software for a company heating system that was managed by a contractor.
More recently, “sandboxes” have been developed that temporarily isolate incoming programs and files to see if they try something malicious. In response, hackers have written code enabling malware to recognize that it is being quarantined — sometimes by contacting a computer’s operating system directly — so it does not take any suspicious action until it detects that it has been released.
Every day, SentinelOne’s computers scour the many listings worldwide of known malware and attack codes, which are publicly posted by government agencies and private security organizations. Using machine learning, an AI technique of pattern mapping, the computers then look for similarities with known techniques and try to identify similar behaviors that precede attacks.
That information is then loaded into computing “agents” that are inside its clients’ computers. The agents observe events inside a computer almost the moment they occur. If, for instance, a so-called “ransomware” program starts to encrypt a user’s files — to lock up the computer, which will be freed only once the owner pays a ransom — the agent will isolate the program and notify the system administrator.
Often, it can also undo whatever damage was caused by reverting the few files that were affected to an earlier state.
“Sometimes it is easy to see malicious behavior — no legitimate application would just start encrypting everything,” Weingarten said. “Other times, they are ‘spraying the heap,’ looking for all the commands being queued up in the computer so they can rewrite the system and insert their code. Normal applications do not do these things.”
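The agent behaviour described above (watch file events as they happen, isolate a process that starts rewriting everything, revert the touched files) can be sketched in a few dozen lines. The following is an added illustration for this article, not SentinelOne's code: the event format, the thresholds, the "shadow copy" mechanism and the sample event stream are all constructed here. It encodes the rule quoted above, that no ordinary application rewrites many user files with encrypted-looking (high-entropy) data in a few seconds, and restores the files from the copy it kept before each write.

```python
"""Toy endpoint agent: per-process file-write monitoring with isolate-and-revert.

Constructed example. Thresholds and the event stream are assumptions, not
measured values from any product.
"""
import math
from collections import defaultdict

WINDOW_SECONDS = 5.0   # burst window for counting rewrites (assumed)
MIN_FILES = 10         # distinct files rewritten within the window (assumed)
MIN_ENTROPY = 7.0      # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class Agent:
    def __init__(self, disk: dict):
        self.disk = dict(disk)               # path -> current content
        self.backup = {}                     # (pid, path) -> content before pid's first write
        self.history = defaultdict(list)     # pid -> [(ts, path)] of high-entropy writes
        self.isolated = set()
        self.alerts = []                     # (pid, reverted paths) for the administrator

    def on_write(self, ts: float, pid: int, path: str, data: bytes) -> str:
        if pid in self.isolated:
            return "blocked"                 # an isolated process may not touch the disk
        # Keep the pre-write content so a later revert can undo this process's damage.
        self.backup.setdefault((pid, path), self.disk.get(path))
        self.disk[path] = data
        if shannon_entropy(data) >= MIN_ENTROPY:
            self.history[pid].append((ts, path))
        recent = {p for t, p in self.history[pid] if ts - t <= WINDOW_SECONDS}
        if len(recent) >= MIN_FILES:
            self.isolate(pid, recent)
            return "isolated"
        return "allowed"

    def isolate(self, pid: int, paths: set) -> None:
        """Quarantine the process and put every file it rewrote back as it was."""
        self.isolated.add(pid)
        for p in paths:
            self.disk[p] = self.backup[(pid, p)]
        self.alerts.append((pid, sorted(paths)))


def run_demo():
    """Constructed event stream: one editor save, then a process that rewrites
    every document with high-entropy data within about three seconds."""
    user_files = {f"/home/alice/docs/report{i}.txt": f"quarterly notes {i}\n".encode()
                  for i in range(12)}
    agent = Agent(user_files)
    blob = bytes(range(256)) * 16   # stand-in for ciphertext: entropy exactly 8.0 bits/byte
    results = []
    # pid 100 is a text editor saving ordinary text: low entropy, never counted.
    results.append(agent.on_write(0.0, 100, "/home/alice/docs/report0.txt", b"edited notes 0\n"))
    # pid 200 rewrites the documents one after another, a quarter second apart.
    for i, path in enumerate(sorted(user_files)):
        results.append(agent.on_write(1.0 + i * 0.25, 200, path, blob))
    return agent, results


if __name__ == "__main__":
    agent, results = run_demo()
    print(results)
    for pid, paths in agent.alerts:
        print(f"pid {pid} isolated; reverted {len(paths)} files")
```

Running the demo, the tenth high-entropy rewrite trips the rule: pid 200 is isolated, its remaining writes are blocked, and the ten files it touched are restored (report0 keeps the editor's earlier save, since that was the content on disk before pid 200 reached it). A real agent would of course hook the kernel's file and process events rather than receive them as function calls, and would tune the thresholds per environment.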
Every piece of malware also has its own biography within the system. Weingarten recently called up a program called Troldesh, which was first observed on the evening of April 9. It created files on the infected computer, then changed the files and notified a server in Russia that it was ready.
“This starts to look suspicious,” Weingarten said.
Signals can be bounced around, so it is hard to say just where Troldesh originated. It also communicated with machines in Hungary, Austria and Germany.
Troldesh was identified and stopped, but a hacker could reuse much of the code in other malware. That is why AI tries to learn hackers’ rules and habits.
Another challenge in protecting today’s computer networks is how poorly understood much of the world’s software is.
“There are 600 million individual files known to be good and a malware universe of about 400 million files, but there are also 100 million pieces of potentially unwanted adware and 200 million software packages that just are not known. It takes a lot of talent to figure out what is normal and what is not,” Gartner analyst Lawrence Pingree said.
The process, which he called “endpoint detection,” looks at and acts on what goes on in individual machines.
Many of the same techniques can also be used on other kinds of bad online behavior. Carlos Guestrin, a well-regarded expert in machine learning, is chief executive and cofounder of a company called Dato. Alongside more traditional AI applications, such as predicting shopping preferences, he has started looking at fraudulent behavior.
“We caught spam with machine learning by looking at sequences of words. Now, we look for the code in a virus, like DNA, that makes it do unusual things,” Guestrin said. “With human fraud, you look for relationships about who sends money to who, or who is hiding fraudulent transactions. If a finite number of people keep sending each other money, they are probably trying to look like legitimate businesses.”
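The last observation in the quote, that a closed group of accounts passing money among themselves looks different from real commerce, is a graph problem. The example below is added for this article and is not Dato's product or G2's system: it builds a directed graph of transfers, finds the strongly connected groups (sets of accounts that all eventually pay each other), and flags those in which nearly all outgoing money stays inside the group. The accounts, amounts and thresholds are constructed.

```python
"""Flag closed money-circulation rings in a set of transfers.

Constructed example. Transfer data and thresholds are assumptions.
"""
from collections import defaultdict


def strongly_connected_components(graph):
    """Tarjan's algorithm. graph: node -> set of successor nodes."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in list(graph):
        if v not in index:
            visit(v)
    return comps


def find_transaction_rings(transfers, min_size=3, min_internal_share=0.8):
    """transfers: iterable of (sender, receiver, amount).
    Returns [(accounts, share of the group's outgoing money that stayed inside)]."""
    graph = defaultdict(set)
    pair_total = defaultdict(float)
    out_total = defaultdict(float)
    for src, dst, amt in transfers:
        graph[src].add(dst)
        graph.setdefault(dst, set())      # sinks must exist as nodes too
        pair_total[(src, dst)] += amt
        out_total[src] += amt
    rings = []
    for comp in strongly_connected_components(graph):
        if len(comp) < min_size:
            continue
        sent = sum(out_total[n] for n in comp)
        internal = sum(a for (s, d), a in pair_total.items() if s in comp and d in comp)
        if sent and internal / sent >= min_internal_share:
            rings.append((frozenset(comp), internal / sent))
    return rings


# Constructed sample: four accounts cycling roughly the same sum, plus a shop
# with ordinary customers, a supplier and one refund back to the shop.
SAMPLE_TRANSFERS = [
    ("acct_A", "acct_B", 500.0), ("acct_B", "acct_C", 480.0),
    ("acct_C", "acct_D", 470.0), ("acct_D", "acct_A", 460.0),
    ("acct_A", "grocer", 20.0),
    ("cust_1", "shop", 30.0), ("cust_2", "shop", 30.0), ("cust_3", "shop", 30.0),
    ("cust_4", "shop", 30.0), ("cust_5", "shop", 30.0),
    ("shop", "supplier", 100.0), ("supplier", "shop", 10.0),
]

if __name__ == "__main__":
    for accounts, share in find_transaction_rings(SAMPLE_TRANSFERS):
        print(sorted(accounts), f"{share:.1%} of outgoing money stayed in the group")
```

On the sample, the shop and its supplier also form a strongly connected pair (the refund closes a loop), but it is below the minimum group size and almost all of the shop's customers sit outside it, so only the four-account ring is reported. In practice the share threshold and minimum size are tuned against known cases, and the same graph feeds features into the learned model rather than acting as a rule on its own.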
G2 Web Services, based in Bellevue, Washington, helps banks figure out if a Web site is fraudulent or is selling contraband. Using Guestrin’s product, coupled with human experience, on hundreds of millions of sites, G2 improved its ability to predict fraud and crime by 13 percent. Over millions of transactions, that amounts to quite a lot.
G2 can also flag prohibited content, like child pornography, which exists on about 1.5 percent of all merchant Web sites. Sometimes a criminal would put a link to a store for illegal growth hormones in an otherwise honest site, without the merchants ever knowing about the link placement. Another use for AI is spotting “transaction laundering,” in which an illegal business tries to appear legitimate by processing transactions through a legal site.
The company is making strides against cybercrime, as “the guys who run these illicit sites are also into viruses and malware,” G2 principal data scientist Alan Krumholz said. “It is a cat-and-mouse game. They go from one business into another.”