Transforming Cybersecurity with AI: How Intelligent Solutions are Shaping a Safer Digital World
Debidutta Barik
Engineering Leader | Generative AI & ML | Data & Platform Engineering | Digital Transformation | Cyber Security | Certified Lean Portfolio Manager| SaFe Agilist | CSPO | CSM
Cybersecurity has become a critical priority across industries as organizations increasingly face sophisticated cyber fraud and attacks, resulting in significant financial losses, reputational Brand damage, and operational disruptions.
Recent incidents, such as ransomware attacks and data breaches, have highlighted vulnerabilities in even the most secure systems, underscoring the urgent need for robust cybersecurity measures.
AI is playing a transformative role in identifying and mitigating cyber threats by analyzing vast amounts of data in real-time, detecting anomalies, and predicting potential attacks before they occur. The growing reliance on AI-driven solutions presents vast opportunities for innovation in threat detection, incident response, and cybersecurity automation, making it a dynamic and essential field for future development.
We must rethink Cybersecurity as at most priority in the AI era, prepared for next generation of threats. Staying one step ahead of cybercriminals , unlocking the new frontiers in proactive continuous threat detection and prevention by applying AI powered cybersecurity technologies.
Generative AI has increasingly become a significant tool in cybersecurity across various domains like Vulnerability detection, Spam detection, IP filtering and Data Protection ,
Vulnerability detection :
Tools/Frameworks : Microsoft CodeQL, GitHub Copilot, Checkmarx, Nessus, OpenVas, Wireshark, Wireshark, Qualysguard, Nikto, Acunetix, Zap, GFI Languard.
Spam Detection
Tools/Frameworks : Guardz, Mailwasher, Eset Protect Mail Plus, Comodo Dome Antispam, ORF Fusion, ZeroSpam, HorentSecurity Email Spam filter, Apache spam assassin, hugging face transformers.
IP Filtering
Tools/Frameworks : Snort, Suricata, Zeek, IP Void IP extractor, Advanced IP Scanner
Data Protection
Tools/Frameworks : Azure information Protection, Trellix Helix, Threat Locker, ManageEngine Endpoint DLP plus, ManageEngine Recovery Manager Plus, N-able Cover Data Protection, IBM Watson Knowledge Catalog, GLP ( Google Cloud Data Loss Prevention)
Security Operations Centers (SOCs) rely on a variety of tools to monitor, detect, and respond to security incidents ;
Note : Its always best preferable to sync, consult and take guidelines from cybersecurity team for any cybersecurity tools / frameworks assessment and usage in the organization.
Sample programs to detect anomalies can be applied at larger scale using encoders and ensembles.
***Anomaly Detection using Isolation Forest***
Isolation forest is the unsupervised ML used to detect anomalies and works very well by isolating observations in the data. This prediction model predicts whether each data point is an anomaly (-1) or normal (1).
from sklearn.ensemble import IsolationForest
import numpy as np
# Sample network traffic data (e.g., number of packets per session, session duration, etc.)
# In a real-world scenario, this data would come from network logs or monitoring tools.
network_data = np.array([
[200, 5], # [Number of packets, Duration (seconds)]
[250, 8],
[190, 4],
[300, 7],
[5000, 200], # Potential anomaly (high number of packets and duration)
[220, 6],
[210, 5],
[180, 4],
[10000, 500], # Another potential anomaly
])
# Create and train the Isolation Forest model
model = IsolationForest(contamination=0.2) # The contamination parameter indicates the expected proportion of outliers.
model.fit(network_data)
# Predict anomalies in the data
predictions = model.predict(network_data)
# Print the results
for i, (data, prediction) in enumerate(zip(network_data, predictions)):
status = "Anomaly" if prediction == -1 else "Normal"
print(f"Data Point {i+1}: {data}, Status: {status}")
Output
Data Point 1: [200 5], Status: Normal
Data Point 2: [250 8], Status: Normal
Data Point 3: [190 4], Status: Normal
Data Point 4: [300 7], Status: Normal
Data Point 5: [5000 200], Status: Anomaly
Data Point 6: [220 6], Status: Normal
Data Point 7: [210 5], Status: Normal
Data Point 8: [180 4], Status: Normal
Data Point 9: [10000 500], Status: Anomaly
****IP Filtering and SQL Injection Detection***
The script iterates over a list of incoming requests. For each request, it first checks if the IP is blocked. If not, it checks for SQL injection attempts in the query string. Based on these checks, the script decides whether to block, flag, or process the request.
The blocked_ips list contains IP addresses that are not allowed to access the system. The script checks each incoming request's IP against this list and blocks the request if the IP is found.
The sql_injection_pattern regex is designed to detect common SQL injection patterns, such as the use of ', --, and SQL keywords like SELECT, DROP, INSERT, etc., within the query string of an HTTP request. The detect_sql_injection function checks if the query string of a request matches the SQL injection pattern.
领英推荐
import re
# Define a list of blocked IPs (for IP filtering)
blocked_ips = ['192.168.1.100', '10.0.0.5']
# Sample incoming HTTP request data
requests = [
{"ip": "192.168.1.101", "url": "/login", "query": "username=admin&password=12345"},
{"ip": "192.168.1.100", "url": "/admin", "query": "username=admin'--"},
{"ip": "10.0.0.1", "url": "/search", "query": "q=SELECT * FROM users"},
{"ip": "10.0.0.5", "url": "/home", "query": "id=1; DROP TABLE users"},
]
# Regular expression to detect SQL injection patterns
sql_injection_pattern = re.compile(r"(?:')|(?:--)|(/\\*.*?\\*/)|(\\b(SELECT|UPDATE|DELETE|INSERT|DROP|ALTER|CREATE|REPLACE)\\b)", re.IGNORECASE)
# Function to check for SQL injection in a query string
def detect_sql_injection(query):
return re.search(sql_injection_pattern, query) is not None
# Process incoming requests
for request in requests:
ip = request['ip']
query = request['query']
# IP Filtering
if ip in blocked_ips:
print(f"Request from IP {ip} is blocked.")
continue
# SQL Injection Detection
if detect_sql_injection(query):
print(f"Potential SQL Injection detected from IP {ip}: {query}")
else:
print(f"Request from IP {ip} processed successfully.")
Output
Request from IP 192.168.1.101 processed successfully.
Request from IP 192.168.1.100 is blocked.
Potential SQL Injection detected from IP 10.0.0.1: q=SELECT * FROM users
Request from IP 10.0.0.5 is blocked.
***Brute-Force Attack and Malicious Code Detection***
The log_entries list represents sample login attempts with details like IP address, username, and status (whether the login was successful or failed).The failed_attempts dictionary counts the number of failed login attempts for each IP and username pair. If the number of failed attempts exceeds the max_attempts threshold (set to 3 in this case), the script identifies it as a potential brute-force attack and prints a warning.
The code_snippets list contains sample Python code snippets that might include malicious commands. The malicious_patterns list includes regular expressions that match common malicious functions or patterns, such as eval(), exec(), and os.system(). The detect_malicious_code function scans each code snippet for these patterns. If a match is found, it prints a warning about potential malicious code.
In real-world scenarios, this logic would be extended to monitor login attempts over time and across multiple systems, possibly integrating with SIEM tools.
In production systems, this logic would be part of a more sophisticated static code analysis tool or integrated into a CI/CD pipeline to automatically scan for insecure coding practices.
import re
from collections import defaultdict
# Sample log entries representing failed login attempts
log_entries = [
{"ip": "192.168.1.101", "user": "admin", "status": "failed"},
{"ip": "192.168.1.101", "user": "admin", "status": "failed"},
{"ip": "192.168.1.101", "user": "admin", "status": "failed"},
{"ip": "192.168.1.102", "user": "guest", "status": "failed"},
{"ip": "192.168.1.102", "user": "guest", "status": "failed"},
{"ip": "192.168.1.101", "user": "admin", "status": "success"},
{"ip": "192.168.1.103", "user": "root", "status": "failed"},
{"ip": "192.168.1.103", "user": "root", "status": "failed"},
{"ip": "192.168.1.103", "user": "root", "status": "failed"},
{"ip": "192.168.1.103", "user": "root", "status": "failed"},
]
# Thresholds for detecting brute-force attacks
max_attempts = 3
# Function to detect brute-force attacks
def detect_bruteforce(log_entries):
failed_attempts = defaultdict(int)
for entry in log_entries:
if entry["status"] == "failed":
failed_attempts[(entry["ip"], entry["user"])] += 1
# Check if the failed attempts exceed the threshold
if failed_attempts[(entry["ip"], entry["user"])] >= max_attempts:
print(f"Brute-force attack detected from IP {entry['ip']} on user {entry['user']}")
else:
# Reset counter on successful login
failed_attempts[(entry["ip"], entry["user"])] = 0
# Sample code snippets to scan for malicious patterns
code_snippets = [
"eval('malicious code here')",
"import os; os.system('rm -rf /')",
"exec('malicious command')",
"username = input('Enter username: ')",
]
# Malicious code patterns (e.g., dangerous functions or suspicious patterns)
malicious_patterns = [
r"eval\(", # Use of eval function
r"exec\(", # Use of exec function
r"os\.system\(", # Use of os.system for shell execution
r"subprocess\.Popen\(", # Use of subprocess for shell execution
r"import os", # Importing os, often used in malicious scripts
r"import subprocess" # Importing subprocess module
]
# Function to detect malicious code
def detect_malicious_code(code_snippets, malicious_patterns):
for snippet in code_snippets:
for pattern in malicious_patterns:
if re.search(pattern, snippet):
print(f"Potential malicious code detected: {snippet}")
# Run detection functions
detect_bruteforce(log_entries)
detect_malicious_code(code_snippets, malicious_patterns)
Output
Brute-force attack detected from IP 192.168.1.101 on user admin
Brute-force attack detected from IP 192.168.1.103 on user root
Potential malicious code detected: eval('malicious code here')
Potential malicious code detected: import os; os.system('rm -rf /')
Potential malicious code detected: exec('malicious command')
***Compromised IoT Device Detection Using Anomaly Detection***
Identifying compromised IoT devices can be challenging due to the diversity and often limited resources of these devices.
However, using machine learning and anomaly detection techniques, it's possible to detect unusual behavior indicative of a compromise. Below is a sample program that demonstrates a basic approach to detecting potentially compromised IoT devices based on network traffic patterns.
Here , the iot_traffic_data array contains synthetic data representing various features of network traffic and device behavior. Each row corresponds to a different IoT device, and columns might include metrics such as packets sent/received, average packet size, session duration, CPU usage, etc. The IsolationForest model is used for anomaly detection.
Devices with abnormal behavior (e.g., significantly higher traffic or resource usage) are flagged as "Compromised." The contamination parameter is set to 0.2, meaning the model expects around 20% of the devices to be compromised.
This value should be adjusted based on the specific environment and threat expectations. The model outputs -1 for anomalies and 1 for normal devices. These are mapped to "Compromised" or "Normal" for clarity.
For practical use, this detection logic would likely be integrated into a broader IoT security framework, where automated responses can be triggered if a device is detected as compromised (e.g., isolating the device from the network, alerting security teams, etc.).
import numpy as np
from sklearn.ensemble import IsolationForest
# Sample IoT device traffic data
# Each row might represent features like [device ID, packets sent, packets received, average packet size, session duration, CPU usage, etc.]
iot_traffic_data = np.array([
[1, 200, 180, 500, 30, 20], # Device 1
[2, 250, 240, 520, 35, 25], # Device 2
[3, 190, 185, 480, 28, 18], # Device 3
[4, 1000, 950, 1000, 500, 80], # Device 4 (Potentially compromised - high traffic and resource usage)
[5, 220, 210, 510, 32, 22], # Device 5
[6, 210, 205, 505, 29, 21], # Device 6
[7, 1500, 1400, 1500, 700, 90], # Device 7 (Potentially compromised - abnormal behaviour)
])
# Initialize the Isolation Forest model
model = IsolationForest(contamination=0.2) # 'contamination' represents the expected proportion of compromised devices
model.fit(iot_traffic_data)
# Predict anomalies (outliers)
predictions = model.predict(iot_traffic_data)
# Map prediction results to 'Compromised' or 'Normal'
results = ["Compromised" if pred == -1 else "Normal" for pred in predictions]
# Display the results
for i, (data, result) in enumerate(zip(iot_traffic_data, results)):
device_id = data[0]
print(f"Device {int(device_id)}: {data[1:]}, Status: {result}")
Output :
Device 1: [200 180 500 30 20], Status: Normal
Device 2: [250 240 520 35 25], Status: Normal
Device 3: [190 185 480 28 18], Status: Normal
Device 4: [1000 950 1000 500 80], Status: Compromised
Device 5: [220 210 510 32 22], Status: Normal
Device 6: [210 205 505 29 21], Status: Normal
Device 7: [1500 1400 1500 700 90], Status: Compromised
****Keylogger Detection Using Python *****
Detecting a keylogger can be challenging, especially if it's a sophisticated or well-hidden one. However, basic methods involve monitoring for suspicious processes, unusual file system activity, or unexpected network traffic that might indicate the presence of a keylogger.
Following is a sample Python program that attempts to detect keyloggers by looking for suspicious processes and monitoring keyboard input hooks .
Here, the detect_suspicious_processes function checks running processes against a list of known suspicious process names. This list should be extended and kept up to date based on threat intelligence. In a real-world scenario, we would also consider checking for unusual processes or those running from unexpected locations. The detect_keyboard_hooks function attempts to detect keyboard hooks, which are often used by keyloggers to capture keystrokes. This uses Windows API calls to check for system-wide hooks. The detect_keyboard_activity function is a placeholder for more sophisticated monitoring of keyboard input, such as detecting an unusually high number of keystrokes in a short period, which might indicate logging behavior.
For practical use, these checks would ideally be part of a real-time monitoring system that continuously watches for signs of a keylogger and triggers alerts or automated responses.
import psutil
import win32api
import win32con
import win32gui
import ctypes
from ctypes import wintypes
# Function to detect suspicious processes that might indicate a keylogger
def detect_suspicious_processes():
# List of known suspicious process names (this is a small example list)
suspicious_processes = ["keylogger.exe", "some_suspicious_process.exe", "unknown_process.exe"]
# Iterate through all running processes
for proc in psutil.process_iter(['pid', 'name']):
try:
process_name = proc.info['name']
if process_name.lower() in suspicious_processes:
print(f"Suspicious process detected: {process_name} (PID: {proc.info['pid']})")
except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
pass
# Function to check for keyboard input hooks (used by keyloggers)
def detect_keyboard_hooks():
# Define necessary Windows API calls
user32 = ctypes.windll.user32
kernel32 = ctypes.windll.kernel32
# Check system-wide hooks
hook_count = 0
for id_hook in range(14): # ID range for global hooks
hook = user32.GetWindowsHookExW(id_hook)
if hook != 0:
hook_count += 1
print(f"Keyboard hook detected with ID: {id_hook}")
if hook_count == 0:
print("No keyboard hooks detected.")
else:
print(f"Total {hook_count} keyboard hook(s) detected.")
# Function to check for suspicious keyboard activity or logging behavior
def detect_keyboard_activity():
# This could be extended with a more sophisticated approach
# Example: monitoring keystrokes over time, detecting high volumes of input
# For demonstration purposes, let's assume we flag abnormal activity
# based on arbitrary detection logic
abnormal_activity_detected = False
if abnormal_activity_detected:
print("Suspicious keyboard activity detected!")
else:
print("No suspicious keyboard activity detected.")
# Run detection functions
detect_suspicious_processes()
detect_keyboard_hooks()
detect_keyboard_activity()
Output
Suspicious process detected: keylogger.exe (PID: 1234)
No keyboard hooks detected.
No suspicious keyboard activity detected.
In conclusion, AI is continuously revolutionizing cybersecurity by enabling faster and more accurate detection of threats through real-time data analysis and predictive analytics. It empowers organizations to proactively identify vulnerabilities, automate responses, and adapt to evolving attack patterns, significantly reducing the window of opportunity for cybercriminals.
As AI continues to advance, it not only strengthens defense mechanisms but also opens new possibilities for innovation in securing digital environments, making it a cornerstone of modern cybersecurity strategies.
Cloud Technology Architect
2 个月Love this