Machine learning algorithm scours the Darknet for zero-day exploits before anyone has a chance to abuse them
A machine-based search of the Darknet, the online hacker marketplaces, identifies over 300 significant cyber threats every week. A team at Arizona State University has built a machine learning system that monitors Darknet and Deep Web forums and marketplaces for information about zero-day exploits before those exploits are let loose in the wild.
The stereotype of the lone hacker infecting the planet with malicious code from a dark basement is not realistic. The cyber criminals that attack the world’s computers every minute of every day are far more organised. Criminal hacking is a culture in which people share malicious ideas and information on forums hosted on Tor hidden services (the Darknet) and on websites that are not indexed by search engines (the Deep Web). Malware programs and exploit kits are bought and sold on Darknet markets.
What actually happened
- February 2015, Microsoft identifies a critical vulnerability in its Windows operating system that potentially allowed a malicious attacker to remotely take control of the targeted computer. The problem affected a wide variety of Windows versions, including those designed for servers and mobile computers. It didn’t take long for details of the vulnerability to spread through the hacker community.
- April 2015, cybersecurity experts found an exploit based on this vulnerability for sale on the Darknet marketplace where the seller was asking around $15,000.
- July 2015, the first malware appeared that used this vulnerability. This piece of malware, the Dyre Banking Trojan, targeted users all over the world and was designed to steal credit-card numbers from infected computers.
The episode provided a key insight into the way malware evolves. In just a few months, hackers had turned a vulnerability into an exploit, offered it for sale, and then seen it built into malware that was released into the wild.
When malware exploits a previously unknown vulnerability, the software vendor has had zero days to prepare a patch and must develop one immediately, hence the name “zero-day attack.”
A key goal for cybersecurity experts is therefore to identify zero-day exploits before they can be turned into malware. The case of the Dyre Banking Trojan provided important inspiration for an entirely new approach to this kind of cybersecurity.
The new cyber threat intelligence-gathering operation uses machine learning to study hacking forums and marketplaces on the Darknet and Deep Web, hunting for clues about emerging vulnerabilities. The system is off to an impressive start: it collects on average 305 high-quality cyber threat warnings each week.
The machine learning algorithm detects relevant products and topics being discussed on the Darknet and Deep Web. The team labels 25% of the collected data by hand, marking what is relevant and what is not. It takes a human about one minute to label five marketplace products or two forum topics, and this effort can be reduced as the machine learns. The algorithm is then trained on this labeled set and tested on the remaining data.
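As an added illustration of the supervised approach described above (example code written for this page, not the ASU team's system or its data), the following builds a small relevant/irrelevant classifier over constructed marketplace listings, trains it on a hand-labeled slice and checks it against held-out listings. The listings, the naive Bayes model, the two labels and the function names are assumptions for the example; the article does not say which classifier or features the team used.

```python
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z0-9]+")

# Constructed listings standing in for the hand-labeled slice (not real data).
LABELED = [
    ("0day remote code execution exploit for Windows kernel, full chain", "relevant"),
    ("Android privilege escalation exploit, root any device, source included", "relevant"),
    ("Internet Explorer 11 use after free exploit, bypasses ASLR DEP", "relevant"),
    ("Banking trojan builder with web injects and credential stealer", "relevant"),
    ("Exploit kit rental, weekly price, drive-by infection for browsers", "relevant"),
    ("Remote access trojan, silent install, keylogger and screen capture", "relevant"),
    ("Fresh cannabis, indoor grown, discreet shipping worldwide", "irrelevant"),
    ("Counterfeit designer handbags, top quality replica", "irrelevant"),
    ("Fake passports and driver licenses, all countries", "irrelevant"),
    ("Prescription pills, pharmacy grade, bulk discount", "irrelevant"),
    ("Stolen Netflix accounts, lifetime warranty", "irrelevant"),
    ("Gift cards at half price, instant delivery", "irrelevant"),
]

# Constructed listings playing the role of the unlabeled remainder, with the
# answer an analyst would give, so the classifier can be scored.
HELD_OUT = [
    ("Windows SMB remote exploit, unpatched, works on server editions", "relevant"),
    ("Kernel exploit for Android 5, privilege escalation to root", "relevant"),
    ("Pure MDMA crystals, tested, discreet shipping", "irrelevant"),
    ("Replica watches, top quality, worldwide delivery", "irrelevant"),
]


def tokenize(text):
    """Lower-case a listing and split it into alphanumeric tokens."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesRelevance:
    """Multinomial naive Bayes with Laplace smoothing over listing tokens."""

    def __init__(self):
        self.doc_counts = Counter()               # label -> number of listings
        self.word_counts = defaultdict(Counter)   # label -> token -> count
        self.total_tokens = Counter()             # label -> total tokens
        self.vocab = set()

    def train(self, labeled):
        for text, label in labeled:
            tokens = tokenize(text)
            self.doc_counts[label] += 1
            self.word_counts[label].update(tokens)
            self.total_tokens[label] += len(tokens)
            self.vocab.update(tokens)

    def log_scores(self, text):
        """Unnormalised log posterior for each label."""
        tokens = tokenize(text)
        n_docs = sum(self.doc_counts.values())
        vocab_size = len(self.vocab)
        scores = {}
        for label in self.doc_counts:
            score = math.log(self.doc_counts[label] / n_docs)
            denom = self.total_tokens[label] + vocab_size
            for tok in tokens:
                # add-one smoothing keeps unseen tokens from zeroing the score
                score += math.log((self.word_counts[label][tok] + 1) / denom)
            scores[label] = score
        return scores

    def predict(self, text):
        """Return (label, posterior probability of that label)."""
        scores = self.log_scores(text)
        best = max(scores, key=scores.get)
        posterior = 1.0 / sum(math.exp(s - scores[best]) for s in scores.values())
        return best, posterior


def build_classifier():
    clf = NaiveBayesRelevance()
    clf.train(LABELED)
    return clf


def accuracy(clf, held_out):
    """Fraction of held-out listings whose predicted label matches the analyst's."""
    hits = sum(1 for text, expected in held_out if clf.predict(text)[0] == expected)
    return hits / len(held_out)


def triage(clf, listings):
    """Listings predicted relevant, highest posterior first, for analyst review."""
    flagged = []
    for text in listings:
        label, posterior = clf.predict(text)
        if label == "relevant":
            flagged.append((text, posterior))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    clf = build_classifier()
    print("held-out accuracy:", accuracy(clf, HELD_OUT))
    for text, posterior in triage(clf, [t for t, _ in HELD_OUT]):
        print(f"{posterior:.3f}  {text}")
```

The posterior returned by `predict` is what makes the human effort scale: an analyst reviews the highest-scoring listings first and feeds corrections back into the labeled set, which is the "reduced as the machine learns" loop the article describes.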
Over a 4-week period, 16 zero-day exploits were detected from the marketplace data. This included one significant Android exploit being offered for around $20,000 and one involving Internet Explorer 11 for around $10,000.
If the machine learning system can spot zero-day vulnerabilities before they are developed into malware, it can help software owners develop patches quickly. That is a significant help for security experts.
Of course, this will be part of the cat-and-mouse game of cybersecurity. It will be interesting to see how hackers change their behaviour now that they know they are being systematically monitored in this way. When that happens, there will be yet another iteration of the game.