As networks increasingly rely on new, primarily software-based architectures, the issue of security cannot be overlooked. Artificial intelligence is one field researchers are exploring to provide sufficient protection for these new networks, such as 5G (and beyond) and constrained networks such as the IoT. An approach explored in particular by cybersecurity researchers at IMT Lille Douai.
“In a matter of a few dozen milliseconds, a well-targeted attack can wipe out an entire network and the services that go with it.” Ahmed Meddahi, a research professor at IMT Lille Douai, offers this frightening reminder about the threats to Internet-of-Things networks in particular. Behind their control screens in their security operations centers, network operators can identify a multitude of diverse attacks in the blink of an eye. Granted, not all attacks are carried out so quickly. But this example is a good illustration of the constraints weighing on the researchers and engineers who develop cyberdefense systems. Such systems must be able to monitor, analyze, sort, detect and react, all in just a few milliseconds.
For this, humans have two complementary technological tools on their side: new network architectures and artificial intelligence. 5G or WPAN (a network technology for the Internet of Things) are based on two important characteristics with cryptic acronyms: SDN — SDN-WISE for the IoT — and NFV. SDN, which stands for software-defined network, “is a network’s capacity to be programmed, configured and controlled in a centralized, dynamic way,” explains Ahmed Meddahi, who has been working on architecture security for the past several years. As for NFV, “it’s the virtualization of the IT world, adapted to the world of networks. The network functions which were purely hardware-based up to now are becoming software functions.” SDN and NFV are complementary and their primary aim is to reduce the development cycle for telecom services as well as the cost of network operations and maintenance.
Read more on I’MTech: SDN and Virtualization : More Intelligence in 5G networks
As far as cybersecurity is concerned, NFV and SDN could serve as a basis for providing an overview of the network, or could take on a portion of the complexity of IoT networks. The network operator in charge of security could therefore establish an overall security policy from his control post, with the rules and basic behavior of the network. He could then allow the network to make its own decisions instantaneously. The goal is to move towards more autonomous network security.
In the event of a threat or an attack, such an organization makes it possible to rapidly deny access or introduce filter rules for computer traffic, and therefore isolate or migrate segments of the network that are under attack. This sort of architecture or approach is an advantage for effectively responding to threats and making the network more resilient. But sometimes, the speed at which humans can analyze situations and make decisions does not suffice. That’s where artificial intelligence comes in.
Detecting more quickly than humans
“It’s one of the major areas of research in cybersecurity: first of all, how can we collect the most relevant information about network activity, out of a huge and widely-varying volume of traffic data, which, on top of that, is ever-growing? And second, how can we detect, identify and isolate an attack that only lasts a fraction of a second, or even anticipate it, to prevent the worst from happening?” says Ahmed Meddahi. New SDN and NFV architectures could help answer this question since these technologies will facilitate the integration of learning algorithms in network control systems. This is another promising new area of research for network and computer security scientists, which is naturally of interest to researchers at IMT Lille Douai.
The first challenge is to choose the right approach. Which algorithms should be used? Supervised, unsupervised or hybrid? And with which data? Traditional learning methods consist of showing the algorithm how the network behaves in a normal situation, and how it behaves in an abnormal situation or when under attack. It will then be able to learn and recognize situations that are almost identical to those it has learned. But there’s a problem: these learning methods based on examples or records are not compatible with the reality of cyberthreats.
“Attacks are dynamic and are constantly changing,” says Ahmed Meddahi. “Hackers can get past even the strongest counter-measures and defenses since they change their approach on a regular basis and constantly change their signature.” But with supervised learning, an algorithm is trained with existing attacks, at the risk of quickly becoming outpaced by the attacks of tomorrow.
That’ s why researchers and industry stakeholders are instead focusing on an unsupervised or hybrid learning approach, and even on new AI algorithms designed especially for cybersecurity purposes. In this case, an algorithm would learn by itself what qualifies as normal or abnormal network operation. Rather than detecting the trace or signature of an attack, it will learn how to recognize the conditions in which an attack has occurred in the past, and notify operators if the same conditions occur or are being brought together.
“The unsupervised approach also poses another problem: it requires constant learning on the network, which implies a significant cost in terms of resources,” says the IMT Lille Douai researcher. That is precisely the challenge facing scientists: finding a realistic approach to learning in an extremely dynamic, ever-changing environment. If researchers are beginning to work on new security issues for 5G and IoT networks, businesses naturally have high expectations. With 5G set to launch in France in 2020, operators and managers of these next-generation networks are more concerned than ever about the security of users and their data.