Unlike a couple of years ago, cloud security is no longer an afterthought. As pointed out in the App-Sec article published recently, it remains in the top 3 priorities of relevant security topics in 2023. Cloud workloads are difficult to protect due to their dynamic behavior and the number of moving parts. On top of that, DevOps teams need to learn to apply security measures properly. Security teams struggle with the huge number of security incidents that need to be analyzed and processed. Automating parts of incident handling can help, but this still requires input from human personnel. Artificial Intelligence and Machine Learning are gaining a foothold in more and more applications to learn, predict and react to situations that happen in software applications. The same applies to security-related topics. In this article, we’ll explore how AI and ML can help in the area of cloud security.
Context and justification
Cybersecurity threats become more sophisticated as we speak. The number of attacks on companies (large and small) increases. It’s not only the cloud-based workloads that are in scope here, but also the supply chains that are the trigger for any new release. With the number of cloud-based components like micro-services and serverless architectures going up, securing them also becomes more challenging. AI and ML are on the rise to ease the burden on security teams by streamlining the massive amount of security-related information that needs to be processed and analyzed in order to keep workloads secure. Both technologies act as a layer on top of the existing security program which companies run.
One of the key things about AI and ML is that they can find anomalies. This means detecting behavior of systems and/or humans that is unlikely under “normal circumstances”. Many security tools like Prisma Cloud or Sysdig Secure that focus explicitly on the cloud use these kinds of patterns to assist security teams.
A sample use case that heavily depends on anomaly detection is the following:
Alert a human being or another system of suspicious logins (or attempts to log in). Besides alerting, it’s also possible to directly block the malicious actor.
In case a company uses AWS as the cloud provider of choice, this is possible by gathering data from services like AWS Inspector, GuardDuty, and CloudTrail. This is combined with data about common anomalies, policy violations, and the security of business impact to define the risk score. All of this leads to a prioritized list of risk postures about your entire environment.
Based on that, security experts can make an informed decision about what to do with the items that need immediate attention. This is a rather reactive approach, but very useful for any company that needs to assess a lot of data.
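The suspicious-login use case above, as an added example that is not from the article or from any vendor product: it baselines each user's successful CloudTrail `ConsoleLogin` events and ranks new logins by how unusual their source network and hour are. The /24 grouping, the weights, the threshold and the sample events are assumptions made for illustration, and source addresses are assumed to be IPv4.

```python
import ipaddress, math
from collections import Counter
from datetime import datetime

def features(ev):
    """Reduce a CloudTrail ConsoleLogin record to (user, /24 network, UTC hour)."""
    net = ipaddress.ip_network(ev["sourceIPAddress"] + "/24", strict=False)
    hour = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")).hour
    return ev["userIdentity"].get("userName", "unknown"), str(net), hour

def build_baseline(history):
    """Per-user counts of networks and hours seen in past successful logins."""
    base = {}
    for ev in history:
        if ev["responseElements"]["ConsoleLogin"] == "Success":
            user, net, hour = features(ev)
            prof = base.setdefault(user, {"net": Counter(), "hour": Counter(), "n": 0})
            prof["net"][net] += 1
            prof["hour"][hour] += 1
            prof["n"] += 1
    return base

def surprise(count, total, categories):
    """-log2 of the Laplace-smoothed frequency: values never seen before score high."""
    return -math.log2((count + 1) / (total + categories))

def score(ev, base):
    """Anomaly score for one login; the +2.0 and +1.0 weights are illustrative."""
    user, net, hour = features(ev)
    prof = base.get(user, {"net": Counter(), "hour": Counter(), "n": 0})
    s = surprise(prof["net"][net], prof["n"], len(prof["net"]) + 1)
    s += surprise(prof["hour"][hour], prof["n"], 24)
    s += 2.0 if ev["responseElements"]["ConsoleLogin"] == "Failure" else 0.0
    s += 1.0 if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes" else 0.0
    return round(s, 2)

def prioritize(events, base, threshold=8.0):
    ranked = sorted(((score(e, base), e["eventID"]) for e in events), reverse=True)
    return [pair for pair in ranked if pair[0] >= threshold]

def sample(eid, ip, time, result="Success", mfa="Yes", user="alice"):
    """Constructed record carrying only the CloudTrail fields used above."""
    return {"eventID": eid, "eventTime": time, "sourceIPAddress": ip,
            "userIdentity": {"userName": user}, "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa}}

HISTORY = [sample(f"h{d}", "198.51.100.7", f"2023-03-{d:02d}T09:05:00Z") for d in range(1, 21)]
NEW = [sample("n1", "198.51.100.9", "2023-03-21T09:10:00Z"),
       sample("n2", "203.0.113.50", "2023-03-21T03:41:00Z", result="Failure", mfa="No")]
ALERTS = prioritize(NEW, build_baseline(HISTORY))
```

A user with no baseline scores zero on the network term here, so first-seen identities need their own rule before a list like `ALERTS` is used for triage.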
ML and AI are extremely useful when it comes to predicting weaknesses and vulnerabilities which are being exploited right now. While the previous use-case represents a more “reactive” solution, the predictive behavior of the latter one is much more proactive and thus more powerful.
This works by carefully examining all of the data that comes out of protected endpoints, not just the “bad data”. This constant stream of data is enriched by other sources and it also detects threats based on known behavior. Furthermore, it identifies known threats based on predictive analysis. All of these combined lead to a high success ratio of spotting the root cause of issues as opposed to reacting to security events that already happened and to which the system can only take action to minimize the damage.
Big data and Machine Learning models
The positive impact of ML and AI doesn’t stop when it comes to spotting security incidents “on time” and predicting potential threats. It also helps to dig through big data sets. For example, Machine Learning models learn from seemingly unrelated pieces of information in telemetry data. They combine raw data and known patterns to generate new information that provides insights for security experts. Effectively, this helps to get the “complete picture” of large datasets.
In order to understand these machine learning models and to position them amongst other cloud security topics, it’s great to find an excellent piece of research from the University of Sharjah. In their paper, they provide you with an overview of the different research topics which have already been conducted as well as an overview of the various attack methods which are common nowadays.
However, the research questions and the answers that follow are the heart of the paper. Their research questions are as follows:
- Which cloud security areas are addressed by this review?
- Which machine learning algorithms are used in cloud computing security?
- What is the overall estimation and accuracy of machine learning models?
The last question in particular helps people to find out which Machine Learning model best helps them to overcome security threats for their use cases. The findings that help to answer this question come from many different papers in which various aspects, such as the construction of the data set and the validation methods, are discussed.
All of these aspects make this a valuable paper to study.
Attacking the Machine Learning model
Seven experts connected to Frontiersin wrote an excellent article that goes deeper into the topic of securing Machine Learning (models) and technologies in the cloud. In their article, they presented an evaluation of the existing literature about attacks as well as defense systems in this area. One of the key reasons for this research is the growing interest in using Machine Learning technologies and the technical advancements it brings.
The core of the article aims to answer the following research questions:
- What are the well-known attacks on cloud-hosted/third-party ML/DL models?
- What are the countermeasures and defenses against such attacks?
To answer these questions, they analyzed 31 articles along with 5 attack themes for ML services. In addition, 5 themes to defend against these attacks were analyzed. All of the articles were carefully selected based on inclusion criteria, while exclusion criteria presented reasons to leave them out. Pitfalls and limitations of the articles were presented as well as open research questions for further investigation.
It’s great to read about different treatment models which apply to Machine Learning techniques and also an extensive list of the variety of attacks that are likely in this domain. The authors used different datasets to validate and analyze the list of articles. If you’re interested in the taxonomy of attacks, be sure to check out section 4.2, which lists a total of 12 different attack methods including evasion attacks, data manipulation attacks, and backdooring attacks.
Section 5.2 continues with the methods to defend your system from ML/AI-based attacks.
Another great source that presents a ton of information about Machine Learning Techniques and Analytics for Cloud Security is the book written by three excellent authors (Rajdeep Chakraborty, Anupam Ghosh, and Jyotsna Kumar Mandal). Their book was published in December 2021 and covers nearly everything that you need to know in terms of securing your cloud workloads using Machine Learning techniques and analytics.
They examine a lot of different use cases based on various large cloud providers. This makes it possible for any cloud user to find a use case that fits their provider of choice and which might also be closely related to their area of interest. Among them are use cases like effective spam detection and network intrusion detection systems, as well as use cases that analyze your mood based on your voice.
All of these use cases are introduced, examined, and explored following a thorough introduction to the conceptual aspects of the Cloud and applications of Machine Learning.
As we’ve seen in this article, there are a lot of literature studies as well as case studies that focus on Machine Learning techniques that can help to identify traditional or zero-day attacks. Machine Learning models use algorithms that can learn patterns from (massive amounts of) data and predict the outcome. One of the key strengths is anomaly detection, which plays a vital role in cloud-based security systems. It’s about the things which tend to be not so likely, but those kinds of things are actually the ones that require attention.
There are a number of excellent books and papers that focus on different types of attacks and their countermeasures. Every company that works in the cloud, trying to protect their valuable data, can benefit from these (online) resources to better secure their workloads. They can shift their security efforts from reactive to more proactive so they free up time to focus on their business-related aspects.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.