SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Mobile security starts with a powerful AI-based scanning engine
Fri, 17th Nov 2017

The secret sauce is AI-based zero packet inspection. That's how to secure mobile users, and their personal data and employers' data.

Let's back up a step. Mobile devices are increasingly under attack, from malicious apps, from rogue emails, from adware, and from network traffic. Worse, that network traffic can come from any number of sources, including cellular data, WiFi, even Bluetooth. Users want their devices to be safe and secure. But how, if the network traffic can't be trusted?

The best approach around is AI-based zero packet inspection (ZPI). It all starts with data. Tons of training data, used to train a machine learning algorithm to recognize patterns that indicate whether a device is performing normally – or if it's under attack. Machine learning refers to a number of advanced AI algorithms that can study streams of data, rapidly and accurately detect patterns in that data, and from those patterns, sort the data into different categories.

The Zimperium z9 engine, as an example, uses machine learning to train against a large number of test cases (on both iOS and Android devices) that represent known patterns of safe and unsafe traffic. We call this approach zero-packet inspection because the objective is not to look at the contents of the network packets but to scan the lower-level traffic patterns at the network level, such as IP, TCP, UDP and ARP scans.

(If you're not familiar with those terms, suffice it to say that at the network level, the traffic is focused on delivering data to a specific device, and then within that device, making sure it gets to the right application. Think of it as being like an envelope going to a big business – it has the business name, street address, and department/mail stop. The machine learning algorithms look at patterns at that level, rather than examining the contents of the envelope. This makes the scans very fast and accurate.)

ZPI in the Real World

Once the machine learning algorithms have been trained to make accurate diagnoses of malicious and non-malicious data traffic in a test environment, the engine is let loose in the real world, with a small agent installed on the Apple or Android device. The small, efficient agent looks at all incoming traffic using the same AI-based ZPI process and flags malicious traffic. It's just that easy.

Well, that makes it sound easy, but in reality it's tricky to create the training sets, fine-tune the machine learning algorithms, and ensure that the engine works with minimal false positives (i.e., traffic flagged as malicious that is actually benign) or false negatives (traffic flagged as safe that is actually dangerous). You can check this by deploying the fully trained engine and then attacking the device in a controlled test, to make sure that malicious traffic, such as network scans that probe for vulnerabilities, is flagged and blocked each and every time.
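To make the header-only idea concrete, here is an added example (not Zimperium's code, and a simple threshold rule standing in for the trained z9 classifier) that scans only network-level fields of constructed packet metadata, flags TCP port-scan and ARP-sweep patterns, and counts false positives and false negatives against labelled sample sets, the check described above. The thresholds, window and sample traffic are assumptions for illustration.

```python
# Added illustration of zero packet inspection: records carry only
# network-level fields (no payload). Thresholds and traffic are constructed.
from collections import defaultdict

# Constructed packet metadata: (timestamp, proto, src, dst, dport).
# proto is "TCP", "UDP" or "ARP"; for ARP, dst is the probed IP and dport is None.
BENIGN = [(t, "TCP", "10.0.0.5", "93.184.216.34", 443) for t in range(0, 20)]
PORT_SCAN = [(30 + i * 0.01, "TCP", "10.0.0.9", "10.0.0.5", 1 + i) for i in range(40)]
ARP_SWEEP = [(60 + i * 0.05, "ARP", "10.0.0.9", f"10.0.0.{i}", None) for i in range(1, 31)]

SCAN_PORTS = 20   # distinct dst ports from one source to one host within WINDOW
SWEEP_HOSTS = 16  # distinct ARP targets from one source within WINDOW
WINDOW = 5.0      # seconds

def detect_scans(packets):
    """Return a set of (src, kind) for sources whose header patterns look like scans."""
    ports = defaultdict(list)   # (src, dst) -> [(t, dport)]
    hosts = defaultdict(list)   # src -> [(t, dst)]
    alerts = set()
    for t, proto, src, dst, dport in sorted(packets, key=lambda p: p[0]):
        if proto in ("TCP", "UDP"):
            ports[(src, dst)].append((t, dport))
            recent = {p for ts, p in ports[(src, dst)] if t - ts <= WINDOW}
            if len(recent) >= SCAN_PORTS:
                alerts.add((src, "port_scan"))
        elif proto == "ARP":
            hosts[src].append((t, dst))
            recent = {d for ts, d in hosts[src] if t - ts <= WINDOW}
            if len(recent) >= SWEEP_HOSTS:
                alerts.add((src, "arp_sweep"))
    return alerts

def evaluate(packets_by_label):
    """Count false positives and false negatives over labelled sample sets,
    i.e. the 'attack the trained engine and see what it flags' check."""
    fp = fn = 0
    for label, packets in packets_by_label:
        flagged = bool(detect_scans(packets))
        if flagged and label == "benign":
            fp += 1
        if not flagged and label == "malicious":
            fn += 1
    return fp, fn
```

A single long-lived HTTPS connection never trips the rule because it reuses one destination port, while the scan reaches 20 distinct ports within the window.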

For a deeper dive into the AI-based ZPI inside the z9 engine, see these blog posts: first, “Zero Packet Inspection,” by Yaniv Karta, followed by “ZPI: One approach to rule them all,” by Nicolás Chiaraviglio.

Deploying AI-Based ZPI in Custom Software

While it's essential to have a fast, accurate engine that can detect malicious network traffic, that's not enough. The engine has to be deployed, such as by being packaged up inside tools or applications that can be downloaded and installed by mobile users.

Without getting into the Zimperium product line, let's call out one particular offering, the Zimperium In-App Protection (zIAP) SDK. Available to both commercial and enterprise software developers, zIAP uses the z9 engine to ensure that mobile applications remain safe by providing immediate device risk assessments and threat alerts.

For example, the developers of a mobile banking app can embed the z9 engine into the app, ensuring that all network traffic going to and from that app is benign – and that the app is not under attack. That way, the mobile user's banking data and transactions will be protected, whether or not there's any broader anti-malware solution installed on the device itself. If the user has anti-malware installed, that's great. If not, at least the banking app is secure.

The same would be true with enterprise apps designed to help mobile employees access systems remotely, such as enterprise resource planning (ERP) or customer relationship management (CRM) tools. In today's BYOD (bring your own device) environment, employees may not have locked-down corporate phones or tablets. No problem: if the enterprise app developer used the zIAP SDK to embed the z9 engine, all of the business's network traffic will be secure.

Going deeper: zIAP embeds the z9 engine, the heart of the zIPS app, inside mobile applications. This means that it can determine if a device is compromised. When a device is under attack, zIAP informs the app and initiates risk mitigation actions, such as invalidating sessions, destroying cryptographic keys, deleting caches, and raising fraud alerts. The SDK is completely configurable by app developers, who can select whatever remedial action should apply to corporate, partner or customer apps.

So, in the mobile banking app above, if the z9 engine determines that an attack is underway, it can delete information about the user's stored credit/debit cards, flush the cache of the user's account name, password, and other personal information, and raise a fraud alert with the bank – while also informing the user that there's a problem.

Protecting Applications, Devices, Clients, and Enterprises

Network traffic is an attack vector into a mobile device, whether that traffic is triggered by web browsing, email, mobile apps, or even the process of signing into a WiFi network. The only way to protect against that is by scanning the network traffic. Overall, the combination of AI-based machine learning with zero packet inspection is the fastest, most accurate, and least intrusive method to protect against mobile threats.