Opinion: Mobile security starts with a powerful AI-based scanning engine

16 Nov 17

Article by Alan Zeichick, principal analyst at Camden Associates

The secret sauce is AI-based zero packet inspection. That’s how to secure mobile users, and their personal data and employers’ data.

Let’s back up a step. Mobile devices are increasingly under attack: from malicious apps, from rogue emails, from adware, and from network traffic. Worse, that network traffic can come from any number of sources, including cellular data, WiFi, and even Bluetooth. Users want their devices to be safe and secure. But how, if the network traffic can’t be trusted?

The best approach around is AI-based zero packet inspection (ZPI). It all starts with data: tons of training data, used to train a machine learning algorithm to recognize patterns that indicate whether a device is performing normally – or whether it’s under attack. Machine learning refers to a number of advanced AI algorithms that can study streams of data, rapidly and accurately detect patterns in that data, and, from those patterns, sort the data into different categories.

The Zimperium z9 engine, as an example, uses machine learning to train against a number of test cases (on both iOS and Android devices) that represent known patterns of safe and not-safe traffic. We call this zero-packet inspection because the objective is not to look at the contents of the network packets but to scan the lower-level underlying traffic patterns at the network level, such as IP, TCP, UDP and ARP scans.

(If you’re not familiar with those terms, suffice it to say that at the network level, the traffic is focused on delivering data to a specific device, and then within that device, making sure it gets to the right application. Think of it as being like an envelope going to a big business – it has the business name, street address, and department/mail stop. The machine learning algorithms look at patterns at that level, rather than examining the contents of the envelope. This makes the scans very fast and accurate.)

ZPI in the Real World

Once the machine learning algorithms have been trained to make accurate diagnoses of malicious and non-malicious data traffic in a test environment, the engine is let loose in the real world, with a small agent installed on the Apple or Android device. The small, efficient agent looks at all incoming traffic using the same AI-based ZPI process and flags malicious traffic. It’s just that easy.

Well, that makes it sound easy, but in reality it’s tricky to create the training sets, fine-tune the machine learning algorithms, and ensure that the engine works with minimal false positives (traffic flagged as malicious that is actually benign) or false negatives (traffic flagged as safe that is actually dangerous). You can do this by deploying the fully-trained engine and then attacking the device, to make sure that malicious traffic, such as network scans that probe for vulnerabilities, is flagged and blocked each and every time.
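To make the header-only idea and the false-positive/false-negative trade-off concrete, here is an added example (it is not Zimperium's z9 code and does not describe its models). Every feature is computed from packet headers and timing; payload bytes are never consulted. A one-dimensional decision stump stands in for the engine's real classifiers, the traffic windows are constructed rather than captured, and the record layout, feature names and addresses are all assumptions of the example. The held-out set deliberately includes a slow probe buried in normal traffic, which this crude model misses, illustrating why tuning is the hard part.

```python
"""Added example (not Zimperium code): a toy zero packet inspection classifier.
Features come only from packet headers and timing, never payload bytes. A
decision stump stands in for the real engine's models; all traffic is constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class HeaderRecord:
    t: float     # seconds since capture start
    src: str     # source address (IP, or MAC for ARP)
    dst: str     # destination address
    proto: str   # "TCP", "UDP" or "ARP"
    dport: int   # destination port; 0 for ARP, which has none

def window_features(records):
    """Header-only features for one window of traffic from one source."""
    ports = {r.dport for r in records if r.proto != "ARP"}
    hosts = {r.dst for r in records}
    pairs = {(r.dst, r.dport) for r in records}
    # novelty: share of packets aimed at a distinct (host, port) target;
    # near 1.0 means almost every packet probes something new
    return {"distinct_ports": len(ports), "distinct_hosts": len(hosts),
            "novelty": len(pairs) / len(records)}

def train_stump(samples):
    """Pick the (feature, threshold) pair with the fewest training errors.
    samples: list of (features, label) with label True for malicious.
    Thresholds are midpoints between neighbouring observed values; the stump
    predicts malicious when feature >= threshold."""
    best = None
    for name in samples[0][0]:
        values = sorted({f[name] for f, _ in samples})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            errors = sum((f[name] >= thr) != y for f, y in samples)
            if best is None or errors < best[0]:
                best = (errors, name, thr)
    return {"feature": best[1], "threshold": best[2]}

def predict(model, feats):
    return feats[model["feature"]] >= model["threshold"]

def evaluate(model, samples):
    """Confusion counts plus false-positive and false-negative rates."""
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for f, y in samples:
        p = predict(model, f)
        c["tp" if p and y else "fp" if p else "fn" if y else "tn"] += 1
    c["fpr"] = c["fp"] / ((c["fp"] + c["tn"]) or 1)
    c["fnr"] = c["fn"] / ((c["fn"] + c["tp"]) or 1)
    return c

def scan_stream(model, records, window=10.0):
    """Deployment view: bucket a stream per (source, time window) and flag."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r.src, int(r.t // window))].append(r)
    return {k: predict(model, window_features(rs)) for k, rs in buckets.items()}

# ---- constructed traffic windows; label True = malicious ----
def benign(src, t0, n=12):
    """Ordinary phone traffic: DNS plus HTTPS to a few hosts."""
    hosts = ["10.0.0.53", "93.184.216.34", "172.217.0.1"]
    return [HeaderRecord(t0 + i * 0.5, src, hosts[i % 3], "UDP" if i % 3 == 0 else "TCP",
                         53 if i % 3 == 0 else 443) for i in range(n)]

def port_sweep(src, t0, n=30):
    """Many distinct ports on one host within seconds: a port-scan pattern."""
    return [HeaderRecord(t0 + i * 0.1, src, "192.168.1.20", "TCP", 8000 + i) for i in range(n)]

def arp_sweep(src, t0, n=20):
    """Many distinct hosts probed over ARP: a host-discovery pattern."""
    return [HeaderRecord(t0 + i * 0.2, src, f"192.168.1.{i + 1}", "ARP", 0) for i in range(n)]

def labelled(windows):
    return [(window_features(recs), y) for recs, y in windows]

TRAIN_WINDOWS = [(benign("10.0.0.11", 0), False), (benign("10.0.0.12", 10, n=8), False),
                 (port_sweep("10.0.0.99", 20), True), (arp_sweep("aa:bb:cc:dd:ee:01", 30), True)]
TEST_WINDOWS = [(benign("10.0.0.13", 40), False), (benign("10.0.0.14", 50, n=6), False),
                (port_sweep("10.0.0.98", 60, n=15), True), (arp_sweep("aa:bb:cc:dd:ee:02", 70), True),
                # a slow probe hidden inside normal traffic: the hard case for tuning
                (benign("10.0.0.15", 80) + port_sweep("10.0.0.15", 87, n=3), True)]
MODEL = train_stump(labelled(TRAIN_WINDOWS))
METRICS = evaluate(MODEL, labelled(TEST_WINDOWS))

if __name__ == "__main__":
    print("model:", MODEL)
    print("held-out metrics:", METRICS)
    flags = scan_stream(MODEL, [r for recs, _ in TEST_WINDOWS for r in recs])
    print("flagged windows:", [k for k, v in flags.items() if v])
```

On this data the stump settles on the novelty feature, catches both fast sweeps with no false positives, and misses the mixed window (one false negative), which is exactly the kind of gap the "attack the device and check every time" validation step is meant to expose before the engine ships.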

For a deeper dive inside the AI-based ZPI inside the z9 engine, see these blog posts: first, “Zero Packet Inspection,” by Yaniv Karta, followed by “ZPI: One approach to rule them all,” by Nicolás Chiaraviglio.

Deploying AI-Based ZPI in Custom Software

While it’s essential to have a fast, accurate engine that can detect malicious network traffic, that’s not enough. The engine has to be deployed, such as by being packaged up inside tools or applications that can be downloaded and installed by mobile users.

Without getting into the Zimperium product line, let’s call out one particular offering, the Zimperium In-App Protection (zIAP) SDK. Available to both commercial and enterprise software developers, zIAP uses the z9 engine to ensure that mobile applications remain safe by providing immediate device risk assessments and threat alerts.

For example, the developers of a mobile banking app can embed the z9 engine into the app, ensuring that all network traffic going to and from that app is benign – and that the app is not under attack. That way, the mobile user’s banking data and transactions will be protected, whether or not there’s any broader anti-malware solution installed on the device itself. If the user has anti-malware installed, that’s great. If not, at least the banking app is secure.

The same would be true with enterprise apps designed to help mobile employees access systems remotely, such as enterprise resource planning (ERP) or customer relationship management (CRM) tools. In today’s BYOD (bring your own device) environment, employees may not have locked-down corporate phones or tablets. No problem: if the enterprise app developer uses the zIAP SDK to embed the z9 engine, all of the business’s network traffic will be secure.

Going deeper: zIAP embeds the z9 engine, the heart of the zIPS app, inside mobile applications. This means that it can determine if a device is compromised. When a device is under attack, zIAP informs the app and initiates risk mitigation actions, such as invalidating sessions, destroying cryptographic keys, deleting caches, and raising fraud alerts. The SDK is completely configurable by app developers, who can select whatever remedial action should apply to corporate, partner or customer apps.

So, in the mobile banking app above, if the z9 engine determines that an attack is underway, it can delete information about the user’s stored credit/debit cards, flush the cache of the user’s account name, password, and other personal information, and raise a fraud alert with the bank – while also informing the user that there’s a problem.
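The app-side half of that flow, as an added example that is not the zIAP SDK and does not use its API: a detection engine hands the app a threat report, and a developer-configured policy table decides which of the remediation actions named above fire for a given severity, in a fixed safe order. The report and state types, the severity scale and the policy values are all hypothetical.

```python
"""Added example (not the zIAP SDK): an app-side handler that turns a threat
report from a detection engine into configurable remediation actions and
records what it did. ThreatReport, AppState and the policy table are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ThreatReport:
    kind: str       # e.g. "network_scan", "rogue_access_point"
    severity: int   # 1 = low, 2 = elevated, 3 = critical (hypothetical scale)

@dataclass
class AppState:
    """The sensitive material a banking-style app holds on the device (sample values)."""
    session_token: Optional[str] = "sess-0001"
    card_keys: Dict[str, bytes] = field(default_factory=lambda: {"card-1": b"\x11" * 32})
    cache: Dict[str, str] = field(default_factory=lambda: {"account": "alice", "password": "hunter2"})
    fraud_alerts: List[str] = field(default_factory=list)
    user_messages: List[str] = field(default_factory=list)

# Order matters: drop the session before destroying the keys that back it, and
# tell the user last so the device is already in a safe state when they read it.
ACTION_ORDER = ["invalidate_session", "destroy_keys", "delete_cache",
                "raise_fraud_alert", "notify_user"]

# Per app flavour: the minimum severity at which each action fires. This is the
# table an app developer would tune; a customer app is gentler than a corporate one.
POLICY = {
    "customer":  {"notify_user": 1, "invalidate_session": 2, "delete_cache": 2,
                  "destroy_keys": 3, "raise_fraud_alert": 3},
    "corporate": {"notify_user": 1, "invalidate_session": 1, "delete_cache": 1,
                  "destroy_keys": 2, "raise_fraud_alert": 2},
}

def _apply(state: AppState, action: str, report: ThreatReport) -> None:
    """Perform one remediation action against the in-memory app state."""
    if action == "invalidate_session":
        state.session_token = None          # server-side revocation would go here too
    elif action == "destroy_keys":
        state.card_keys.clear()             # a real app would zeroise the keystore entry
    elif action == "delete_cache":
        state.cache.clear()
    elif action == "raise_fraud_alert":
        state.fraud_alerts.append(f"{report.kind} severity={report.severity}")
    elif action == "notify_user":
        state.user_messages.append("A security problem was detected; please reconnect on a trusted network.")

def on_threat(state: AppState, report: ThreatReport, app_flavour: str) -> List[str]:
    """Callback the engine would invoke; returns the actions taken, in order."""
    thresholds = POLICY[app_flavour]
    taken = [a for a in ACTION_ORDER if report.severity >= thresholds.get(a, 99)]
    for action in taken:
        _apply(state, action, report)
    return taken

if __name__ == "__main__":
    s = AppState()
    print(on_threat(s, ThreatReport("network_scan", 2), "customer"), s)
```

With the sample policy, an elevated-severity report in a customer app drops the session and cache and tells the user but keeps the card keys, while the same report in a corporate app takes every action including the fraud alert; changing the policy table changes the response without touching the handler.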

Protecting Applications, Devices, Clients, and Enterprises

Network traffic is an attack vector into a mobile device, whether that traffic is triggered by web browsing, email, mobile apps, or even the process of signing into a WiFi network. The only way to protect against that is by scanning the network traffic. Overall, the combination of AI-based machine learning with zero packet inspection is the fastest, most accurate, and least intrusive method to protect against mobile threats.
