
Opinion: Mobile security starts with a powerful AI-based scanning engine

16 Nov 2017

Article by Alan Zeichick, principal analyst at Camden Associates

The secret sauce is AI-based zero packet inspection. That is how to secure mobile users, along with their personal data and their employers' data.

Let’s back up a step. Mobile devices are increasingly under attack, from malicious apps, from rogue emails, from adware, and from network traffic. Worse, that network traffic can come from any number of sources, including cellular data, WiFi, even Bluetooth. Users want their devices to be safe and secure. But how, if the network traffic can’t be trusted?

The best approach around is AI-based zero packet inspection (ZPI). It all starts with data: large volumes of training data, used to teach a machine learning model to recognise the patterns that indicate whether a device is behaving normally or is under attack. Machine learning refers to a family of algorithms that study streams of data, detect patterns in that data quickly and accurately, and use those patterns to sort the data into categories.

The Zimperium z9 engine, as an example, is trained with machine learning against a large set of test cases (on both iOS and Android devices) that represent known patterns of safe and unsafe traffic. The approach is called zero-packet inspection because the objective is not to read the contents of network packets but to analyse the lower-level traffic patterns at the network level: IP, TCP, UDP and ARP header behaviour, including the network scans that show up in it.

(If you're not familiar with those terms, suffice it to say that at the network level, the traffic is concerned with delivering data to a specific device and then, within that device, with getting it to the right application. Think of it as an envelope going to a big business: it carries the business name, street address and department/mail stop. The machine learning algorithms look at patterns at that level rather than examining the contents of the envelope. Because only the small, fixed-structure header fields are examined, the scans are fast and, given good training data, accurate.)

ZPI in the Real World

Once the machine learning algorithms have been trained to make accurate diagnoses of malicious and non-malicious traffic in a test environment, the engine is let loose in the real world as a small agent installed on the iOS or Android device. The small, efficient agent looks at all incoming traffic using the same AI-based ZPI process and flags malicious traffic. It's just that easy.

Well, that makes it sound easy, but in reality it's tricky to create the training sets, fine-tune the machine learning algorithms, and ensure that the engine works with minimal false positives (benign traffic flagged as malicious) and false negatives (malicious traffic passed as safe). You check this by deploying the fully-trained engine and then attacking the device, to make sure that malicious traffic, such as network scans that probe for vulnerabilities, is flagged and blocked every time. Note that attacking the device only measures false negatives for the attacks you know how to launch; the false-positive rate has to be measured separately, by running the engine against a representative volume of known-benign traffic.
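To make the two ideas above concrete, here is an added Python example. It is not Zimperium's code (the z9 engine's features and model are not public); it only illustrates the approach the article describes: per-host features computed from IP/TCP/UDP/ARP header fields alone, never from payloads, a per-feature ceiling learned from benign-only traffic, and an evaluation that counts false positives and false negatives against a labelled test set. Every host, address, packet and threshold below is constructed for the example.

```python
"""Metadata-only ("zero packet inspection") scan detection with a labelled
false-positive / false-negative evaluation.

Added example, NOT Zimperium code. All hosts, addresses and packets are
constructed. The records hold header ("envelope") fields only; no payload
bytes exist anywhere in this program.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PacketMeta:
    ts: float
    src: str          # sender IP
    dst: str          # destination IP (for ARP: the IP being asked about)
    proto: str        # "TCP", "UDP" or "ARP"
    dport: int = 0    # destination port; 0 for ARP
    flags: str = ""   # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


def features(packets):
    """Per-source feature vector computed from headers alone."""
    syn, ack, udp, arp = (defaultdict(set) for _ in range(4))
    for p in packets:
        if p.proto == "TCP" and p.flags == "S":
            syn[p.src].add((p.dst, p.dport))
        elif p.proto == "TCP" and p.flags == "A":
            ack[p.src].add((p.dst, p.dport))
        elif p.proto == "UDP":
            udp[p.src].add((p.dst, p.dport))
        elif p.proto == "ARP":
            arp[p.src].add(p.dst)
    sources = set(syn) | set(ack) | set(udp) | set(arp)
    return {s: {
        "half_open_tcp": len(syn[s] - ack[s]),  # SYNs never followed by this host's ACK
        "udp_targets": len(udp[s]),             # distinct (host, port) pairs hit over UDP
        "arp_targets": len(arp[s]),             # distinct IPs asked about via ARP who-has
    } for s in sources}


def train_thresholds(benign_features, k=3.0):
    """'Training' on benign-only hosts: a per-feature ceiling of mean + k*stdev."""
    thresholds = {}
    for name in next(iter(benign_features.values())):
        vals = [f[name] for f in benign_features.values()]
        thresholds[name] = mean(vals) + k * pstdev(vals)
    return thresholds


def is_malicious(fv, thresholds):
    """Flag a host if any header-level feature exceeds its learned ceiling."""
    return any(fv[name] > th for name, th in thresholds.items())


def evaluate(test_features, labels, thresholds):
    """Count true/false positives and negatives against ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for src, fv in test_features.items():
        flagged, bad = is_malicious(fv, thresholds), labels[src]
        counts[("tp" if bad else "fp") if flagged else ("fn" if bad else "tn")] += 1
    return counts


# ---- constructed traffic (no real captures) ---------------------------------
def connect(src, dst, port, t):   # completed three-way handshake
    return [PacketMeta(t, src, dst, "TCP", port, "S"),
            PacketMeta(t + .01, dst, src, "TCP", 0, "SA"),
            PacketMeta(t + .02, src, dst, "TCP", port, "A")]

def probe(src, dst, port, t):     # bare SYN that is never acknowledged
    return [PacketMeta(t, src, dst, "TCP", port, "S")]

def udp_to(src, dst, port, t):
    return [PacketMeta(t, src, dst, "UDP", port)]

def arp_who_has(src, target, t):
    return [PacketMeta(t, src, target, "ARP")]

GW, SRV = "10.0.0.1", "10.0.0.50"
BENIGN = (  # four normal hosts: web, DNS, NTP, a failed connect or two, a few ARP lookups
    connect("10.0.0.2", SRV, 443, 1) + udp_to("10.0.0.2", GW, 53, 2) + arp_who_has("10.0.0.2", GW, 0)
    + connect("10.0.0.3", SRV, 443, 3) + probe("10.0.0.3", "10.0.0.52", 8443, 4)
    + udp_to("10.0.0.3", GW, 53, 5) + udp_to("10.0.0.3", GW, 123, 6)
    + arp_who_has("10.0.0.3", GW, 0) + arp_who_has("10.0.0.3", SRV, 0)
    + connect("10.0.0.4", SRV, 443, 7) + udp_to("10.0.0.4", GW, 53, 8) + arp_who_has("10.0.0.4", GW, 0)
    + probe("10.0.0.5", "10.0.0.52", 8443, 9) + probe("10.0.0.5", "10.0.0.53", 22, 10)
    + udp_to("10.0.0.5", GW, 53, 11) + sum((arp_who_has("10.0.0.5", f"10.0.0.{i}", 0) for i in (1, 50, 51)), [])
)
TEST = (
    sum((probe("10.0.0.9", SRV, p, 20) for p in (22, 80, 443, 3389, 8080)), [])   # port scanner
    + sum((arp_who_has("10.0.0.10", f"10.0.0.{i}", 21) for i in range(1, 9)), [])  # ARP sweep
    + connect("10.0.0.11", SRV, 443, 22) + udp_to("10.0.0.11", GW, 53, 23) + arp_who_has("10.0.0.11", GW, 0)
    + sum((probe("10.0.0.12", f"10.0.0.{h}", 8443, 24) for h in (52, 53, 54)), [])  # chatty but benign
    + udp_to("10.0.0.12", GW, 53, 25) + udp_to("10.0.0.12", GW, 123, 26)
    + arp_who_has("10.0.0.12", GW, 0) + arp_who_has("10.0.0.12", SRV, 0)
    + sum((probe("10.0.0.13", SRV, p, 27) for p in (22, 80, 443)), [])             # low-and-slow scanner
)
LABELS = {"10.0.0.9": True, "10.0.0.10": True, "10.0.0.11": False,
          "10.0.0.12": False, "10.0.0.13": True}   # True = malicious

THRESHOLDS = train_thresholds(features(BENIGN))
RESULT = evaluate(features(TEST), LABELS, THRESHOLDS)

if __name__ == "__main__":
    print("learned ceilings:", {k: round(v, 2) for k, v in THRESHOLDS.items()})
    print("confusion counts:", RESULT)
```

With the default k=3.0 the port scanner and the ARP sweep are caught and the two benign hosts pass, but the low-and-slow scanner 10.0.0.13, which probes only three ports, stays under the half-open ceiling and is a false negative. Lowering k to 1.0 catches it, at the cost of flagging the chatty-but-benign host 10.0.0.12 as a false positive. That trade-off, and the fact that the server's SYN-ACKs never create a suspicious entry, is what the labelled evaluation is there to surface before the engine ships.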

For a deeper dive into the AI-based ZPI inside the z9 engine, see these blog posts: first, "Zero Packet Inspection," by Yaniv Karta, followed by "ZPI: One approach to rule them all," by Nicolás Chiaraviglio.

Deploying AI-Based ZPI in Custom Software

While it's essential to have a fast, accurate engine that can detect malicious network traffic, that's not enough. The engine has to be deployed, for example by being packaged inside tools or applications that mobile users can download and install.

Without getting into the Zimperium product line, let’s call out one particular offering, the Zimperium In-App Protection (zIAP) SDK. Available to both commercial and enterprise software developers, zIAP uses the z9 engine to ensure that mobile applications remain safe by providing immediate device risk assessments and threat alerts.

For example, the developers of a mobile banking app can embed the z9 engine in the app so that network traffic reaching the device is monitored and the app is told when it is under attack. That way, the mobile user's banking data and transactions get protection whether or not a broader anti-malware product is installed on the device. If the user has anti-malware installed, that's great. If not, at least the banking app can defend itself.

The same would be true of enterprise apps designed to help mobile employees access systems remotely, such as enterprise resource planning (ERP) or customer relationship management (CRM) tools. In today's BYOD (bring your own device) environment, employees may not have locked-down corporate phones or tablets. No problem: if the enterprise app developer embedded the z9 engine via the zIAP SDK, the app can detect when the device it runs on is under attack and react, even on an unmanaged personal device.

Going deeper: zIAP embeds the z9 engine, the heart of the zIPS app, inside mobile applications. This means that it can determine if a device is compromised. When a device is under attack, zIAP informs the app and initiates risk mitigation actions, such as invalidating sessions, destroying cryptographic keys, deleting caches, and raising fraud alerts. The SDK is completely configurable by app developers, who can select whatever remedial action should apply to corporate, partner or customer apps.

So, in the mobile banking app above, if the z9 engine determines that an attack is under way, the app can delete the user's stored credit/debit card details, flush cached account names, passwords and other personal information, and raise a fraud alert with the bank, while also telling the user that there is a problem.

Protecting Applications, Devices, Clients, and Enterprises

Network traffic is an attack vector into a mobile device, whether that traffic is triggered by web browsing, email, mobile apps, or even the process of joining a Wi-Fi network. The only way to protect against that is by scanning the network traffic. Overall, the combination of AI-based machine learning with zero packet inspection is the fastest, most accurate, and least intrusive method to protect against mobile threats.
