Understanding Top Cybersecurity Technology Trends

Author: Yunchuan Wei, Ph.D
Date Published: 13 September 2023

The evolution of technology requires a parallel shift in each of its fields. This includes cybersecurity, as data breaches, ransomware and hacks have become the norm.

From the viewpoint of the philosophy of science and technology, the emergence of a new technology is never sudden, random or uncertain; it is a systematic step-by-step process. Therefore, by analyzing the status of existing technology as it is developed and deployed, it is possible to predict future trends in technology development.

The Research Institute of New Technology (RINT) at Hillstone Networks has carried out a series of studies on novel technologies, and based on this analysis of the existing cybersecurity landscape, the top emerging cybersecurity technology trends can be identified.

RINT examined approximately 900 papers published in 2022 in the top academic journals in the fields of computers, network security and cryptography and obtained detailed statistics on the technical fields covered in those papers. Based on RINT’s analysis, the most popular research topics in the cybersecurity space in 2022 are shown in figure 1. The top 10 cybersecurity technology trends are based on these topics.

Top 10 Cybersecurity Technology Trends

As technology continues to advance, so do threats to cybersecurity and opportunities for innovation. It is valuable to understand the top technologies that are shaping the way organizations approach security.

1. Four Main Areas Will Dominate Cybersecurity
Nearly half the research papers analyzed focused on four fields: Internet of Things (IoT) security, malware detection, intrusion detection and machine learning (ML).

The other half of the research papers covered dozens of topics, indicating that cybersecurity is a top priority across industries and disciplines and that there are many cybersecurity issues that need to be addressed and resolved. Engineers and product owners in the cybersecurity field have a golden opportunity to leverage lessons learned from these research papers to improve the effectiveness of their security products.

2. “You Cannot Put New Wine in Old Bottles” Will Be the Primary Methodology Applied to Problem Solving
“You cannot put new wine in old bottles” is a proverb that means new problems cannot be solved with old methods.

Some common cybersecurity problems such as intrusion detection and malware detection have existed for many years. The main reason for their persistence is the emergence of endless new attacks and their associated defense techniques. As a result, current detection solutions invariably become obsolete.

In addition, these ongoing problems have never been completely resolved, so they continue to be relevant threats. For example, there is no universal method to effectively detect any zero-day malware.

However, new approaches and tools such as ML can be used to address these problems. ML is based on the concept of using data to train models to make predictions or decisions. As more data become available, the algorithms can be retrained and the parameters adjusted to better fit the new data’s patterns and relationships, resulting in improved accuracy and output.

So-called outdated problems cannot be ignored. Product developers must keep pace with emerging technologies to learn how to use them to better address lingering challenges with more effective solutions.

3. IoT and ICS Security Will Gain Momentum
In 2022, IoT accounted for 15 percent of the research articles analyzed, and industrial control systems (ICSs) accounted for five percent. Some researchers believe ICS is a subset of IoT, so their combined research totaled 20 percent. The rapid implementation of IoT and ICS devices across all industries, including in critical infrastructures, is creating new opportunities for cyberattacks. Due to the growing use and vulnerabilities of IoT and ICS, cybersecurity professionals should pay more attention to them. Their main challenges and research opportunities are shown in figure 2.

Many of these systems were designed and developed without security in mind, and they often suffer from weak authentication and encryption. Many systems are complex and interconnected, and most are not updated or patched regularly. All these challenges, combined with ignorance of security threats and a lack of skills and resources, can lead to rampant exploitation by cybercriminals. An attack on critical infrastructure, for example, can wreak havoc and cause widespread disruption, but any attack on these devices will have an impact.

Cybersecurity practitioners can take several measures to mitigate adverse impacts, including implementing firewalls, intrusion detection systems and antivirus software as minimum protection for these devices. Implementing best practices such as regular vulnerability assessments and maintaining software patches and updates can help identify vulnerabilities that can be potentially exploited to gain access to the infrastructure. Other measures include implementing strict access control policies as well as conducting regular training and driving awareness programs for employees.

4. ZSL Will Be Used in Malware Detection
A zero-shot learning (ZSL) method called Malware-SMELL has been proposed for detecting zero-day malware.1 ZSL allows the system to recognize and classify previously unseen malware samples based on their similarity to known malware families. The Malware-SMELL method uses a combination of deep learning and natural language processing (NLP) techniques to extract attributes from malware samples. It then trains a ZSL model to recognize and classify new samples based on those attributes.

The method uses a similarity measure between two malware samples based on visual representation, including latent feature space and S space representation.

Latent feature space is a representation of the malware samples in a high-dimensional feature space. This approach can be used to extract features or attributes from malware samples and project them onto a high-dimensional feature space. This feature space can be learned through a deep learning model, and the features that are extracted from the malware samples can be used to classify new samples into different types or families of malware.

S space refers to a representation of the malware samples in a lower-dimensional space, where each sample is represented as a sparse binary vector. The S space representation is obtained using natural language processing techniques that process the textual representation of the malware samples.

The combination of these two representations allows the Malware-SMELL method to capture both the structural and semantic characteristics of malware samples, making it more effective in identifying and classifying new malware samples. In the report, it was found that Malware-SMELL can detect previously unknown malware with 84 percent accuracy.2

ZSL appears to be an effective way to handle extremely imbalanced data sets. When there are far fewer positive (malicious, or “dark”) samples than negative (benign, or “white”) samples, traditional ML methods can produce nonrobust models. ZSL addresses this by detecting positive samples, even when very few of them exist, using knowledge of related samples. Therefore, this method can improve the model’s performance even on highly imbalanced data sets.

The advantage of the Malware-SMELL method is that it can detect zero-day malware without relying on signature-based methods or prior knowledge of the malware, making it a powerful tool for identifying new threats.
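The mechanism described above, recognising a family for which no training samples exist from a description of its attributes, can be shown in a few dozen lines. The example below is added here and is not Malware-SMELL’s code: the deep-learning latent space is replaced by four hand-picked numeric features, the NLP-derived S space by a binary attribute signature per family, and the learned similarity by per-attribute nearest-centroid predictors on standardised features. All family names, attribute names, signatures and feature values are constructed for the illustration; the “worm” family is deliberately left without training samples.

```python
"""Attribute-based zero-shot classification of malware samples (added example).

Stand-ins for the two representations in the text:
  latent space  -> a numeric feature vector per sample
  S space       -> a binary attribute signature per family
Per-attribute predictors are trained only on samples from the *seen* families;
a family with no samples is still recognised because its signature is known.
"""
import math

ATTRIBUTE_NAMES = ("packed", "uses_network", "persistence", "encrypts_files")

# Constructed attribute signatures. "worm" has no training samples below.
FAMILY_ATTRIBUTES = {
    "downloader": (0, 1, 0, 0),
    "ransom":     (1, 0, 0, 1),
    "backdoor":   (1, 1, 1, 0),
    "worm":       (1, 1, 0, 0),   # unseen family, described by attributes only
}

# Constructed training samples for the seen families. Feature order:
# (mean section entropy, network API calls, registry writes, crypto API calls)
TRAINING = [
    ((5.0, 4, 0, 0), "downloader"), ((5.2, 5, 0, 0), "downloader"),
    ((7.7, 0, 0, 6), "ransom"),     ((7.9, 1, 0, 5), "ransom"),
    ((7.5, 5, 3, 0), "backdoor"),   ((7.4, 6, 4, 0), "backdoor"),
]


def _mean(vectors):
    n = len(vectors)
    return tuple(sum(v[i] for v in vectors) / n for i in range(len(vectors[0])))


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class ZeroShotMalwareClassifier:
    def __init__(self, training, family_attributes):
        self.family_attributes = family_attributes
        feats = [x for x, _ in training]
        # Standardise each feature so no single dimension dominates the distance.
        self.mu = _mean(feats)
        self.sigma = tuple(
            math.sqrt(sum((v[i] - self.mu[i]) ** 2 for v in feats) / len(feats)) or 1.0
            for i in range(len(self.mu))
        )
        scaled = [(self._scale(x), fam) for x, fam in training]
        # One predictor per attribute: centroid of samples lacking it vs. having it.
        self.centroids = {}
        for idx, name in enumerate(ATTRIBUTE_NAMES):
            have = [x for x, fam in scaled if family_attributes[fam][idx] == 1]
            lack = [x for x, fam in scaled if family_attributes[fam][idx] == 0]
            if not have or not lack:
                raise ValueError(f"attribute {name!r} has no contrast among seen families")
            self.centroids[name] = (_mean(lack), _mean(have))

    def _scale(self, x):
        return tuple((v - m) / s for v, m, s in zip(x, self.mu, self.sigma))

    def predict_attributes(self, x):
        """Map a sample from feature space into the binary attribute space."""
        z = self._scale(x)
        return tuple(
            1 if _dist(z, self.centroids[n][1]) < _dist(z, self.centroids[n][0]) else 0
            for n in ATTRIBUTE_NAMES
        )

    def classify(self, x):
        """Nearest family signature by Hamming distance, seen or unseen alike."""
        predicted = self.predict_attributes(x)
        return min(
            self.family_attributes,
            key=lambda fam: sum(a != b for a, b in zip(predicted, self.family_attributes[fam])),
        )


if __name__ == "__main__":
    clf = ZeroShotMalwareClassifier(TRAINING, FAMILY_ATTRIBUTES)
    unseen_sample = (7.8, 5, 0, 0)   # constructed: packed, networked, no persistence
    print(clf.predict_attributes(unseen_sample), clf.classify(unseen_sample))
```

The check that matters is the `ValueError`: zero-shot recognition only works when every attribute splits the seen families in some way, otherwise the predictor for that attribute has nothing to learn from and the unseen signature is unreachable.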

5. Intrusion Detection for High-Speed Traffic
Existing intrusion detection and prevention systems (IDPSs) struggle to cope with today’s rapidly increasing network traffic. The Internet Protocol Flow Information Export (IPFIX) standard allows network devices to export traffic flow information that is then used to analyze and detect anomalies.3 Researchers from Paderborn University in Paderborn, Germany, proposed the IPFIX-based and signature-based intrusion detection system (IDS) FIXIDS, which is designed for high-speed traffic.4 In FIXIDS, IPFIX exports traffic flow data to the detection engine, where the data are processed and signature-based detection is applied to identify malicious activity and provide alerts in real time. The detection engine uses a lightweight signature-matching algorithm optimized for high-speed traffic. This allows the system to process traffic at a rate that is four times faster than Snort, a popular IDS, without losing packets.
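The flow-level matching that FIXIDS applies, as an added illustration that is not FIXIDS’s code: flow records are represented as the text a collector might export, with IPFIX information element names as columns (sourceIPv4Address, protocolIdentifier, destinationTransportPort, octetDeltaCount, packetDeltaCount, tcpControlBits), and are run through two constructed stateless signatures plus one stateful rule. The record values, signature names and thresholds are all invented for the example, and the signatures are not Snort-compatible.

```python
"""Signature matching on exported flow records (added example, not FIXIDS code)."""
from collections import defaultdict, deque

# Constructed flow records: IPFIX information element names, invented values.
FLOW_RECORDS = """\
flowStartMilliseconds,sourceIPv4Address,destinationIPv4Address,protocolIdentifier,sourceTransportPort,destinationTransportPort,octetDeltaCount,packetDeltaCount,tcpControlBits
1000,10.0.0.5,10.0.0.20,6,51000,22,120,3,0x02
1100,10.0.0.5,10.0.0.20,6,51001,23,120,3,0x02
1200,10.0.0.5,10.0.0.20,6,51002,445,120,3,0x02
1300,10.0.0.5,10.0.0.20,6,51003,3389,120,3,0x02
1400,10.0.0.5,10.0.0.20,6,51004,8080,120,3,0x02
2000,10.0.0.7,192.0.2.10,6,52000,443,15800,40,0x1b
2500,10.0.0.9,203.0.113.8,6,53000,4444,2600000,1900,0x1b
3000,10.0.0.9,10.0.0.1,17,41000,53,210,2,0x00
3100,10.0.0.9,198.51.100.12,17,41001,53,9400,12,0x00
"""

INT_FIELDS = ("flowStartMilliseconds", "protocolIdentifier", "sourceTransportPort",
              "destinationTransportPort", "octetDeltaCount", "packetDeltaCount")


def parse_flows(text):
    """Turn the exported text into typed records, ordered by flow start time."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        rec["tcpControlBits"] = int(rec["tcpControlBits"], 16)
        flows.append(rec)
    return sorted(flows, key=lambda r: r["flowStartMilliseconds"])


# Stateless per-flow signatures (constructed). Every key is optional.
SIGNATURES = [
    {"name": "Large transfer to uncommon TCP port", "proto": 6,
     "exclude_dst_ports": {22, 80, 443}, "min_octets": 1_000_000},
    {"name": "Oversized DNS flow", "proto": 17, "dst_ports": {53},
     "min_octets_per_packet": 600},
]

# Stateful rule: SYN-only flows from one source to many distinct targets in a window.
SCAN_RULE = {"name": "SYN scan", "tcp_flags": 0x02, "max_packets": 3,
             "distinct_targets": 5, "window_ms": 2000}


def flow_matches(sig, flow):
    if "proto" in sig and flow["protocolIdentifier"] != sig["proto"]:
        return False
    port = flow["destinationTransportPort"]
    if "dst_ports" in sig and port not in sig["dst_ports"]:
        return False
    if "exclude_dst_ports" in sig and port in sig["exclude_dst_ports"]:
        return False
    if "min_octets" in sig and flow["octetDeltaCount"] < sig["min_octets"]:
        return False
    if "min_octets_per_packet" in sig and (
            flow["octetDeltaCount"] / flow["packetDeltaCount"] < sig["min_octets_per_packet"]):
        return False
    return True


def detect(flows, signatures=SIGNATURES, scan_rule=SCAN_RULE):
    """Return (timestamp, rule name, source address) alerts in flow order."""
    alerts = []
    recent = defaultdict(deque)       # source -> (timestamp, target) of SYN-only flows
    flagged_sources = set()           # alert once per scanning source
    for flow in flows:
        ts, src = flow["flowStartMilliseconds"], flow["sourceIPv4Address"]
        for sig in signatures:
            if flow_matches(sig, flow):
                alerts.append((ts, sig["name"], src))
        syn_only = (flow["protocolIdentifier"] == 6
                    and flow["tcpControlBits"] == scan_rule["tcp_flags"]
                    and flow["packetDeltaCount"] <= scan_rule["max_packets"])
        if syn_only:
            window = recent[src]
            window.append((ts, (flow["destinationIPv4Address"], flow["destinationTransportPort"])))
            while window and ts - window[0][0] > scan_rule["window_ms"]:
                window.popleft()
            targets = {target for _, target in window}
            if src not in flagged_sources and len(targets) >= scan_rule["distinct_targets"]:
                alerts.append((ts, scan_rule["name"], src))
                flagged_sources.add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(FLOW_RECORDS)):
        print(alert)
```

The stateless signatures cost a handful of comparisons per flow record rather than per packet, which is the performance argument for flow-based detection; the one stateful rule shows the price of keeping any per-source state at all (a bounded window, evicted by time), which is where memory pressure appears at high flow rates.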


FIXIDS is a fast, accurate and reliable IDS that can handle high-speed network traffic without sacrificing performance. The combined IPFIX and signature-based detection makes FIXIDS a powerful tool for detecting and preventing malicious activity on today’s networks.

As network traffic continues to increase exponentially, existing cybersecurity solutions may no longer be effective for high-speed traffic. This is another reason why product owners and developers should keep abreast of new research and industry dynamics to ensure that the solutions they design and deliver effectively address actual problems.

6. Ability to Peek at Encrypted Traffic
According to Google’s network monitoring data, encrypted traffic accounts for more than 95 percent of the traffic flowing through Google servers.5

With more encryption methods carried out at the network, transmission and application layers, a hidden and opaque Internet world is being built from the network traffic perspective. Traditional methods based on payload content analysis (e.g., deep packet inspection) are becoming weaker and less effective because the content of encrypted traffic cannot be easily inspected or analyzed, making it difficult to detect malicious activity within it.

However, ML methods may be the answer. Researchers from the Cyberspace Technology Centre in Singapore propose a general ML-based framework for detecting malware in encrypted traffic.6 The framework consists of six main steps. In the first step, the research target is set, followed by traffic data set collection. Traffic data sets can be collected in two ways: real traffic collection and simulated traffic generation. The subsequent steps include preprocessing, extraction and selection of the feature sets, algorithm selection and performance evaluation.

In the absence of universally recognized data sets and feature sets, the researchers used their own data sets to train this model. Therefore, the results and performance of their models cannot be reliably compared or analyzed. However, they analyzed, processed and combined data sets from five different sources to generate a comprehensive and fair data set, laying the foundation for future research. Furthermore, 10 kinds of encrypted malicious traffic detection algorithms were realized and compared, giving peers an important reference.
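The six-step framework above (target, data collection, preprocessing, feature extraction and selection, algorithm selection, evaluation) is easier to reason about once each step is a function. The example below is an added illustration, not the researchers’ framework or data set: the “collection” step is simulated traffic generation, the features are flow metadata that survive encryption (packet sizes, upload share, regularity of client sends, packet count), the algorithm is a 3-nearest-neighbour classifier with min-max scaling, and evaluation reports precision, recall and F1. The same spatial-temporal features also underlie the Darknet traffic classification discussed later in this article. All flows, class names and thresholds are constructed.

```python
"""ML pipeline for encrypted-traffic detection on flow metadata (added example)."""
import random
import statistics


def make_flow(rng, kind):
    """Step 2 (simulated collection): a flow is a list of (time_s, direction, length)."""
    pkts, t = [], 0.0
    if kind == "beacon":                       # periodic small client check-ins
        for _ in range(rng.randint(8, 14)):
            t += 60.0 * rng.uniform(0.97, 1.03)
            pkts.append((t, "out", rng.randint(120, 180)))
            pkts.append((t + 0.05, "in", rng.randint(90, 140)))
    else:                                      # bursty browsing: few requests, large responses
        for _ in range(rng.randint(25, 45)):
            t += rng.expovariate(2.0)
            if rng.random() < 0.3:
                pkts.append((t, "out", rng.randint(100, 600)))
            else:
                pkts.append((t, "in", rng.randint(1000, 1460)))
    return pkts


def extract_features(flow):
    """Step 4: features computable without seeing any payload."""
    lengths = [length for _, _, length in flow]
    out_times = sorted(t for t, d, _ in flow if d == "out")
    iats = [b - a for a, b in zip(out_times, out_times[1:])]
    mean_iat = statistics.fmean(iats) if iats else 0.0
    cv_iat = statistics.pstdev(iats) / mean_iat if len(iats) >= 2 and mean_iat > 0 else 0.0
    return (
        statistics.fmean(lengths),                                   # mean packet size
        statistics.pstdev(lengths),                                  # size dispersion
        sum(l for _, d, l in flow if d == "out") / sum(lengths),     # upload share
        cv_iat,                                                      # regularity of client sends
        len(flow),                                                   # packet count
    )


def minmax_scaler(rows):
    """Step 3 (preprocessing): scale every feature into [0, 1] using training data only."""
    lo = [min(col) for col in zip(*rows)]
    hi = [max(col) for col in zip(*rows)]

    def scale(x):
        return tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi))
    return scale


def knn_predict(train, scale, x, k=3):
    """Step 5 (algorithm): majority vote among the k nearest scaled training flows."""
    z = scale(x)
    nearest = sorted(train, key=lambda item: sum((a - b) ** 2 for a, b in zip(scale(item[0]), z)))[:k]
    votes = sum(1 for _, label in nearest if label == 1)
    return 1 if votes * 2 > k else 0


def precision_recall_f1(tp, fp, fn):
    """Step 6 (evaluation)."""
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1


def run_pipeline(seed=7, per_class=10, train_per_class=6):
    rng = random.Random(seed)
    data = [(extract_features(make_flow(rng, "beacon")), 1) for _ in range(per_class)]
    data += [(extract_features(make_flow(rng, "browsing")), 0) for _ in range(per_class)]
    train = data[:train_per_class] + data[per_class:per_class + train_per_class]
    test = data[train_per_class:per_class] + data[per_class + train_per_class:]
    scale = minmax_scaler([x for x, _ in train])
    tp = fp = fn = 0
    for x, y in test:
        pred = knn_predict(train, scale, x)
        tp += int(pred == 1 and y == 1)
        fp += int(pred == 1 and y == 0)
        fn += int(pred == 0 and y == 1)
    return precision_recall_f1(tp, fp, fn)


if __name__ == "__main__":
    print("precision, recall, f1 =", run_pipeline())
```

The scaler is fitted on the training split only; fitting it on the whole data set leaks test statistics into training and is one of the reasons results across papers with private data sets cannot be compared, the point the paragraph above makes.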

Encrypted traffic protects the privacy of users but poses a threat to regulatory policy and national security. Therefore, cybersecurity product owners and developers must look for solutions beyond payload content analysis and take advantage of an ML-based framework to ensure the safety of encrypted traffic and data.

7. More Efficient Detection of APT Attacks
Advanced persistent threat (APT) detection is considered the pinnacle of cybersecurity defense. Because APT attacks involve complex techniques and highly customized tools, they are extremely difficult to detect and defend against. Various real-time detection mechanisms combining contextual information and source maps have been proposed to defend against APT attacks. However, existing real-time APT detection mechanisms have accuracy and efficiency problems due to inaccurate detection models and the increasing size of source maps—that is, the number of network devices and endpoints.

To address accuracy issues, researchers proposed a novel and accurate model for APT detection called CONAN.7

CONAN is a state-based framework in which events are consumed as streams, with each entity represented in a structure such as a file sequence analysis (FSA) data file. The attack scenario is reconstructed from only one-thousandth of the events stored in the database. The model was implemented on Windows operating systems and comprehensively tested in real-world attack scenarios, where CONAN accurately and effectively detected all APT attacks. In addition, the memory use and central processing unit (CPU) efficiency of CONAN remained unchanged over time. CONAN is now a reference model for detecting known and unknown APT attacks in real-world scenarios.

CONAN is a more effective and efficient model for APT detection because it uses a combination of artificial intelligence (AI) and cognitive security to detect APTs in real time. Cognitive security techniques, which include modeling how security analysts would respond to a threat, help improve accuracy and reduce false positives.
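Why a state-based, streaming design keeps memory flat over time is clearer with a small model of it. The example below is added here and is not CONAN’s code: each process or file is a tiny state machine, events are consumed one at a time and discarded, and only the per-entity state survives, so memory grows with the number of entities rather than the number of events. The event field names, the states and the detection chain (a file written by a network-connected process is later executed, and that new process then connects out) are assumptions for the illustration; the file paths and addresses are constructed.

```python
"""Per-entity state machines over an event stream (added example, not CONAN code)."""
from dataclasses import dataclass


@dataclass
class EntityState:
    kind: str               # "process" or "file"
    state: str = "clean"    # clean | net_tainted | tainted | exec_of_tainted
    origin: str = ""        # remote address the taint was traced back to


class StreamingDetector:
    """Consumes audit events one at a time; retains per-entity state only."""

    def __init__(self):
        self.entities = {}
        self.alerts = []
        self.events_consumed = 0

    def _entity(self, key, kind):
        return self.entities.setdefault(key, EntityState(kind))

    def consume(self, ev):
        self.events_consumed += 1
        kind = ev["type"]
        if kind == "net_recv":
            # A process that has read from the network carries that origin from now on.
            proc = self._entity(ev["pid"], "process")
            if proc.state == "clean":
                proc.state, proc.origin = "net_tainted", ev["remote"]
        elif kind == "file_write":
            # Files written by a network-sourced process inherit the origin.
            proc = self._entity(ev["pid"], "process")
            if proc.state in ("net_tainted", "exec_of_tainted"):
                f = self._entity(ev["path"], "file")
                f.state, f.origin = "tainted", proc.origin
        elif kind == "exec":
            # Executing such a file is the first high-confidence transition.
            f = self._entity(ev["path"], "file")
            child = self._entity(ev["child_pid"], "process")
            if f.state == "tainted":
                child.state, child.origin = "exec_of_tainted", f.origin
                self.alerts.append((ev["t"], "network-sourced file executed", ev["child_pid"], f.origin))
        elif kind == "net_send":
            proc = self._entity(ev["pid"], "process")
            if proc.state == "exec_of_tainted":
                self.alerts.append((ev["t"], "executed payload connecting out", ev["pid"], ev["remote"]))
        return self.alerts


# Constructed event streams (paths, pids and addresses are invented).
DOWNLOAD_EXECUTE_EVENTS = [
    {"t": 1, "type": "net_recv", "pid": 100, "remote": "203.0.113.5:443"},
    {"t": 2, "type": "file_write", "pid": 100, "path": "C:\\Users\\demo\\Downloads\\update.exe"},
    {"t": 3, "type": "exec", "pid": 100, "path": "C:\\Users\\demo\\Downloads\\update.exe", "child_pid": 200},
    {"t": 4, "type": "net_send", "pid": 200, "remote": "198.51.100.7:8443"},
]
BENIGN_EVENTS = [
    {"t": 1, "type": "file_write", "pid": 300, "path": "C:\\Users\\demo\\report.docx"},
    {"t": 2, "type": "exec", "pid": 300, "path": "C:\\Program Files\\Editor\\editor.exe", "child_pid": 301},
    {"t": 3, "type": "net_send", "pid": 301, "remote": "192.0.2.9:443"},
]


def run(events):
    det = StreamingDetector()
    for ev in events:
        det.consume(ev)
    return det


if __name__ == "__main__":
    det = run(DOWNLOAD_EXECUTE_EVENTS)
    print(det.alerts, "entities kept:", len(det.entities), "events seen:", det.events_consumed)
```

The trade-off the page’s accuracy remark points at is visible here: the same chain is produced by a browser fetching and running an installer, so a production system needs benign-exception handling (signed binaries, known update paths) on top of the state transitions, or the false-positive rate is unworkable.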

Detecting and preventing APT attacks are difficult tasks for cybersecurity professionals using traditional solutions, making new approaches worth a try.

8. Privacy Protection for ML
Human beings require privacy and so do ML models. The gradient information of deep learning models—changes in the models’ weights during the training process to improve accuracy—can lead to gradient leakage attacks, which are one of the most serious privacy threats in deep learning models. Attackers secretly monitor gradient updates during iterative training without affecting the model training quality. They then use a leaky gradient to secretly reconstruct sensitive training data with a high rate of success.

Researchers from the Georgia Institute of Technology, Atlanta, Georgia, USA, analyzed existing deep learning implementations with differential privacy, using fixed privacy parameters to inject constant noise into the gradient across all layers.8 Despite providing differential privacy protection, these methods had low accuracy and were vulnerable to gradient leakage attacks. The team proposed an elastic deep learning method against gradient leakage based on dynamic privacy parameters, introducing adaptive noise variance. Extensive experiments on six benchmark data sets showed that dynamic privacy parameters for differential privacy deep learning outperformed fixed differential parameters.


Among other approaches to preventing gradient leakage attacks—federated learning, regular auditing, obscuring or removing sensitive data, limiting access controls—varying the amount of noise added to the data based on the sensitivity of the training data can lead to better overall model performance.
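The difference between fixed and dynamic privacy parameters is easiest to see in the training step itself. The example below is an added illustration, not the Georgia Tech researchers’ method: it trains a logistic regression on a constructed, linearly separable data set with per-example gradient clipping and Gaussian noise in the style of differentially private SGD, and lets the caller choose the noise multiplier schedule. The fixed schedule injects the same noise at every step; the dynamic one shown is an assumed linear decay, one possible schedule and not the paper’s. No privacy accounting is performed, so the functions demonstrate the mechanism, not a privacy guarantee.

```python
"""Gradient clipping plus noise with fixed vs. dynamic noise schedules (added example)."""
import math
import random


def clip_gradient(grad, max_norm):
    """Scale a per-example gradient so its L2 norm is at most max_norm."""
    norm = math.sqrt(sum(g * g for g in grad))
    if norm <= max_norm or norm == 0.0:
        return list(grad)
    return [g * max_norm / norm for g in grad]


def fixed_noise_scale(step, total_steps, sigma=1.0):
    """Constant noise multiplier across all steps."""
    return sigma


def dynamic_noise_scale(step, total_steps, sigma_start=1.5, sigma_end=0.3):
    """Assumed dynamic schedule: linear decay of the noise multiplier."""
    return sigma_start + (sigma_end - sigma_start) * step / total_steps


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def private_sgd_step(weights, batch, lr, max_norm, sigma, rng):
    """Sum clipped per-example gradients, add N(0, (sigma*max_norm)^2) noise, average."""
    summed = [0.0] * len(weights)
    for x, y in batch:
        p = sigmoid(sum(w * xi for w, xi in zip(weights, x)))
        grad = clip_gradient([(p - y) * xi for xi in x], max_norm)
        summed = [s + g for s, g in zip(summed, grad)]
    noisy = [(s + rng.gauss(0.0, sigma * max_norm)) / len(batch) for s in summed]
    return [w - lr * g for w, g in zip(weights, noisy)]


def make_dataset(rng, n=200):
    """Constructed 2-D data with a bias feature; labels from a fixed linear rule."""
    data = []
    for _ in range(n):
        x1, x2 = rng.uniform(-3, 3), rng.uniform(-3, 3)
        data.append(((x1, x2, 1.0), 1 if x1 - 0.8 * x2 + 0.3 > 0 else 0))
    return data


def accuracy(weights, data):
    hits = sum((sigmoid(sum(w * xi for w, xi in zip(weights, x))) >= 0.5) == (y == 1)
               for x, y in data)
    return hits / len(data)


def train(noise_schedule, seed=1, steps=300, batch_size=20, lr=0.2, max_norm=1.0):
    rng = random.Random(seed)
    data = make_dataset(rng)
    weights = [0.0, 0.0, 0.0]
    for step in range(steps):
        batch = rng.sample(data, batch_size)
        sigma = noise_schedule(step, steps)
        weights = private_sgd_step(weights, batch, lr, max_norm, sigma, rng)
    return weights, accuracy(weights, data)


if __name__ == "__main__":
    for name, schedule in (("fixed", fixed_noise_scale), ("dynamic", dynamic_noise_scale)):
        _, acc = train(schedule)
        print(f"{name:8s} accuracy on constructed data: {acc:.3f}")
```

Clipping is what bounds any single example’s influence on an update; the noise is calibrated to that bound, which is why `sigma * max_norm` appears together. Varying `sigma` over training, as the paragraph above suggests, changes where in the run the budget is spent without changing that coupling.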

As ML becomes more prominent in cybersecurity solutions, caution is advisable when determining which ML models to use, and how, due to privacy implications. The models themselves need to be robust and resilient against cyberattacks to ensure their integrity.

9. The Darknet Will Not Be So Dark
The Darknet is considered a persistent and serious threat by most countries. It is a hotbed of illegal activity and can be a dangerous threat to national security. Traffic classification is the key to identifying anonymous network applications and preventing cybercrimes through the Darknet. Although the combination of ML algorithms and carefully designed spatial-temporal features in network traffic to classify Darknet traffic has achieved remarkable results, current methods either rely too heavily on these handcrafted features or ignore the intrinsic global relationships between local features automatically extracted from different data locations, resulting in limited classification performance.

Spatial-temporal features describe the properties of the network traffic:

  • Spatial features relate to the physical properties of the network, such as the source and destination IP addresses.
  • Temporal features relate to the timing of network traffic, such as the time of day or the duration of a session.

Spatial-temporal features are important because they can help distinguish normal network traffic from suspicious or malicious traffic, but they need to be integrated and mined for intrinsic relationships and hidden connections.

To solve this problem, researchers from Beihang University, Beijing, China, proposed a method called DarknetSec.9 It is a self-attentive deep learning method for Darknet traffic classification and application identification. Side-channel features were extracted from the payload statistics to improve its classification performance. Trained and tested on the CICDarknet2020 data set, it achieved 92.22 percent multiclass classification accuracy and a 92.10 percent F1 score. Moreover, DarknetSec maintained high accuracy when applied to other encrypted traffic classification tasks.

The Darknet is considered dangerous, and identifying Darknet traffic is the first step if the goal is to block, trace or regulate it. DarknetSec appears to be a promising tool to make the Darknet less dark.

10. Saying No to Ransomware
Ransomware has become an increasingly serious threat to governments, businesses and critical infrastructure in the past few years; therefore, understanding how to detect ransomware rapidly and accurately is an important research topic.

The trend is to use deep neural networks to detect ransomware, but the scarcity of training data for ransomware leads to challenges. Researchers from New Zealand proposed a Siamese neural network based on a meta-learning model that can learn from a small number of samples.10 Siamese not only detects ransomware, but also classifies it. The main principle is to compute entropy features (statistical measures of randomness or disorder in data) from ransomware binary files and relate them to the signatures of other ransomware. By extracting entropy features, Siamese can learn to recognize patterns that are common across different types of ransomware. This method achieved an F1 score greater than 0.86 for ransomware detection.
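What “entropy features” from a binary look like, and how a few-shot comparison against one exemplar per family works, can be shown without the neural network. The example below is added here and is not the researchers’ model: it computes Shannon entropy over fixed-size windows of a file, summarises the profile as a histogram plus the whole-file entropy, and classifies a query by nearest support exemplar under L1 distance. The learned Siamese embedding is replaced by that fixed distance, and the three “families” are constructed byte sequences (an encrypted-looking payload, a script-like text body and a mixed file), so the family names and the window and bin sizes are assumptions.

```python
"""Entropy-profile features and one-shot nearest-exemplar matching (added example)."""
import math
import random
from collections import Counter

WINDOW = 256
BIN_EDGES = (2.0, 4.0, 6.0, 7.0, 8.01)   # upper edges of entropy bins (bits per byte)


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, 0.0 to 8.0 bits per byte."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_profile(data: bytes):
    """Entropy of each consecutive WINDOW-byte block (partial trailing block dropped)."""
    return [shannon_entropy(data[i:i + WINDOW])
            for i in range(0, len(data) - WINDOW + 1, WINDOW)]


def entropy_features(data: bytes):
    """Histogram of block entropies (normalised) plus whole-file entropy / 8."""
    profile = entropy_profile(data)
    if not profile:
        return (0.0,) * len(BIN_EDGES) + (0.0,)
    hist = [0] * len(BIN_EDGES)
    for h in profile:
        hist[next(i for i, edge in enumerate(BIN_EDGES) if h < edge)] += 1
    return tuple(c / len(profile) for c in hist) + (shannon_entropy(data) / 8.0,)


def l1_distance(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


def one_shot_classify(support, query_bytes):
    """support: {family: exemplar bytes}, one sample per family (the few-shot setting)."""
    q = entropy_features(query_bytes)
    return min(support, key=lambda fam: l1_distance(entropy_features(support[fam]), q))


def synth_sample(kind, seed):
    """Constructed stand-ins for binaries of three families; not real malware."""
    rng = random.Random(seed)
    text_alphabet = bytes(range(97, 123)) + b" .,\n"        # 30 symbols, ~4.9 bits/byte
    if kind == "encrypted_payload":                          # low-entropy header, then noise
        return b"MZ" + bytes(254) + bytes(rng.getrandbits(8) for _ in range(16 * WINDOW))
    if kind == "script_like":                                # text-like throughout
        return bytes(rng.choice(text_alphabet) for _ in range(16 * WINDOW))
    return (bytes(rng.choice(text_alphabet) for _ in range(8 * WINDOW))   # "mixed"
            + bytes(rng.getrandbits(8) for _ in range(8 * WINDOW)))


if __name__ == "__main__":
    support = {k: synth_sample(k, 1) for k in ("encrypted_payload", "script_like", "mixed")}
    for k in support:
        print(k, "->", one_shot_classify(support, synth_sample(k, 2)))
```

The histogram is what carries the structural information: two files with the same overall entropy but different layouts (one uniformly medium, one half plaintext and half packed) land in different bins, which a single whole-file entropy value would not distinguish.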

Ransomware is malicious software, and recovery is costly in terms of brand and financial damage. Using deep learning methods to detect ransomware is promising, even with limited training data.

Conclusion

As the world becomes more interconnected and more dependent on technology, cybersecurity becomes a higher priority, especially as cybersecurity itself grows increasingly complex and sophisticated and threat actors become more skilled and creative. Cybersecurity professionals must remain vigilant and proactive in their efforts to secure critical assets. This includes paying close attention to trends, threats, and emerging and novel technologies. It is also important to remember that although these technologies can improve security, they can also be used by bad actors to launch more complex and sophisticated attacks.

These emerging trends should be a top priority for every cybersecurity professional devoted to safeguarding data and protecting against potentially devastating attacks.

Endnotes

1 Barros, P. H.; E. T. C. Chagas; L. B. Oliveira; F. Queiroz; H. S. Ramos; “Malware-SMELL: A Zero-Shot Learning Strategy for Detecting Zero-Day Vulnerabilities,” Computers and Security, vol. 120, 2022, https://doi.org/10.1016/j.cose.2022.102785
2 Ibid.
3 Trammell, B.; E. Boschi; “An Introduction to IP Flow Information Export (IPFIX),” IEEE Communications Magazine, vol. 49, iss. 4, May 2011, p. 89–95, https://www.researchgate.net/publication/224227148_An_introduction_to_IP_flow_information_export_IPFIX
4 Erlacher, F.; F. Dressler; “On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures,” IEEE Transactions on Dependable and Secure Computing, vol. 19, iss. 1, 2022, p. 495–506, https://doi.org/10.1109/TDSC.2020.2973992
5 Google Transparency Report, “HTTPS Encryption on the Web,” https://transparencyreport.google.com/https/overview?hl=en
6 Wang, Z.; W. F. Kar; V. L. L. Thing; “Machine Learning for Encrypted Malicious Traffic Detection: Approaches, Data Sets and Comparative Study,” Computers and Security, vol. 113, 2022, https://doi.org/10.1016/j.cose.2021.102542
7 Xiong, C.; T. Zhu; W. Dong; L. Ruan; R. Yang; Y. Cheng; Y. Chen; S. Cheng; X. Chen; “CONAN: A Practical Real-Time APT Detection System With High Accuracy and Efficiency,” IEEE Transactions on Dependable and Secure Computing, vol. 19, iss. 1, 2022, p. 551–565, https://doi.org/10.1109/TDSC.2020.2971484
8 Wei, W.; L. Liu; “Gradient Leakage Attack Resilient Deep Learning,” IEEE Transactions on Information Forensics and Security, vol. 17, 2022, p. 17
9 Lan, J.; X. Liu; B. Li; Y. Li; T. Geng; “DarknetSec: A Novel Self-Attentive Deep Learning Method for Darknet Traffic Classification and Application Identification,” Computers and Security, vol. 116, 2022, https://doi.org/10.1016/j.cose.2022.102663
10 Zhu, J.; J. Jang-Jaccard; A. Singh; I. Welch; H. Al-Sahaf; S. Camtepe; “A Few-Shot Meta-Learning Based Siamese Neural Network Using Entropy Features for Ransomware Classification,” Computers and Security, vol. 117, 2022, https://doi.org/10.1016/j.cose.2022.102691

YUNCHUAN WEI | PH.D.

Is a research analyst at the Research Institute of New Technology (RINT) at Hillstone Networks. His scope of research spans deep neural networks, advanced threat correlation analysis, threat intelligence enrichment and intrusion detection. Over the last several years, Wei has published six academic papers and has been awarded nine patents. He can be reached at https://www.linkedin.com/in/frank-yunchuan-wei-226723144/.