The other day I got a message that some of my credit cards were blocked and could I contact card security? After the expected security questions. they asked if, at a certain date, I had gone online to query a PIN number. No, I would not normally need to do that but – hang on – I did recently lose some data in a burglary and I remember changing all my card passwords. So I might just have checked one of the PIN numbers – my memory is not as good as it once was.
Then they asked about one or two “untypical” online purchase attempts at a women’s fashion website and a cosmetics store. Before they could add any detail I laughed out loud: “No way! Definite fraud”.
What made me so confident? I am married, and I do buy gifts for my wife… but no, I would never do that sort of shopping online. Why not? I have to think about that: for a start, she has strong preferences and would always try things on first… I cannot quite pin it down and yet instantly, without thinking it through, I recognised a fraudulent transaction. It was just not “me”. Would it be possible to train a machine to instantly identify suspicious transactions?
“Deep Inspection” of just those two purchases could uncover a lot of potentially incriminating information. Add to that the vast repository of online personal data that could be gleaned about the cardholder, friends and past purchases. One can imagine a Big Data analysis starting along these lines: male buying female fashion slightly suspicious; cardholder has female partner less suspicious; cloth sizes and styles were inappropriately teenage suspicious; no daughters or nieces more suspicious… At that point the system flags a warning and launches an in-depth analysis of past buying patterns before deciding whether to block the card.
Something like this technique is indeed used to help combat fraud. Card companies know that it was not enough to rely purely on “rule based” security that depends on sets of rules such as “do not allow spending over limit”, “flag warning if money withdrawn in high crime area”, and so on. By the late 1990s, increasing computing power was supporting more intelligent software that could analyse spending patterns, learn what was typical or unlikely for the customer, and flag a warning of suspicious transactions.
Deep Inspection of the actual data, combined with Artificial Intelligence (AI) is now an important technique in combatting all types of computer fraud. Zimperium’s Z9 detection engine is an example of this approach. All communications across a computer network are transported as packets of data and it is possible to search those packets of data and analyse them for the smallest sign of malware. Deep Packet Inspection (DPI) is a very powerful security technique but it would make the network traffic impossibly slow without the very high power, fast processing that is available in today’s data centres.
So what about today’s mobile devices? They are increasingly used for everyday financial transactions – paying restaurant bills, Uber billing and dual factor authentication for mobile banking – but even today’s most powerful mobile devices have nothing like the muscle needed to host DPI security. That makes them a very tempting target. Mobile devices are increasingly under attack, from malicious apps, from rogue emails, from adware, and from many sources of incoming network traffic. We are immersed in an ocean of communication signals – from cellular networks, WiFi, Bluetooth and global positioning satellites – any one of which might be infected with malware. So how can we trust our smartphones to handle bank details?
DPI is out of the question in a little hand-held device, but you can tell a lot from network traffic behaviour without going so deep. I did not need details about the actual stuff purchased on my card to recognise the suspicious pattern. Consider the flow of data inside the device and compare it to the days when mail and memos were communicated on paper by an internal post service. The post boy would pick up the mail, see who was next on the circulation list and take it to their in-tray. If instead he hid a memo under his jacket and went off to the rest room for ten minutes it would be suspicious – he might be copying it. We do not need to know anything about the content of that memo to suspect that something is amiss.
This is the secret behind a powerful new mobile security technique called ZPI. ZPI stands for Zero Packet Inspection – a slightly odd term, but it emphasises that it does not inspect the content, instead it just looks at the routes taken by the packets. Good user experience depends on fast, efficient data transfer and that means data move between apps and peripherals along well-defined paths – no wandering around or suspicious visits to the rest room. The ZPI agent applies its intelligence to studying those movements instead of the actual data, and makes for very fast and accurate diagnoses using surprisingly little processing power.
What the agent learns is patterns of communication. The developers have created training sets, and fine-tuned the machine learning algorithms to make sure that it recognises suspicious traffic behaviour reliably. That means a minimum number of “false positives” where traffic is flagged as malicious when it is actually benign, or “false negatives” where traffic is flagged as safe but is actually dangerous. Then it is tested by generating every sort of attack on the system – for example, a data worm wandering around the device looking for vulnerabilities – and making sure it is correctly diagnosed every time. Zimperium trained the Z9 engine extensively, so as to ensure it recognises suspicious behavioural patterns – whether the threats have already been catalogued or not.
There are a number of ways that ZPI can be deployed in actual mobile systems. For example, the developers of a mobile banking app can embed a DPI agent into the app to make sure that no malicious network traffic passes to and from that app. So the mobile user’s banking data and transactions will be protected from attack, whether or not there’s any broader anti-malware solution installed on the mobile device.
The same could apply to apps such as enterprise resource planning (ERP) or customer relationship management (CRM) tools allowing enterprise employees mobile access using their own devices. As long as the app developer embedded a suitable DPI agent, all of the business’s network traffic will be secure. If a device is under attack, the agent can trigger risk mitigation actions, such as invalidating sessions, destroying cryptographic keys, deleting caches, and raising fraud alerts.
The app developers themselves can select whatever remedial actions are most appropriate. So the mobile banking app might be set to delete information about the user’s stored credit/debit cards, flush the cache of the user’s account name, password, and other personal information, and raise a fraud alert with the bank – while also informing the user that there’s a problem.
People love the convenience of a smartphone but, with justification, many are wary of trusting important data to a tiny device immersed in a treacherous sea of diverse communication signals. DPI has been tested in the field and is proving remarkably good at detecting and thwarting attacks. It can protect personal data without even looking into it, and without the use of DPI and massive processing power.
This is already good news, but it also opens up a whole new arena of opportunity on the expanding Internet of Things (IoT). Simple, low power devices in the field are at risk from attack and cannot support heavyweight defences: connected cars, smart homes and industrial control systems might all be safer thanks to ZPI.