Advancements in digital technology are a keystone of our modern lives. However, these advancements do not come without risks to our security. With more devices connected to the internet and more devices per user, there is a major increase in the data being collected, transported, and stored.

All our social life, work, and movements are stored in our phones and shared with others. In order to early detect malicious infections, intrusions, or data thefts, organizations need to be able to analyze all the data very quickly. New developments in AI and machine learning algorithms have made this protection possible. However, most of the progress in this area has been confined to the corporate world, leaving a key part of our society defenseless.

Protecting civil society at risk

Adding to the problem, it has never been easier for governments to abuse this very technology to surveil, track, spy, and often harm non-governmental organizations (NGO), human rights defenders, political activists, journalists, and lawyers. Civil society has been so far left behind when it comes to digital defense. Working in the field, often in war zones or facing prosecution, individuals at risk make do without the protection of a large organization, without digital defenses (firewalls, endpoint protection, or strict policies), and without resources. Our Civilsphere Project aims to fill this protection gap to civil society.

Since 2018, the Civilsphere project has been a pioneer in the use of machine learning to help civil society. The project is dedicated to providing individuals at risk with free tools to help detect active malware infections, privacy violations, or signs of digital surveillance. There are two main services offered by Civilsphere to individuals at risk: ShouldIClick and AI-VPN.

Should I click?

There are many reasons why a web link may not be safe to click. A large number of attacks, including targeted attacks, start with a link in an email or chat,  generally ending in the full compromise of a device. Can AI help users decide when it is safe enough to click?

The Civilsphere ShouldIClick service combines machine learning, statistical analysis, and security tools to analyze a given link in real time and advise the user if the link is safe to click or not. Through various ensembling of multiple analysis and detection modules, ShouldIClick is designed to look for scams, evil twin attacks, malicious javascript embeddings, and insecure traffic.

Dfv2emp6tfMaitmF EMGmJTEspVMi9tKPsQ3XtDCPFC7tymM5IOoCl5nyHSlyYKVKymsfKjcWnAgPhgRnehprnWEUZqTuPHpqMSIAJqeD3s3KqO5gzu7kmx6iOUkGwREYn I at
ShouldIClick receives a URL, downloads the content of the page, extracts features, and runs detection modules to search for suspicious activity. The results for these detection modules are ensembled to detect specific threats, and a final verdict is reached.

ShouldIClick first generates features from the live website of the URL, including its HTML structure, Javascript, and images. The features from the certificate, keys, and algorithms used for encryption are also very important. The service completely analyzes the website and its behavior and it does not rely on the URL string. These features are used as input for several machine learning algorithms that focus on different aspects of the website, including analyzing the graph structure of the HTML and the similarity to other websites with the same title (in search for the twin website). The final decision is reached through an ensembling.

The ShouldIclick service has been active for two years and has been used to analyze and protect thousands of people at risk.

Is my phone at risk?

The Civilsphere AI VPN service was designed to answer this question. Combining a traditional Virtual Private Network (VPN) with network analytics and state-of-the-art machine learning detection algorithms, the AI VPN provides individuals at risk a free assessment of their mobile network traffic in real time.

The Civilsphere AI VPN works by combining three key elements. First, well-known VPN technologies, such as OpenVPN. Second, a system for capturing and storing the network connections generated by the users, which will be further analyzed to detect suspicious connections. Third, the Stratosphere Linux IPS, a free-software machine-learning-based intrusion prevention system, that performs behavioral analysis of the network traffic and automatic blocking of suspicious connections.

WkjYGP0Rx eINlInguDjMGqtyaPT2vs7aYpGb3n iOb9PMXGxe8qzbFzo8bdLZoJIOjMLtNf8D2q HP 3Ynp6KxbsZe5XeXoqJ XsQeLj4cJvmczzEkYEwNGyqq96QBDaVHg9IP1

The Stratosphere Linux IPS has multiple modules that handle Threat Intelligence feeds, IP enrichment, a LSTM neural net for malicious behavior detection, port scanning detection on flows, long connection detection, and many others. Ensembling algorithms are used to decide the automated blocking of malicious connections. The complete work of Slips is open to the community and published on GitHub.

Protect the vulnerable

Cyber defense is becoming more and more challenging, and more so to those at risk and without resources. Now, there is not only the need to defend devices but also data and even algorithms. With an ever more interconnected software supply chain, it will require a common effort to keep things safe. Combining AI and human experts will allow us to not only improve our security but also protect our most vulnerable groups working in the frontline.

This article was originally published at CyberSec&AI Connected is an annual conference on AI and cybersecurity co-organized by Avast and the Czech Technical University in Prague. Visit the website to learn more about the topic and register your interest for this year's edition!