Detecting Malicious Imitators

Over half a century ago, the great MIT researcher Joseph Weizenbaum created a seminal computer program called ELIZA. Named after the Pygmalion character, the software was designed to interact with a human in a way that would give the impression that ELIZA was, in fact, also a living being. (Human: “I think men are such bores.” ELIZA: “Why do you think men are bores?” Human: “They just are.” ELIZA: “Can you give me an example?” and so on.)

Since then, computer scientists and artificial intelligence researchers have carefully studied the subtle interactions between humans and machines – including considerable attention to the familiar Turing Test. As any first-year computer science major will explain, a Turing Test (like a CAPTCHA) is designed to thwart programs such as ELIZA through trickiness. (Human: “Tell me your gut feeling about nuclear weapons in the context of conventional religious doctrine?”)

It was hard to suppress thoughts of artificial intelligence while in discussion last week with the talented principals from Shape Security, including their CEO, Derek Smith. Originally established to identify fake, automated attacks, Shape Security is well aware of these early efforts by pioneers such as Weizenbaum. More recently, however, the team has greatly expanded its focus to address so-called imitation attacks, which can be quite devastating. I’ll try to summarize what I learned during the session:

“What we do involves algorithmic identification of synthetic network traffic by analyzing many factors,” explained Smith. “This includes carefully watching and measuring actions such as keystrokes, mouse drags, or submit entries. Even if malicious actors try to adjust their behavior to avoid detection – perhaps by introducing delays into activity programmed to look human – our algorithms are so advanced that they easily identify the simulation attempts.”

Shape Enterprise Defense executes in-line for its customers as an appliance which ingests client data in the familiar reverse proxy arrangement in front of a website. Algorithmic focus resides at the application layer, where user behaviors can be measured against known statistical baselines and profiles. Relevant metrics can range from keystroke timing to the rankings of the most popular browsers. The platform ultimately allows, blocks, redirects, or flags user requests.
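To make the application-layer scoring described above concrete, here is an added illustration (not Shape's code, and not a description of how their algorithms actually work) of how a reverse proxy might score one session from keystroke timing and browser identity against a constructed human baseline, then allow, flag, or block it. The baseline thresholds, the sample sessions and the browser list are all assumptions made up for the example.

```python
"""Toy behavioral scoring of a web session, in the spirit of the in-line
reverse-proxy approach described in the post. Added example; thresholds and
sample data are constructed, not taken from any vendor."""
import statistics
from dataclasses import dataclass, field

# Assumed list of browsers that account for nearly all legitimate traffic.
KNOWN_BROWSERS = {"Chrome", "Firefox", "Safari", "Edge"}


@dataclass
class Verdict:
    action: str            # "allow", "flag" or "block"
    score: float           # 0.0 (human-like) .. 1.0 (clearly synthetic)
    reasons: list = field(default_factory=list)


def interval_features(timestamps_ms):
    """Summarize the gaps between consecutive keystrokes (milliseconds)."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    stdev = statistics.pstdev(gaps)
    # Coefficient of variation: humans are irregular, scripts are metronomic.
    cv = stdev / mean if mean else 0.0
    return {"mean": mean, "cv": cv, "min": min(gaps), "n": len(gaps)}


def score_session(timestamps_ms, user_agent):
    """Combine a few constructed signals into an allow/flag/block decision."""
    score, reasons = 0.0, []
    f = interval_features(timestamps_ms)
    if f is None:
        score += 0.2
        reasons.append("too few keystrokes to profile")
    else:
        if f["cv"] < 0.10:
            # A fixed delay (e.g. always 200 ms) keeps the mean human-like
            # but leaves no natural jitter, so it is still caught here.
            score += 0.5
            reasons.append("metronomic keystroke timing")
        if f["min"] < 15:
            score += 0.3
            reasons.append("keystroke gap faster than a human could type")
        if f["mean"] < 40:
            score += 0.2
            reasons.append("sustained superhuman typing rate")
    if user_agent not in KNOWN_BROWSERS:
        score += 0.2
        reasons.append("browser outside the popular set")
    score = min(score, 1.0)
    action = "block" if score >= 0.7 else "flag" if score >= 0.3 else "allow"
    return Verdict(action, score, reasons)


# Constructed sessions: a person typing, a naive bot, and a bot with a fixed delay.
HUMAN_SESSION = [0, 210, 350, 590, 720, 980, 1100]
NAIVE_BOT_SESSION = [0, 10, 20, 30, 40, 50, 60]
DELAYED_BOT_SESSION = [0, 200, 400, 600, 800, 1000, 1200]

if __name__ == "__main__":
    for name, ts, ua in [("human", HUMAN_SESSION, "Chrome"),
                         ("naive bot", NAIVE_BOT_SESSION, "python-requests"),
                         ("delayed bot", DELAYED_BOT_SESSION, "Chrome")]:
        v = score_session(ts, ua)
        print(f"{name:12s} -> {v.action:5s} score={v.score:.2f} {v.reasons}")
```

The delayed bot shows why a single "add a pause" evasion is not enough: the mean interval looks human but the spread does not. A real system would layer many more signals (mouse paths, form-fill order, device and network attributes) and learn the thresholds from traffic rather than hard-coding them.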

“Our solution runs in real-time,” said Smith, “so that we can observe all user behavior to and from web and mobile applications. The intelligence of our solution resides in the Shape AI cloud, which is where we analyze all transactions, and where we’ve introduced autonomous capability to deploy new injected countermeasures, based on what we detect. We combine this with our experiences detecting anomalies across our entire customer base in all sectors.”

The specific use of artificial intelligence in the Shape AI cloud involves both supervised and unsupervised machine learning techniques that are designed to deal with the dynamics of an adversary making real-time modifications to an attack approach – usually when something fails or has been discovered. When this occurs, the technology must detect the adversary’s retooling effort, and provide for sufficient countermeasures in the deployed appliance.

The baseline attacks being countered by the detection solution include credential stuffing for account takeover, use of stolen credentials to establish fake accounts, screen scraping programs that collect data from websites, and abuse of on-line marketing such as gift cards and rewards systems. Observers of cyber security will recognize each of these as being central to a growing number of painful attacks experienced by enterprise targets of all sizes.
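Of the attacks listed above, credential stuffing leaves the clearest trace in ordinary web logs: one source trying many different usernames with a high failure rate in a short window. The following added example (not Shape's code) flags that pattern over a handful of constructed login log lines; the log format, field names and thresholds are assumptions for the illustration.

```python
"""Per-source credential-stuffing detector over constructed login logs.
Added example; the log format and thresholds are assumed, not a real product's."""
import re
from collections import defaultdict, deque

# Assumed line layout: "<epoch> <ip> <path> user=<name> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: one source sprays six usernames (credential stuffing),
# another is a person mistyping a password twice before logging in.
SAMPLE_LOG = """\
1000 198.51.100.7 /login user=alice status=401
1001 203.0.113.5 /login user=gina status=401
1002 198.51.100.7 /login user=bob status=401
1004 198.51.100.7 /login user=carol status=401
1005 203.0.113.5 /login user=gina status=401
1006 198.51.100.7 /login user=dave status=401
1008 198.51.100.7 /login user=erin status=401
1009 203.0.113.5 /login user=gina status=200
1010 198.51.100.7 /login user=frank status=200
1012 203.0.113.5 /account user=gina status=200
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["status"] = int(d["status"])
            yield d


def detect_credential_stuffing(events, window_s=60,
                               min_distinct_users=5, min_failure_ratio=0.8):
    """Flag a source IP whose login attempts within `window_s` seconds span
    at least `min_distinct_users` accounts with a high failure ratio."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == "/login":
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        for e in evs:
            window.append(e)
            # Drop attempts that fell out of the sliding time window.
            while window[0]["ts"] < e["ts"] - window_s:
                window.popleft()
            users = {w["user"] for w in window}
            failures = sum(1 for w in window if w["status"] != 200)
            ratio = failures / len(window)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                # Keep the latest matching window so the report reflects the
                # full spray, including a final success (account takeover).
                flagged[ip] = {"distinct_users": len(users),
                               "failure_ratio": round(ratio, 2),
                               "window_end": e["ts"]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing suspected from {ip}: {info}")
```

This is a per-source heuristic, so a spray spread thinly across many addresses would slip under it; catching that needs the kind of cross-customer, behavioral view the post attributes to the cloud side of the platform rather than a single proxy's log.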

I was curious how the company dealt with the challenge of encrypted traffic, but was reminded of the reverse proxy arrangement in conjunction with the website. Such intimacy allows for the algorithms to operate on observed traffic – much like traditional web fraud management systems. I was also curious whether cloud-hosted systems posed a problem and the team explained that the appliance integrates with AWS and other systems. That’s the right answer.

One technical advance the team is currently working on involves extending their model toward distributed orchestration of policy management. Everyone dealing with nation state actors knows that gateway security solutions work better when cooperating as a distributed mesh of coordinated entities, rather than in isolation. Shape resonated with this design goal and explained some work they’ve already begun in this regard.

The company looks to be in excellent financial shape with strong investor backing, seven years of demonstrated market success, and an experienced management team. With so many cyber attacks now moving in the direction of either pure synthetic automation or faked traffic dynamically driven by a human actor, the Shape solution – not unlike ELIZA in its time – looks like software that correctly captures and addresses one of the major issues of our time.

Have a look at the Shape Security platform (and don’t forget to ask them about their new solution for reducing the risk of compromised, reused credentials), and let us know what you learn.