Malware and the cybercriminals who use it have grown increasingly sophisticated in recent years, with new variants appearing faster than defenders can write signatures for them and becoming harder to detect. In order to more successfully combat such attack techniques, cybersecurity engineers have begun to build software that adapts to and learns from its environment, making it easier to spot malicious programs and identify suspicious behavior.
One such solution was demonstrated at the Black Hat USA conference in early August. Security researchers have created a cybersecurity tool that uses machine learning to decide whether a previously unseen file is malware within 100 milliseconds. Using deep learning techniques, the researchers built a model that classifies a file from static features extracted from its code, without executing it, so that it can identify and block malware quickly.
According to Matt Wolff, the chief data scientist behind the project, using deep learning, a form of machine learning built on multi-layer neural networks, for malware detection lets the application scan files it has never encountered before and still detect malware. The model is trained on a large corpus of known-legitimate and known-malicious files, teaching it which is which. By learning to recognize certain patterns and hallmarks in that corpus, the application is then able to categorize files it has never encountered before.
Taking advantage of emerging technology
While the idea of using machine learning to enhance cybersecurity solutions isn't exactly new, the ability to realistically deploy such a tool has only been around for the last couple of years. The emergence of big data analytics and of cloud-based computing options that have made such tools affordable has helped to drive deep learning solutions into the mainstream.
"Advances in processors, memory, etc., lend themselves to help make these techniques more powerful," said Wolff in an interview with Dark Reading. "We don't see anyone [else] applying algorithms to … malware detection. The main premise behind machine learning is matching patterns. When you look at malware, you may not see any patterns. But when you look at a half of a billion samples, there may be tons of patterns that are relatively easy to discern. The goal of this model is to find these patterns."
One of the most beneficial aspects of cybersecurity tools that employ machine learning is that they can help users stay ahead of malware that is becoming increasingly polymorphic. Wolff explains that if a malware author releases a new variant of an existing program a few months down the line, a security module using machine learning should still be able to detect the new strain, because it classifies on learned features of the code rather than on an exact match. Defense solutions based on recognizing known malware strains, typically by file hash or byte-pattern signature, don't have this ability, leaving many users vulnerable to frequently updated malware.
According to Wolff, security solutions based on machine learning techniques are primarily about detecting malware for now, and it's up to the organizations using them to decide what to do with the malware they find. In the future, however, deep learning programs could replace the signature-based detection tools in use today, since a learned model can generalize to samples it has never seen while a signature cannot. The practical caveat is that a model also produces false positives, so its decision threshold still has to be tuned for the environment it protects.
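The contrast drawn above, between matching a file against known-bad signatures and classifying it from static features, can be shown in miniature. The following is an added example written for this article, not code from the researchers' product: it extracts three cheap static features (byte entropy, printable ratio, count of suspicious API strings) and trains a nearest-centroid model on a constructed corpus. A "variant" is made by changing a few bytes of a known sample, which defeats a SHA-256 lookup but not the feature-based model. The feature set, the suspicious-string list and the corpus are all assumptions for illustration.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed list of strings a static analyser might weight as suspicious (assumption).
SUSPICIOUS_STRINGS = [b"VirtualAllocEx", b"WriteProcessMemory",
                      b"CreateRemoteThread", b"cmd.exe /c "]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(data: bytes) -> tuple:
    """Three static features, each scaled to [0, 1]; nothing is executed."""
    entropy = shannon_entropy(data) / 8.0
    printable = sum(32 <= b < 127 for b in data) / max(len(data), 1)
    hits = sum(data.count(s) for s in SUSPICIOUS_STRINGS)
    return (entropy, printable, min(hits, 4) / 4.0)


class SignatureDB:
    """Classic approach: exact SHA-256 match against known-bad hashes."""
    def __init__(self, known_bad):
        self.hashes = {hashlib.sha256(d).hexdigest() for d in known_bad}

    def match(self, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() in self.hashes


class CentroidClassifier:
    """Minimal learned model: nearest class centroid in feature space."""
    def __init__(self):
        self.centroids = {}

    def fit(self, labelled):
        by_label = {}
        for data, label in labelled:
            by_label.setdefault(label, []).append(extract_features(data))
        for label, vecs in by_label.items():
            self.centroids[label] = tuple(sum(col) / len(vecs) for col in zip(*vecs))

    def predict(self, data: bytes) -> str:
        f = extract_features(data)
        return min(self.centroids, key=lambda lbl: math.dist(f, self.centroids[lbl]))


# Constructed corpus (assumption): benign = plain document text; malicious =
# high-entropy payload plus process-injection API names.
WORDS = [b"quarterly", b"report", b"invoice", b"budget", b"meeting", b"the", b"and"]

def make_benign(rng):
    return b" ".join(rng.choice(WORDS) for _ in range(400))

def make_malicious(rng):
    payload = bytes(rng.getrandbits(8) for _ in range(2000))
    return payload + b"\x00".join(SUSPICIOUS_STRINGS[:3]) + payload[:200]

def make_variant(sample: bytes, rng, n_bytes=16) -> bytes:
    """Stand-in for a repacked variant: same code, a handful of bytes changed."""
    b = bytearray(sample)
    for i in rng.sample(range(len(b)), n_bytes):
        b[i] ^= 0xFF
    return bytes(b)

def build_demo(seed=7):
    """Train on 20+20 constructed samples; return model, signature DB and probes."""
    rng = random.Random(seed)
    benign = [make_benign(rng) for _ in range(20)]
    malicious = [make_malicious(rng) for _ in range(20)]
    clf = CentroidClassifier()
    clf.fit([(b, "benign") for b in benign] + [(m, "malware") for m in malicious])
    sigs = SignatureDB(malicious)
    variant = make_variant(malicious[0], rng)
    return clf, sigs, malicious[0], variant, make_benign(rng)

if __name__ == "__main__":
    clf, sigs, known, variant, clean = build_demo()
    for name, sample in [("known malware", known), ("variant", variant), ("clean doc", clean)]:
        print(f"{name:14s} signature={str(sigs.match(sample)):5s} model={clf.predict(sample)}")
```

The signature database flags the original sample and nothing else; the centroid model flags both the original and the variant because their feature vectors are nearly identical. A real product replaces the three hand-picked features and the centroid rule with a deep network over far richer static features, but the reason it generalizes to unseen variants is the same.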
Enhanced security solutions are attainable
Luckily for organizations looking to implement a robust, next-gen security solution, help is out there. Security information and event management services like those provided by ArcticWolf use big data analytics to identify threats to enterprise networks. Using security information collected from multiple endpoints, managed SIEM solutions analyze the data to identify anomalous or suspicious behavior that may indicate a malware infection.
SIEM solutions offer businesses many advantages, and do so without an analyst having to label what counts as normal and abnormal behavior. Instead of learning from labelled examples, the system builds a baseline of normal activity from the data it collects and flags deviations from that baseline.
"Organizations can protect themselves if they use tools that learn without being trained," explained Benjamin Powell, director of product marketing for AccelOps, in an interview with Data Center Journal. "That means the system does not need a human to tell it what is normal traffic or behavior in an application or server. Then the system will automatically know what usage patterns are abnormal or unusual."
SIEM services offer enterprises this advantage, allowing companies to not only increase their security but make it possible for in-house IT teams to focus on business-critical processes.
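The baselining described in this section, where nothing is labelled in advance and the system learns what is normal from the data itself, can be illustrated with a small unsupervised check. The following is an added example written for this article, not ArcticWolf's or AccelOps' code: it parses constructed endpoint log lines, counts outbound connections per host, and flags hosts whose count is far from the fleet's median using a robust (median/MAD) z-score rather than mean/stdev, so a single noisy host does not inflate the baseline. The log format, host names and counts are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Assumed log line format: "<timestamp> host=<name> event=<type> [dst=<ip>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?: dst=(?P<dst>\S+))?$")


def parse(line: str):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def robust_z(values):
    """Median/MAD-based z-scores: outliers barely move the median, unlike the mean."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9  # guard all-equal data
    return [0.6745 * (v - med) / mad for v in values]


def flag_anomalies(lines, event="net_connect", threshold=3.5):
    """Unsupervised: no labels, the fleet's own distribution defines 'normal'."""
    records = [r for r in map(parse, lines) if r]
    hosts = sorted({r["host"] for r in records})
    counts = defaultdict(int)
    for r in records:
        if r["event"] == event:
            counts[r["host"]] += 1
    values = [counts[h] for h in hosts]
    return {h: round(z, 2) for h, z in zip(hosts, robust_z(values)) if abs(z) > threshold}


# Constructed workload (assumption): nine workstations making a few outbound
# connections in an hour, and one (ws-17) making 120, as a beaconing host might.
OUTBOUND = {"ws-01": 3, "ws-02": 4, "ws-03": 5, "ws-04": 4, "ws-05": 6,
            "ws-06": 3, "ws-07": 5, "ws-08": 4, "ws-09": 6, "ws-17": 120}

def constructed_log():
    lines = []
    for host, n in OUTBOUND.items():
        lines.append(f"2015-08-10T09:00:00 host={host} event=logon")
        for i in range(n):
            lines.append(f"2015-08-10T09:{i % 60:02d}:{i // 60:02d} host={host} "
                         f"event=net_connect dst=203.0.113.{i % 254 + 1}")
    return lines

if __name__ == "__main__":
    for host, z in flag_anomalies(constructed_log()).items():
        print(f"{host}: robust z-score {z}")
```

Only ws-17 crosses the threshold; the nine quiet hosts sit within about one MAD of the median. In production the same idea runs per host, per user and per time window, with the baseline refreshed continuously so that it tracks legitimate changes in usage.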
Cybersecurity news and analysis brought to you by ArcticWolf, providers of detection and response security management services.