Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
10/11/2017
01:30 PM
Aviram Zrahia
Aviram Zrahia
Partner Perspectives
50%
50%

Can Machine Learning Outsmart Malware?

Using machine learning in the cybersecurity domain is a growing trend with many advantages, but it also has its risks.

Fighting malware is a modern arms race. Not only has malware evolved to be more evasive and harder to detect, but their vast numbers make it even more difficult to handle. As a result, detecting a malware has become a big data problem which requires the help of self-learning machines to scale the knowledge of analysts, handle the complexity beyond human capabilities, and improve the accuracy of threat detection.

There are number of approaches to this problem; choosing the right algorithm to serve the security engine’s purpose is not an easy task. In this article, we will refer to machine learning (ML) as an application of artificial intelligence (AI) where computers learn without being explicitly programmed. We will look into some use cases and challenges, starting with an interesting question: why do we see this growing trend now? The answer has to do with lower costs and increased availability of private and public cloud technology for collecting, storing and analyzing big data in real time, and the academic research progress in ML and related algorithms such as Deep Neural Networks (DNN).

Putting together a successful ML cybersecurity implementation is a multidisciplinary task, which requires coding capabilities, as well as cyber domain expertise, and deep math/statistics knowledge, originally described by Drew Conway in his data science Venn diagram. ML models can be used to classify malicious files (including ransomwares), analyze abnormal user and network behavior, perform advanced event analytics, identify encrypted malware traffic, synthesize threat intelligence feeds, and fuse in-direct telemetry signals with security events in cloud deployments.

Implementing a complete solution requires embedding the selected ML algorithm into a three-stage workflow of operation. First, the ML engine performs analysis, usually enhanced with other detection technologies to deliver open and integrated defense in depth. Then, enforcement is performed across the entire network preferably in an automatic and unified way. And finally, Cyber Threat Intelligence (CTI) is shared and received with other systems and entities, to further enrich and add context to the next analysis task -- feedback.

Cyber Defense Challenges and Machine Learning

A ML model is only as good as the content from the data sources that feed it (better known as: garbage in, garbage out). Similarly, performing analysis without domain expertise and context can be misleading, and measuring the engine’s performance/accuracy is tricky.

Another challenge is that attackers also use machines for different attack phases, as described by Intel Security in their 2017 threat predictions report. But the most interesting challenge is the risk of attackers actually manipulating ML defense engines. A visible example, as described by Dave Gershgorn in Popular Science last year,  was presented by Google’s researchers who manipulated road signs to deceive a driverless car, using black-box attack principles that can be leveraged also in the cyber domain to fool the machine.

Machines are taking over many aspects of our lives (Did anyone say autonomous cars?), but given the pros and cons described, should we let the machines take over our defense systems? The answer is yes and no. On the one hand, machines can outsmart human capabilities on certain aspects of scale and complexity. On the other hand, they can be manipulated, but so can humans. The debate is ongoing But based on the buzz in the market it's clear that machines are already transforming the way we perform cyber defense.

Aviram Zrahia is a cybersecurity consulting engineer at Juniper Networks, and a research fellow in the Blavatnik Interdisciplinary Cyber Research Center (ICRC) at Tel-Aviv University. His primary research interest is cyber threat intelligence sharing, where he uses technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.