Dark Reading
Partner Perspectives // Bitdefender
1/9/2017 10:00 AM
Liviu Arsene

How Machine Learning For Behavior Analytics & Anomaly Detection Speeds Mitigation

By relying on artificial intelligence to identify suspicious network activity or behavior, machine learning can adapt to both business needs and new threats.

Businesses and organizations are under heavier fire than usual from cyberattacks, with 57% of surveyed CIOs and CISOs reporting at least one significant cybersecurity incident at their companies. Whether the incidents resulted from unaware employees (55%), unauthorized access (54%), or malware (52%), security decision-makers have responded by increasing their security budgets to adopt new technologies and defenses.

Any organization focused on faster detection and mitigation, so that advanced persistent threats (APTs) are contained before they significantly impact the business, should consider business-centric machine learning for behavior analytics and anomaly detection.

Bitdefender has been developing and using patented machine-learning algorithms since 2009, constantly tweaking and improving them to proactively detect new and never-before-seen malware.

Your Enterprise Network Is Predictable
Starting from the premise that your enterprise network is predictable, deploying behavior analytics technology first requires observing and learning your organization's network behavior. Anything that subsequently deviates from the learned baseline is reported to IT administrators. Because the baseline is learned from observation, the training window should cover the organization's normal rhythm (month-end jobs, patch cycles, backup schedules) and be free of ongoing intrusions: whatever is active during training becomes part of what the system considers normal.

These technologies can be used in two ways: to spot new processes that are unusual for that particular network, or to spot behavior that is abnormal for a known process. For example, after training, machine learning can build a prediction database containing all known applications currently deployed in your organization.

What happens to the prediction database when an application deployed in the company is updated after training is complete? That is where adaptation to variation in the baseline comes in. When the updated application runs for the first time, the machine-learning detection module checks whether the prediction database contains the launched application. If no exact match is found, it applies a similarity factor that statistically estimates how close the unknown application is to something already in the database. If that similarity score passes a set threshold, the application is considered trusted and the prediction database is updated; if it falls below the threshold, the application is quarantined and the IT administrator is notified. The threshold therefore governs two things at once: how much variation is tolerated before an alert fires, and how quickly the baseline itself drifts, since every near match becomes part of what the database will later accept as normal.

Application Profiling with Machine Learning
Profiling applications with machine learning draws on various algorithms, such as binary decision trees, neural networks, and genetic algorithms, but it all starts with building a model that can be used for accurate detection. A model is a function generated automatically from training data: it encodes the combinations of feature values known to be associated with malicious files, and its purpose is to estimate statistically the chance that an unknown or never-before-seen file is malicious.

Neural networks are among the most commonly used machine-learning algorithms for this task. They operate on features extracted from a file (file format, information gathered by running it in an emulator, the compiler that produced it, among others) after those characteristics have been normalized into numbers. Not every extracted feature has to be used; a well-chosen subset is often enough to train a highly accurate model. Each sample is represented as an N-dimensional feature vector, where N is the number of features, and training produces a complex function (the model) that maps such vectors to a score. An unknown sample is classified as malicious when its score crosses the decision threshold.

Put another way, when an unknown file reaches an organization's perimeter and is fed into a machine-learning engine that uses such models, its feature vector is evaluated by functions whose parameters were tuned, during training, to separate malicious files from clean ones.
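To make the model-as-learned-function idea concrete, here is an added example, not Bitdefender's code, of a static-feature classifier trained and applied end to end. The four features (PE-style header, normalized byte entropy, printable-byte fraction, presence of loader-style API names), the API watchlist, the constructed toy "files", and the use of plain logistic regression as the learner are all assumptions for illustration; a production engine uses far richer features and larger models. The trained model is nothing more than five floating-point numbers, which is the point made later about model size and speed.

```python
"""Static-feature malware classifier: train a model, then score unknown files (added example)."""
from __future__ import annotations

import math
import struct
from collections import Counter

# Assumed watchlist of API names commonly referenced by loaders and injectors.
API_WATCHLIST = (b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread")


def extract_features(data: bytes) -> tuple[float, ...]:
    """Normalise file characteristics into numbers in [0, 1]."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())   # 0..8 bits per byte
    printable = sum(1 for byte in data if 32 <= byte < 127) / n
    return (
        1.0 if data[:2] == b"MZ" else 0.0,                              # PE-style header present
        entropy / 8.0,                                                  # packed/encrypted bodies -> ~1.0
        printable,                                                      # plain text -> ~1.0
        1.0 if any(api in data for api in API_WATCHLIST) else 0.0,      # loader-style imports by name
    )


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train(files: list[bytes], labels: list[int], epochs: int = 400, lr: float = 0.5):
    """Batch gradient descent on logistic loss. Returns the model: (weights, bias)."""
    xs = [extract_features(f) for f in files]
    k, m = len(xs[0]), len(xs)
    w, b = [0.0] * k, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * k, 0.0
        for x, y in zip(xs, labels):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            grad_b += err
            for i in range(k):
                grad_w[i] += err * x[i]
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def score(model, data: bytes) -> float:
    """Probability that the file is malicious under the trained model."""
    w, b = model
    x = extract_features(data)
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def is_malicious(model, data: bytes, threshold: float = 0.5) -> bool:
    return score(model, data) >= threshold


def model_size_bytes(model) -> int:
    """Serialised size of the model: one double per weight plus the bias."""
    w, b = model
    return len(struct.pack(f"{len(w) + 1}d", *w, b))


# Constructed toy samples. Benign: text-heavy bodies. Malicious: uniform (packed-looking)
# byte distributions plus a watchlisted API name. Real training sets are many orders larger.
TRAINING_SAMPLES = [
    b"MZ" + b"This program cannot be run in DOS mode." + b"Hello from a word processor. " * 30,
    b"MZ" + b"Spreadsheet recalculation engine, version 2.1. " * 25,
    b"MZ" + b"Mail client update package. Release notes follow. " * 20 + b"GetMessageW",
    b"MZ" + b"Backup agent scheduling service. " * 40,
    b"MZ" + bytes(range(256)) * 3 + b"VirtualAlloc",
    b"MZ" + bytes(range(255, -1, -1)) * 2 + b"WriteProcessMemory",
    b"MZ" + bytes(range(256)) * 4 + b"CreateRemoteThread" + b"VirtualAlloc",
    b"MZ" + bytes((i * 7) % 256 for i in range(512)) + b"VirtualAlloc",
]
TRAINING_LABELS = [0, 0, 0, 0, 1, 1, 1, 1]

# Constructed never-before-seen files for the perimeter check.
UNKNOWN_PACKED = b"MZ" + bytes((i * 13) % 256 for i in range(1024)) + b"VirtualAlloc"
UNKNOWN_PLAIN = b"MZ" + b"Quarterly report generator, build 1142. " * 30

if __name__ == "__main__":
    model = train(TRAINING_SAMPLES, TRAINING_LABELS)
    print("model size:", model_size_bytes(model), "bytes")
    for name, blob in (("unknown_packed", UNKNOWN_PACKED), ("unknown_plain", UNKNOWN_PLAIN)):
        print(f"{name}: p(malicious)={score(model, blob):.3f} -> {'quarantine' if is_malicious(model, blob) else 'allow'}")
```

Two things the code makes visible that the prose does not: the decision is a threshold on a continuous score, so the threshold is a tunable trade-off between false positives and misses; and the model carries no knowledge beyond the features it was trained on, so a sample unlike anything in the training set can receive a confident score in either direction.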

Is Machine Learning Reliable in Business Environments?
While the average user's online and PC activity is unpredictable, the business environment, from network traffic to endpoint activity, is largely predictable, so a baseline can be established. Machine learning can sift through large amounts of data and make an "educated," that is, statistically grounded, guess as to whether something abnormal is going on.

While training a model may take some time, the resulting expression (the equation referred to earlier) is usually just a couple of kilobytes in size, so it is fast to evaluate and has a very low memory footprint. Running several models, each trained to analyze a specific behavior, is recommended, as together they cover a wide array of potential attack vectors and warn security teams of impending threats.

Combining human expertise with machine learning is vital to training accurate models, and organizations have a lot more to gain by working with security technology companies that have been actively involved in machine-learning development for years.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...