Combating Evolving Cyber Threats with an Artificial Brain
The exponential growth of zero-day threats and increasing risk of Advanced Persistent Threats (APT) – the most sophisticated malware – coupled with the inability of cyber security solutions to detect many of these critical threats has caused companies to follow a “not if but when” approach to cyber security breaches. With the growing sophistication of hackers and cybercrime-as-a-service, offering DIY hacking kits for prices as low as $500, is there a way to turn the tables and properly secure companies against breaches that occupy the headlines on an almost daily basis? We believe that the answer is yes and it lies in applying deep learning to cyber security.
The evolution of cyber security solutions
The detection of malware has evolved over the years. Signature-based solutions (aka legacy solutions) have remained largely unchanged in their protection methods. In signature-based solutions, the antivirus engine compares the contents of an unidentified piece of code to its database of known malware signatures. If the malware has not been seen before, these solutions rely on manually-tuned heuristics to generate a handcrafted signature, which is then released as an update to clients. This process is time-consuming, resulting in signatures that are sometimes released months after initial detection. This method cannot keep up with the million new malware samples created daily, leaving organizations vulnerable to new threats, even to those that have already been detected elsewhere.
Heuristic techniques identify malware based on the behavioral characteristics in the code. This has led to behavioral-based solutions that base their detection of malware on its behavior at run time, as opposed to analyzing the characteristics in the malware’s code. These solutions provide only partial protection because they can detect malware only once its malicious actions have begun. They thus offer prevention only at a later stage, often when it is too late.
Newer sandboxing solutions rely on running the malware in a virtual (sandbox) environment to obtain more information about it and determine whether it is malicious or not, instead of detecting the malware’s behavioral fingerprint at run time. While this allows for more accurate detection, it comes at the cost of protection: the time-consuming sandbox analysis obstructs instant prevention once malware has been identified. Furthermore, malware developers have created newer types of malicious code that can evade sandbox detection by means such as stalling code.
More advanced solutions tout machine learning, the older branch of artificial intelligence. These solutions apply elaborate algorithms to classify a file’s behavior as malicious or legitimate according to manually selected features, providing more sophisticated analyses and detection capabilities. However, this process is also time-consuming and requires massive human resources, because people must tell the technology which parameters, variables or features to focus on for file classification. Furthermore, the rate of malware detection using this technology, albeit much higher, is still lacking.
Therefore, even with newer solutions applying more sophisticated technologies with better detection rates, prevention is delayed or detection is far from optimal, leaving organizations exposed to data breaches, data theft, seizure of data for ransom, data corruption, and infections.
Deep learning: ushering in a new era of proactive protection
The solution for comprehensive protection that can offer real-time detection and prevention lies in the next evolutionary step in cyber security: deep learning. Deep learning is a novel branch of artificial intelligence that is inspired by the brain’s ability to learn to identify an object until that identification becomes second nature. It works much the way our brain learns: just as our brain is fed raw data from our sensory inputs and learns the high-level features on its own, in deep learning raw data is fed through a deep neural network, and the technology learns on its own to identify the object on which it is trained.
When applied to cyber security, the deep learning core engine is trained to learn independently, without human intervention, whether a file is malicious or legitimate. This differs from classical machine learning, where feature engineering is conducted manually. The result is highly accurate detection of first-seen malware, even compared to classical machine learning, surpassing any solution currently available on the market. Furthermore, since deep learning is data agnostic, the technology is fed with hundreds of millions of files of any type (e.g., EXE, DLL, PDF, DOC, Android APK, etc.). The result of the training is a prediction model that can instinctively detect a malicious file that has never been seen before, whether it is an entirely new one or a slight modification of existing malicious code.
Deep Instinct is the first company to apply deep learning to cyber security, offering real-time detection and prevention of zero-day threats and APT attacks with unmatched accuracy. Its deep learning prediction model is offered as a lightweight agent that can run on endpoints, servers and mobile devices, on any operating system.
When a file is opened, downloaded or copied, the on-device agent analyzes the file by breaking it down into its smallest constituent elements to determine whether the file is malicious or legitimate. The agent analyzes files statically and does not use any sandboxing. This enables real-time detection (only a few milliseconds for prediction, even on the slowest mobile devices) and prevention (deleting or blocking the malware, or whichever action the enterprise’s policy specifies).
The deep learning module runs in prediction mode on the device without affecting the user experience and independently of the enterprise’s network or the Internet (i.e., without the need to send suspected files to a cloud or appliance). The deep learning core engine is continuously trained to recognize new malware in order to optimize its prediction model, which is then updated on the agent. However, the on-device agent can operate without updates for months with minimal effect (0.5-1%) on the accuracy of its detection rates.
Deep Instinct also offers an agentless version that connects to any type of gateway via APIs or SDKs. It recently expanded its protection solutions through a CASB partnership, enabling enterprises to securely move their activities to the cloud without risking malware penetration, infection, or distribution.
While deep learning has successfully been applied to computer vision, speech, and text understanding, cyber security is a challenging domain that deep learning can potentially revolutionize. Deep Instinct was founded on this belief, and the results obtained have vindicated it.
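To make the contrast between the signature lookup described earlier and static, raw-byte analysis concrete, here is an added illustration that is not Deep Instinct’s code and not part of the original article: an exact-hash signature misses a one-byte variant of a known sample, while a classifier that works on static features derived from the raw bytes still flags it. The two “files”, the byte-histogram feature and the nearest-neighbour rule are constructed stand-ins, far simpler than a trained deep neural network, chosen only to show why a slight modification defeats one approach and not the other.

```python
import hashlib
import math
from collections import Counter

# Constructed, harmless stand-ins for a known malicious file and a known benign file.
KNOWN_MALICIOUS = b"MZ\x90\x00" + b"\x00" * 8 + b"EVIL_LOADER_v1;" + bytes(range(0, 200, 3)) * 2
KNOWN_BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"hello world notepad;" + b"A" * 120

# Legacy signature database: exact SHA-256 of every sample seen so far.
SIGNATURES = {hashlib.sha256(KNOWN_MALICIOUS).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Signature-based check: the whole-file hash must already be in the database."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def byte_histogram(sample: bytes) -> list:
    """Static feature vector taken straight from the raw bytes: 256 normalised byte frequencies."""
    counts = Counter(sample)
    total = len(sample) or 1
    return [counts.get(value, 0) / total for value in range(256)]


def cosine(a: list, b: list) -> float:
    """Cosine similarity between two feature vectors (0.0 when either is all zeros)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def static_classify(sample: bytes) -> str:
    """Nearest-neighbour verdict over raw-byte features; a toy stand-in for a trained model."""
    features = byte_histogram(sample)
    similarity = {
        "malicious": cosine(features, byte_histogram(KNOWN_MALICIOUS)),
        "benign": cosine(features, byte_histogram(KNOWN_BENIGN)),
    }
    return max(similarity, key=similarity.get)


def mutate(sample: bytes) -> bytes:
    """A one-byte 'version bump': the trivial variant that invalidates a whole-file hash."""
    return sample.replace(b"_v1;", b"_v2;")


if __name__ == "__main__":
    variant = mutate(KNOWN_MALICIOUS)
    print("signature sees original:", signature_match(KNOWN_MALICIOUS))  # True
    print("signature sees variant: ", signature_match(variant))          # False
    print("static verdict, variant:", static_classify(variant))          # malicious
```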
About the Author
Guy Caspi, CEO of Deep Instinct, is a leading mathematician and a globally recognized data science expert. Mr. Caspi has 15 years of extensive experience in applying mathematics and machine learning in an elite technology unit of the Israel Defense Forces (IDF), financial institutions and intelligence organizations around the world. Mr. Caspi led some of the largest government cyber and Big Data projects in Israel and other countries. In addition, Mr. Caspi was the president and general manager of a leading division at Comverse/Verint Group.