There is no doubt that machine learning has revolutionized endpoint security and will continue to do so. It is important for security and IT professionals to understand exactly how this technology actually works. Machine learning pays off only when you have big data sets; it is not worth applying machine learning to small data problems, because a human can handle those effortlessly.
Myth #1: Machine learning is a form of protection
Some vendors have been seen perpetuating vague marketing claims that machine learning is some kind of new product or feature they offer that can keep companies safe. This is perhaps the biggest misunderstanding around machine learning: machine learning does not provide protection by itself, it helps inform how existing protection operates. It does that by enabling more in-depth and accurate analysis.
Myth #2: Machine learning is only being used by next generation antivirus solutions
Currently, the most common application of machine learning in endpoint security is analyzing file attributes to predict whether a file on disk is malicious before it has the chance to execute (in other words, the same job antivirus has been doing for years).
But machine learning is not limited to building a better antivirus or next-gen antivirus mousetrap. New solutions are also using machine learning to move endpoint security forward in a different direction. Rather than simply analyzing static file attributes and predicting what a program will do before it is executed, machine learning can, for example, analyze program behavior at runtime, in an effort to identify and block executing malware in the act.
Myth #3: Machine learning is only being applied to analyzing files
Solutions that rely on file scanning (for example, next-generation antivirus) have obvious trouble detecting fileless attacks: with no file, there is nothing to scan. Other solutions, however, such as Alert Logic, use machine learning to analyze system activity and predict whether any particular combination of system calls and commands is indicative of an attempted attack in progress.
Myth #4: Machine learning models don’t need to be re-evaluated for months
The fact is that machine learning is not "set it and forget it." Models are only as good as the data they analyze. Improvements to protection depend on frequent, rigorous re-training of the model with data that has high fidelity to the real world. The more limited the data (in quantity, quality, and frequency), the lower the model's ability to provide accurate results.
Myth #5: Machine learning-based protection generates a lot of false positives
In addition to training machine learning models to recognize malware, they can also be trained to recognize goodware samples (even custom software unique to specific organizations). This approach is actually very good, and it allows your models to adapt and so reduce false positives.
Myth #6: Machine learning is a Black Box
A potential downside to machine learning that has been raised is the fear that once a model is trained and learning on its own, there is little insight into why it makes the determinations it makes. The truth is that while some machine learning models are a black box, others are able to expose their logic, providing more constructive value for researchers.
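As an added example (not code from the article or from any vendor it names), the following Python script scores the ordered event categories seen in one process tree with a small Naive Bayes classifier over adjacent-event pairs. This is the "combination of system calls and commands" style of analysis described under Myth #3, and its explain() method returns the event pairs that drove the verdict, which is the kind of model that exposes its logic rather than acting as the black box of Myth #6. The event categories and the labelled training sequences are constructed for illustration.

```python
"""Behavioral scoring of event sequences with a small Naive Bayes classifier.
Added illustration, not code from the article or from any vendor it names."""
from collections import Counter
import math

# Constructed training data (an assumption for illustration): each row is the
# ordered list of event categories observed in one process tree, with a label.
TRAINING = [
    (["office_app", "spawn_shell", "account_discovery", "download_tool", "write_exe"], "malicious"),
    (["office_app", "spawn_shell", "download_tool", "run_dll"], "malicious"),
    (["mail_client", "spawn_shell", "account_discovery", "domain_discovery"], "malicious"),
    (["office_app", "print_spooler"], "benign"),
    (["file_manager", "spawn_shell", "list_dir", "net_config"], "benign"),
    (["file_manager", "spawn_shell", "list_processes"], "benign"),
    (["mail_client", "office_app", "print_spooler"], "benign"),
]

def bigrams(seq):
    """Adjacent event pairs; a START marker gives the first event its context."""
    padded = ["START"] + list(seq)
    return [f"{a}>{b}" for a, b in zip(padded, padded[1:])]

class BigramNaiveBayes:
    """Multinomial Naive Bayes over event-pair features with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = {}   # label -> Counter of bigram occurrences
        self.totals = {}   # label -> total bigrams seen for that label
        self.priors = {}   # label -> log prior
        self.vocab = set()

    def fit(self, rows):
        labels = Counter(label for _, label in rows)
        for label, n in labels.items():
            self.counts[label] = Counter()
            self.priors[label] = math.log(n / len(rows))
        for seq, label in rows:
            grams = bigrams(seq)
            self.counts[label].update(grams)
            self.vocab.update(grams)
        self.totals = {l: sum(c.values()) for l, c in self.counts.items()}
        return self

    def log_prob(self, gram, label):
        """Smoothed log P(gram | label); unseen pairs get a small floor, not zero."""
        num = self.counts[label][gram] + self.alpha
        den = self.totals[label] + self.alpha * (len(self.vocab) + 1)
        return math.log(num / den)

    def scores(self, seq):
        grams = bigrams(seq)
        return {l: self.priors[l] + sum(self.log_prob(g, l) for g in grams)
                for l in self.counts}

    def predict(self, seq):
        s = self.scores(seq)
        return max(s, key=s.get)

    def explain(self, seq, top=3):
        """Event pairs that pushed hardest toward 'malicious' (log-likelihood ratio).
        This is the model exposing its logic instead of acting as a black box."""
        ratios = {g: self.log_prob(g, "malicious") - self.log_prob(g, "benign")
                  for g in set(bigrams(seq))}
        return sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)[:top]

if __name__ == "__main__":
    model = BigramNaiveBayes().fit(TRAINING)
    for seq in (["office_app", "spawn_shell", "download_tool"],
                ["file_manager", "spawn_shell", "list_dir"]):
        print(seq, "->", model.predict(seq), model.explain(seq, top=1))
```

The pair features are what make the verdict reviewable: an analyst can see that "office_app>spawn_shell" carried the decision, check whether that pairing is legitimate in their environment, and add the sequence to the benign training rows if it is, which is exactly the retraining loop Myth #4 describes.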
Myth #7: Everything’s already been thought of
In most spheres where machine learning is used, the object under study does not change with time, while in the case of malware things change constantly and rapidly. That is because cybercriminals are highly motivated people (money, espionage, terrorism...). Their intelligence is not artificial; they are actively combating the model and intentionally modifying malicious programs to evade it.
That is why the model has to be constantly taught, sometimes even retrained from scratch. Obviously, with rapidly changing malware, a security solution based on a model alone, without an antivirus database, is worthless. Cybercriminals can think creatively when necessary.
-
QUESTION: Is it possible to develop a security solution that is based solely on the ML model, without other detection methods?
Why use multi-level protection based on different technologies? Why not put all your eggs in one basket if that basket is so smart and advanced? One algorithm is enough to solve everything. Right?
The thing is, most malware belongs to families consisting of a large number of modifications of one malicious program. For example, Trojan-Ransom.Win32.Shade is a family of 30,000 cryptors. A model can be taught with a large number of samples, and it will gain the ability to detect future threats within certain limits. In these circumstances machine learning works well.
But it is often the case that a malware family consists of just a few samples, or even one. Perhaps its author did not want to go into battle with security software after his "brainchild" was immediately detected due to its behavior. Instead, he decided to attack those who had no security software installed or no behavioral detection (i.e., those who had put all their eggs in one basket).
These sorts of "mini-families" cannot be used to teach a model: generalization (the essence of machine learning) is impossible with just one or two examples. In these circumstances, it is much more effective to detect a threat using time-tested methods based on hashes, masks, and so on.
Another example is targeted attacks.
The authors behind these attacks have no intention of producing more and more new samples. They create one sample for one victim, and you can be sure this sample will not be detected by a protection solution (unless it is a solution specifically designed for this purpose, for example, Kaspersky Anti-Targeted Attack Platform). Once again, hash-based detection is more effective.
The conclusion is that different tools should be used in different situations. Multi-level protection is more effective than a single level.
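The multi-level idea above, and the goodware training of Myth #5, as one added Python example (this is not the article's code, nor Kaspersky's or any vendor's): a three-layer classifier that tries an exact hash denylist first (the right tool for one-off and targeted samples), then a byte mask with wildcard bytes (for variants that only shuffle a few bytes), and only then a k-nearest-neighbour model over static attributes, which is the layer that generalizes within a large family. The model is trained on both malware and the organisation's own goodware, and goodware_ablation() shows that dropping the goodware rows turns a new in-house build into a false positive. The sample bytes, the hash, the mask, the feature vectors and the family names are all constructed for illustration.

```python
"""Multi-level detection: hash denylist, byte mask, then a k-NN model.
Added illustration; all samples, hashes, masks and family names are constructed."""
import hashlib
import re
from collections import Counter

# Layer 1: exact SHA-256 denylist. Catches single-sample "mini-families" and
# targeted one-offs that no model can generalize from. The hash is computed
# from constructed bytes and is not a real indicator.
TARGETED_SAMPLE = b"MZ\x90\x00TARGETED-ONE-VICTIM-PAYLOAD"
HASH_DENYLIST = {hashlib.sha256(TARGETED_SAMPLE).hexdigest(): "Targeted.OneOff"}

def hash_layer(data):
    return HASH_DENYLIST.get(hashlib.sha256(data).hexdigest())

# Layer 2: byte masks. Hex bytes with "??" as a one-byte wildcard, the classic
# signature style. Catches variants that only change a few bytes.
MASKS = {"Family.Mask": "4c 4f 41 44 ?? ?? 43 46 47"}  # "LOAD" ?? ?? "CFG"

def mask_to_regex(mask):
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in mask.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: wildcard matches 0x0a too

MASK_RES = {name: mask_to_regex(m) for name, m in MASKS.items()}

def mask_layer(data):
    for name, rx in MASK_RES.items():
        if rx.search(data):
            return name
    return None

# Layer 3: k-NN over static attributes. Constructed feature vector:
# (section entropy, import count, section count, packed flag, signed flag).
TRAINING = [
    ((7.8, 3, 2, 1, 0), "malicious"),   # four variants of one large family
    ((7.6, 4, 2, 1, 0), "malicious"),
    ((7.9, 2, 3, 1, 0), "malicious"),
    ((7.7, 3, 3, 1, 0), "malicious"),
    ((5.1, 80, 5, 0, 1), "benign"),     # signed commercial software
    ((4.8, 120, 6, 0, 1), "benign"),
    ((6.9, 12, 4, 1, 0), "benign"),     # the organisation's own packed in-house tool
    ((7.0, 10, 4, 1, 0), "benign"),     # (goodware samples, as in Myth #5)
]

def _scale(vec, lo, hi):
    """Min-max scale so import counts do not swamp the flags and entropy."""
    return tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi))

class KnnModel:
    def __init__(self, rows, k=3):
        cols = list(zip(*[f for f, _ in rows]))
        self.lo = tuple(min(c) for c in cols)
        self.hi = tuple(max(c) for c in cols)
        self.rows = [(_scale(f, self.lo, self.hi), label) for f, label in rows]
        self.k = k

    def predict(self, features):
        q = _scale(features, self.lo, self.hi)
        dist = lambda r: sum((a - b) ** 2 for a, b in zip(r[0], q))
        nearest = sorted(self.rows, key=dist)[: self.k]
        return Counter(label for _, label in nearest).most_common(1)[0][0]

MODEL = KnnModel(TRAINING)

def classify(data, features):
    """Cheapest and most specific layers first; the model is the fallback."""
    name = hash_layer(data)
    if name:
        return ("malicious", "hash:" + name)
    name = mask_layer(data)
    if name:
        return ("malicious", "mask:" + name)
    return (MODEL.predict(features), "model:knn")

def goodware_ablation(features):
    """Verdicts (without, with) the in-house goodware rows in the training set."""
    without = KnnModel([r for r in TRAINING if not (r[1] == "benign" and r[0][3] == 1)])
    return (without.predict(features), MODEL.predict(features))

if __name__ == "__main__":
    print(classify(TARGETED_SAMPLE, (5.0, 70, 5, 0, 1)))               # hash layer only
    print(classify(b"MZ\x90\x00xLOAD\x01\x02CFGx", (5.0, 70, 5, 0, 1)))  # mask layer
    print(classify(b"MZ\x90\x00new-variant", (7.5, 3, 2, 1, 0)))         # unseen family member
    print(classify(b"MZ\x90\x00in-house-build", (6.8, 11, 4, 1, 0)))     # benign in-house tool
    print(goodware_ablation((6.8, 11, 4, 1, 0)))                         # ('malicious', 'benign')
```

Note the two cases the model alone gets wrong: the targeted sample has benign-looking static attributes and is caught only because its hash is known, and the in-house tool looks like packed malware unless the organisation's own goodware was in the training set. Each layer covers a gap the others leave, which is the point of the conclusion.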
-
A great benefit of ML in cyber security is its capacity to automate repetitive and time-consuming tasks, such as triaging intelligence, malware analysis, network log analysis and vulnerability assessments. By incorporating ML into the security workflow, your organisation can accomplish tasks faster, and act on and remediate threats at a rate that would not be possible with manual human capability alone.
Please let me know what you think about this in the comment section. You can also share with everyone whether the information shared here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles and posts on cybersecurity.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM