My friends and family find themselves discussing news stories these days that are saturated with futuristic tales of automation: how it is changing their lives in some form, while leaving them with a distinct feeling of being left behind as they age. The media approaches automation from multiple angles, though most publications address modern-day automation as a new frontier taking over mundane tasks now, and possibly our jobs in the future. Today’s automation certainly offers many benefits, for example robotics in manufacturing, pattern recognition in self-driving cars, or pre-programmed control such as airplanes flying by wire. One key component in many of these technologies is machine learning in one form or another. The wide variety of machine learning applications, and their respective evolution, has become a broad subject with a net positive impact on our society.
Now, imagine combining the opportunities of machine learning with the vast ocean of Internet-based activity. Innovations in social media and streaming from companies like Google, Facebook and Netflix heavily influence advances in communication, shaping today’s generation and helping to make the world much smaller. Machine learning applications married to the Internet have given almost anyone, in any corner of the world, the opportunity to innovate and build a better life, not just for themselves but for the society around them. Jimmy Pikes, a Forbes contributor, says that there is a $1.5 trillion Internet of Things (IoT) market consisting of sensors and kinetic devices. The volume of data these devices generate is, with the methods we have today, tractable only through machine learning. At the same time, every one of these devices is exposed to cyber threats capable of disrupting everyday life around the world. Machine learning and its application to cybersecurity is therefore of paramount importance. So, what is machine learning and how does it apply to cyber security?
Machine Learning and Cyber Security
The vast amount of data, measured in petabytes, produced by today’s network of IoT devices and other applications forms the launching pad for machine learning applications in cybersecurity. Traditional analysis has a much harder time with such data volumes, whereas machine learning, in conjunction with contemporary big data frameworks, handles them efficiently. The analysis often takes a multi-pronged approach: it opens new opportunities, defends currently valuable assets, and protects against criminal activity. When it comes to cybercrime, machine learning can help protect your assets, and the business as a whole, from ill-intentioned activity through data analysis that offers insight into that activity. From a data perspective, cyber threats pose a severe class-imbalance problem: the overwhelming majority of records are benign, and only a vanishingly small fraction represent a threat. Even sophisticated machine learning techniques struggle with so few positive examples, and more so when the threat is of a kind never seen before, because then there are no labeled examples at all. In fact, we have already seen attackers become increasingly sophisticated, with many state-sponsored initiatives from China and Russia using that sophistication to exercise influence on the world stage. The threat is such that the United States has now put together a comprehensive cyber strategy with five specific goals, reflecting the importance of cyber defenses at the national level.
The difficulty in fending off these attacks is not limited to identifying new or rare exploits; it also lies in the speed at which they can be found. It is imperative that threat vectors are identified quickly and with confidence. Anything less increases the damage, the tangible loss, and the likelihood that the damage cannot be reversed. Low confidence drives up resource cost and, more importantly, shifts analyst attention from real threats to false positives. There is, then, a clear need to increase both the accuracy and the confidence of threat detection.
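The class-imbalance and false-positive problems described above are two faces of the same arithmetic, the base-rate effect, which is worth seeing in numbers. The following Python is an added example, not code from the original article; the event volume (100 million records per day), the one-in-100,000 prevalence and the detector rates are constructed assumptions chosen only to illustrate the effect.

```python
"""
Base-rate arithmetic for a threat detector (added example, constructed
numbers).  Shows why a detector that is "99% accurate" on both classes still
buries analysts in false positives when threats are rare, and how low the
false-positive rate must be for alerts to be mostly real.
"""


def precision(prevalence, tpr, fpr):
    """Fraction of alerts that are real threats.

    prevalence : fraction of all events that are actually malicious
    tpr        : true-positive rate (recall) of the detector
    fpr        : false-positive rate (benign events wrongly alerted)
    """
    tp = prevalence * tpr
    fp = (1.0 - prevalence) * fpr
    return tp / (tp + fp)


def confusion_counts(events, prevalence, tpr, fpr):
    """Expected (true positives, false positives) over `events` records."""
    positives = events * prevalence
    negatives = events - positives
    return round(positives * tpr), round(negatives * fpr)


def required_fpr(prevalence, tpr, target_precision):
    """Largest false-positive rate that still achieves `target_precision`.

    Solving precision = tp / (tp + fp) for the benign-event alert rate:
        fp  = tp * (1 - p) / p
        fpr = fp / (1 - prevalence)
    """
    tp = prevalence * tpr
    fp = tp * (1.0 - target_precision) / target_precision
    return fp / (1.0 - prevalence)


if __name__ == "__main__":
    # Constructed scenario: 1e8 events/day, 1 in 100,000 is a real threat,
    # the detector catches 99% of threats.
    EVENTS, PREVALENCE, TPR = 100_000_000, 1e-5, 0.99
    print(f"{'fpr':>8} {'precision':>10} {'true alerts':>12} {'false alerts':>13}")
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6):
        tp, fp = confusion_counts(EVENTS, PREVALENCE, TPR, fpr)
        print(f"{fpr:>8.0e} {precision(PREVALENCE, TPR, fpr):>10.4f} {tp:>12} {fp:>13}")
    print("fpr needed for 50% precision:",
          f"{required_fpr(PREVALENCE, TPR, 0.5):.2e}")
```

The table the block prints makes the practitioner's rule of thumb concrete: for half of the alerts to be genuine, the false-positive rate must be at or below the base rate of the threat itself (here about one false alarm per 100,000 benign events), which is exactly why the corroborating signals discussed in the next section matter more than headline accuracy.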
Addressing Speed and False Positives
The two objectives are not independent: fewer false positives increase the effective speed of detection for the same resources. Cyber security defenses should therefore do everything reasonable to generate accurate outcomes in real time. The industry has taken multiple approaches to this, but one prerequisite holds across all of them: comprehensive visibility into every aspect of the underlying environment is needed before machine learning can be effective. Additionally, machine learning needs corroborating signals (what this article calls reinforcement, not to be confused with reinforcement learning) to detect Advanced Persistent Threats (APTs) and to eliminate false positives.
The WannaCry ransomware attacks of May 2017 drew attention squarely to this issue. Ransomware is one of many payloads an attacker delivers once malware has reached its target. A characteristic of self-propagating malware is that it must first find network elements or hosts on which it can exploit a vulnerability, and it does so through methods such as network scans; WannaCry, for instance, swept the local network and the Internet for hosts exposing SMB on TCP port 445 before attempting its exploit. An unexpected network scan is therefore a strong corroborating signal: machine learning output reinforced by such a signal surfaces the real threat and discards false positives. Combined intelligently, real-time reinforcement and machine learning outcomes substantially improve accuracy and speed while reducing false positives and the analysis effort they cause.
Let’s think about a real-life, commonplace scenario: a professional going home after a hard day of work. The expected behavior of this individual is probably to freshen up, get a cup of coffee or a snack, and maybe prepare dinner. The routine is more or less the same every day. If, however, an intruder intent on stealing something enters the same home, that person’s behavior will consist of searching for where the valuables are kept, packing them in a bag, and leaving the premises.
In cybersecurity software, the equivalent of the authentic professional coming home is an established or learned behavior. Defense systems establish this baseline either from pre-learned profiles or by dynamic learning over a reasonable period of time, analyzing network, application and user behavior among many other vectors. Any substantial departure from the learned baseline, like the thief in the example above, is the domain of behavior analytics, which can flag potential anomalies across the wide spectrum of sources it monitors. The learning period is itself a risk worth noting: if an attacker is already active while the baseline is being learned, that activity is baked in as normal and will not be flagged later.
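The mechanism sketched in the two preceding sections, a learned per-host baseline whose anomaly score is only promoted to an alert when a corroborating signal such as an unexpected network scan agrees, can be shown end to end in a few dozen lines. The Python below is an added example, not code from the original article or from any product it mentions; the hosts, baseline day counts, flow records and thresholds (3 standard deviations, 20 targets on TCP/445 within 60 seconds) are all constructed assumptions.

```python
"""
Toy behavior analytics with "reinforcement" (added example, constructed data):
a per-host baseline of distinct destinations per day, a z-score for today's
behavior, and a scan detector whose agreement turns an anomaly into an alert.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int     # seconds since the start of today's observation window
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination TCP port


# Learning phase.  Per host: distinct destination hosts contacted on each of
# five "normal" days.  Constructed sample data, not real telemetry.
BASELINE_DAYS = {
    "ws-01": [3, 4, 3, 5, 4],
    "ws-02": [2, 2, 3, 2, 2],
    "ws-03": [3, 3, 3, 3, 3],
}

# Today's flows (constructed).  ws-01 sweeps 25 hosts on TCP/445 in 25 s,
# ws-02 reaches 12 hosts on TCP/443 spread over an hour (unusual, not a scan),
# ws-03 behaves exactly as it always does.
TODAY = (
    [Flow(ts=i, src="ws-01", dst=f"10.0.0.{i + 10}", dport=445) for i in range(25)]
    + [Flow(ts=300 * i, src="ws-02", dst=f"cdn-{i}.example", dport=443) for i in range(12)]
    + [Flow(ts=100 * i, src="ws-03", dst=f"srv-{i}", dport=22) for i in range(3)]
)


def learn_baseline(days):
    """Mean and population std-dev of daily distinct-destination counts per host."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in days.items()}


def distinct_dsts(flows):
    """Distinct destination hosts per source in today's traffic."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def zscore(value, mu, sigma, floor=1.0):
    """Deviation from the learned baseline in standard deviations.  `floor`
    keeps a perfectly stable host (sigma == 0) from turning any change into
    an infinite score."""
    return (value - mu) / max(sigma, floor)


def scanning_hosts(flows, port=445, window=60, min_targets=20):
    """Hosts that touch at least `min_targets` distinct destinations on `port`
    within any `window`-second span (a WannaCry-style SMB sweep)."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport == port:
            per_src[f.src].append((f.ts, f.dst))
    scanners = set()
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners


def classify(baseline, flows, threshold=3.0):
    """Combine the behavioral anomaly score with the scan signal.
    'alert'  : anomalous AND corroborated by a scan -> act now
    'review' : anomalous only -> queue for an analyst, do not page
    'ok'     : within learned behavior"""
    scanners = scanning_hosts(flows)
    verdicts = {}
    for host, count in distinct_dsts(flows).items():
        mu, sigma = baseline.get(host, (count, 0.0))  # unknown host: no baseline, no opinion
        z = zscore(count, mu, sigma)
        if z >= threshold and host in scanners:
            verdicts[host] = "alert"
        elif z >= threshold:
            verdicts[host] = "review"
        else:
            verdicts[host] = "ok"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify(learn_baseline(BASELINE_DAYS), TODAY).items()):
        print(f"{host}: {verdict}")
```

Run as a script it classifies ws-01 as an alert, ws-02 as review and ws-03 as ok. The point of the three-way verdict is the one the article makes: ws-02 deviates just as sharply from its baseline as ws-01 does, but without the corroborating scan it is queued rather than paged, so the anomaly detector's false positives never reach the on-call rotation. Note the `floor` guard in `zscore`; without it, a host whose baseline never varies would score every trivial change as infinitely anomalous, a common source of noise in naive deployments.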
User and Entity Behavior Analytics (UEBA) has attracted its share of critics, but it is clear that sophisticated attacks require behavior analytics to surface quickly. Signature-based methods are becoming obsolete; by construction they cannot catch never-before-seen threats such as zero-day attacks. James Scott, senior fellow at the Institute for Critical Infrastructure Technology, puts it this way in his recent presentation, Signature Based Malware Detection is Dead:
“Signature and behavioral based anti-malware are no match for next generation adversaries who utilize mutating hashes, sophisticated obfuscation mechanisms, self-propagating malware, and intelligent malware components. It is no longer enough to detect and respond. Artificial intelligence offers the predictive quality that can give organizations a much-needed edge on their more sophisticated, less burdened, and more evasive adversaries”.
Any truly complete solution needs behavior analytics reinforced by additional modeling techniques: fast, accurate, with minimal false positives, and able to generate actionable outcomes.