Defense networks leverage machine learning to ferret out adware

Artificial intelligence augments threat research by humans to keep malware at bay


Machine learning, the branch of artificial intelligence that mines large data sets for patterns, is familiar to anyone who shops, searches or uses social media on the internet.

Advertisers, media companies and the tech giants are all about amassing massive data sets, basically every click each of us makes online. That mountain of data is then intensively mined for patterns that isolate and profile each of us as an individual, the better to pitch products and services that presumably match our preferences.


Those same data mining methodologies are now being brought to bear by cybersecurity vendors on the oceans of data moving across corporate networks every day. Security vendors are hustling to infuse machine learning into network defense systems, the better to pick out the few streams trickling into that ocean that carry malicious code.

ThirdCertainty recently sat down with Webroot CTO Hal Lonas to discuss how the Broomfield, Colorado-based antimalware vendor is leveraging machine learning. This text has been edited for clarity and length.

ThirdCertainty: What's a basic definition of machine learning?

Lonas: The best way to think about it is that we use machine learning to augment and leverage our threat researchers. When these threat researchers find an exploit or some malware, we actually take that information and train machines so that they become like threat researchers on their own. They actually incorporate all the learnings of all the threat researchers we have and augment that and magnify that.

3C: So it's a way to leverage the human element?

Lonas: Let's say you had your ace threat researcher working 9 to 5, and when he's on duty he's able to identify and find most threats, even the very nuanced, very subtle ones. But then he goes home at 5 o'clock. Now it's my late shift. Another threat comes in. Maybe I just don't have the right person on staff to catch that threat. With machine learning, we are able to capture the expert knowledge of our ace researcher in the machine. So in effect, he's working 24/7. So we see much more consistency.

3C: And defense steadily improves over time?

Lonas: Yes, we catch more things upstream, and can protect people earlier in the damage chain. Instead of blocking it on the machine where it lands, and we can certainly do that, we stop the malware from downloading. You recognize that it's a bad IP address, so you don't need to connect to it in the first place. So we can stop it earlier in the kill chain.

Then, of course, you can take that learning and operate it at scale. You can take it to the cloud. You can scale it way up with a bunch of machines. That gives you accuracy and consistency we never dreamed of before.
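To make the two ideas in the interview concrete (researcher verdicts captured in a model that then generalizes to hosts nobody has looked at, and the verdict applied at connection time rather than after the payload lands), here is an added toy example. It is not Webroot's code and the interview describes no specific algorithm; the hostnames, verdicts, known-bad IP addresses, feature choices and the naive Bayes classifier are all constructed for this illustration.

```python
"""Added example, not Webroot's code: researcher verdicts on hostnames train a
small naive Bayes model; the decision to connect is made before any download,
using exact knowledge first and the model for unseen destinations."""
import math
import re
from collections import Counter

# Constructed researcher verdicts for the example: hostname -> True if malicious.
RESEARCHER_VERDICTS = {
    "update-flash-player-now.xyz": True,
    "secure-login-paypa1.top": True,
    "cdn-free-download-crack.ru": True,
    "account-verify-bank-alert.click": True,
    "invoice-download-now.pw": True,
    "docs.python.org": False,
    "github.com": False,
    "www.wikipedia.org": False,
    "mail.google.com": False,
    "cdn.jsdelivr.net": False,
}

# Constructed known-bad IPs (documentation range TEST-NET-3), refused outright.
KNOWN_BAD_IPS = {"203.0.113.7", "203.0.113.42"}


def features(host):
    """Features the model learns from: word tokens, the TLD, a hyphen-count
    bucket and whether a digit appears. Deliberately simple and lossy."""
    host = host.lower().strip(".")
    labels = host.split(".")
    feats = ["tok:" + tok for label in labels for tok in re.split(r"[-_]", label) if tok]
    feats.append("tld:" + labels[-1])
    feats.append("hyphens:" + ("many" if host.count("-") >= 2 else "few"))
    if re.search(r"\d", host):
        feats.append("has_digit")
    return feats


class NaiveBayesHostModel:
    """Multinomial naive Bayes with add-one smoothing over hostname features."""

    def __init__(self, labelled):
        self.feature_counts = {True: Counter(), False: Counter()}
        self.class_counts = Counter()
        self.vocab = set()
        for host, malicious in labelled.items():
            self.class_counts[malicious] += 1
            for f in features(host):
                self.feature_counts[malicious][f] += 1
                self.vocab.add(f)
        self.feature_totals = {c: sum(cnt.values()) for c, cnt in self.feature_counts.items()}

    def _log_score(self, host, cls):
        total_docs = sum(self.class_counts.values())
        score = math.log(self.class_counts[cls] / total_docs)  # class prior
        denom = self.feature_totals[cls] + len(self.vocab)      # smoothed denominator
        for f in features(host):
            score += math.log((self.feature_counts[cls][f] + 1) / denom)
        return score

    def malicious_probability(self, host):
        """P(malicious | host) from the log-odds of the two classes."""
        log_bad = self._log_score(host, True)
        log_good = self._log_score(host, False)
        return 1.0 / (1.0 + math.exp(log_good - log_bad))


def build_model():
    return NaiveBayesHostModel(RESEARCHER_VERDICTS)


def connection_decision(destination, model, block_threshold=0.8):
    """Decide before connecting. Exact knowledge (known-bad IPs, researcher
    verdicts) wins; the model covers destinations no researcher has examined.
    Returns (block, reason)."""
    if destination in KNOWN_BAD_IPS:
        return True, "known-bad IP"
    if destination in RESEARCHER_VERDICTS:
        return RESEARCHER_VERDICTS[destination], "researcher verdict"
    p = model.malicious_probability(destination)
    return p >= block_threshold, f"model p={p:.3f}"


if __name__ == "__main__":
    model = build_model()
    for dest in ["203.0.113.7", "github.com", "free-download-crack-update.xyz", "www.python.org"]:
        block, reason = connection_decision(dest, model)
        print(f"{dest:35} {'BLOCK' if block else 'allow'}  ({reason})")
```

The ordering in `connection_decision` is the point: a researcher's exact verdict or a known-bad IP is never second-guessed by the model, and the model only fills the gap for destinations that arrive on the late shift. The threshold is a tuning knob; with ten training hosts the probabilities are only illustrative, and in practice the feature set would need far more than hostname shape to keep false positives acceptable.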
