Machine learning fortifies legacy security methods in detecting advanced threats

Technology focuses on malware that has no signature, doesn’t match patterns


Over the past 10 years or so, machine learning has come to dominate our digital lives.

Commercial entities crunch mountains of data, leveraging “intelligent” mathematical algorithms at a furious pace. Much of this is done as part of the massively profitable endeavor of shaping consumer preferences and behaviors—to a degree unimagined by the best-and-brightest sci-fi authors of just 70 or 80 years ago.

So it’s about time the cybersecurity industry joined the party. Indeed, a cottage industry is thriving, composed of information security companies that are increasingly leveraging machine learning—even featuring it—in network defense systems.


A startup called FFRI Inc. and its intriguing founder and CEO, Yuji Ukai, are new entrants in this field. FFRI happens to be one of the standouts in the emerging cybersecurity industry in Japan. Ukai arrived at Black Hat Vegas this summer hoping to make a splash with a new anti-malware product, which he refers to as the “Yarai,” developed in the land of the rising sun.

Yarai takes new security tack

Instead of amassing and continually expanding a blacklist of known malware and past-attack patterns, as legacy antivirus suites do, the Yarai uses machine learning to detect intrusions by malware for which there are no known signatures or patterns.

Stopping malicious code known as “fileless” malware, or “non-malware,” is a fast-emerging specialty. Fileless malware attacks have no signatures, per se. Instead, they cleverly tap into and make use of existing, authorized applications already present on the company network, so there is no need to download any malicious files for a signature scanner to catch.
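The contrast the two paragraphs above draw is easy to make concrete: a blacklist can only match a file it has a hash for, while a behavioural heuristic scores what a process does regardless of which (legitimate, signed) binary is doing it. The following is an added illustration written for this page; it is not FFRI or Yarai code and does not reflect how their engines work. The process events, hashes, process names, scoring weights and threshold are all constructed for the example; the only real-world detail is that `powershell.exe` accepts an `-EncodedCommand` (abbreviated `-enc`) switch that takes a base64 argument.

```python
"""Signature blacklist vs. behavioural heuristic on constructed process events.

Added example for illustration only (not FFRI/Yarai code). Every event,
hash, weight and threshold below is constructed.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed "known bad" hash set, standing in for a legacy AV blacklist.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-dropper-bytes").hexdigest()}

# Signed, trusted script hosts that fileless attacks abuse by launching them
# with hostile arguments. The binaries themselves are benign and will never
# appear on a hash blacklist.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# PowerShell's -EncodedCommand / -enc switch followed by a long base64 blob.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{40,}")


@dataclass
class ProcessEvent:
    image: str         # executable name of the new process
    parent: str        # executable name of the parent process
    cmdline: str       # full command line as logged
    image_sha256: str  # hash of the on-disk executable


def signature_verdict(ev: ProcessEvent) -> bool:
    """Legacy approach: flag only when the file hash is on the blacklist."""
    return ev.image_sha256 in KNOWN_BAD_HASHES


def heuristic_score(ev: ProcessEvent):
    """Behavioural approach: score the process by what it does, not what it is."""
    score, reasons = 0, []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in SCRIPT_HOSTS and parent in DOCUMENT_APPS:
        score += 60
        reasons.append("document application spawned a script host")
    if image == "powershell.exe" and ENCODED_SWITCH.search(ev.cmdline):
        score += 40
        reasons.append("encoded PowerShell command line")
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        score += 20
        reasons.append("script host chained from another script host")
    return score, reasons


def triage(events, threshold: int = 50):
    """Run both detectors over a batch of events and report each verdict."""
    results = []
    for ev in events:
        score, reasons = heuristic_score(ev)
        results.append({
            "image": ev.image,
            "signature_hit": signature_verdict(ev),
            "heuristic_hit": score >= threshold,
            "score": score,
            "reasons": reasons,
        })
    return results


def sample_events():
    """Three constructed process-creation events (not real telemetry)."""
    signed_ps_hash = hashlib.sha256(b"constructed-signed-powershell").hexdigest()
    # Harmless payload, encoded the way PowerShell expects (UTF-16LE base64).
    encoded = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()
    return [
        # 1. Classic dropper: its file hash is on the blacklist.
        ProcessEvent("dropper.exe", "explorer.exe", "dropper.exe",
                     hashlib.sha256(b"constructed-dropper-bytes").hexdigest()),
        # 2. Fileless pattern: a document app launches the legitimate, signed
        #    PowerShell binary with an encoded command. No bad file to hash.
        ProcessEvent("powershell.exe", "winword.exe",
                     f"powershell.exe -enc {encoded}", signed_ps_hash),
        # 3. Benign admin use of the same signed binary.
        ProcessEvent("powershell.exe", "explorer.exe",
                     "powershell.exe -File C:\\scripts\\backup.ps1", signed_ps_hash),
    ]


if __name__ == "__main__":
    for r in triage(sample_events()):
        print(r)
```

Running it shows the point of the article's comparison: the dropper is caught by the blacklist but scores zero on behaviour, the fileless event is invisible to the blacklist (the hash belongs to a signed system binary) but scores 100 on behaviour, and the benign PowerShell run is flagged by neither. In practice the weights and the parent/child lists would be tuned against an organisation's own baseline telemetry; the ones here are constructed.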

Yuji Ukai, FFRI founder and CEO

“We are just focusing on the heuristic technology and also machine learning technology to detect unknown (malware),” Ukai says.

Ukai, a systems engineer who got his career start at Kodak’s R&D office in Japan, spent four years at eEye Digital Security in Orange County, California, during the go-go startup days of antivirus companies. He worked alongside Marc Maiffret, the researcher who uncovered the Code Red worm attack.

In 2007, Ukai returned to Japan to scratch his entrepreneurial itch. At the time, Japanese companies seeking cybersecurity solutions had no domestic suppliers to choose from, and Ukai saw an opportunity in his homeland. “It wasn’t a very good time,” he says. “But the reason why I just went back to Japan is that … in Japan, there was no such thing as a software security company.”

After 10 years in business, FFRI now boasts the Japanese government and other large Japanese enterprises as customers.

Japan fertile ground for startup

Creating a cybersecurity firm that stayed a few steps ahead was crucial given the lack of innovation in Japan and Japanese customers’ heavy reliance on imports. “If a new cyber threat were to have happened in Japan, we probably wouldn’t have any solution if we couldn’t import new technology from other countries. That’s why we started the software R&D company in Japan,” he says.

The name of the firm, FFRI, is an abbreviation for Fourteenforty Research Institute, a reference to a difficult jump in snowboarding called a “1440.” The jump includes four full 360-degree rotations.

Ukai himself is an avid snowboarder, having caught the bug as a young adult. He’s proficient enough, he told me, to have pulled off a few dicey aerials, though nothing close to a 1440.

FFRI’s main marketing pitch revolves around the idea that conventional security measures, such as antivirus software, security patches and site filters, aren’t enough. Advanced malware attacks can penetrate these crucial but often outdated measures, says Pablo Garcia, head of FFRI’s U.S. unit.

Pablo Garcia, FFRI North America CEO

Advanced solution to advanced malware

“Our sole focus is advanced malware attacks,” Garcia says. “(Given) the amount of advanced malware that’s hitting organizations today, there really need to be solutions out there that can fortify a network or protect a network in a way that doesn’t require a lot of resources or overhead,” he says.

Timing may be on their side. A series of ransomware attacks, including the WannaCry and Petya attacks, as well as the recent string of high-profile network breaches at Equifax, Deloitte and the U.S. Securities and Exchange Commission, is raising more awareness of cutting-edge attack tactics.

“I mean we’ve really been focusing on those areas for a while,” Garcia says. “The fileless malware has been around for a long time. They’re still occurring. It’s almost like the world is trying to eradicate measles and you still get cases of the measles even though, yes, there are good solutions out there for it.”

Ukai says his product can sit on top of other intrusion-prevention systems to help detect and deter advanced attacks. “It is the biggest difference between just regular classical antivirus software and our technology,” he says. “We have five kinds of different engines to detect malware.”

Japan’s notoriously demanding customers also help FFRI’s operations in the United States, Garcia says. “They focus on those things that, I think, could easily be overlooked,” he says. “We’re pursuing this market with the technology that we’re offering. It’s well ahead of what a lot of people are trying to do right now.”

For a deeper drill down on this discussion, please listen to the accompanying podcast.
