A week ago I got a surprise in my email. Someone sent me a gift of malware that purported to be a scanned fax, but which really was a JavaScript file that would download malware to my computer if I clicked on it.
Fortunately, my instincts took over and I was immediately suspicious of the attachments and instead of executing the JavaScript, I inspected it, then sent it off to others for a more thorough look.
It’s worth noting that none of my antivirus packages picked up on this malware. Norton Internet Security, for example, said when I scanned it that the file was perfectly safe. Of course it wasn’t, and this pointed out the reason why you can’t put all of your trust into malware scanners that depend on signature scanning.
But that experience also points out why your instincts can play a vital role in security. Unfortunately, one person’s instincts, which are based on that one person’s experience, can’t possibly detect all of the malware that’s out there.
But there’s a way that instincts can play a critical role in defeating malware and cyber-attacks, and that’s to teach instinctive behavior to a powerful computer and then find a way to share everything there is to know about malware and cyber-attacks with that computer.
This is basically what Israel-based cyber-security company Deep Instinct is trying to do in its effort to apply deep machine learning to security. Deep learning is an area of artificial intelligence in which vast quantities of data are loaded into a computer, which then works to determine what is significant in the data by looking for connections in the way the data behaves.
According to the company’s CTO, Eli David, the company loads decomposed examples of every piece of malware it can find into its deep learning software, which looks for connections and characteristics in the malware so that it can learn what malware looks like in the real world.
The difference is that the deep learning process isn’t the same thing as searching for signatures. The idea instead is to determine what a wide range of malware has in common so that it becomes possible to identify malware just by looking at its components.
Dr. David compared it to being able to identify a photo of a cat by being able to see only portions of a photo of a cat. Once certain characteristics of the cat can be seen, such as the shape of an ear, the pupil of an eye or the pattern of the fur you can tell that it’s a cat. You don’t need to see the whole thing or wait to hear the meow to know this.
‘Deep Learning’ Technology Sees Through Security Software Blind Spots
The advantage of using deep learning is that malware and other cyber-security threats can be identified the first time they appear, reducing or eliminating the chance of a successful zero-day attack, which is what happens when new malware is developed and launched before antivirus software companies develop a signature.
Unfortunately, it takes little effort to make malware unrecognizable to most signature based anti-malware, which is why there are something like 250,000 new malware files with new signatures circulating worldwide every day, according to a recent Panda Labs report. While some of these will still be caught by existing software, not all of them will be.
The idea behind what Deep Instinct is doing with their product is to make it so that the security system instinctively recognizes malware without the need to recognize a signature by recognizing its basic makeup instead. This is vaguely like what I did when I recognized the malware last week, except without the dose of human cynicism, and Deep Instinct works a whole lot faster.
The Deep Instinct learning process accomplishes its mission by learning the characteristics of malware and then breaking them down into a text file that is simply a string of numbers. That string is several million numbers long, but it’s easily contained in a file on a remote computer or even in a mobile device. Then, a remote agent recognizes malware and eliminates it. Next, it follows up with a report of the action sent to the company’s central server appliance.
Every so often the appliance is updated so it can pass updated characteristics to remote sites. However, Dr. David stressed that even without updates Deep Instinct remains highly effective. The company claims that all the updates do is improve its already 99 percent plus effectiveness.
The next obvious question is whether it works. Dr. David says it does, but he’s the company’s CTO, so you’d expect that. He also told me that several financial institutions are already using it to combat breaches and he points out that the company has received significant financial backing.
It’s also true that deep learning is real, and that it’s being used by Google and Facebook, among other companies in areas other than cyber-security.
Right now, though, this is all very new, but it’s also very hopeful. If deep learning as implemented by Deep Instinct turns out to be as effective as it seems to be, then it might prove to be the next big breakthrough in cyber-security.