Deep learning may be the next frontier for a security industry that’s dealing with constant attacks from cyber-criminals who become more sophisticated by the day.
According to a Symantec executive, the company has been working to integrate the whole idea of machine learning into its security services since February 2015. Symantec asserts that the capability, as new as it is, may be the next critical technology to keep cyber-attacks at bay.
Until recently, deep learning has been locked away in the software development labs. A few companies have realized that they can spot malware by its components and its behavior to ferret out most zero-day attacks before they have a chance to cause damage. Because of this, deep learning is now being deployed on the cyber-security battleground.
“As a user, you can’t afford a bad download, and that’s where we need to focus,” said Andrew Gardner, senior technical director of machine learning at Symantec, to explain why the company first focused its efforts on Android. “That’s what deep learning let us do.”
Gardner said that most of the malware files in the Android environment are known, but at any given time two to five percent of the malware in circulation represent what he called low-scoring threats that are often missed by malware scanners. These include zero-day attacks.
However, Gardner noted that because of the seriousness of a malware attack, the customers simply can’t afford any kind of attack, which made preventing zero-day attacks critical. Because machine learning presents the possibility of a very strong defense against zero-day malware attacks, Symantec started there.
Because of this focus, the first Symantec product that actively uses deep learning is Norton Mobile Security for Android. There’s also a version of Norton Mobile Security for iOS, but that version doesn’t make use of deep learning, at least not yet. But that’s just the start.
Symantec has their sights set on bigger goals in the enterprise. The next target will be enterprise email, especially cloud-based email. “We process a lot of the world’s email,” Gardner said. “A lot of attacks enter the enterprise through email. They’re insidious.” He said that by attacking company email systems, cyber-criminals are able to seize critical information and, in addition, able to steal a lot of money through phishing schemes that install malware on company networks.
The problem until now was that a great deal of email analysis required human intervention. “At the end of the day, we had to have analysts go through and score them as attacks,” Gardner said.
Symantec Adds Deep Learning to Anti-Malware Tools to Detect Zero-Days
“This doesn’t scale. We needed technology to let this scale beyond the bottleneck of human review.”
This is the sort of area where deep learning really shines. By feeding the deep learning system a vast quantity of information about email attacks, the deep learning process can learn to recognize an attack, and also learn to recognize when something isn’t an attack. “We can hit 98 percent accuracy over human tests. We can offer something that catches targeted emails,” he said, referring to spear phishing emails.
However, Gardner said that a big part of the challenge is moving beyond the traditional way of looking at security in order to take advantage of the power of deep learning. “My sense is that we have a sort of an echo chamber view of how we go about detecting things,” he said. He noted that humans aren’t scalable, which is why the deep learning process works so well. “Deep learning learns from data,” Gardner said. “The first ingredient is big data. That’s when it takes over and does well.”
Gardner depicts the process of using big data to feed deep learning by describing how someone might want to filter social media data for cat videos. “You can recognize a cat,” he explained, but the difference is that you probably can’t recognize a malware attack. “If I give you tables of security data, how do you make sense of that?” The difference is that with enough security data the deep learning process can tell when a security event is happening and when it’s not.
While Symantec will deploy deep learning in Norton Mobile Security, Symantec plans to offer deep learning as part of its email security.cloud offerings, which work with Microsoft Exchange and Microsoft Office 365 and with Google Apps sometime in 2016. However, Gardner didn’t specify a launch date. A company spokesperson told eWEEK that the new security offering will be available to companies of any size at a reasonable cost.
Gardner cautioned that as powerful as deep learning may be, it can’t be the only security solution. “When we talk about deep learning, it’s about asking how close is it to a targeted attack?” he said. But he also notes that while deep learning may be very close, “You can’t ever prevent all attacks.”
“Farther down the stack, deep learning may not be the only thing you need,” Gardner said, noting that you can’t just look at one type of anomaly. “We have a ways to go before deep learning is available out of the box, but we’re getting there,” he said.