How Machine Learning Works in Cyber Security

Almost every vendor in the tech space claims that its offering is powered by artificial intelligence or machine learning. These are buzzwords that marketing departments feel obliged to include so their products sound modern and fit for purpose in the digital economy. Before taking such claims at face value, however, there are some factors to consider.

Perhaps most important is to understand whether machine learning is actually suited to the particular task. Do not assume a product is "great" because it uses machine learning, and by the same token do not assume that IT solutions, products or devices without AI are no good. What matters is whether the technology in question gains a significant benefit from machine learning.

Next, it is important to understand what machine learning really means and whether the "machine learning" you are investing in actually meets the stricter definition of the term. Pre-programmed intelligence that does not improve with experience, such as a fixed set of hand-written rules, does not qualify.

Real machine learning usually has some degree of knowledge "programmed into it" (the choice of features and model), but the key is that it learns from experience: no new programming is required to improve its "intelligence". Machine learning algorithms ingest data from day-to-day operation and learn from it to make more accurate decisions, predict outcomes from events, and even improve abilities such as speech recognition.

When it comes to cyber security, the claim is more than hype. Machine learning is well suited to cyber defence and, when deployed correctly, becomes a critical element in any rounded security solution.

Strong machine learning (ML) models keep learning as you feed them more data: the more they ingest, the better they identify, predict and decide. The best ML models are built to understand one specific type of information. These tend to be more effective than "broad ML", that is, models designed to perform a number of varied tasks across a broad set of applications. For now, at least, we are still a long way from general AI that closely mimics the human brain.

In the old days, the way to ensure your antivirus could fight the latest threats was to keep its signature files updated. In effect, your software vendor had to identify every virus and piece of malware, write a specific signature for each one, and push regular updates so the software could spot the newest threats.

Today, relying on signature files alone seems dated. Cybercriminals write and release malware at a pace where this purely reactive approach cannot keep up. A number of sources estimated that in 2017 a new malware variant emerged every 4.2 seconds. In that light, a single vendor keeping pace by hand-writing signatures is not merely impractical; it is impossible.

When you consider the main attributes of machine learning, it is not just well suited to the demands of cyber security, it is arguably perfect for them. The sheer scale and diversity of new malware variants actually plays into the hands of ML: as ML-powered defences encounter more malware, they learn more about how malware behaves and get better at spotting new, previously unseen variants. Ironically, more attacks make your defences stronger. Even zero-day attacks can become identifiable without waiting for a signature update, although the model itself still needs periodic retraining, and a determined attacker can craft samples specifically to evade it.

CrowdStrike incorporates signatureless machine learning into its Falcon endpoint security platform. In addition to learning at scale, CrowdStrike has tailored its ML to the demands of security: it performs at pace and can deal with massive attacks in real time. CrowdStrike also recognises that ML is not perfect and must be used as part of a total strategy. As an example, users can "train" the CrowdStrike ML to work with them, balancing detection against "false positives" to reflect their company's specific needs.
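To make the contrast drawn in the preceding paragraphs concrete, here is an added example in Python; it is not CrowdStrike's code or a description of Falcon's model, and not part of the original article. It puts a hash-based signature check beside a small learned classifier (a multinomial naive Bayes over the strings a scanner might extract from a file) and shows three things the text describes: a recompiled variant slips past the signature database but not the model; more labelled data changes the model's verdict without any new rules being written; and the detection threshold is the knob an operator turns to trade detections against false positives. All sample data (API names, file names, the c2.example URLs) is constructed for the example.

```python
"""Signature matching beside a learned classifier on constructed samples."""
import hashlib
import math
from collections import Counter

# Constructed training data: each "sample" is a list of strings standing in
# for what a scanner extracts from a binary (imported APIs, embedded strings).
# Hypothetical, not real malware artifacts.
KNOWN_MALWARE = [
    ["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "http://c2.example/beacon"],
    ["CreateRemoteThread", "WriteProcessMemory", "SetWindowsHookExA", "keylog.txt"],
    ["CryptEncrypt", "DeleteFileW", "FindFirstFileW", "README_DECRYPT.txt"],
    ["CryptEncrypt", "FindNextFileW", "WriteFile", "pay_here.onion"],
]
KNOWN_BENIGN = [
    ["CreateFileW", "WriteFile", "CloseHandle", "config.ini"],
    ["GetModuleHandleW", "LoadLibraryW", "MessageBoxW", "About"],
    ["RegOpenKeyExW", "RegQueryValueExW", "CloseHandle", "settings"],
    ["FindFirstFileW", "FindNextFileW", "CloseHandle", "*.txt"],
]
# A recompiled variant of KNOWN_MALWARE[0]: only the C2 URL changed.
VARIANT = ["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "http://c2.example/v2/beacon"]
# A legitimate backup tool that enumerates and encrypts files (a false-positive risk).
BACKUP_TOOL = ["FindFirstFileW", "FindNextFileW", "CryptEncrypt", "backup.log"]


# --- Signature approach: exact hash of the sample's content ----------------
def fingerprint(tokens):
    """Stand-in for a file hash: SHA-256 over the extracted strings."""
    return hashlib.sha256("\n".join(tokens).encode()).hexdigest()


def build_signatures(samples):
    """The vendor's signature database: one hash per known sample."""
    return {fingerprint(s) for s in samples}


def signature_hit(tokens, signatures):
    return fingerprint(tokens) in signatures


# --- Learned approach: multinomial naive Bayes over the same strings -------
class TokenNaiveBayes:
    """Learns per-class token frequencies; no hand-written rules."""

    def __init__(self):
        self.counts = {"malware": Counter(), "benign": Counter()}
        self.docs = {"malware": 0, "benign": 0}
        self.vocab = set()

    def train(self, samples, label):
        """More labelled data simply updates the counts."""
        for toks in samples:
            self.counts[label].update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)

    def score(self, toks):
        """P(malware | tokens). Add-one smoothing keeps a never-seen string
        (a fresh C2 URL, a renamed dropper) from zeroing either class."""
        total_docs = sum(self.docs.values())
        log_post = {}
        for label, counts in self.counts.items():
            lp = math.log(self.docs[label] / total_docs)
            denom = sum(counts.values()) + len(self.vocab) + 1
            for t in toks:
                lp += math.log((counts[t] + 1) / denom)
            log_post[label] = lp
        shift = max(log_post.values())          # avoid underflow in exp()
        w = {k: math.exp(v - shift) for k, v in log_post.items()}
        return w["malware"] / sum(w.values())


def detect(toks, signatures, model, threshold=0.5):
    """Signature hit is definitive; otherwise the learned score decides.
    `threshold` is the knob an operator tunes against false positives."""
    hit = signature_hit(toks, signatures)
    score = model.score(toks)
    verdict = "malware" if hit or score >= threshold else "benign"
    return {"signature": hit, "score": round(score, 3), "verdict": verdict}


def build_detector():
    signatures = build_signatures(KNOWN_MALWARE)
    model = TokenNaiveBayes()
    model.train(KNOWN_MALWARE, "malware")
    model.train(KNOWN_BENIGN, "benign")
    return signatures, model


if __name__ == "__main__":
    sigs, model = build_detector()
    for name, s in [("known sample", KNOWN_MALWARE[0]), ("variant", VARIANT),
                    ("backup tool", BACKUP_TOOL)]:
        print(f"{name:13} t=0.5 {detect(s, sigs, model)}  t=0.9 {detect(s, sigs, model, 0.9)}")
    # Operator feedback: mark the backup tool benign and retrain; no code changes.
    model.train([BACKUP_TOOL], "benign")
    print("after feedback ", detect(BACKUP_TOOL, sigs, model))
```

Run as a script, the known sample is caught by its hash, the variant misses every signature but scores about 0.95 under the model, and the backup tool scores 0.75: a 0.5 threshold flags it (a false positive), a 0.9 threshold does not, and after the operator labels it benign and retrains, its score drops well below 0.5 with no new rule written. A real product uses far richer features (opcode sequences, behaviour traces, reputation) and a larger model, but the mechanics of generalising past a changed hash, and of tuning the threshold, are the same.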

As cybercriminals work on continually changing the modus operandi of their attacks, machine learning done right has become a critical component of any serious defence.
