Partner Perspectives // Bitdefender

1/9/2017 10:00 AM
Liviu Arsene

How Machine Learning For Behavior Analytics & Anomaly Detection Speeds Mitigation

By relying on artificial intelligence to identify suspicious network activity or behavior, machine learning can adapt to both business needs and new threats.

Businesses and organizations are under heavier fire than usual from cyberattacks, with 57% of CIOs and CISOs reporting at least one significant cybersecurity incident at their companies. Whether the attacks resulted from unaware employees (55%), unauthorized access (54%), or malware (52%), security decision-makers have opted to increase their security budgets to adopt new technologies and cybersecurity defenses.

Business-centric machine learning for behavior analytics and anomaly detection should be adopted by any organization focused on faster detection and mitigation to prevent advanced persistent threats (APTs) from significantly impacting their business. By relying on artificial intelligence to identify suspicious network activity or behavior, machine learning can adapt to both business needs and new threats.

Bitdefender has been developing and using patented machine-learning algorithms since 2009, constantly tweaking and improving them to proactively detect new and never-before-seen malware.

Your Enterprise Network Is Predictable
Starting from the premise that your enterprise network is predictable, deploying behavior analytics technologies requires first observing and learning your organization’s network behavior. Afterward, anything new or out of the ordinary that doesn’t respect the learned behavior will be reported to IT managers.

However, it’s important to note that these technologies can be used either to spot new processes that are unusual for that network or to spot behavior that is abnormal. For example, after training, machine learning can create a prediction database that contains all known applications currently deployed in your organization.

What happens to the prediction database when a company’s deployed application is updated after the training process is completed? That’s when adaptation to variation from the baseline kicks in and machine learning flexes its muscles. When the updated application runs for the first time, the machine-learning detection module checks whether the prediction database contains the launched application. If a perfect match isn’t found, it applies a similarity factor that statistically estimates the chances that the unknown application is similar to something the database already has. If that similarity percentage passes a specific threshold, the application is considered trusted and the prediction database is updated. If the similarity score is below the threshold, the application is quarantined and the IT administrator is notified.
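The lookup-and-adapt flow described above, as an added example that is not Bitdefender's code: a baseline of trusted applications keyed by file hash, cosine similarity standing in for the similarity factor, and an assumed 0.90 threshold; feature names, values and hashes are constructed.

```python
# Added example (not Bitdefender's code): a baseline "prediction database" with
# exact-match lookup, a similarity factor for near matches (e.g. an updated build of a
# known application) and quarantine below the threshold. All values are constructed.
import math

SIMILARITY_THRESHOLD = 0.90  # assumed; a real deployment tunes this per network

def cosine_similarity(a: dict, b: dict) -> float:
    """Similarity factor between two feature vectors, in the range 0.0 .. 1.0."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

class PredictionDatabase:
    """Learned baseline: file hash -> normalised (0..1) feature vector of a trusted app."""
    def __init__(self, known: dict):
        self.known = dict(known)

    def check(self, file_hash: str, features: dict) -> tuple:
        """Return (verdict, similarity); verdict is 'known', 'trusted' or 'quarantine'."""
        if file_hash in self.known:               # perfect match with the baseline
            return "known", 1.0
        best = max((cosine_similarity(features, f) for f in self.known.values()), default=0.0)
        if best >= SIMILARITY_THRESHOLD:          # statistically close to a known app
            self.known[file_hash] = features      # adapt the baseline to the variation
            return "trusted", best
        return "quarantine", best                 # unknown: quarantine and notify the admin

# Constructed baseline learned during training (hashes are placeholders).
BASELINE = {
    "hash-erp-client-v1": {"size": 0.40, "imports": 0.30, "sections": 0.50, "signed": 1.0},
    "hash-browser":       {"size": 0.90, "imports": 0.60, "sections": 0.70, "signed": 1.0},
}
# Constructed arrivals after training: an updated ERP client and an unknown unsigned binary.
ERP_CLIENT_V2 = {"size": 0.42, "imports": 0.31, "sections": 0.50, "signed": 1.0}
UNKNOWN_BINARY = {"size": 0.05, "imports": 0.90, "sections": 0.10, "signed": 0.0}

def triage(db: PredictionDatabase, file_hash: str, features: dict) -> dict:
    """Decision record an agent would forward to the IT administrator."""
    verdict, similarity = db.check(file_hash, features)
    return {"hash": file_hash, "verdict": verdict, "similarity": round(similarity, 3),
            "notify_admin": verdict == "quarantine"}

if __name__ == "__main__":
    db = PredictionDatabase(BASELINE)
    print(triage(db, "hash-erp-client-v2", ERP_CLIENT_V2))   # trusted, baseline updated
    print(triage(db, "hash-erp-client-v2", ERP_CLIENT_V2))   # now a perfect match: known
    print(triage(db, "hash-unknown", UNKNOWN_BINARY))        # quarantine, admin notified
```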

Application Profiling with Machine Learning
Profiling applications with machine learning requires the use of various algorithms such as binary decision trees, neural networks, and genetic algorithms, but it all starts with building a model that can be used for accurate detection. Because a model is actually an automatically generated mathematical equation that satisfies a set of conditions known to be associated with a malicious file, its purpose is to statistically estimate the chances that an unknown or never-before-seen file is malicious.

Neural networks are among the most commonly used types of machine-learning algorithms, as they can extract file characteristics into features -- file form, emulator information, and compiler type, among others -- and normalize those features into numbers. Not all features need to be used to train a model; a well-chosen subset can yield highly accurate results. All these features are placed in N-dimensional matrices, where N represents the number of features, and from them the algorithm generates highly complex equations (or models) that accurately identify unknown samples as malicious or not, based on whether the equation is satisfied.

Put another way, if an unknown file reaches an organization’s perimeter and ends up being fed into a machine-learning algorithm that uses such models, the file is tested on whether it resolves a series of mathematical equations known to be resolved only by malicious files or applications.
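A minimal version of the "model as an equation" idea in this section, added here as an example that is not Bitdefender's code: normalised file features are fed to a logistic-regression classifier trained by gradient descent on a constructed, labelled sample set, and the resulting model is just a few weights evaluated with one dot product per unknown file. Feature names, sample values and the 0.5 decision threshold are assumptions.

```python
# Added example (not Bitdefender's code): train a small classifier on normalised file
# features and evaluate unknown files against the learned equation. All sample data
# below is constructed; the feature set and threshold are assumptions for illustration.
import math

FEATURES = ["entropy", "suspicious_import_ratio", "signed"]  # each scaled to 0.0 .. 1.0

# Constructed training set: (feature vector, label) with 1 = malicious, 0 = clean.
TRAINING_SET = [
    ([0.90, 0.80, 0.0], 1), ([0.85, 0.70, 0.0], 1), ([0.95, 0.90, 0.0], 1), ([0.80, 0.60, 0.0], 1),
    ([0.30, 0.10, 1.0], 0), ([0.40, 0.20, 1.0], 0), ([0.35, 0.15, 0.0], 0), ([0.45, 0.25, 1.0], 0),
]

def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))

def train(samples, learning_rate=0.5, epochs=3000):
    """Full-batch gradient descent; returns (weights, bias), which is the whole model."""
    n = len(samples[0][0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in samples:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            grad_w = [g + err * xi for g, xi in zip(grad_w, x)]
            grad_b += err
        w = [wi - learning_rate * g / len(samples) for wi, g in zip(w, grad_w)]
        b -= learning_rate * grad_b / len(samples)
    return w, b

def score(model, x) -> float:
    """Probability that a file with normalised features x is malicious."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def is_malicious(model, x, threshold=0.5) -> bool:
    """The 'equation is met' test: does the file cross the decision threshold?"""
    return score(model, x) >= threshold

MODEL = train(TRAINING_SET)  # a handful of floats: the entire deployable model

if __name__ == "__main__":
    print("weights:", [round(v, 3) for v in MODEL[0]], "bias:", round(MODEL[1], 3))
    for x in ([0.90, 0.75, 0.0], [0.38, 0.18, 1.0]):   # constructed unknown files
        print(x, "->", "malicious" if is_malicious(MODEL, x) else "clean", round(score(MODEL, x), 3))
```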

Is Machine Learning Reliable in Business Environments?
If the average user displays unpredictable behavior in his or her online and PC activities, the business environment -- from network traffic to endpoint activity -- is largely predictable, and therefore a baseline can be established. Machine learning can sift through large amounts of data and make an “educated” -- or statistically accurate -- guess about whether something abnormal is going on.

While training the machine model may take some time, the resulting expression (or equation, as previously referred to) is usually just a couple of kilobytes in size, meaning that it’s very fast to compute and has a very low memory footprint. Naturally, having more models specifically trained to analyze specific behaviors is always recommended, as they can cover a wide array of potential attack vectors, warning security teams of impending and potential security threats.

The merging of human and machine learning is vital in training accurate machine-learning models, and organizations have a lot more to gain by working with technology security companies that have been actively involved in machine-learning development for years.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...