June 20, 2017
Why Machine Learning Is Critical to Cybersecurity
Updated 15th February, with recent findings from our Ponemon Research, which provides insights into Automation and Security.
Malware writers are always a step ahead of traditional security solutions, creating threats that behave differently from system to system, day to day, and year to year. Newer malware types include adware, botnet loaders, information stealers, tech support scams, and more recently, ransomware, due the recent rise of cryptocurrency. However, a recent industry study found that fewer than one in three enterprises rate their cyberattack protection as highly effective. As cyber risks grow in both volume and sophistication, the tools used to find and eradicate them have to get smarter and scale better, too.
The difficulty lies in the way traditional antivirus systems work, which is based on signature matching. A monitoring system would search for a match to a known malicious software signature. If a match was detected, the system would alert an IT expert and possibly quarantine or block the traffic. However, these systems turned out to be too narrow in their discovery criteria to have a very high success rate at catching malicious software.
Even as antivirus systems evolved to monitor more complex signatures by incorporating new “weighted” rules, they are still quite susceptible to missing a threat. They also tend to generate a very large volume of false positives that must be investigated, squandering the time of valuable security personnel, who then began to regularly ignore alerts. While this is understandable, it defeats the purpose of the security system.
This is where machine learning comes into play. In systems that rely on weighted rules, the weights can now be better optimized by machine learning techniques than by human intuition or pen-and-paper statistics. Such systems continually and dynamically learn what’s “normal” in software structure, software behaviour, and network traffic patterns and usage. Millions of variables and data points can be analysed at once to identify abnormal behaviour that could indicate an attack.
“Millions of variables and data points can be
analysed at once to identify abnormal behaviour
that could indicate an attack.”
One advantage of this approach is that the more data that is fed into the system, the better it can distinguish malicious programs from benign ones. Rules that uniquely identify each malware family no longer have to be manually written. Instead, the system identifies specific useful signals generated from program structure, behaviour on the system, and behaviour on the network, and uses the collected intelligence to separate benign software from malware.
A recent Ponemon study has also found that the majority of respondents agreed that automation reduces the hours required to deal with security exploits with greater accuracy, effectively slashing organizations' operating and personnel costs.
Download an interactive infographic on how Juniper's Machine Learning radically improves cyber security here.
Juniper’s Networks Sky Advanced Threat Protection (ATP) cloud-based solution applies machine learning across all detection techniques including static analysis and sandboxing. Sky ATP includes the information and identifiers that traditional threat prevention tools use but, in addition, takes advantage of ambiguous structural and behavioural properties of potential malware to determine maliciousness. By doing so and more, Sky ATP clearly differentiates itself from its competitors.
Read more about the critical need for machine learning in cyber security and how Juniper’s systems can effectively outsmart malware.
Even now, a new strain of self-replicating ransomware (WannaCry) is affecting computers all over the world, disrupting companies and services for businesses, governments, and consumers. Juniper security customers who have deployed our advanced anti-malware solution Juniper Sky ATP are very likely protected on multiple levels. Assuming Sky ATP did not block the file outright upon download, Sky ATP is designed to identify the new file as malicious and propagate this information to the on-premises SRX device, which in turn will quarantine the malware at the network level.
To find out more, check out the Rapid Response: The WannaCry Ransomware Outbreak, and watch the Webinar: WannaCry. What you want to know.