One of the biggest challenges facing cybersecurity professionals is to stop attacks from previously unseen viruses. Many traditional anti-malware tools are ineffective against zero-day threats, new ransomware and other previously unknown threats because they need signatures of already-identified malware to stop the threats.
That’s where machine learning comes in, using statistical probability computations to find new types of malware and leveraging algorithms trained to compare samples of code against each other to distinguish good from bad. This requires mindboggling amounts of data to perform the calculations accurately.
Machine learning, and its ability to combat cybercrime, has been a hot topic of late. But effective as it can be, it does not operate in a vacuum. The right level of expertise is required to run the models and piles of diverse data from multiple sources.
A Well-Trained Model
One of the reasons successful antivirus offerings are so effective at identifying and blocking new malware is because of its machine learning capabilities. VIPRE, for example, has collected data for about two decades – from endpoints, information-sharing partnerships with other cybersecurity providers and places in the cyber universe where malware authors are known to be active.
“Our research team goes to the dark net to brings things of interest back into the company and we try to identify what they are,” says Paul Apostolescu, principal software engineer for VIPRE.
A proper machine learning engine analyzes two types of data – good and bad. “We observe what bad processes do and what good processes do,” Apostolescu explains. “If you do that, then essentially you will be able to not only identify what’s bad because it looks bad, but also identify what’s bad because it does not match anything that you would consider normal.”
If a process triggers abnormal actions, such as altering or deleting files, modifying the registry or unexpected network communications, that’s a pretty good indication that malware has infiltrated the network. VIPRE’s machine learning model is trained to recognize this activity and flag it as being potentially bad.
What Is ‘Bad?’
Determining what is bad requires observing software samples for two telltale signs – what they look like and how they behave. Effective machine learning engine observes different kinds of data at different stages, inspecting network traffic, file structures, and processes.
What a sample looks like – whether it exhibits traits previously associated with other malware samples – also helps determine whether it’s bad. Those traits may include a code sequence that has appeared in other malware or the presence of a cryptographic method.
By looking at these details, the machine learning engine catches previously unknown threats that otherwise would likely have gone unnoticed. “We move our product from being reactive to proactive,” says Apostolescu. “Future proofing our detection, if you will.”
VIPRE combines machine learning techniques with signature based detection, behavior analysis and real-time monitoring to deliver a layered security approach. On its own, none of these techniques can stop all threats, but together, they provide top-notch security at a tremendous value.