Predictive unknown threat protection now a reality thanks to Deep Learning

Jan 9, 2018

Almost a year ago around this time, Spora, a sophisticated ransomware, was being propagated by spam mails on the internet. Many users were tricked into opening them and their computers were infected.
Even as anti-virus vendors were scrambling to push updates to their devices to protect against this zero-day attack, a breakthrough technology based on deep learning, released 10 months earlier by a cybersecurity firm named Deep Instinct, was able to discover and stop this malware without any update at all.
"The power of our neural network was able to detect and stop that threat without any human intervention and without any updates to any of our endpoints in the way that signature- and heuristic-based anti-virus solutions do," said Stuart Fisher, senior VP for Asia Pacific at Deep Instinct. "The same can be done and said for Wannacry, Petya, NotPetya and Bad Rabbit."

The ability to prevent new threats before samples for analysis are available reduces risks due to the time lag in researching and releasing a patch for current anti-virus and anti-malware solutions. Even after the release of a patch, it takes time for an organization to test and distribute a patch, further increasing the amount of time an environment remains vulnerable to a zero-day threat.

"The mere fact that vendors have to have updates pushed out every hour determines that it is reactive," Fisher added. "They can only push an update out after someone has been hit and the threat becomes known. What if I've been hit first and the rest of the world benefit from that."

In cases like the WannaCry attack last year that distributed ransomware to hundreds of thousands of computers globally via a known vulnerability in Windows, Deep Instinct's neural network, D-Brain, can prevent the new malware payload and stop the attack. The OS patch should then be applied to fix the vulnerability and stop the malware from spreading further.

High detection, low error

This DL capability is timely and critical, as new malware is being created at a rate of one million samples a day and accelerating.

"A lot of vendors are now claiming to have machine learning (ML) capabilities," said Fisher.
"ML is a 50-year-old technology. It has some great applications but it also has some inherent challenges, the biggest of which is its 30-40% error rate in some instances, which translates as a false positive rate.

"ML is about two layers of algorithm. Once you go to 4 or 5 layers of algorithm, it starts to become a neural network and in commercial terms, that's DL. It delivers an error rate of less than 1%."

Deep Instinct's D-Brain prediction model uses neither signatures, heuristics, behavioral analysis nor sandboxing, and it requires no threat intelligence feeds, no connectivity, no manual analysis for classification, no waiting for the attack to execute and no frequent updates.

"It's the unknown threats that we're absolutely laser-focused on," said Fisher. In third-party, customer and internal tests, both ML and Deep Instinct's DL agents, as expected, easily detected almost all known malware. Strikingly, with unknown malware, Fisher reported that the DL agent maintained a more-than-98% detection rate with less than 0.013% false positive rate. In contrast, ML agents offered less than 62.5% detection rate with a 2.5-to-5% false positive rate.

The capabilities of both ML and DL systems are limited to the "training" provided to them. Deep Instinct's neural network in Tel Aviv is trained during the learning phase by exposure to 30 years' worth of malicious and legitimate files. While ML algorithms only look at 2.5% to 5% of raw file data, DL takes into account 100% of raw file data as well as non-linear correlations.

The resulting trained model can then be deployed on an on-premise or cloud-hosted appliance. A single appliance supports up to 80,000 devices. A thin sub-50MB agent is installed on each device.

The technology works by assessing any file that's introduced into the system at the binary level. "The agent does a binary assessment of the file, looking for relationships and commonalities for malware that's been seen before with the example files from the training phase," explained Justin Peters, senior director of Sales Engineering and Services at Deep Instinct. "You can't break it down to just a couple of characteristics. You can't go back and list out all of the individual features that led the trained model to arrive at the decision that it did because of the complexity of the algorithm."

The agent can be deployed on any endpoint - laptop, desktop, mobile phone, server, tablet - running Android, iOS or Windows. "We do static file analysis," Fisher added. "Before you even hop over to that file in your email, we've scanned it to determine if it's malicious and blocked it. It's already been removed from the system."

Real-time on-device protection means that the agent never has to communicate back to Deep Instinct's site, a console or central management point. "Once we deploy our agent on the device, it's protected, even if you don't have an update for a year," said Fisher.

Durable updates

Deep Instinct employs three threat researchers who continually look into the dark web for emerging threats and train its neural network to ensure that the prediction model still maintains a high level of accuracy. The D-Brain can easily recognize linear mutations of existing malware produced by automation tools as well as more sophisticated malware that may be produced by borrowing different components from previous threats, such as WannaCry.

"Where ML would drop off rapidly from day one, DL over the space of a year may only degrade about 1%," Fisher said. "So, the D-Brain that you have in January is just going to be as effective in December. Our threat researchers will keep testing the model against the most recent threats and if they determine it's come off by 1 or 2%, we may at that point release an update. In fact, the current D-Brain that we've pushed out is 14 months old.

"That means we're very good for air-gap networks, such as military, banking and financial services, that don't want to have that [frequent] update requirement."

"Once we predict a new file is malicious [after static file analysis], it's basically down to the policy that we set from the appliance," said Peters. "[We can] prevent it from running, quarantine it or remove it completely."

Deep Instinct has developed a malware classification model to help Security Operations Center and Incident Response teams understand the malware that has been prevented and evaluate the type of attack that could have been unleashed - even when the malware has not been encountered before. The classification model categorizes malware into seven types: ransomware, backdoor, dropper, virus, worm, spyware and potentially unwanted application.

All information about a threat is sent securely to the appliance. "What you get on the appliance is the event data, i.e. which file is detected, details of the environment like who the user is, where that device is, what type of device it is, which process [or vector] introduced the file," explained Peters. "You get a very quick assessment of the type of threat. Data can be shared with other systems in the enterprise, such as a SIEM or syslog type service being used to correlate and aggregate activity."

A sample of the detected malicious file can also be shared with the forensics team or perhaps other vendors to conduct behavioral analysis by running the file in a sandbox.

"The risk profile for using us is very low," said Fisher. "We can deploy alongside existing endpoint detection and response (EDR) solutions so organizations can implement advanced prevention rapidly rather than wait for current licenses to expire or taking on the overhead of a full rip-and-replace project."

Even so, Deep Instinct is well positioned to fully replace legacy EDR solutions, especially when modern operating systems are increasingly embedded with capabilities previously only available in an endpoint solution, such as encryption, patch management and exploit detection.

"Whether you go with the on-premise or the cloud appliance, it's exactly the same capability and scalability because we're not doing these regular updates and we don't rely on live lookups to help us make decisions," Peters added.

Ramping up

The two markets Deep Instinct is focusing on are North America and Asia Pacific, including Japan. The company has had some 60 people developing neural networks in Tel Aviv, Israel, over the last 3 years, building on work done by its co-founder and CTO, Dr Eli David, a leading expert in computational intelligence specializing in DL and evolutionary computation.

Fisher said that they had 2-3 early adopters and as many as 20 POCs underway in a wide range of countries in the military, government, banking, healthcare and financial sectors.

They began their operations in June last year and have established a regional APJ head office in Singapore. Since it is a two-tier channel business, they are recruiting distributors and making active efforts to on-board partners, system integrators, value added resellers and others. In the next few months, the company plans to hire 10 team members to work with its customers and with the channel across the region.

By harnessing deep learning, Deep Instinct plans to create a paradigm shift in endpoint security. We no longer need solutions that require constant updates and high domain expertise. Neural networks now offer highly predictive capabilities that can stop even unknown threats with minimal human intervention.

Source: HOB