Over the last few years, the battle between IT and cybercriminals heated up. The attackers, stepping up their game to find new and innovative ways to successfully infect endpoints, began to use tactics such as always-changing code, altering command-and-control server locations and evasive methods to avoid detection. As a result, the legacy method of signature-based detection is all but dead. The organization's expectation is always that its endpoint protection software will identify and block previously unseen malware, including new variants designed to evade detection. This means security vendors must find new ways to detect attacks.
So we've evolved from signature-based detection to heuristics-based, which changes detection from exact malware code matches to anything reasonably similar in nature. But because malware coders have access to every endpoint protection product, they have the advantage: They can test out their latest code against the good guys' defenses. And so, malware has been able to evolve so that its behavior can be made to look different each time -- thereby fooling most heuristics checks.
Now, we've got attacks designed to look unique arriving at such a rate that the old method of detection -- hundreds of people in a lab deciphering what is an instance of malware -- just won't cut it.
Enter AI and specifically machine learning in network security.
How machine learning in network security works
Both terms -- artificial intelligence and machine learning -- sound a bit like "marketecture" buzzwords used to get your attention and gain your confidence. But as they've been applied to endpoint protection in just the last few years, they've augmented the value of the products that employ them.
Let's look at what machine learning is and how it's used within the context of endpoint security. Machine learning is a subset of artificial intelligence designed to allow the computer to answer questions on its own without human intervention. In the case of machine learning in endpoint security, the question it answers is simple: Is this malicious?
Before the application of machine learning to network security, humans needed to define what to look for, what relationships should be categorized as bad, how to analyze the data, and what data to use in the first place -- keeping in mind that these definitions changed daily. With machine learning in network security, the local computer can analyze much larger data sets more quickly than humans, extrapolating relevant data, behaviors, attributes, attack methods and more while teaching itself what is benign or malicious.
Specific machine learning execution in endpoint security revolves around analyzing two elements:
- Artifacts: Tangible objects used as part of an attack. An attachment within a phishing email or a downloaded payload file are perfect examples.
- Behaviors: Common actions taken in an attack. While malware is designed today to never look the same twice, there are common actions whose endgame is to infect a particular OS. Since there are only so many ways for an OS to become infected, behaviors repeat. The common actions to be analyzed include contacting a command-and-control server, downloading payloads, saving files in a specific directory and attempting to execute.
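To make the artifact/behavior idea concrete, here is a small added example (it is not code from the article or from any endpoint protection vendor). It maps constructed endpoint events onto the behaviors listed above (contacting a command-and-control server, downloading a payload, saving a file in an autostart directory, executing the downloaded file) plus one artifact feature (the process came from an email attachment), then learns P(malicious | behaviors) from a constructed labeled set with a Bernoulli naive Bayes model. The feature names, event schema and training samples are all assumptions made for illustration; a real product would train on far larger telemetry and richer features.

```python
"""Toy behavior-based endpoint classifier: naive Bayes over observed actions."""
from collections import Counter
from math import exp, log

# Feature vocabulary (assumed names): the behaviors the article calls out,
# plus one artifact-level feature.
FEATURES = [
    "contacts_c2",            # outbound connection to a host flagged as C2
    "downloads_payload",      # fetches a second-stage file
    "writes_autostart_dir",   # saves a file under an autostart/persistence directory
    "executes_downloaded",    # runs the file it just downloaded
    "attachment_origin",      # artifact: process spawned by a mail client (attachment)
]
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed training data (not real telemetry): observed behavior set, label.
TRAINING = [
    ({"contacts_c2", "downloads_payload", "writes_autostart_dir", "executes_downloaded"}, 1),
    ({"downloads_payload", "executes_downloaded", "attachment_origin"}, 1),
    ({"contacts_c2", "writes_autostart_dir", "attachment_origin"}, 1),
    ({"contacts_c2", "downloads_payload", "executes_downloaded"}, 1),
    ({"downloads_payload"}, 0),                       # browser download, never run
    ({"writes_autostart_dir"}, 0),                    # legitimate installer
    (set(), 0),                                       # ordinary app, nothing notable
    ({"downloads_payload", "attachment_origin"}, 0),  # user saved an attachment
]


def train(samples):
    """Estimate P(label) and P(feature | label) with add-one (Laplace) smoothing."""
    label_counts = Counter(label for _, label in samples)
    feat_counts = {0: Counter(), 1: Counter()}
    for feats, label in samples:
        feat_counts[label].update(feats)
    model = {"prior": {}, "cond": {0: {}, 1: {}}}
    for label in (0, 1):
        n = label_counts[label]
        model["prior"][label] = n / len(samples)
        for f in FEATURES:
            # Smoothing: an unseen feature must never drive a class to zero.
            model["cond"][label][f] = (feat_counts[label][f] + 1) / (n + 2)
    return model


def score(model, feats):
    """Return P(malicious | observed behavior set) for one process."""
    logp = {}
    for label in (0, 1):
        lp = log(model["prior"][label])
        for f in FEATURES:
            p = model["cond"][label][f]
            lp += log(p) if f in feats else log(1 - p)
        logp[label] = lp
    m = max(logp.values())  # subtract the max before exp() for numerical stability
    z = sum(exp(v - m) for v in logp.values())
    return exp(logp[1] - m) / z


def extract_features(events):
    """Map raw (constructed) endpoint events to the feature vocabulary."""
    feats, downloaded = set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_start" and ev.get("parent") in MAIL_CLIENTS:
            feats.add("attachment_origin")
        elif kind == "net_connect" and ev.get("reputation") == "c2":
            feats.add("contacts_c2")
        elif kind == "file_download":
            feats.add("downloads_payload")
            downloaded.add(ev["path"].lower())
        elif kind == "file_write" and ev.get("autostart"):
            feats.add("writes_autostart_dir")
        elif kind == "process_exec" and ev["path"].lower() in downloaded:
            feats.add("executes_downloaded")
    return feats


MODEL = train(TRAINING)


def classify(events, model=MODEL):
    """End-to-end: raw events -> behaviors -> probability of being malicious."""
    return score(model, extract_features(events))


# Constructed event streams for two processes (203.0.113.7 is a documentation IP).
SUSPICIOUS_EVENTS = [
    {"type": "process_start", "parent": "outlook.exe"},
    {"type": "net_connect", "dst": "203.0.113.7", "reputation": "c2"},
    {"type": "file_download", "path": r"C:\Users\x\AppData\Local\Temp\upd.exe"},
    {"type": "file_write", "path": r"C:\Users\x\...\Startup\upd.lnk", "autostart": True},
    {"type": "process_exec", "path": r"C:\Users\x\AppData\Local\Temp\upd.exe"},
]
BENIGN_EVENTS = [
    {"type": "process_start", "parent": "explorer.exe"},
    {"type": "file_download", "path": r"C:\Users\x\Downloads\report.pdf"},
]

if __name__ == "__main__":
    print("suspicious:", round(classify(SUSPICIOUS_EVENTS), 3))
    print("benign:    ", round(classify(BENIGN_EVENTS), 3))
```

The point of the example is the division of labor the article describes: a human still defines the feature vocabulary (what an event stream is reduced to), but the weights that decide how much each behavior matters come from labeled data rather than hand-written rules, so adding new labeled samples updates the decision without anyone rewriting a signature. Note that a single download alone scores low because the training data shows downloads in benign contexts too; it is the combination of behaviors that pushes the probability up.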
Machine learning in network security: Powerful protection
The goal of machine learning in endpoint security is to empower the endpoint itself to identify every attack with as little assistance as possible. While it's not perfect, the idea of having intelligent protection not just watching but learning to ensure the security of your environment should help you sleep just a little better at night.