Dubai: Growing competence in the area of big data and analytics promises to transform the cybersecurity solution space, said an industry expert.
Harish Chib, vice-president for Middle East and Africa at Sophos, said that while threat actors keep changing their modus operandi and tools for the attack, many modes of operation continue to be carried forward. This consistency in behaviour allows analytical solutions to detect malicious attempts to penetrate a network or an end point.
“Analytical tools, usually in the realm of artificial intelligence and machine-learning, take into consideration user profiles, user behaviour and business normality to establish thresholds for normal and abnormal behaviour, when compared to traditional tools that use predefined signature patterns and scenarios of past attacks to detect and block incoming malicious behaviour,” he said.
While using big data to drive results in the cybersecurity solution space, the primary requirements are data sources, storage environment, analytical engine and presentation.
Big data analytics inspects, cleans, transforms and models large data sets for the purpose of discovering information, suggesting conclusions and sustaining decision-making process.
He said that machine learning and artificial intelligence (AI) are the latest tools being applied to big data analytics. These include the decision-tree approach, in use since the nineties, and deep neural networks (the brain of AI), also known as deep learning.
Most security vendors have built their solutions on decision-tree algorithms to detect cybersecurity threats. These are well-understood techniques developed in the 1990s, are relatively easy to use and manage, and provide adequate results.
What is a decision-tree?
A decision-tree typically plays a game of 20 questions to identify and detect malware. A decision-tree is a flowchart-like structure in which each node represents a test on an attribute, each branch represents the outcome of the test, and each leaf node represents a decision taken after computing all attributes.
The paths from the root to a leaf represent classification rules. The limitation of the decision-tree approach is that the algorithm needs to be manually set up and therefore has inbuilt human limitations.
He said that deep-learning networks allow findings and results to be generated from data without explicit programming. In contrast to the decision-tree approach, deep-learning automates the process. It automatically identifies optimal features using learning methods inspired by the brain.
Activation functions
For this reason, he said that deep-learning networks are overtaking conventional machine-learning across the cybersecurity solution landscape. A deep-learning network consists of simple elements called neurons that receive input, change their internal state based on the input, and produce output determined by the nature of the input and their process of activation.
“The network is formed when this output further becomes the input for selected neurons, which further change their internal state based on predefined weightage and activation functions. The weightage and the functionality of activation can be controlled by an algorithm called the learning rule,” he said.
When deep-learning is applied to the use case of false positives and detection of malicious web links in cybersecurity, he said that deep-learning produces a much higher detection range, fewer false positives, and a smaller footprint on end-points compared to other solutions. A comparison between the efficiencies of deep-learning and machine-learning can be made by taking an X and Y plot of false positives and detection rates. The false positive rate is the percentage of non-malicious links that are classified as malicious at a particular sensitivity.
Similarly, he said the detection rate is the percentage of malicious web links that are correctly classified as malicious at a particular sensitivity.
By setting a false positive rate of one per million non-malicious web links, deep-learning can achieve a detection rate of 72 per cent for new malicious web links that do not appear on previously announced threat lists.
The conventional decision-tree approach can also achieve a similar detection rate, but only by increasing its false positive rate from one per million non-malicious web links to one per thousand non-malicious web links. That is a 1,000-fold increase in false positives.
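The comparison described above is a reading of two points on a ROC plot: the detection rate each classifier reaches at a fixed false positive budget, and the false positive rate each must accept to reach a fixed detection rate. The following is an added example (not code from the article or from Sophos) that does both readings over constructed classifier scores; the "deep" and "tree" score lists are hypothetical and exist only to show the mechanics.

```python
"""Comparing two URL classifiers at a fixed false-positive budget.

Added example, not code from the article or from Sophos. It reads the
detection rate off a classifier's score distribution at a chosen false
positive rate, and the FPR a classifier must accept to reach a chosen
detection rate. All scores are constructed; "deep" and "tree" are labels only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float            # a URL is flagged malicious when score >= threshold
    false_positive_rate: float  # share of benign URLs flagged
    detection_rate: float       # share of malicious URLs flagged


def flagged_fraction(scores, threshold):
    """Share of samples flagged at this sensitivity."""
    return sum(1 for s in scores if s >= threshold) / len(scores)


def roc_points(benign, malicious):
    """One operating point per distinct score, strictest threshold first."""
    thresholds = sorted(set(benign) | set(malicious), reverse=True)
    return [OperatingPoint(t, flagged_fraction(benign, t), flagged_fraction(malicious, t))
            for t in thresholds]


def detection_at_fpr(benign, malicious, max_fpr):
    """Most sensitive point whose false positive rate stays within the budget."""
    best = OperatingPoint(float("inf"), 0.0, 0.0)  # strictest setting: flag nothing
    for p in roc_points(benign, malicious):
        if p.false_positive_rate > max_fpr:
            break                                   # thresholds descend, so FPR only grows
        best = p
    return best


def fpr_for_detection(benign, malicious, min_tpr):
    """Strictest point that reaches the required detection rate, or None if unreachable."""
    return next((p for p in roc_points(benign, malicious)
                 if p.detection_rate >= min_tpr), None)


# Constructed scores: one benign set, and malicious scores from two hypothetical models.
BENIGN = [0.01, 0.05, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.95]
DEEP_MALICIOUS = [0.35, 0.5, 0.55, 0.65, 0.75, 0.8, 0.85, 0.9, 0.97, 0.99]
TREE_MALICIOUS = [0.2, 0.3, 0.45, 0.5, 0.55, 0.65, 0.75, 0.8, 0.9, 0.96]

if __name__ == "__main__":
    for name, mal in (("deep", DEEP_MALICIOUS), ("tree", TREE_MALICIOUS)):
        at_budget = detection_at_fpr(BENIGN, mal, max_fpr=0.1)
        needed = fpr_for_detection(BENIGN, mal, min_tpr=0.6)
        print(f"{name}: detection {at_budget.detection_rate:.0%} at FPR 10%; "
              f"FPR {needed.false_positive_rate:.0%} needed for 60% detection")
```

On the constructed data the "deep" scores reach 60% detection within a 10% false positive budget while the "tree" scores need 30% to reach the same detection, the shape of trade-off the article describes at far smaller rates.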
Storage footprint
Other than the significantly different rates of successful detection of malicious web links, he said the performance requirements of deep-learning and decision-tree solutions on end-points also show a similar divergence. A deep-learning solution can be set up on a low-resource endpoint with a storage footprint of only 10MB.
On the other hand, he said that a solution based on a decision-tree approach may not be functional on a commodity endpoint and may require significantly higher storage capacity.
“The scan times for decision-tree approach solutions differ from deep-learning by a factor of 10X, in other words are ten times slower. This can be a huge performance limitation, especially while scanning millions of web links and other executable files per session,” Chib said.
Moreover, he said cybersecurity vendors investing in deep-learning to enhance their solutions are likely to make significant gains for a number of reasons including the fact that development in artificial intelligence is being built on deep-learning.
However, as a word of caution to customers looking to invest in deep-learning based security solutions, “we recommend that they analyse the real deep-learning approach on the basis of three parameters — attributes, scale and size,” he said.