Introduction to Machine Learning (ML) for Cybersecurity

“The moment ransomware encrypts files and locks victims out of their data, it starts to cause financial damage and business disruption. Catching it at ‘time zero’ is critical”

Source: cyberdefensemagazine

ime to a breach.  Time to detect.  Time to react.  What’s your exposure time?  Gary Miliefsky, the Publisher of this magazine, recently spoke as our Keynote Speaker at a Trend Micro partners conference.  His theme was using Time-based Security to measure risk and begin to better understand how to stop breaches.  I believe the key to stop damages in cyber crime and breaches is ‘time zero’.  The ability to detect and respond to a cyber attack, faster than ever before, has become critical in our battle against the next breach.  Would you believe we’ve been doing A.I. and Machine Learning at Trend Micro for more than 10 years now, with patents to prove it?  So….

Enter Machine Learning (ML).

Machine Learning (ML) appears to have suddenly emerged in security, and almost as quickly it has assumed the mantle of a new “next-generation” tool to tackle cybercrime. In fact, the story is a little more nuanced than that.

“The moment ransomware encrypts files and locks victims out of their data, it starts to cause financial damage and business disruption. Catching it at ‘time zero’ is critical”

Some well-established security companies, including Trend Micro, have worked with machine learning for more than a decade. Until recently, they tended not to discuss this work openly, mainly because of understandable concerns that the technology, applied on its own, flagged too many false positives.

More recently, two things have happened, and I believe they are correlated. One is the rise of ransomware like CryptoLocker around 2014. The other is the emergence of next-generation security vendors who promote machine learning as the “new” control companies must have in order to tackle advanced threats. Many organisations working with established security companies will, in fact, have been applying machine learning in their solutions for many years.

Ransomware changed the game because it made timing a critical part of malware detection. Other types of malware might try to steal intellectual property or start a spambot. Catching them an hour or so after first infection — having vastly minimised the chance of false positives first — may have been an acceptable trade-off. With ransomware, however, there is no room for manoeuvre. The moment it encrypts files and locks victims out of their data, it starts to cause financial damage and business disruption. Catching it at ‘time zero’ is critical.

Around the same time as ransomware started becoming prominent, ‘next-generation’ vendors began actively promoting machine learning in their endpoint security products. It makes sense to harness artificial systems to recognise malware in a climate where threats are multiplying faster than ever. But getting this right, and minimising false positive errors in the process, is not trivial.

The fact is, machine learning is ideal for tackling those critical ‘time zero’ issues like ransomware, but it still leaves the possibility of false positives. Machine learning is best used after other security methods have been applied — and further meta data about the context of the file has been collected. Machine learning is excellent for processing files where the context suggests that they are more suspicious such as those files that arrive via email, downloads or infected USB sticks. Other security layers, a dynamic whitelist and context can be used to make sure that the machine learning is given minimal opportunity to mistakenly flag good files as false positives.

The volume of good and bad files to scan is increasing exponentially. Clearly, we need to augment our current systems of detection to cope with this level of activity. Historically, malware detection has looked in the rear-view mirror. The industry needed a virus sample before it could develop an antidote. But many malware samples we get today are unique. For example, a new instance of the Cerber ransomware is created every 15 seconds. It tells us how profitable ransomware must be, that cybercriminals think this is worth the effort. The thing is, we have seen a similar effect at work with benevolent software too. The growth of DevOps and the cloud model means that new versions of legitimate software such as Google or Dropbox updates appear on an almost hourly basis. More…


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: