A machine learning based search and discovery approach is well suited to addressing threats in cyberspace. Machine learning can be used to build software classifiers that distinguish malware from benign software and to search massive volumes of network traffic.
As in other fields, the classifiers are based on a complex combination of features. A high-speed appliance inspects network traffic, and human analysts are then tipped to inspect the high-probability events of interest. This approach has distinct advantages over signature- and sandbox-based approaches. First, it scales to very high volumes of traffic while inspecting everything; no pre-filter or other form of upstream thinning is required, which widens the field of view and removes the blind spots that thinning creates. Second, the classifiers are resilient to evolving malware and tactics: unlike signatures or behavioral rules, they can discover threats even after the malware has changed.
Because classifiers model both the benign and the malicious aspects of software, they provide a fundamentally different approach, one that increases both the probability of detection and accuracy.
By getting ahead of the threat, defenders can reduce the number of successful attacks and the millions of dollars spent chasing and remediating a breach. One additional benefit of machine learning is the opportunity to develop many equally effective detection models. These models can be derived from samples available only to one user, creating a unique defense for every user. Finally, malware authors can be denied their long-standing information advantage, and defenders can look forward to a fairer fight.