
It seems that more and more Anti-Virus and other security-related business solutions are adding the 'AI' and 'machine learning' buzzwords to their marketing repertoire. However, the only 'AI' I ever saw working was the RITA project, which is available for free.

I was wondering if there really are useful applications of machine learning that can help detect an intrusion on a network, because it seems that currently most detection engines are still based on a blacklist of IOCs (Indicators of Compromise). If there are popular ways of using AI & machine learning right now, could someone give an example of the detection process?

PositriesElectron
  • UBA is the typical application, as is netflow analysis – schroeder Jun 12 '17 at 14:29
  • Have you run a search for "machine learning network intrusion"? There are a ton of high quality hits - each one of my first page Google results could answer your question – schroeder Jun 12 '17 at 14:30

1 Answer

Some antivirus products use machine learning (ML) to train their software to classify malware. They can use either supervised or unsupervised ML methods. The malware detection software can be "trained" to recognize heuristics and behavior of malware by observing known malware running in a sandbox (dynamic analysis), or static analysis can be performed by looking at source code, information flow graphs, function calls, and the like. When the observation, training, and classification are done by software without the intervention of humans, it is often said that it uses AI or ML. Modern methods like this are generally more effective and adaptable than the old method of comparing signatures, but are also more resource-hungry. A hybrid method is often used where AI and ML techniques are applied to classify malware on dedicated hardware/software platforms and then the definitions/signatures are updated and pushed out to end users via updates.

GroundRat
  • I'm not sure if I really understand this. So essentially, instead of getting a database of signatures to scan for, the machine learning engine of the appliance would create its own list of signatures after sitting in the network for a while? – PositriesElectron Jun 13 '17 at 18:23
  • Oftentimes, it can do both. – GroundRat Jun 13 '17 at 18:43
  • To clarify though, I'm speaking specifically about antivirus. IDS are a little more difficult due to the varied and unpredictable nature of network traffic. It is often better to have a good idea of what malicious network traffic looks like and create Snort rules to counter it. It's also important to mention defense in depth/layered defense here. There is no IDS, IPS, antivirus, firewall, or other device that can catch everything even with advanced methods like ML and AI. – GroundRat Jun 13 '17 at 18:55
  • So at the core of it all is a combination of provided Signatures as well as a 'confidence based' algorithm? – PositriesElectron Jun 13 '17 at 19:01
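As an added illustration of the process the answer describes (supervised training on sandbox behaviour, a confidence-scored verdict, and the hybrid step where confident lab verdicts become signatures pushed to endpoints), here is a toy classifier written for this page; it is not the answer author's code or any product's engine, and the behaviour names, training sets and naive Bayes model are all constructed assumptions.

```python
"""Toy supervised malware classifier over constructed sandbox behaviour reports."""
import hashlib
import math
from collections import Counter

# Constructed training data (not real telemetry): label -> observed behaviour sets
TRAINING = {
    "malware": [
        {"create_remote_thread", "write_process_memory", "connect_c2", "registry_run_key"},
        {"registry_run_key", "encrypt_files", "delete_shadow_copies", "connect_c2"},
        {"write_process_memory", "create_remote_thread", "disable_av", "connect_c2"},
    ],
    "benign": [
        {"read_config", "open_window", "connect_update_server"},
        {"read_config", "write_document", "print_spool"},
        {"open_window", "write_document", "connect_update_server", "read_config"},
    ],
}

def train(data):
    """Per-class behaviour counts, vocabulary and class priors (Laplace-smoothed NB)."""
    counts = {label: Counter(b for s in samples for b in s) for label, samples in data.items()}
    vocab = {b for c in counts.values() for b in c}
    n_total = sum(len(s) for s in data.values())
    priors = {label: len(samples) / n_total for label, samples in data.items()}
    return counts, vocab, priors

def classify(model, behaviours):
    """Return (label, confidence) for a behaviour set observed in the sandbox."""
    counts, vocab, priors = model
    logp = {}
    for label, c in counts.items():
        denom = sum(c.values()) + len(vocab)  # +1 smoothing handles unseen behaviours
        logp[label] = math.log(priors[label]) + sum(math.log((c[b] + 1) / denom) for b in behaviours)
    best = max(logp, key=logp.get)
    # Normalise the class log-probabilities into a posterior for the winning class
    confidence = 1 / sum(math.exp(v - logp[best]) for v in logp.values())
    return best, confidence

def make_signature(sample_bytes, verdict, threshold=0.9):
    """Hybrid step: only high-confidence malware verdicts become a pushed hash signature."""
    label, confidence = verdict
    if label == "malware" and confidence >= threshold:
        return hashlib.sha256(sample_bytes).hexdigest()
    return None  # low confidence: leave for analyst review, do not ship a signature

if __name__ == "__main__":
    model = train(TRAINING)
    verdict = classify(model, {"connect_c2", "registry_run_key", "encrypt_files"})
    print(verdict, make_signature(b"constructed sample bytes", verdict))
```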