Category Archives: machine learning

Avoiding a biometric dystopia

In part one of our two-part series, we explored how biometric authentication methods are being defeated. In the second part, we’ll explore how manipulating biometrics can alter society, and what can be done to avoid a biometric dystopia. Biometric authentication secures access to most consumer phones, many laptops and PCs, and even physical access to homes and offices. Many of the consequences of defeating biometric authentication are no different than those of defeating other forms …

The post Avoiding a biometric dystopia appeared first on Help Net Security.

Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection

While Windows Defender Antivirus makes catching 5 billion threats on devices every month look easy, multiple advanced detection and prevention technologies work under the hood to make this happen.

Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint security platform. Much like how Microsoft Defender ATP integrates multiple capabilities to address the complex security challenges in modern enterprises, Windows Defender Antivirus uses multiple engines to detect and stop a wide range of threats and attacker techniques at multiple points.

These next-generation protection engines provide industry-best detection and blocking capabilities. Many of these engines are built into the client and provide advanced protection against the majority of threats in real time. When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.

These next-generation protection engines ensure that protection is:

  • Accurate: Threats both common and sophisticated, a lot of which are designed to try and slip through protections, are detected and blocked
  • Real-time: Threats are prevented from getting on to devices, stopped in real-time at first sight, or detected and remediated in the least possible time (typically within a few milliseconds)
  • Intelligent: Through the power of the cloud, machine learning (ML), and Microsoft’s industry-leading optics, protection is enriched and made even more effective against new and unknown threats

My team continuously enhances each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent top scores in industry tests, but more importantly, translate to threats and malware outbreaks stopped and more customers protected.

Here’s a rundown of the many components of the next generation protection capabilities in Microsoft Defender ATP:

In the cloud:

  • Metadata-based ML engine – Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened monotonic models, analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.
  • Behavior-based ML engine – Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.
  • AMSI-paired ML engine – Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include dynamic content calls and/or behavior instrumentation on the scripting engines.
  • File classification ML engine – Multi-class, deep neural network classifiers examine full file contents, providing an additional layer of defense against attacks that require additional analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.
  • Detonation-based ML engine – Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.
  • Reputation ML engine – Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Office 365 ATP for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.
  • Smart rules engine – Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.

On the client:

  • ML engine – A set of light-weight machine learning models make a verdict within milliseconds. These include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more.
  • Behavior monitoring engine – The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.
  • Memory scanning engine – This engine scans the memory space used by a running process to expose malicious behavior that may be hiding through code obfuscation.
  • AMSI integration engine – Deep in-app integration engine enables detection of fileless and in-memory attacks through Antimalware Scan Interface (AMSI), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.
  • Heuristics engine – Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.
  • Emulation engine – The emulation engine dynamically unpacks malware and examines how it would behave at runtime. Dynamically emulating the content, and scanning both the behavior during emulation and the memory content at the end of emulation, defeats malware packers and exposes the behavior of polymorphic malware.
  • Network engine – Network activities are inspected to identify and stop malicious activities from threats.

Together with attack surface reduction—composed of advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall—these next-generation protection engines deliver Microsoft Defender ATP’s pre-breach capabilities, stopping attacks before they can infiltrate devices and compromise networks.

As part of Microsoft’s defense-in-depth solution, the superior performance of these engines accrues to the Microsoft Defender ATP unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities.

These protections are further amplified through Microsoft Threat Protection, Microsoft’s comprehensive, end-to-end security solution for the modern workplace. Through signal-sharing and orchestration of remediation across Microsoft’s security technologies, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.

The enormous evolution of Microsoft Defender ATP’s next generation protection follows the same upward trajectory of innovation across Microsoft’s security technologies, which the industry recognizes, and customers benefit from. We will continue to improve and lead the industry in evolving security.

 

Tanmay Ganacharya (@tanmayg)
Principal Director, Microsoft Defender ATP Research

The post Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection appeared first on Microsoft Security.

Harnessing Machine Learning and Automation against Advanced Threats

With the specter of advanced cybersecurity threats always on the horizon, enterprises are seriously considering harnessing the power of machine learning and automation to fight against these threats. For good reason too – a cybersecurity survey suggested that organizations with an extensive use of automation rated themselves as much more likely to prevent, detect, respond and contain a cyber attack.

These concepts are becoming increasingly important in today’s era of fast-growing cyber threats, but what do they mean exactly? Machine learning basically refers to computers learning from data instead of receiving explicit programming. Machine learning algorithms are fed huge datasets and parse through them to recognize patterns or correlations through extended data analysis.

The importance of machine learning

Machine learning is becoming a common feature in more and more industries, and cybersecurity has not lagged behind. An ABI Research report estimated that machine learning in cybersecurity will boost big data, intelligence and analytics spending to $96 billion by 2021. It is quite clear why there is such extended growth – machine learning allows businesses to offer a better response and bolster their own defenses when it comes to the big, bad world of cyber threats. Security companies are rejigging the solutions they offer in tune with this trend. They are moving from signature-based systems to layered solutions where machine learning systems interpret data to better detect malware.

Some of these advantages are:

Making Sense of Data – The amount of data that can be collected for cybersecurity is humongous. The sheer size and amount of data may be too much for humans alone to analyze, and this is where machine learning can step in. By analyzing and processing large amounts of data, it may be possible to find patterns or categories of certain behavior which can be used to fight advanced cybersecurity threats.

Using Automation for Better Protection – Different threats can have different attack points for an enterprise and even one threat may attack different touchpoints in different ways. This is where automation can do a much more effective job. By understanding the predicted behavior and touchpoints of a potential attack, automation can create better protection measures across touchpoints suited to exactly the type of predicted attack.

Using a Cluster-Based Approach for Better Detection – Quick Heal already uses machine learning to solve various cybersecurity problems using a cluster-based approach, illustrated in this whitepaper. Samples are clustered through machine learning, with each cluster containing samples similar to each other. These generated clusters are huge, and processing them happens through machine learning, where they are aggregated, analyzed and automated. The data is then labeled and processed to generate models. After scrutiny on numerous factors, including time, size and quality, the models are qualified for endpoint deployment.

Machine learning and automation will be great weapons in the fight against advanced cybersecurity threats, but they also need to be backed up with a combination of data science and human expertise.

The post Harnessing Machine Learning and Automation against Advanced Threats appeared first on Seqrite Blog.

What Defines a Machine Learning-Based Threat Intelligence Platform?

As technology continues to evolve, several trends are staying consistent. First, the volume of data is growing exponentially. Second, human analysts can’t hope to keep up—there just aren’t enough of them and they can’t work fast enough. Third, adversarial attacks that target data are also on the rise.

Given these trends, it’s not surprising that an increasing number of tech companies are building or implementing tools that promise automation and tout machine learning and/or artificial intelligence, particularly in the realm of cybersecurity. In this day and age, stopping threats effectively is nearly impossible without some next-generation method of harnessing processing power to bear the burden of analysis. That’s where the concept of a cybersecurity platform built on threat intelligence comes in.

What is a platform?

When you bring together a number of elements in a way that makes the whole greater or more powerful than the sum of its parts, you have the beginnings of a platform. Think of it as an architectural basis for building something greater on top. If built properly, a good platform can support new elements that were never part of the original plan.

With so many layers continually building on top of and alongside one another, you can imagine that a platform needs to be incredibly solid and strong. It has to be able to sustain and reinforce itself so it can support each new piece that is built onto or out of it. Let’s go over some of the traits that a well-architected threat intelligence platform needs.

Scale and scalability

A strong platform needs to be able to scale to meet demand for future growth of users, products, and functionality. Its size and processing power need to be proportional to the usage needs. If a platform starts out too big too soon, then it’s too expensive to maintain. But if it’s not big enough, then it won’t be able to handle the burden its users impose. That, in turn, will affect the speed, performance, service availability, and overall user experience relating to the platform.

You also need to consider that usage fluctuates, not just over the years, but over different times of day. The platform needs to be robust enough to load balance accordingly, as users come online, go offline, increase and decrease demand, etc.

Modularity can’t be forgotten, either. When you encounter a new type of threat, or just want to add new functionality, you need to be able to plug that new capability into the platform without disrupting existing services. You don’t want to have to worry about rebuilding the whole thing each time you want to add or change a feature. The platform has to be structured in such a way that it will be able to support functionality you haven’t even thought of yet.

Sensing and connection

A threat intelligence platform is really only as good as its data sources. To accurately detect and even predict new security threats, a platform should be able to take data from a variety of sensors and products, then process it through machine learning analysis and threat intelligence engines.

Some of the more traditional sensors are passive, or “honeypots” (i.e., devices that appear open to attack, which collect and return threat telemetry when compromised). Unfortunately, attack methods are now so sophisticated that some can detect the difference between a honeypot and a real-world endpoint, and can adjust their behavior accordingly so as not to expose their methods to threat researchers. For accurate, actionable threat intelligence, the platform needs to gather real-world data from real-world endpoints in the wild.

One of the ways we, in particular, ensure the quality of the data in the Webroot® Platform, is by using each deployment of a Webroot product or service—across our home user, business, and security and network vendor bases—to feed threat telemetry back into the platform for analysis. That means each time a Webroot application is installed on some type of endpoint, or a threat intelligence partner integrates one of our services into a network or security solution, our platform gets stronger and smarter.

Context and analysis

One of the most important features a threat intelligence platform needs is largely invisible to end users: contextual analysis. A strong platform should have the capacity to analyze the relationships between numerous types of internet objects, such as files, apps, URLs, IPs, etc., and determine the level of risk they pose.

It’s no longer enough to determine if a given file is malicious or not. A sort of binary good/bad determination really only gives us a linear view. For example, if a bad file came from an otherwise benign domain that was hijacked temporarily, should we now consider that domain bad? What about all the URLs associated with it, and all the files they host?

For a more accurate picture, we need nuance. We must consider where the bad file came from, which websites or domains it’s associated with and for how long, which other files or applications it might be connected to, etc. It’s these connections that give us a three-dimensional picture of the threat landscape, and that’s what begins to enable predictive protection.

The Bottom Line

When faced with today’s cyberattacks, consumers and organizations alike need cybersecurity solutions that leverage accurate threat telemetry and real-time data from real endpoints and sensors. They need threat intelligence that is continually re-analyzed for the greatest accuracy, by machine learning models that are trained and retrained, which can process data millions of times faster than human analysts, and with the scalability to handle new threats as they emerge. The only way to achieve that is with a comprehensive, integrated machine-learning based platform.

The post What Defines a Machine Learning-Based Threat Intelligence Platform? appeared first on Webroot Blog.