Sophos' Greg Iddon peels back the layers of jargon surrounding the machine learning field and explains how the security industry is supplementing reactive, human-based malware research with predictive machine learning models to defend against the relentless onslaught of malware.
3. The Threat Landscape Has Shifted
3
Exploits
Most organizations have
no exploit prevention^
83% agree it has become more
difficult to stop threats ^
Advanced Threats
Ransomware
54% of organizations hit
twice on average in 2017^
^Source: The State of Endpoint Security Today SurveySource: SophosLabs
26%
20%
20%
12%
12%
8%
Advanced
Malware
Ransomware
Email
Malware
Web
Malware
Generic
Malware
Cryptocurrency
4. Vulnerabilities Waiting to Be Exploited
4
Software Vulnerabilities Reported by Year
Source information NIST National Vulnerability Database as of 6th January 2018
https://nvd.nist.gov/vuln/search/statistics.
4,639
4,150
5,288 5,187
7,937
6,487 6,447
14,643
5,456
2010 2011 2012 2013 2014 2015 2016 2017 2018
16,368
5. 75%
75% of the malicious files
SophosLabs detects are found
only within a single
organization.
400,000
SophosLabs receives and processes
400,000 previously unseen malware
samples each day.
The Age of Single-Use / Unseen Malware
19. Machine Learning vs Signatures
19
• Machine learning’s
job is to place the
blue line in the best
place possible
• Human analysts do
the same thing: (e.g.
defining that if file
size > 2000000 and
compression level >
0.5, it’s malware)
0
0.2
0.4
0.6
0.8
1
1.2
0 500000 1000000 1500000 2000000 2500000 3000000
CompressionLevel
File Size
?
20. Overfitting
20
• Limited data when
training a model can
result in overfitting
• False Positives are
hard to avoid with
generic machine
learning algorithms
0
0.2
0.4
0.6
0.8
1
1.2
0 500000 1000000 1500000 2000000 2500000 3000000
CompressionLevel
File Size
21. Overfitting
21
• Limited data when
training a model can
result in overfitting
• False Positives are
hard to avoid with
generic machine
learning algorithms
0
0.2
0.4
0.6
0.8
1
1.2
0 500000 1000000 1500000 2000000 2500000 3000000
CompressionLevel
File Size
22. Adding dimensions: A classifier in three dimensions
File size
• The blue plane is the
machine learning model,
defined by a simple
equation
• Humans can still write a
rule that expresses the
same basic idea: (e.g. if file
size > 2000000 and
compression level > 0.5
and number of strings >
1000, it’s malware)
26. Deep Neural Networks are the top performing
classifiers, highlighting the added value of Deep
Neural Networks over other more conventional
methods. Moreover, [Deep Neural Networks]
performed significantly better at almost one
standard deviation higher than the mean
performance.
26
Beyond the hype: deep neural networks
outperform established methods using a
ChEMBL bioactivity benchmark set
Eelke B. Lenselink, Niels ten Dijke, Brandon Bongers, George
Papadatos, Herman W. T. van Vlijmen, Wojtek Kowalczyk,
Adriaan P. IJzerman and Gerard J. P. van Westen
27. Machine Learning vs. Deep LearningDEEPLEARNING
Interconnected Layers of Neurons, Each
Identifying More Complex Features
INPUT OUTPUT
OUTPUT
MACHINELEARNING
Decision Tree
INPUT
Random Forest
OUTPUTINPUT
28. Deep Learning Neural Network
Faster
o DL detections in 20-100 milliseconds per file
o Traditional ML 100-500 milliseconds per file
Smaller
o Deep learning models are about 10-20 MB
o Traditional ML models can get huge
500 MB-10 GB
Smarter
o Deep learning provides proven higher
detection rates that improve with more
data
o Traditional ML has lower detection rates
and diminishing returns with more data
33. Unprecedented Synergies of Man and Machine
LABS: Source 100s of millions of
samples for the best possible
predictions
LABS: Use established Labs
systems and processes to ensure
labeling precision
DATA SCIENCE: Create the most
efficient algorithms for solving
hard cybersecurity problems
DATA SCIENCE + LABS:
Continuously incorporate
feedback to improve system
accuracy and predictive power
Only Sophos has this
critical combination
of Labs Research and
Data Science
For the first time ever, we can memorize
the entire observable threat universe.