
What are the misunderstandings of machine learning in network security

2025-01-18 update. From: SLTechnology News&Howtos (Internet Technology)

Shulou (Shulou.com) 05/31 report

This article introduces the common misunderstandings about machine learning in network security. The editor walks through each one with a practical example, and I hope it helps you understand where machine learning fits in network security and where it does not.

Misunderstanding 1: machine learning in network security is a new thing.

For some reason, artificial intelligence in network security has recently become a popular topic. If you have not followed the subject for long, you may think it is something new.

Some background: the first machine learning algorithm, the artificial neural network, was invented in the 1950s.

Interestingly, at the time it was thought that this algorithm would soon lead to the emergence of "strong" artificial intelligence.

That is, an artificial intelligence capable of independent thought, able to solve tasks it was never explicitly programmed for.

Instead came the era of "weak" artificial intelligence, which can solve certain creative tasks such as recognizing pictures, predicting the weather, playing chess and so on.

Sixty years on, we have a clearer understanding of some basic facts: real artificial intelligence may still be yet to emerge, and what we call artificial intelligence today is more accurately described as machine learning.

When it comes to the field of network security, machine learning is nothing new. Such algorithms were proposed about a decade ago, when the number of new malware doubled every two years.

But simple automation was not enough for virus analysts; a qualitative leap was required.

That leap came in the handling of virus family samples, where machine learning can be used to search for files similar to samples that have already been identified.

In the end, a human still judged whether a file was malicious, but that work was quickly transferred to the machine.

In other words, machine learning is nothing new in the cyber security industry.

Misunderstanding 2: machine learning in network security is simple and straightforward; everything is ready-made.

In some areas it is true that ready-made machine learning algorithms have existed for a long time. These areas include facial recognition, emotion recognition, and distinguishing cats from dogs.

In such cases, someone has usually done a great deal of thinking, worked out what needs to be identified, selected the appropriate mathematical tools, set up the necessary computing resources, and then published the results.

Now, everyone who does this work can take advantage of these algorithms.

This leads to the wrong impression that an algorithm to detect malware already exists.

In fact, this is not the case. We spent more than a decade developing this technology at Kaspersky Lab and applied for many patents.

That ongoing research, and the need to keep coming up with new ideas, also relates to the next misunderstanding.

Misunderstanding 3: machine learning only needs to be done once.

The conceptual difference between malware detection and face recognition is that the face is always the face, and there will never be any change in this respect.

In most areas where machine learning is used, the purpose does not change over time, but in the area of malware detection, things are changing constantly and rapidly.

Cyber criminals are usually highly motivated people, whether by money, espionage, terrorism and so on.

Their intelligence is not limited by manpower, and they actively and deliberately modify malicious programs to evade detection by existing mature models.

This is why these models must be constantly retrained, revised, and sometimes discarded altogether. Obviously, in the face of rapidly changing malware, a security solution based on a model alone, with no anti-virus database behind it, is worthless.

Whenever necessary, cyber criminals can respond with creative thinking.

Misunderstanding 4: you can let security software learn on the client side.

For example, suppose the security software processes files on the client: the vast majority are clean and only a few are malicious.

The malicious ones can mutate, but surely the model you design can learn to deal with that.

However, this is not the case, because the average number of malicious samples that pass through a single client is far smaller than the number collected by an anti-virus lab.

Since it collects too few samples to learn from, the client loses the ability to cope.

Detection of the virus author's "creativity" is then bound to fail: the model recognizes the malware as a clean file and learns something "wrong".

Misunderstanding 5: it is enough to develop a single model based on machine learning.

Why use multi-level protection based on different technologies? If that basket is so smart and advanced, why not put all the eggs in the same basket?

Surely such an algorithm can solve all the problems.

The problem is that most malware within the same family consists of modifications of one malicious program.

Trojan-Ransom.Win32.Shade, for example, is a family with more than 30,000 malicious samples.

A model can acquire the ability to detect future threats by training on a large number of samples (to a certain extent; see Misunderstanding 3).

In these cases, machine learning works well.

However, it is common for a family to include only a few samples, or even one sample.

Perhaps this is because the author does not want his malicious program to get into a long struggle with security software once its malicious behavior has been detected.

Instead, he chooses to attack people who have not installed security software or whose software has no behavioral detection (that is, those who have put all their eggs in one basket).

These many "small families" with only one or two samples cannot be handled by the traditional machine learning approach of "train, then generalize".

In such cases, tried-and-tested hashes and masks may be better at detecting the threat.

Another example is targeted attacks. The people behind these attacks do not intend to create more and more new samples; each victim gets only one sample. You can be fairly sure that this sample will not be detected by an ordinary protection scheme (unless it is a platform developed for this purpose, such as Kaspersky's anti-attack platform), and once again hash-based detection wins.
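To make the multi-level point concrete, here is an added example (not from the original article and not Kaspersky's code) in which three layers run in order: an exact SHA-256 match, a byte mask with wildcards, and a crude similarity "model" that uses Jaccard similarity over byte trigrams as a stand-in for a real classifier. All file contents, the family, the singleton, the mask and the 0.6 threshold are constructed for the demo.

```python
import hashlib

# Constructed stand-ins for files (not real malware): a "large family" of
# near-identical variants and a one-off sample that has only ever been seen once.
FAMILY = [b"FAM-core-v1:encrypt:" + bytes([i]) * 8 for i in range(5)]
SINGLETON = b"one-off-loader:dropper:xyz"

def features(data: bytes) -> set:  # byte trigrams: crude stand-in for model features
    return {data[i:i + 3] for i in range(len(data) - 2)}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

class LayeredDetector:
    """Three layers: exact hash, byte mask with '?' wildcards, similarity model."""
    def __init__(self, threshold: float = 0.6):
        self.hashes = set()        # layer 1: SHA-256 of known samples
        self.masks = []            # layer 2: byte patterns, 0x3F ('?') matches any byte
        self.family_feats = []     # layer 3: features of the training family
        self.threshold = threshold
    def add_hash(self, data: bytes): self.hashes.add(hashlib.sha256(data).hexdigest())
    def add_mask(self, mask: bytes): self.masks.append(mask)
    def train_family(self, samples): self.family_feats = [features(s) for s in samples]
    def mask_hit(self, data: bytes) -> bool:
        for m in self.masks:
            for off in range(len(data) - len(m) + 1):
                if all(mb == 0x3F or mb == db for mb, db in zip(m, data[off:off + len(m)])):
                    return True
        return False
    def scan(self, data: bytes) -> str:  # returns the layer that fired, or "clean"
        if hashlib.sha256(data).hexdigest() in self.hashes:
            return "hash"
        if self.mask_hit(data):
            return "mask"
        f = features(data)
        if self.family_feats and max(jaccard(f, g) for g in self.family_feats) >= self.threshold:
            return "model"
        return "clean"

def demo() -> dict:
    d = LayeredDetector()
    d.train_family(FAMILY)                 # the model learns the big family
    d.add_hash(SINGLETON)                  # the singleton family: only a hash exists
    d.add_mask(b"loader:???????:")         # constructed mask for a loader-style layout
    return {
        "new_family_variant": d.scan(b"FAM-core-v1:encrypt:" + b"\x07" * 8),
        "singleton": d.scan(SINGLETON),
        "singleton_variant": d.scan(b"one-off-loader:spawner:abc"),
        "benign": d.scan(b"plain text document about cats"),
    }
```

With the model alone, the singleton scans as clean; the hash and mask layers are what catch it and its close variant, while the unseen family member is caught by similarity.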

That concludes the discussion of the misunderstandings about machine learning in network security. Thank you for reading. If you want to learn more about the industry, you can follow the industry information channel, where the editor posts new material every day.
