
The Challenge of Training AI to Detect Unique Threats

In a previous column, I discussed how traditional endpoint security fails because it focuses on detecting known bad instances. As evidenced by the rapid rise of email-based attacks, this is a losing proposition, because advanced threats and targeted email attacks change rapidly as attackers dodge detection. While bad changes on a daily basis, good does not. Therefore, modeling what is good and detecting deviations from it offers a better solution than identifying bad.

Tragically, many security vendors are hesitant to recognize the inherent drawbacks of blacklisting, which is the detection of known bad. Instead, they are embracing artificial intelligence with the hope that this will help them keep up with adversarial changes.

While machine learning can significantly speed up the reaction to changes by identifying similarities and generalizing, it requires reasonably large training sets to do so. These often take time to establish, which means that new attacks remain one step ahead until enough examples have accumulated. This is particularly worrisome for low-volume targeted attacks, where the examples may never accumulate.

The learning phase can be sped up by using a system that is a hybrid between a machine learning system and a rule-based expert system, taking advantage of the “fuzzy” generalization of machine learning and the expert insights encoded in the expert system. Here, the machine learning component identifies whether an email is sent from a trusted party, since the notion of “trusted” is well suited for machine learning to learn, but hard for an expert system to encode as rules.

Similarly, the machine learning component determines whether a display name looks “similar enough” to a display name of a trusted party. Here, “similar enough” is another fuzzy decision. But the machine learning system would not be expected to learn what combinations of these events are safe vs. unsafe. That is encoded by the rule-based expert system. In this particular example, the expert system would have a rule stating that if an email is from a party that is not trusted, but the display name looks similar enough to that of a trusted party, then that means a high risk of deception.

Therefore, this will help catch an email that comes from a stranger and has a display name that closely resembles a trusted party – which is what almost all Business Email Compromise attacks do. In contrast, without the hybrid approach, the machine learning engine would have to infer from examples that such combinations are dangerous, requiring much larger training sets than a hybrid approach. For more complex examples, this may not be practically possible.
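The division of labor described above, as an added worked example (code written for this page, not Agari's product or the author's own code): two fuzzy signals feed one small rule table. The trusted-party list and the sample messages are constructed; a dictionary lookup stands in for the learned notion of “trusted party”, difflib's string similarity stands in for the learned display-name similarity model, and the 0.8 “similar enough” threshold is an assumption. The expert system itself is the three-line `assess` function: trusted sender, untrusted sender with a lookalike display name (high risk of deception), or plain stranger.

```python
"""Hybrid BEC check: fuzzy signals combined by a rule-based expert system.

Added illustration for this page, not Agari code. The trusted-party table,
threshold and sample messages below are constructed / assumed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re
import unicodedata


@dataclass(frozen=True)
class Email:
    display_name: str   # From: header display name, as the recipient sees it
    address: str        # From: header address
    subject: str


# Stand-in for what the ML component would learn from mail history (assumption):
# addresses the recipient regularly corresponds with, and the display name each
# one normally uses.
TRUSTED_PARTIES = {
    "alice.chen@example-corp.com": "Alice Chen",
    "robert.diaz@example-corp.com": "Robert Diaz",
    "billing@supplier.example": "Acme Supplier Billing",
}

SIMILARITY_THRESHOLD = 0.8  # "similar enough" cut-off; a tuning assumption


def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace, so that
    'Alíce  CHEN' and 'alice chen' compare equal."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.casefold())
    return " ".join(cleaned.split())


def name_similarity(a: str, b: str) -> float:
    """Fuzzy similarity in [0, 1]; token order is ignored ('Chen, Alice' ~ 'Alice Chen').
    Stands in for a learned similarity model."""
    na, nb = normalize_name(a), normalize_name(b)
    direct = SequenceMatcher(None, na, nb).ratio()
    reordered = SequenceMatcher(None, " ".join(sorted(na.split())),
                                " ".join(sorted(nb.split()))).ratio()
    return max(direct, reordered)


def is_trusted(email: Email) -> bool:
    """Fuzzy signal 1 (stand-in): is the sending address a trusted party?"""
    return email.address.casefold() in TRUSTED_PARTIES


def impersonated_party(email: Email):
    """Fuzzy signal 2: which trusted party's display name, if any, does this
    message's display name resemble? Returns (address, score) or None."""
    best = None
    for addr, known_name in TRUSTED_PARTIES.items():
        score = name_similarity(email.display_name, known_name)
        if score >= SIMILARITY_THRESHOLD and (best is None or score > best[1]):
            best = (addr, score)
    return best


def assess(email: Email) -> dict:
    """The expert system: combines the two fuzzy signals with fixed rules."""
    if is_trusted(email):
        return {"risk": "low", "rule": "sender is a trusted party"}
    lookalike = impersonated_party(email)
    if lookalike:
        addr, score = lookalike
        return {"risk": "high",
                "rule": "untrusted sender, display name resembles a trusted party",
                "impersonates": addr, "similarity": round(score, 2)}
    return {"risk": "unknown", "rule": "untrusted sender, no lookalike display name"}


if __name__ == "__main__":
    # Constructed sample messages: one legitimate, two BEC-style lookalikes, one stranger.
    samples = [
        Email("Alice Chen", "alice.chen@example-corp.com", "Q3 numbers"),
        Email("Alice Chen", "alice.chen.ceo@freemail.example", "Urgent wire request"),
        Email("CHEN, Alice", "a.chen@freemail.example", "Invoice attached"),
        Email("Newsletter Bot", "news@random.example", "Weekly digest"),
    ]
    for msg in samples:
        print(f"{msg.display_name!r:20} <{msg.address}> -> {assess(msg)}")
```

Note what the machine learning is and is not asked to do here: it only answers the two fuzzy questions (is this address trusted; does this name look like a trusted name), and the dangerous combination is stated as a rule rather than inferred from labeled examples of lookalike attacks, which is exactly the scarce data the column says is hard to collect.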

A hybrid approach requires system designers to carefully deconstruct the problem, instead of just blindly applying machine learning engines to it. The system must be built from concepts and categories that machine learning can be trained to identify, and the rules that combine them must come from expert understanding. Researchers must first understand the problem, and then design the system.

Let’s consider an example. Say you’re terrified of the prospect of bears with assault rifles. Granted, this is an unusual concern, but it will work as an illustration precisely because it is so unusual. After all, hunting malicious emails is frequently an exercise in the unusual.

System designers taking a “blind” approach to identifying risk need a large, labeled training set of pictures and movies of bears with assault rifles, as well as pictures and movies of things that are not bears with assault rifles, to train the machine learning system. But while bears with assault rifles are worrisome, they are also quite rare, so finding such a dataset might take a while.

The same holds for assembling a training set of unusual samples of advanced threats and targeted email attacks. Again, the volume of malicious emails is massive, with many hundreds of millions of messages per day, but most of these are bulk, amateur and simple. Existing systems do a remarkable job of identifying repeated bulk attacks, allowing less than 0.1% of the unwanted emails to be delivered to inboxes. Unfortunately, only a very small portion of the sophisticated and targeted attacks is detected by traditional security solutions, which makes it even harder to collect training sets for them.

Returning to our example, the “understand-first” approach would lead to the conclusion that there are three important categories of objects: bears, assault rifles, and everything else. (While abundantly clear in this example, in real life the deconstruction would be much more complex and not as intuitive.) As examples of these objects won’t be too hard to find, it will be easy to use machine learning to identify bears and assault rifles, as well as things that are neither. In addition, you could use a very simple expert system that says something like: if the situation has <positive bear sighting> AND <positive assault rifle sighting> THEN sound the alarm.

It’s obvious that the understand-first approach is superior to the blind approach. However, this insight is lost on many security companies, which use machine learning blindly to address a problem they do not fully understand, and in the process create systems that don’t perform or protect well.

As an end user, you may not worry about what goes into the security system protecting your inbox. But you should. A solution that constantly plays catch-up, whether it uses machine learning or not, will often fail to detect targeted attacks. 

If all you hear about a product are buzzwords, there’s a good chance that nobody knows just what makes it work. That means that once attacks change, which happens constantly, you will only have partial protection until the product is patched. It also means that the protection focus is almost certainly not on targeted attacks, which are the type of attack that enterprises worry most about. And if you hear that a particular product blocks 99% of all threats, with no mention of which types of attacks, then that product probably fails to detect the most dangerous threat: targeted attacks.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.