If you’re a film buff like me, you’ve probably seen The Imitation Game, with Benedict Cumberbatch in the role of Alan Turing. The movie tells the story of Turing who, in 1939, was recruited by Britain’s codebreaking operation at Bletchley Park to crack the Nazis’ Enigma cipher machine, which cryptanalysts of the day thought unbreakable. Turing was obsessed with the idea of building a machine that could perform the computations his team of human analysts were doing by hand. In the film, he builds a machine called Christopher (in reality it was named the Bombe).
The Bombe was a computer of sorts, and it was eventually used to break the Enigma code and help the Allies win the war. It was also part of the genesis of the digital revolution. For this and his foundational theoretical work, Turing is credited as the father of computer science. Today the Turing Award, established in 1966, is considered the Nobel Prize of computing. This year, the Turing Award and its $1 million prize went to Geoffrey Hinton, Yann LeCun, and Yoshua Bengio for their work on neural networks.
Why is their work on neural networks so significant? The groundbreaking work Bengio, Hinton, and LeCun have done with deep learning and neural networks has paved the way for many technical innovations such as self-driving cars, novel cancer treatments, and a variety of image and speech recognition applications. And beyond those high-profile developments, deep learning is proving to be a transformative factor in addressing challenges in cybersecurity.
What Is Deep Learning?
Since there seems to be a lot of confusion about what deep learning is and how it differs from traditional machine learning, let’s set the record straight. Deep learning is a family of methods within machine learning that uses available data to learn a hierarchy of representations useful for certain tasks. In traditional machine learning, a lot of human expertise goes into defining the set of features used to represent the data; in deep learning, little to no manual feature engineering is involved. The system learns the best representation of the data by itself to produce the most accurate results. As a result, far less human bias is introduced, and a deep learning system is inherently more scalable and accurate.
Here’s what I mean: imagine a security product built to identify threats by inspecting network traffic. With traditional machine learning, threat analysts define the features that constitute a threat and must handcraft new ones whenever a new attack technique appears. With deep learning, labeled data marked “threat” and “not-threat” is used to train the system. The resulting model can then detect a variety of different threats, even ones that appear novel.
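To make the contrast concrete, here is a minimal sketch of learning from labeled data. The feature vectors and labels are entirely made up, and a simple logistic-regression learner stands in for a (much deeper) production network; the point is only that the decision boundary is learned from the labeled examples rather than handcrafted by an analyst.

```python
import numpy as np

# Toy stand-in for labeled traffic samples: each row is a hypothetical
# 3-feature vector, label 1 = "threat", label 0 = "not-threat".
rng = np.random.default_rng(0)
threats = rng.normal(loc=2.0, scale=0.5, size=(50, 3))
benign = rng.normal(loc=-2.0, scale=0.5, size=(50, 3))
X = np.vstack([threats, benign])
y = np.concatenate([np.ones(50), np.zeros(50)])

# Minimal learner: the weights are fit to the labeled data by
# gradient descent, not defined by a human expert.
w, b, lr = np.zeros(3), 0.0, 0.1
for _ in range(500):
    p = 1.0 / (1.0 + np.exp(-(X @ w + b)))   # predicted threat probability
    w -= lr * (X.T @ (p - y)) / len(y)        # gradient step on weights
    b -= lr * np.mean(p - y)                  # gradient step on bias

preds = (1.0 / (1.0 + np.exp(-(X @ w + b))) > 0.5).astype(float)
accuracy = np.mean(preds == y)
print(f"training accuracy: {accuracy:.2f}")
```

On this cleanly separable toy data the learned model classifies every sample correctly; real traffic is far messier, which is exactly where deeper models earn their keep.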
With deep learning, the curation of the threat data used, as well as the “training” and “validation” of the models, is vital to the accuracy of the outcomes. In fact, deep learning was stymied for many years until two adjacent developments made it possible to put deep learning theory into practice, propelling the technology to its current applications and successes. These were:
● GPUs – Advancements in processing and the lowering of the costs of the underlying technology made it possible for deep learning model training and validation to be performed in days when it used to take weeks or months.
● Big Data – Enormous threat data sets comprising hundreds of millions of samples are now available. This is a much bigger training set than is available for many vision applications, and it is being used to teach deep learning-based systems to recognize threat patterns, including unique strains of malware.
How Deep Learning Can Help in Cybersecurity
What does all this mean to those facing the challenges inherent with cybersecurity today? It turns out that deep learning is an ideal technology to address the volume and velocity of the current threat environment. Today, hackers are using automation to generate and deliver new strains of malware on a global scale at a rate of almost a million a day. In contrast, our traditional threat defenses based on signatures and sandboxes are manual in nature.
Signature-based threat detection works only for known threats, and signature creation takes time once patient zero is detected. Additionally, only a limited number of signatures can be stored on any security product at any time (try multiplying a million variants a day by 365 days). Sandbox-based threat detection, which performs dynamic analysis on files in a virtual environment, also has limitations. Certain file types (such as DLLs) and large files simply cannot be analyzed in malware sandboxes. Hackers have also developed many techniques for evading sandboxes.
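The brittleness of exact-match signatures is easy to see in a toy sketch. Hash lookups are one common form a signature can take; the “malware” bytes and the signature database below are invented purely for illustration.

```python
import hashlib

# Hypothetical signature database: exact SHA-256 hashes of known-bad files.
malware_sample = b"MZ\x90\x00 example malicious payload bytes"
signatures = {hashlib.sha256(malware_sample).hexdigest()}

def is_known_threat(file_bytes: bytes) -> bool:
    """Signature matching: flag a file only if its exact hash was seen before."""
    return hashlib.sha256(file_bytes).hexdigest() in signatures

print(is_known_threat(malware_sample))  # True: the original strain is caught
variant = malware_sample + b"\x00"      # a one-byte change yields a new "strain"
print(is_known_threat(variant))         # False: the trivial variant slips through
```

A single flipped byte produces a brand-new hash, so every one of those million daily variants would need its own signature, which is precisely why exact matching cannot keep up.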
All this means a new approach is needed: one that is automated and can offer the speed and accuracy of threat detection that we defenders need today. Deep learning is not a panacea for all your security problems, but it is ideal for detecting known and unknown network threats, and it can do so in a fraction of a second to keep pace with the onslaught of attacks.
The natural reaction to these developments by many CISOs may be skepticism, given the overhyped nature of AI and the history of security systems that have fallen short of expectations. So how do you know if something is legit? In my next column, I’ll talk about evaluating AI claims in security: how to separate fact from fiction.