EDITOR'S QUESTION

From decision trees to deep learning

Security vendors are moving away from primitive machine learning tools towards deep learning algorithms to reduce the number of false positives, explains Harish Chib at Sophos.
How is artificial intelligence making an impact on your security solution portfolio?

Harish Chib, Vice President, Middle East and Africa, Sophos.

The recent replacement of the decision tree with deep-learning neural networks to build tomorrow's cyber security solutions promises to be a significant differentiator amongst security vendors.

Analytical tools in the realm of artificial intelligence and machine learning take user profiles, user behavior and normal business activity into consideration to establish thresholds for normal and abnormal behavior. This is in contrast to traditional tools, which use predefined signature patterns and scenarios of past attacks to detect and block incoming malicious behavior.

Machine learning and artificial intelligence are the latest tools being applied to big data analytics. These include the decision-tree approach, which has been in use since the nineties, and deep neural networks, or deep learning.

Most security vendors have built their solutions on decision-tree algorithms to detect cybersecurity threats. These are well understood techniques developed in the 1990s; they are relatively easy to use and manage, and provide adequate results.

A decision tree typically plays a game of 20 questions to identify and detect malware. A decision tree is a flowchart-like structure in which each node represents a test on an attribute, each branch represents the outcome of the test, and each leaf node represents a decision taken after computing all attributes. The paths from root to leaf represent classification rules. The limitation of the decision-tree approach is that the algorithm needs to be manually set up and therefore has inbuilt human limitations.

Deep-learning networks allow findings and results to be generated from data without explicit programming. In contrast to the decision-tree approach, deep learning automates the process: it automatically identifies optimal features using learning methods inspired by the brain. For this reason, deep-learning networks are overtaking conventional machine learning across the cybersecurity solution landscape.

A deep-learning network consists of simple elements called neurons that receive input, change their internal state based on the input, and produce output determined by the nature of the input and their activation process. The network is formed when this output in turn becomes the input for selected neurons, which further change their internal state based on predefined weights and activation functions. The weights and the activation functions can be controlled with an algorithm called the learning rule.

When deep learning is applied to the use case of false positives and detection of malicious web links in cybersecurity, it produces a much higher detection range, fewer false positives, and a smaller footprint on end-points compared to other solutions.

A comparison between the efficiencies of deep learning and machine learning can be made by taking an X and Y plot of false positives and detection rates. A false positive rate is the percentage of non-malicious links classified as malicious at a particular sensitivity. Similarly, the detection rate is the percentage of malicious web links correctly classified as malicious at a particular sensitivity.

By setting a false positive rate of one per million non-malicious web links, deep learning can achieve a detection rate of 72% for new malicious web links that do not appear on previously announced threat lists. The conventional decision-tree approach can also achieve a similar detection rate, but only by increasing its false positive rate from one per million non-malicious web links to one per thousand non-malicious web links. This is a 1,000X increase in false positives.
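The fixed-false-positive comparison described above, as an added example that is not the article's or Sophos' code: it fixes a false-positive budget (expressed as "one in N" benign links, the article's own phrasing) and reads off each model's detection rate at that operating point. The "tree" and "deep" model names, the score values and the one_in parameter are constructed assumptions, not real classifier output.

```python
"""Compare two URL classifiers at a fixed false-positive budget.

Added example (not the article's or Sophos' code). Scores are constructed,
not real model output: higher means "more likely malicious", and a URL is
flagged when its score exceeds the chosen threshold.
"""

def threshold_for_fp_budget(benign_scores, one_in):
    """Lowest threshold such that at most 1 in `one_in` benign URLs are flagged.

    With n benign samples the smallest non-zero rate that can be measured is
    1/n, so a budget of one per million needs at least a million benign URLs;
    a smaller set collapses to "flag no benign URL" (threshold = max score).
    """
    ranked = sorted(benign_scores)
    allowed = len(ranked) // one_in            # false positives the budget permits
    if allowed >= len(ranked):
        return float("-inf")                   # budget allows flagging everything
    return ranked[len(ranked) - allowed - 1]   # only the `allowed` top scores exceed it

def detection_rate(malicious_scores, threshold):
    """Fraction of malicious URLs whose score exceeds the threshold."""
    hits = sum(1 for s in malicious_scores if s > threshold)
    return hits / len(malicious_scores)

def compare(models, one_in):
    """Detection rate per model at the same false-positive budget."""
    out = {}
    for name, (benign, malicious) in models.items():
        t = threshold_for_fp_budget(benign, one_in)
        out[name] = round(detection_rate(malicious, t), 4)
    return out

# Constructed scores for 1,000 benign and 100 malicious URLs per model. The
# "tree" model separates the classes weakly; the "deep" model pushes benign
# scores down, so its malicious scores clear the threshold at a tight budget.
MODELS = {
    "tree": ([i / 1000 for i in range(1000)],
             [0.6 + j / 250 for j in range(100)]),
    "deep": ([i / 2000 for i in range(1000)],
             [0.3 + 0.007 * j for j in range(100)]),
}

if __name__ == "__main__":
    for one_in in (10, 100, 1000):
        print(f"1 FP per {one_in:>5} benign:", compare(MODELS, one_in))
```

Tightening the budget from one in ten to one in a thousand drives the weak model's detection to zero while the stronger model keeps most of its detections, which is the shape of the trade-off the article describes.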
Cyber security vendors investing in deep learning to enhance their solutions are likely to make significant gains for a number of reasons, including the fact that development in artificial intelligence is being built on deep learning.