Having proved itself at spotting malware, machine learning has authentication in its sights

Retrospectively applied, a 2015-era ML algorithm could detect 2017’s WannaCry and NotPetya attacks

The success of machine learning (ML) in reinventing malware detection may still be causing cognitive dissonance for traditional security customers, but a senior technologist believes ML has gained enough traction for researchers to harness it in reinventing user authentication and denial of service (DoS) protection.

Rather than relying on malware signatures as in the past, ML technology examines a broad range of the attributes of potential malware. These attributes are mathematically modelled and incorporated into an analysis engine that has, Cylance vice president of engineering Milind Karnik told CSO Australia, more than proven itself as a replacement for increasingly ineffectual signature-based detection.

“When we do this mapping of millions of attributes, we see that the types of files cluster themselves into very unique clusters of good or bad clusters,” he explained.

“Mathematically even when you consider a piece of malware that may not be written today – when it gets written, it will probably align itself very closely to one of the known clusters. Adversaries are trying to find creative ways and different avenues to enter systems, but if you’ve designed a state space of attribution that is very large, that is typically difficult for them.”
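The clustering idea Karnik describes can be illustrated with a minimal sketch: map each file to a vector of numeric attributes, then label a new sample by its nearest known cluster centroid. The attribute names, centroid values, and distance metric below are invented for illustration and are not Cylance’s actual model.

```python
import math

# Illustrative centroids for two clusters in a tiny 3-attribute space
# (e.g. section entropy, import count, packer likelihood) -- values invented.
CENTROIDS = {
    "benign":  [0.1, 0.2, 0.05],
    "malware": [0.9, 0.7, 0.85],
}

def classify(attributes):
    """Return the label of the nearest cluster centroid (Euclidean distance)."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return min(CENTROIDS, key=lambda label: dist(attributes, CENTROIDS[label]))
```

The intuition matches Karnik’s claim: even a never-before-seen sample, once mapped into a sufficiently large attribute space, tends to land near one of the known clusters.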

To test this theory, Cylance fed recent and savage attacks, such as last year’s WannaCry and NotPetya malware, into its earliest ML models – which detected the code using techniques developed years before the malware was unleashed upon the world.

Strong retrospective analysis had repeatedly validated the ML technique and paved the way for ML techniques to be applied to the user authentication space, Karnik said. This included an upcoming product that will monitor a broad range of user attributes – typing speed and cadence among them – to score the likelihood that the person actually interacting with a computer is the person who is currently logged into that computer.
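One of the attributes mentioned – typing cadence – hints at how such a score might work: compare observed inter-keystroke intervals against a stored per-user profile. The scoring function, thresholds, and profile format below are a hypothetical sketch, not the upcoming product’s actual method.

```python
import statistics

def keystroke_score(intervals, profile_mean, profile_stdev):
    """Return a 0..1 likelihood that the typist matches a stored profile,
    based on how far the observed mean keystroke interval deviates.
    A deviation of 3 standard deviations or more scores 0."""
    observed = statistics.mean(intervals)
    z = abs(observed - profile_mean) / profile_stdev
    return max(0.0, 1.0 - z / 3.0)
```

A real system would combine many such attribute scores – mouse movement, application usage, and so on – rather than relying on a single signal.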

This application of ML theory would underpin continuous authentication, a core capability that would remedy a weakness of legacy security designs: networks left exposed to unchecked lateral movement once an attacker has compromised a user’s privileged credentials.

Continuous monitoring would help companies embrace zero-trust models that force users – as well as mobile, Internet of Things (IoT) and other smart devices – to continually prove they have the right to be accessing the network.

If a discrepancy is detected, users can be diverted to a 2-factor authentication (2FA) check or simply logged out as a failsafe.
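The escalation policy described here reduces to mapping an identity-confidence score to an action. The thresholds and action names below are illustrative assumptions, not drawn from any vendor’s product.

```python
def respond(score, challenge_threshold=0.6, logout_threshold=0.3):
    """Map a continuous-authentication confidence score (0..1) to an action:
    allow the session, divert to a two-factor check, or log out as a failsafe."""
    if score < logout_threshold:
        return "logout"
    if score < challenge_threshold:
        return "2fa_challenge"
    return "allow"
```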

“At times there is almost disbelief that this is possible,” Karnik said. “There are nuanced differences in how each person uses a keyboard or moves a mouse that are much better than scanning a fingerprint. We’re capturing conduct, and our job is to piece that together.”

The technique will also be applied to detecting behaviour characteristic of denial of service (DoS) attacks, he added, although this was still down the track.

Gartner has previously predicted that 25 percent of security products would have machine learning built into them by this year, with prescriptive analytics used in at least 10 percent of user and entity behaviour analytics (UEBA) tools using machine-learning techniques.

Gartner also expects that machine learning will drive an increase in automated penetration testing, with 10 percent of such tests handled through ML-driven automation by 2020.