Machine learning is changing the way industries address critical challenges by using the combined power of automation, cloud-based scalability and specialized programming to surface unexpected relationships and insights. With thousands of new malicious programs emerging every day, security solutions that integrate responsive machine learning can identify and block threats that haven’t been seen before, so long as those systems are trained and tested at an appropriate pace. With this technology, it is now possible to derive value from vast quantities of data in a way that was unimaginable 20 years ago.
Machine Learning in Action
Health care was a natural early application for this breakthrough. First, machine learning was applied to the challenge of understanding the language of medicine. Natural language processing (NLP) evolved from the automated analysis of billions of data points to develop an understanding of common terms and expressions. Whether providing care data or querying sources for diagnostic information, machine learning was the foundation used to interpret and act on specific medical terms and requests.
Research into genetic and environmental causes for illness also accelerated. In traditional epidemiological studies, the near limitless permutations of symptoms, genetics and environment make causal associations obscure, and advancements are slowed by long studies, specific control structures and willing test subjects.
With machine learning, scientists can instead look for related characteristics in existing patients and victims. Patient histories may be analyzed across thousands of subjects, using specific algorithms to identify subtle patterns and highlight the elements that contributed most to the illness under consideration.
Learning the Language of Cybersecurity
Machine learning becomes more informed and accurate over time. The longer a condition is observed or a language is studied, the more precise the model becomes. Why? Because the characteristics or features of the subject under study remain consistent. The elements of language or the characteristics of an illness don’t change much, if at all.
IBM has applied machine learning to the challenge of enterprise protection with Watson for Cyber Security. Using decades of experience in security management, strategy and incident response, IBM trained Watson to understand the language of cybersecurity, recognize root causes, highlight urgent threats and provide answers to security questions for less experienced analysts. As with the health care example, the longer Watson learns, the more informed it becomes. There are always new techniques to add to the existing base that Watson already understands.
The Limits of Conventional Machine Learning
This changes, though, when it comes to endpoint protection — that is, actually protecting businesses and user machines from malware. Maintaining endpoint security in a rapidly changing environment requires testing and training machine learning models in near real time to maintain confidence amid the sheer volume of constantly changing data related to endpoint software and threats.
This is a different type of machine learning challenge because it requires the capability to disambiguate between good applications and malware, or between beneficial and malicious processes. With the high state of sophistication in modern malicious software and techniques, these differences are very subtle and can change frequently. Thousands of new malware variants threaten endpoints daily, and legitimate software is always changing and being used in unique combinations by businesses. Training with both the good and the bad is critical to effectively improving security.
Maintaining coverage against new forms of malware requires models that are continuously trained and tested against the newest threats. Meanwhile, maintaining accuracy and a positive user experience requires training and testing with new and customer-specific goodware to minimize the possibility of false positives.
Without this ongoing training, users are left with aging models, along with the prospect of maintaining whitelists and blacklists, all while waiting months for an updated model.
The Benefits of Responsive Machine Learning
Instead of simply adding more samples into an existing training set, endpoint protection machine learning models must be sensitized to identify new waves of malware while at the same time balancing new or updated desirable software. This requires responsive machine learning. In this approach, automation platforms ingest thousands of samples of malicious software and combine them with up-to-the-minute data on new, good software to create robust training sets.
With this data, models can be generated and tested regularly, rather than treating these updates like product revisions that occur every six months. By fine-tuning the model based on the software characteristics of various business sectors, it can be automatically customized to suit specific applications, ensuring greater accuracy and coverage for users.
Timeliness in data gathering provides real-time protection and responsiveness to meet today’s dynamic endpoint security threats. Machine learning is adaptive to the constant changes in the blurred line between good and malicious software.
What’s Your Security Vendor Selling?
Machine learning is a hot topic at the moment, so every vendor in the market seems to be talking about it. For enterprises evaluating endpoint security solutions, it’s critical to understand the differences between conventional and responsive machine learning. Otherwise, the technology your vendor is selling may not actually provide the protection you think you are buying.
When evaluating security vendors, ask for specifics on how often the model is updated and details about how it is kept up to date. What sources are used? Does the business consider both malware and legitimate software updates when creating new models? Are all customers given their own optimized model, or are they forced to use a common one? Will you be required to mitigate aging models, false positives and negatives through professional services or internal efforts?
Machine learning is rapidly changing the security solution landscape. On the endpoint, where the most important function is judging good or bad, security teams require a comprehensive, responsive approach to machine learning to deliver the forward-looking coverage and customized accuracy that modern businesses need.
Read the IBM Executive report on Cybersecurity in the cognitive era