Deep Instinct: A New Way to Prevent Malware, With Deep Learning (Updated)

Malware has proven increasingly difficult to detect via signature- or heuristic-based methods, which means most antivirus (AV) programs are woefully ineffective against mutating malware, and especially ineffective against Advanced Persistent Threats (APTs). Typical malware consists of about 10,000 lines of code. Changing only 1% of the code renders most AV ineffective.

About five to six years ago, machine learning began to be used to solve non-linear problems such as facial recognition or understanding malware, including which features one needs to extract to uniquely identify such programs. Other techniques, such as sandboxing and machine-based techniques, are neither as fast nor as accurate as Deep Learning.

To implement Deep Learning, Deep Instinct constructed a large neural network in a laboratory and trained its program against a very large set of malware samples. The training is done on databases of tens of millions of malicious and legitimate files. The output of this continuous training is a prediction model that can be sent to the protected device, enabling detection and prevention in real time.

Because this solution, the neural network instance, itself cannot be updated, it runs very fast, in real time, and uses little computing power. The built-in recognition gained from all the training is the basis for Deep Instinct's claim of a very low false positive rate and, conversely, a very high detection rate. New neural network solutions may be pushed out, however: Deep Instinct supplies the updates, and the network administrator decides on the update interval based on the threat ecosystem.

In Q2 of this year, Deep Instinct hopes to have a traffic module to detect malware and APTs that it claims could replace a firewall, but it would more likely serve as a useful adjunct. How do Deep Instinct’s methods compare to notable competitors, particularly to some of the emerging companies using advanced techniques? One such company, UK-based Darktrace, uses threat indicators for traffic and changed its detection method to use machine learning. Cybereason developed a different detection approach: it analyzes other threat patterns, such as external indicators, different domains, and threat intelligence.

According to Guy Caspi, the cyber attack from North Korea against Sony used a new, slight modification of existing malware that was not very sophisticated. The problem of malware detection is increasingly difficult for many companies to solve as the organizational perimeter moves. Mobile access and the emergence of new threat actors have moved most organizations' cyber perimeters.

Some big companies may be investing in Deep Instinct, including Samsung, Qualcomm and Nvidia. There is a fee for the Deep Instinct appliance, and each endpoint will likely be priced at approximately $50-75 per instance, depending on volume. The mobile solution will be priced slightly more. This pricing is competitive with other players in this space. 

Signature-based malware detection is becoming increasingly inaccurate and was never scalable. By breaking up malware into tiny “bits” and analyzing them via neural networks, Deep Instinct may have discovered an inherent characteristic of malware, one that can’t be changed by mutation if that malware is to retain its functionality. If true, Deep Instinct’s product is a game changer in the detection marketplace.

Update, 4/4/16, 2:25pm PT: Added clarification on the number of malware samples used. Added clarification on neural network updates. Added update to FireEye sandboxing.
