How security vendors are moving from decision trees to deep learning
The recent replacement of decision trees with deep-learning neural networks in tomorrow's cyber security solutions promises to be a significant differentiator amongst security vendors. Analytical tools in the realm of artificial intelligence and machine learning take user profiles, user behavior and normal business activity into account to establish thresholds for normal and abnormal behavior. This contrasts with traditional tools, which use predefined signature patterns and scenarios from past attacks to detect and block incoming malicious behavior.
Machine learning and artificial intelligence are the latest tools being applied to big data analytics. They include the decision-tree approach, in use since the nineties, and deep neural networks, or deep learning. Most security vendors have built their solutions on decision-tree algorithms to detect cybersecurity threats: these are well-understood techniques developed in the 1990s, they are relatively easy to use and manage, and they provide adequate results.
A decision tree typically plays a game of 20 questions to identify and detect malware. It is a flowchart-like structure in which each internal node represents a test on an attribute, each branch represents the outcome of that test, and each leaf node represents the decision reached once all the attributes on the path have been evaluated. The paths from root to leaf represent classification rules. The limitation of the decision-tree approach is that the tree has to be set up manually and therefore carries inbuilt human limitations.
Deep-learning networks allow findings and results to be generated from data without explicit programming. In contrast to the decision-tree approach, deep learning automates the process: it identifies optimal features on its own, using learning methods inspired by the brain.
For this reason, deep-learning networks are overtaking conventional machine-learning across the cybersecurity solution landscape.
A deep-learning network consists of simple elements called neurons that receive input, change their internal state based on that input, and produce output determined by the input and by their activation process.
The network is formed when this output in turn becomes the input of other selected neurons, which change their own internal state according to predefined weights and activation functions. The weights and the activation functions can be adjusted by an algorithm called the learning rule.
When deep learning is applied to the detection of malicious web links and the reduction of false positives in cybersecurity, it produces a much higher detection rate, fewer false positives, and a smaller footprint on endpoints compared to other solutions.
The efficiency of deep learning and conventional machine learning can be compared on an X and Y plot of false-positive rate against detection rate. The false-positive rate is the percentage of non-malicious links that are classified as malicious at a particular sensitivity. Similarly, the detection rate is the percentage of malicious web links that are correctly classified as malicious at that same sensitivity.
At a false-positive rate of one per million non-malicious web links, deep learning can achieve a detection rate of 72% for new malicious web links that do not appear on previously published threat lists. The conventional decision-tree approach can reach a similar detection rate, but only by raising its false-positive rate from one per million non-malicious web links to one per thousand. That is a 1,000X increase in false positives.
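The comparison above amounts to reading two points off each classifier's ROC curve: fix a false-positive budget and read the detection rate, or fix a detection target and read the false-positive rate it costs. The following is an added example, not code from the article or from Sophos; the two hypothetical classifiers A and B and their URL scores are constructed, and the budget is 10% rather than one per million so the data stays small.

```python
"""Read operating points off a URL classifier's ROC curve (added example).

Scores are constructed: hypothetical classifiers A and B each assign a
maliciousness score in [0, 1] to the same labelled URLs. A URL is flagged
as malicious when its score >= the chosen threshold.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float  # flag URLs scoring >= threshold
    fpr: float        # false-positive rate: benign URLs flagged / all benign
    tpr: float        # detection rate: malicious URLs flagged / all malicious


def operating_point(benign, malicious, threshold):
    fpr = sum(s >= threshold for s in benign) / len(benign)
    tpr = sum(s >= threshold for s in malicious) / len(malicious)
    return OperatingPoint(threshold, fpr, tpr)


def detection_at_fpr_budget(benign, malicious, max_fpr):
    """Best detection rate reachable without exceeding max_fpr.

    Detection only changes at thresholds equal to some malicious score, so
    scanning those candidates lowest-first finds the optimum exactly."""
    for t in sorted(set(malicious)):
        op = operating_point(benign, malicious, t)
        if op.fpr <= max_fpr:
            return op
    return OperatingPoint(math.inf, 0.0, 0.0)  # budget unreachable: flag nothing


def fpr_for_detection_target(benign, malicious, min_tpr):
    """Lowest false-positive rate at which detection is still >= min_tpr."""
    for t in sorted(set(malicious), reverse=True):
        op = operating_point(benign, malicious, t)
        if op.tpr >= min_tpr:
            return op
    raise ValueError("min_tpr must lie in (0, 1]")


# Constructed scores: 10 benign and 8 malicious URLs per classifier.
BENIGN_A = [0.01, 0.05, 0.10, 0.15, 0.20, 0.30, 0.35, 0.40, 0.60, 0.90]
MALICIOUS_A = [0.20, 0.50, 0.55, 0.70, 0.80, 0.85, 0.95, 0.97]
BENIGN_B = [0.05, 0.10, 0.20, 0.30, 0.45, 0.50, 0.55, 0.65, 0.70, 0.85]
MALICIOUS_B = [0.30, 0.40, 0.60, 0.66, 0.75, 0.80, 0.90, 0.95]

if __name__ == "__main__":
    for name, b, m in (("A", BENIGN_A, MALICIOUS_A), ("B", BENIGN_B, MALICIOUS_B)):
        budget = detection_at_fpr_budget(b, m, max_fpr=0.10)
        need = fpr_for_detection_target(b, m, min_tpr=0.75)
        print(f"{name}: at FPR<=10% detects {budget.tpr:.1%}; "
              f"needs FPR {need.fpr:.1%} for 75% detection")
```

With these constructed scores, A detects 62.5% of malicious URLs under the 10% budget where B detects 50%, and B must accept a 30% false-positive rate to match the 75% detection that A reaches at 20%; the same procedure applied to a million-URL benign set reproduces the one-per-million comparison in the text.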
Cyber security vendors investing in deep learning to enhance their solutions are likely to make significant gains for a number of reasons, including the fact that current development in artificial intelligence is being built on deep learning.
Security vendors are moving away from primitive machine learning tools towards deep learning algorithms to reduce the number of false positives, explains Harish Chib at Sophos.