If it smells like a phish and looks like a phish, it’s probably a phish, says Marc Lueck, CISO EMEA at the cloud security company Zscaler.
There is a saying that sums up what malware detection is all about: if it smells like a fish and looks like a fish, and acts like a fish, then it is probably a fish. This statement applies not only to fish, but also to phishing and malware in general. This principle is the basis for most modern cyber detection capabilities, and AI relies on it.
AI fundamentally applies human, logical decision-making to malware detection. The big difference, however, lies in the speed of processing and the quantity of information processed. A human, given all the data available from AI, can probably make a good and correct decision about potential malware, in time. However, that information is usually not consumable to a human being, at least not with a lot of interpolation.
In contrast, AI is good at making decisions based on a huge range of data in its native form, which a human cannot recognise at the necessary speed. It can make these decisions in time measured in milliseconds. Today, AI plays an important role in malware detection, delivering human-like decisions, and allowing software to make determinations and outcomes based on those decisions. This includes the ability to check whether something is malware, based on how it feels and the way it looks.
Some of the most successful cybercriminals probably rely on AI and machine learning (ML) to train their tools, so they can manipulate victims successfully through automated attacks or social engineering, and then compromise their infrastructure faster, with less slow human interaction. It will always take a machine to fight a machine. That is why companies should use the same intelligence and speed to detect and defend against these criminal activities. The aim is to enable a system to make semi-human decisions based on a variety of data points. In correlation capability, AI can actually play out its intelligence and contribute to faster detection of malware.
In reality, only a global cloud security platform has enough scale and compute power to apply these decisions at the near instant speed required to be effective. This same cloud approach has a much larger pool of learning data to draw on, to apply the fish test. The aim is not to teach the system unnecessary complexity, but to convey the decisive characteristics such as virtual appearance and smell. This can enrich them with other contextual factors, such as location, deviating behavior patterns, time factor of access to data, and comparison of newly registered domains.
Through the power of a cloud approach and its ability to inline scan data streams, risk transparency can be provided in near real-time. Even before the data reaches the employee, the decision is automatically made as to whether malware is hidden in it. The inline scan can shorten response times for the decision regarding the passage of data streams to the user and block potential malware while allowing genuine content through. By training AI models on the crucial parameters for detecting malware, the manual drill of the permanent tracking of security alerts by the IT team is eliminated, and the rate of false positives should reduce inexorably.
The magic lies in influencing the AI in such a way that it can exploit capabilities to the fullest, and with the richest set of data. Accordingly, we should stop thinking in a complicated way, and just ensure that AI can already play to its strengths today by treating what looks like malware as malware.
