Deep learning is the most advanced subset of AI, leveraging deep neural networks that take inspiration from how the human brain works.
As more data is fed into the neural network, it becomes better at intuitively understanding the meaning of new data – this allows it to predict and prevent increasingly advanced threats. It does not require a (human) expert to help it understand the significance of new features.
Data scientists prepare data samples that are used for training the ‘brain’ or the deep neural network. Those data samples contain millions of labeled files, malicious and benign – including malware “mutations”, scripts, macros etc.
The “self-learning loop” is a process during which the deep neural network is exposed to all the available “raw data” in a file, from which it learns to instinctively identify malicious code. The incorporation of GPUs (Graphic Processing Units) has enabled this training phase to be dramatically reduced. Training takes place within 24-48 hours, instead of months.
As the training phase goes by, the brain begins to instinctively detect and identify malware by scanning the “DNA” or all of the raw features in a file.
The deep neural network has now reached the prediction stage where it can quickly and efficiently predict whether or not a file is a threat. The input agnostic algorithm can apply this knowledge to any sort of file.
This phase compresses the brain with all its abilities into a lightweight and yet highly powerful agent. Turning TeraBytes of insights into MegaBytes of instincts.
The input agnostic algorithm means that the satellite agent can be inserted into any organizational domain, be it end-points and servers or even mobile devices.
Once deployed the agent checks every file, script, macro, etc before execution. The process is very fast (less than 20 milliseconds) causing no discernable impact on user experience or system performance.
The agent is constantly working to detect and prevent any type of malware, whether they’re already known or zero-days and APTs. This means benign files can run while malicious files are prevented.
Using deep learning software and technology, we are able to detect and prevent never seen before and unknown threats, such as zero-days and APTs.
Deep Instinct’s solution is based on a two-phase approach; similar to the way the brain learns and then acts in an instinctive mode.
• Training phase: The training process is performed with hundreds of millions of malicious and legitimate files that take place at Deep Instinct’s headquarters. The output of this process is the prediction model.
• Prediction phase: Once a device has the deep learning prediction model (D-Brain), it becomes an autonomous analysis entity, allowing it to predict in real-time malicious intents and prevent them from executing. There is no need for any supplementary analysis in a remote server or sandboxing appliance.
The entire analysis and the determination of whether it is malicious or benign, are done on the device within milliseconds, effectively enabling zero-time detection.
Training is performed on hundreds of millions of files, half of them malicious and half benign.
The malicious part of the dataset is sourced from different families, representing different attack scenarios and malicious behaviors.
Files are gathered from the following sources:
• Premium repositories: Third-party threat intelligence malware feeds, premium services, malware exchange collaborations.
• Public repositories: Open-source repositories, trackers, etc.
• Darknet: Specific threats collected and bought manually, also from known leads such as exploit kits and from specific leads and forums.
• Deep Instinct Research Lab: New threats that were developed by creating new malware mutations, using proprietary internal tools developed by Deep Instinct and third-party tools found in the cybersecurity industry.
Approximately twice a year.
When Deep Instinct produces a new deep learning prediction model, the D-Appliance receives the update and distributes the brain to all the D-Clients. This is different from AV solutions that require several updates per day, and EDR solutions that requires continuous connectivity in order to receive threat intelligence feeds. With Deep Instinct’s solution, an update is provided once every few months as this is all that is needed to achieve its high prevention rates. According to our tests, if you don’t update the prediction model for 6 months, the detection rate deteriorates by less than 1%.
Unlike machine learning-based solutions, our deep learning-based solution does not rely on feature engineering, which is limited to the knowledge of a security expert. Rather, we use the raw data from files like is done for image recognition where they use the raw data of images (pixels).
No, Deep Instinct provides the customer with a solution that has already been trained and provides immediate protection. All training is performed at Deep Instinct’s lab.
With the use of high-performance servers with GPUs, the training phase typically takes about 24-48 hours. Training occurs at Deep instinct’s Research Lab, and the D-Client on the device encompasses the prediction model, which is the output of the training phase.
Yes, the deep learning model autonomously classifies identified malware into one of seven categories using the Deep Classification module; Ransomware, Worm, Virus, Dropper, Spyware, Backdoor and PUA.
Currently, the deep learning process is applied to static analysis at the endpoint.
Deep Instinct is currently developing the option to also perform a dynamic analysis.
In addition, every malicious file detected or prevented is uploaded to the D-Appliance (optional, as defined in the policy) in order to run additional static and dynamic analyses to provide additional forensic information.