Deep learning is the most advanced subset of artificial intelligence. Also known as “deep neural networks,” it takes inspiration from how the human brain works. Namely, the more data that is fed into the machine the better it is at intuitively understanding the meaning of new data. It, therefore, does not require a (human) expert to help it understand the significance of new features.
Using deep learning software and technology, we are able to detect and prevent never-before-seen and unknown threats, such as zero-days and APTs.
Deep Instinct’s solution is based on a two-phase approach, similar to the way the brain learns and then acts in an instinctive mode.
• Training phase: The training process takes place at Deep Instinct’s headquarters and is performed with hundreds of millions of malicious and legitimate files. The output of this process is the prediction model.
• Prediction phase: Once a device has the deep learning prediction model (D-Brain), it becomes an autonomous analysis entity, allowing it to predict malicious intents in real time and prevent them from executing. There is no need for any supplementary analysis in a remote server or sandboxing appliance.
The entire analysis, and the determination of whether a file is malicious or benign, are done on the device within milliseconds, effectively enabling zero-time detection.
Training is performed on hundreds of millions of files, half of them malicious and half benign.
The malicious part of the dataset is sourced from different families, representing different attack scenarios and malicious behaviors.
Files are gathered from the following sources:
• Premium repositories: Third-party threat intelligence malware feeds, premium services, malware exchange collaborations.
• Public repositories: Open-source repositories, trackers, etc.
• Darknet: Specific threats collected and bought manually, also from known leads such as exploit kits and from specific leads and forums.
• Deep Instinct Research Lab: New threats that were developed by creating new malware mutations, using proprietary internal tools developed by Deep Instinct and third-party tools found in the cybersecurity industry.
Approximately twice a year.
When Deep Instinct produces a new deep learning prediction model, the D-Appliance receives the update and distributes the brain to all the D-Clients. This is different from AV solutions that require several updates per day, and EDR solutions that require continuous connectivity in order to receive threat intelligence feeds. With Deep Instinct’s solution, an update is provided once every few months as this is all that is needed to achieve its high prevention rates. According to our tests, if you don’t update the prediction model for 6 months, the detection rate deteriorates by less than 1%.
Unlike machine learning-based solutions, our deep learning-based solution does not involve any feature extraction at all. Similar to image recognition, which uses the raw data of images (pixels), we use the raw data from files.
No, Deep Instinct provides the customer with a solution that has already been trained and provides immediate protection. All training is performed at Deep Instinct’s lab.
With the use of high-performance servers with GPUs, the training phase typically takes about 24-48 hours. Training occurs at Deep Instinct’s Research Lab, and the D-Client on the device encompasses the prediction model, which is the output of the training phase.
Yes, the deep learning model autonomously classifies identified malware into one of seven categories using the Deep Classification module: Ransomware, Worm, Virus, Dropper, Spyware, Backdoor and PUA.
Currently, the deep learning process is applied to static analysis at the endpoint.
Deep Instinct is currently developing the option to also perform a dynamic analysis.
In addition, every malicious file detected or prevented is uploaded to the D-Appliance (optional, as defined in the policy) in order to run additional static and dynamic analyses to provide additional forensic information.