Using AI to develop improved cybersecurity measures

A Los Alamos National Laboratory research team is using artificial intelligence to address several critical gaps in large-scale malware analysis, making significant progress in classifying Microsoft Windows malware and paving the way for strengthened cybersecurity measures. With their approach, the team set a new world record in classifying malware families.

“Artificial intelligence methods developed for cyber defense systems, including large-scale malware analysis systems, must take into account real-world challenges,” said Maksim Eren, advanced research scientist in cyber systems at Los Alamos. “Our method addresses several of them.”

The team’s paper was recently published in ACM Transactions on Privacy and Security.

This research presents an innovative method using AI that represents a significant advancement in the field of Windows malware classification. The approach achieves realistic classification of malware families by leveraging semi-supervised tensor decomposition methods and selective classification, especially the discard option.

“The reject option is the model’s ability to say ‘I don’t know,’ instead of making a bad decision, thus giving the model the ability to discover knowledge,” Eren said.

Cyber ​​defense teams must quickly identify infected machines and malware. These malware can be designed specifically for their victims, making it difficult to collect large numbers of samples for traditional machine learning methods.

This new method can work accurately with samples containing larger and smaller datasets simultaneously (called class imbalance), allowing it to detect both rare and large malware families. He may also reject predictions if he is unsure of his answer. This could give security analysts the confidence to apply these techniques to practical, high-stakes situations, such as cyber defense, to detect new threats. Distinguishing between new threats and known types of malware specimens is a critical capability for developing mitigation strategies. Additionally, this method can maintain its performance even when limited data is used in its training.

Altogether, using discard and tensor decomposition methods to extract multi-faceted hidden patterns in the data provides superior ability to characterize malware. This achievement highlights the revolutionary nature of the team’s approach.

“To the best of our knowledge, our paper sets a new world record by simultaneously classifying an unprecedented number of malware families, surpassing previous work by a factor of 29, in addition to operating under extremely challenging real-world data conditions. limited, extreme. class imbalance and with the presence of new malware families,” Eren said.

The team’s tensor decomposition methods, featuring high-performance computing and graphics processing unit capabilities, are now available as a user-friendly Python library in GitHub.