Trend Micro researchers are proposing machine learning as a new way to combat threat actors who use polymorphism, encryption, obfuscation and other tactics to disguise their attacks.
Researchers tested the theory by clustering network flows from Gh0st RAT variants in an effort to better spot network anomalies and intrusions, and found that multiple versions of Gh0st RAT were clustered together because of the similarities in their payloads, according to a Nov. 13 blog post.
While monitoring the malware, researchers also saw ways machine learning’s ability to cluster data could be used to detect future Gh0st RAT variants, provide insights on different network patterns from malicious traffic, and even show similar characteristics between different malware families within the same classification.
“Using machine learning for analysis vastly improves the speed at which data is organized and conclusions are obtained,” researchers said in their research paper, which further detailed their methods. “In addition, the results show how machine learning can be used to efficiently identify a widely used vulnerability as it is spreading, or to recognize a certain vulnerability used in a novel way as part of another malware campaign.”
Researchers also noted they could spot network anomalies by examining flow data, which was useful for analyzing the traffic composition of the various applications and services on the network.
Researchers recommend that those looking to conduct similar studies use an approach that can lead to better modeling of malicious flow clustering.
At this stage, they said, the model would benefit most from examining the URLs in the streams and from experimenting with other features extracted from header contents, such as a measure of string randomness.
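The two ideas above, describing each flow by a few numeric features and clustering flows whose features are similar, can be shown in a few dozen lines. The following is an added illustration, not code from Trend Micro's paper: the flow records are constructed, the features (log-scaled byte and packet counts plus Shannon entropy of a header string as the "string randomness" measure) are my choice, and the clustering is a minimal deterministic two-cluster k-means rather than whatever algorithm the researchers used.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample flow records (not captures from the paper).
# Fields: flow id, bytes sent by the client, bytes received, packet count,
# and a string taken from the header (e.g. a URL path).
SAMPLE_FLOWS: List[Tuple[str, int, int, int, str]] = [
    ("web-1", 520, 48000, 60, "/index.html"),
    ("web-2", 610, 52000, 70, "/images/logo.png"),
    ("web-3", 480, 45000, 55, "/news/latest/"),
    ("sus-1", 230, 190, 6, "x7Kq9vZp2LmR4sT"),
    ("sus-2", 245, 200, 6, "q2Wn8Yz0cVb5Hj1"),
    ("sus-3", 225, 185, 7, "Lp0Xr3Mv9Ka6Tq2"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for an empty string.
    Used here as the 'string randomness' feature (an assumption)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flow_features(bytes_out: int, bytes_in: int, packets: int, header: str) -> List[float]:
    """Feature vector for one flow. Byte and packet counts are log-scaled so
    that a 48 KB download and a 200-byte beacon differ by a few units, not
    tens of thousands, which keeps the entropy feature from being drowned out."""
    return [
        math.log10(bytes_out + 1),
        math.log10(bytes_in + 1),
        math.log10(packets + 1),
        shannon_entropy(header),
    ]


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans_two(points: List[List[float]], max_iter: int = 50) -> List[int]:
    """Two-cluster k-means with deterministic initialisation: the first point
    and the point farthest from it. Returns one cluster id (0 or 1) per point."""
    centroids = [list(points[0]), list(max(points, key=lambda p: _dist(p, points[0])))]
    assign: List[int] = []
    for _ in range(max_iter):
        new_assign = [
            0 if _dist(p, centroids[0]) <= _dist(p, centroids[1]) else 1 for p in points
        ]
        if new_assign == assign:
            break  # assignments stable: converged
        assign = new_assign
        for k in (0, 1):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:
                centroids[k] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def cluster_flows(flows: List[Tuple[str, int, int, int, str]]) -> Dict[str, int]:
    """Map each flow id to its cluster id."""
    points = [flow_features(o, i, p, h) for _, o, i, p, h in flows]
    labels = kmeans_two(points)
    return {flow[0]: lab for flow, lab in zip(flows, labels)}


def cluster_summary(flows: List[Tuple[str, int, int, int, str]]) -> Dict[int, Dict[str, float]]:
    """Per-cluster mean of each feature, the kind of view an analyst would
    use to see why flows ended up together (e.g. higher header entropy)."""
    assignment = cluster_flows(flows)
    names = ["log_bytes_out", "log_bytes_in", "log_packets", "header_entropy"]
    out: Dict[int, Dict[str, float]] = {}
    for k in set(assignment.values()):
        vecs = [flow_features(o, i, p, h) for fid, o, i, p, h in flows if assignment[fid] == k]
        out[k] = {n: sum(v[j] for v in vecs) / len(vecs) for j, n in enumerate(names)}
    return out


if __name__ == "__main__":
    for fid, cid in cluster_flows(SAMPLE_FLOWS).items():
        print(f"{fid}: cluster {cid}")
    for cid, means in cluster_summary(SAMPLE_FLOWS).items():
        print(cid, {n: round(v, 2) for n, v in means.items()})
```

On the constructed sample, the three small, symmetric flows with random-looking header strings land in one cluster and the three ordinary web fetches in the other, which is the behaviour the researchers describe for the Gh0st RAT variants at a much larger scale. The point of `cluster_summary` is that clustering alone only tells you which flows resemble each other; an analyst still has to look at the per-cluster feature means to decide whether a cluster is worth investigating.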
Ultimately, researchers argued, machine learning can help cybersecurity professionals detect a wide array of malware and organize large amounts of data faster, which speeds up analysis and the conclusions drawn from it.