Startup Spotlight: Deep Instinct's AI-Driven Threat Detection
Startup uses artificial intelligence to fight APTs, zero-day attacks and other advanced threats.
Dr. Eli David used to conduct an experiment with students in his AI neural networks and evolutionary computation classes by randomly throwing a pen at a student without warning.
"I've been doing this for the past 10 years. In nine out of 10 cases, the student managed to just grab the pen in the air; there was one unfortunate incident," said David, who is now the CTO of enterprise security firm Deep Instinct. "Then I tell them you didn't have time to calculate the trajectory of the pen; it's too complicated. But your brain has already trained on that kind of motion by having things thrown at you throughout your life, so your brain reacted just like an instinct in prediction mode."
That's essentially the type of brain function that deep learning -- a subset of artificial intelligence (AI) -- attempts to replicate, but without human limitations.
Applying AI to Security
David isn't a newcomer to AI. Until he helped found Deep Instinct, he taught at his Ph.D. alma mater, Israel's Bar-Ilan University. It's one of the few research groups to focus on genetic algorithms and neural networks. While there, he wrote more than 20 papers on computational intelligence and worked closely with research students.
When zero-day and APT (advanced persistent threat) attacks started "outsmarting" traditional security approaches a few years ago, David and Deep Instinct CEO and co-founder Guy Caspi saw an opportunity to apply AI to enterprise security. Caspi, a mathematician and data scientist, brought more than 15 years' experience in cyber security and machine learning, including serving as a member of the Israel Defense Forces' elite cyber team.
"The thing we focus on and care about is new malware," David said. "Bringing the AI ... into this area makes sense because we have huge amounts of data to train from. As a general rule of thumb, the more data we have from a certain field, the more easily it would lend itself successfully to the application of automatic learning and especially deep learning, which is the most successful subfield of machine learning."
How Deep Learning Works
Most artificial intelligence solutions rely on humans at some level, generally for expertise that "informs" the computer's analysis. If you're trying to create facial recognition, for example, a solution would program the computer to look for differences based on what human experts say are the most distinct differences between human faces: the distance between eyes, lip shape and so on.
Deep learning bypasses that by feeding in raw pixels and allowing the deep learning module to learn the importance of linear features for itself, David explained.
"This works great for cyber security because finding what the important features are in a certain file is extremely difficult, and our methods are very limited," he said. "So just feeding the raw files into a deep learning module pays much better results because it is learning the importance of linear features for itself that we humans could never have thought of."
Specifically, Deep Instinct shifts protection from reacting to constantly changing virus signatures to identifying characteristics of acceptable and unacceptable software code, inside and outside the file. It doesn't require constant updates, but it can still identify small evolutions in virus attacks. It also acts proactively by stopping attacks before they execute, even if they're hidden within seemingly harmless .pdf or .doc files.
Building a 'Brain'
The initial learning process requires a substantial neural network. David and Caspi knew a deep learning "brain" could handle the data problem, but the challenge was creating the actual brain. Deep learning brains require tens, if not hundreds, of gigabytes of memory, David said.
"So that was probably the biggest challenge we had in our company. How can we squeeze a deep learning brain into something that takes only a few tens of megabytes," he said.
Their solution was to build a deep but sparse brain modeled on human brains. In human brains, not all the neurons connect. Similarly, Deep Instinct's brain retained only the useful connections.
Another part of the equation was how to deploy what the brain learned in a small footprint. The answer is found in David's pen exercise: Separate the training from the action.
In the training phase, tens of millions of malicious and legitimate files are fed through the company's deep learning brain. That phase can take more than 24 hours and is done on-premises in Deep Instinct's lab, but once it's done, it's good for months, he said. The results are used to create a deep learning prediction module that applies the lessons to the network. Every file is fed through that deep learning filter before it's allowed into the network.
Deep Instinct is based in Israel, where it's possible to attract elite AI and security experts. Two-thirds of the company's 50 current employees have a master's degree or Ph.D. in either AI or security, David said.
It is one of the first companies to bring an AI cyber security solution to market. So far, the move is paying off, David said.
Deep Instinct's predictive approach detects 98 to 99 percent of new malware attacks in the company's benchmarks, he said, which amounts to about a 20 percent better detection rate than its competitors. The deep learning approach also boasts a lower false-positive rate than competitors.
Not surprisingly, companies have been skeptical of these claims, which is why Deep Instinct works with potential clients on a proof of concept.
"Like in every field, when the results look too good to be true then the customers like to test them for themselves. In all the cases so far, they have verified that it is as large as we claim it is," David said.
Fast Facts about Deep Instinct
Founders: Guy Caspi, Doron Cohen, Dr. Eli David, Nadav Maman, Yoel Neeman
HQ: Tel Aviv, Israel
Product: A real-time solution that predicts and proactively stops APTs and zero-day attacks, as well as more traditional cyber attacks, on any operating system, including Android and iOS
Customers: The solution came to market in January, so the company hasn't publicly announced its customers
Funding: Not disclosed
Loraine Lawson is a freelance writer specializing in technology and business issues, including integration, healthcare IT, cloud and Big Data.