Achieving Real-Time Threat Prevention with TippingPoint Machine Learning
Earlier this week, Trend Micro announced its newest capabilities of XGen™ security covering all solutions in the Trend Micro portfolio. XGen security is a unique blend of cross-generational threat defense techniques that is continually evolving and optimized for each layer of security – user environments, networks and hybrid clouds – to best protect against the full range of known and unknown threats. As part of Trend Micro’s XGen™ announcement, we announced our patent-pending machine learning capabilities of our TippingPoint next-generation intrusion prevention system (NGIPS) solutions, making us the first standalone NGIPS vendor to detect and block attacks in-line in real-time using machine learning.
TippingPoint NGIPS is part of the Trend Micro Network Defense solution which, in combination with advanced threat protection, is optimized to prevent targeted attacks, advanced threats and malware from embedding or spreading within a data center or network. Trend Micro Network Defense’s unique blend of threat protection techniques includes network content inspection, next-generation intrusion prevention and web filtering. Undisclosed zero-day vulnerabilities are protected before a patch is available with exclusive vulnerability data from the Zero Day Initiative. TippingPoint Next-Generation IPS can analyze unknown threats with machine learning algorithms to make a real-time decision on whether network traffic is malicious or benign. Advanced threat detection such as network content correlation and behavior analysis can detect more threats and we can also detect unusual lateral movement of data between servers. Last, but certainly not least, customized sandboxing provides the final and most effective detection of unknown threats. All of these cross-generational techniques give our customers the power to defend their networks against known, undisclosed, and unknown threats.
The TippingPoint DVLabs team has been conducting research on machine learning for quite some time and has focused their research in the last year toward a real-time blocking approach using machine learning. With TippingPoint, we can conduct feature extraction, model evaluation and classification in-line in real-time. Feature collection allows us to collect statistical information about web pages and other protocols and make decisions based on models we’ve created using machine learning to determine what is good and what is bad. This can be applied to our Digital Vaccine® (DV) filters to block exploit kits, obfuscated content (e.g. JavaScript, HTML), polymorphic malware, and other malicious content.
The team also uses machine learning techniques to develop DV filters as part of our Threat Digital Vaccine (ThreatDV) service that can detect DNS requests from malware-infected hosts attempting to contact their command and control centers (C&C) using domain generation algorithms or DGAs. DGAs are used by malware to communicate with C&C hosts, allowing them to dynamically change domain names to avoid blacklisting on reputation feeds. ThreatDV DGA Defense filters can detect families of DGAs using a combination of syntactical rules and logistic regression and catch many types of malware whose domain names cannot be encompassed by a regular expression that would not generate a large number of false positives.
If you’re attending the RSA Conference in San Francisco next week, come visit us at the Moscone South Expo Hall at booth #S1107.