To be fair, false positives are really annoying to get as an end user. I don't want to go through hoops to recover my file that I know is safe after dismissing all the warnings.

This. Half my day as an analyst is going through false positives

@@RealCyberCrime only half?

@@elidrissii Yep SentinelOne notorious for it.

The "false positive" has been an issue since the internet went "public"

No. Arcane magic is not computable (as of yet).

Was trying to remember how to call those curves, thanks - the name rings a

@@zzzaphod8507RINGS A WHAT??

@@ilyaSyntax bell

Sir which ML algorithms did you use and did you use ROC/AUC and K-Fold Cross Validation?

If you are an academic Virustotal has repositories of large Malware samples from the last quarter year or so. VirusShare also has large torrents of recent samples.

@@kenbobcorn @Kamik4ze , Indeed you could also use the ISOT dataset, although I think that one is outdated

Surely there is a consistency in what outcomes the malware is trying to achieve that could be used as the basis for detection???

Wouldn't the point of machine learning be for the program to learn how the malware generally behaves in order to accomplish it's goal, and so not rely on the latest samples to identify malware? Because if you always need the latest samples you might as well just have your program check the files directly against your database no? Or am I missing something?

Sounds like fun, things were simpler back in the day..

Hence, ML is not what it is sold to be

Really interesting, thanks

It depends. Massive organizations that don't focus on tech as a core competency can sometimes be very, very slow at adopting the best tools because it is hard for them to even understand what the best tools are, or come up with a framework for comparing tools. Especially governments.

Look at cybersecurity vendors (Fortinet, Palo Alto) - they apply that. It’s natural that MS or Amazon as infrastructure companies have no tradition in this.

@@ZandarKoad I can say, at least for the companies I've consulted for, they use some form of SIEM or other IDS system. A lot of the ML side of things are handled by the SIEM vendors, while they just have to comb through alerts and identify FPs.

Yup! Totally agree that you can detect previously detected 'models' of current threats, but you are still unable to detect an emerging threat using ML. It is an 'informational problem' that this professor clearly discusses.

Well said - all in the name of convenience for the user and exploitation by anyone who handles the data.

Can you give some examples of this? I am curious to read about it

Nope, they don't give up - they have FP's that they sadly don't handle - and this is part of the "lazy" way that was described in the signature approach. Ie - they use to badly written indicators and leave the detection engine with to much weight on that portion. Sometimes it's the odd coding from the program as well..

I'd recommend reading more on ML and what scale is being worked on right now. . .from your comment I felt like you think a billion "parameters" is too much of a challenge, which it isn't. I'd recommend you check out *huggingface

@@prashantd6252 well training billion params is not a problem. Spending 5k$ for AWS/Azure/Google processing power is a problem.

I agree, it is like fingerprints. However, every itteration just like fingerprints are different to an extent that you can't only rely on it.

It would be one facet of detection, like the MO (modus operandi) in a crime. Fingerprinting is "specific" .. I like the MALICIOUS.IDENTITY object ! very handy, you could call it a signature but that wouldn't really be accurate. A specific code execution "process" occurring on the CPU is what is being detected, right ?

Normally cross validation is used for setting hyperparameters to a machine learning model. First you would split your data set into training and test set, say 70/30. Thereafter, you use k-fold cross validation on the training set. What will happen is that a model will be trained k times. (k is a number you choose, the higher k, the better estimates you get for your hyperparameters but the more time you spend cross validating the model as it needs to be retrained) Each time the model is trained, during k-fold cross validation the training dataset, the 70% of all the data you had from the beginning, will be split again. Lets say its split 90/10. The model will then be trained on this 90% and evaluated on the remaining 10% of the validation data. After repeating this k times, we select the hyperparameter value which scored the highest on the 10% validation data. Now to prevent overfitting, we run the model again on the completely unseen test data, the 30% from the original data that we had kept away during training.

@@SuperCaptain4 thanks you so much i got it.

Were you bragging dude? 😂

If only it understood what it's writing...

I guess that's only when you treat it as a black box, in a white box you could know what it is

The computation requirements to run GPT would have to be much less than today, as not all servers have enough computation power to run a model. On the other hand, I can imagine a trained IA model that could analyze the binaries / source code and create zero day approaches based on the input.

You could use the same method as actual viruses and randomly mutate the code 1mil times on all already infected system, until some variant actually works, which is then sent outward to penetetrate new hosts. It's incredibly slow, but requires less computing than GPT.