
The Power of Algorithms and Advanced Machine Learning - Bitdefender TechZone

Abstract

AI and ML strengthen cybersecurity. Bitdefender uses deep learning, large language models and custom algorithms for threat detection and anomaly detection. Models engineered to run on diverse hardware, from datacenter servers to home routers, support real-time response to cyber attacks.

Artificial intelligence (AI) and machine learning (ML) have become important technologies for improving the security posture of organizations. As the volume and complexity of data continue to grow, AI and ML are used to extend the capabilities of security tools and systems. This technical brief describes how Bitdefender uses AI and ML in its technology stack.

AI and ML in Cybersecurity

In cybersecurity, AI and ML are used to learn from data and identify patterns that would be difficult, or far too time-consuming, for humans to find. Although the terms are often used interchangeably, machine learning is a subset of AI: it covers the techniques that make predictions or decisions based on data.

There is no single machine learning model that solves every problem. We use different types of models to develop technologies that cover different areas of cybersecurity, and when existing models do not address a problem, our Bitdefender Labs teams develop new models for that specific challenge. The next section outlines some of the ways we use existing machine learning models in our technology.

Using Existing Machine Learning Models

Bitdefender technologies employ several types of machine learning to identify malicious behavior. Among them are deep learning, large language models, and models trained with supervised, unsupervised, and self-supervised methods.

One key example of how we use deep learning (DL) models in several layers of the Bitdefender GravityZone technology stack is feature extraction. Just as the human brain recognizes patterns and extracts features from sensory input, deep learning models are designed to extract features from input data automatically. Our on-access scanning uses this feature extraction to help identify malware: we look at API calls, code patterns, file header information, network behavior, and more to find the features and patterns that are characteristic of malware.

Another example of how we combine machine learning models is our patented HyperDetect technology. HyperDetect uses a combination of supervised and unsupervised machine learning algorithms to analyze the behavior of running processes and identify suspicious or malicious activity. It can recognize threats that traditional antivirus software, which relies on known signatures or patterns of malicious code, would miss. Large language models are used in HyperDetect to identify potential threats by allowing the margin of the model's decision boundary to be adjusted. The more aggressively that margin is set, the more sensitive HyperDetect becomes to new types of malware it has never seen before, and the more benign outliers it will flag; the margin is a tunable trade-off between detection and false positives, which is why it is exposed as a setting rather than fixed.
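The file-level features mentioned for on-access scanning and the adjustable decision-boundary margin described for HyperDetect, as an added illustration (this is not Bitdefender's model or code): a linear classifier over four file features with assumed, hand-set weights, and a `classify()` whose `margin` parameter pulls the boundary toward the benign side. The feature names, weights, bias, sample files and margin values are all constructed for this example; a real model learns its weights from training data.

```python
"""Adjustable decision-boundary margin for a linear malware classifier.

Added illustration, not Bitdefender code. The weights, bias and samples
are constructed for this example; a real model would learn them.
"""
from dataclasses import dataclass

# Feature order (each scaled to 0..1, constructed for the example):
#   entropy      - normalised entropy of the code section (high = packed)
#   susp_imports - fraction of imports from a watch-list (VirtualAlloc, ...)
#   signed       - 1.0 if the file carries a valid Authenticode signature
#   rwx_section  - 1.0 if any section is both writable and executable
FEATURES = ("entropy", "susp_imports", "signed", "rwx_section")

# Assumed weights and bias of an already-trained linear model.
WEIGHTS = (2.0, 3.0, -1.5, 1.0)
BIAS = -2.0


@dataclass(frozen=True)
class Sample:
    name: str
    features: tuple
    is_malware: bool  # ground truth, used only by the evaluation sweep


def score(features):
    """Linear score: values above 0 fall on the malicious side of the boundary."""
    return sum(w * x for w, x in zip(WEIGHTS, features)) + BIAS


def classify(features, margin=0.0):
    """Flag as malicious when the score is within `margin` of the boundary.

    margin=0 is the model's native boundary. A larger margin moves the
    boundary toward the benign side, so borderline unknowns are caught at
    the cost of more benign files being flagged.
    """
    return score(features) > -margin


# Constructed evaluation set. The novel loader is signed with a stolen
# certificate and sits just on the benign side of the native boundary.
SAMPLES = [
    Sample("packed_dropper",    (0.9, 0.8, 0.0, 1.0), True),
    Sample("novel_loader",      (0.7, 0.5, 1.0, 0.0), True),
    Sample("signed_installer",  (0.3, 0.1, 1.0, 0.0), False),
    Sample("unsigned_dev_tool", (0.3, 0.2, 0.0, 0.0), False),
]


def sweep(samples, margins):
    """Return {margin: (malware detected, benign false positives)}."""
    out = {}
    for m in margins:
        detected = sum(1 for s in samples if s.is_malware and classify(s.features, m))
        false_pos = sum(1 for s in samples if not s.is_malware and classify(s.features, m))
        out[m] = (detected, false_pos)
    return out


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:18s} score={score(s.features):+.2f}")
    for m, (d, fp) in sweep(SAMPLES, (0.0, 0.7, 1.0)).items():
        print(f"margin={m:.1f}: detected {d}/2 malware, {fp} false positive(s)")
```

The sweep is the point: at the native boundary the signed, never-seen loader is missed; widening the margin to 0.7 catches it at no cost on this set, while widening it to 1.0 also flags the unsigned developer tool. The margin buys sensitivity to unknowns, but every step costs something in false positives, so it is a setting to tune per environment rather than to maximize.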

Bitdefender uses further machine learning models across its technologies, but Bitdefender Labs does not limit itself to established machine learning and AI algorithms.

Bitdefender’s Custom AI and Machine Learning Models

The Bitdefender Labs team is constantly performing attack research based on data-mining, behavior analysis, and offensive computing.  We use our findings to develop custom machine-learning and AI algorithms. We were among the first to develop machine learning algorithms for malware detection back in 2008, and have published more than 70 academic papers on machine learning.

Bitdefender Labs is deeply committed to machine learning and AI.  Over 50 of our Bitdefender Labs staff teach at major universities in Europe, with some serving as lecturers on neural network courses in Alexandru Ioan Cuza University in Iasi, the oldest university in Romania. This close relationship with academia allows us to use some of the brightest minds in the field to help develop our custom machine learning models.

One of those custom models is used in our File-less Attack Protection. File-less malware attacks do not rely on a traditional malware file to infect a system; instead they abuse legitimate programs and interpreters, such as PowerShell and the command line, to carry out the attack. Because these attacks execute in memory rather than from a file on disk, traditional antivirus solutions often fail to detect them. Our Bitdefender Labs team developed custom machine learning models capable of performing feature extraction directly from command lines and PowerShell scripts. This research earned us the title of "Key Innovators" from the European Commission.

The Bitdefender Labs team has also created several other custom machine learning models that we use for anomaly detection. These models are trained individually on each customer's systems: every system in every customer environment has its own model, fitted to the particulars of that system. The model observes behavior on the system and compares it against MITRE® indicators of attack, custom indicators of attack developed by Bitdefender Labs, and user-specific events. Over time the baseline of expected versus unexpected behavior shifts, the model is adjusted continuously to follow it, and the deviations it identifies are reported to the security team.
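A per-system behavioral baseline with continuous adjustment, as an added illustration (this is not Bitdefender's anomaly-detection model or code): one `HostBaseline` per host learns which (user, parent process, child process) combinations are normal during a warm-up period, then flags combinations never seen on that host, checks each event against a small indicator-of-attack table, and ages its counts so that behavior which stops occurring becomes anomalous again. The event records, the indicator table (the ATT&CK reference is the standard ID for PowerShell execution; the labels themselves are constructed), the warm-up length and the decay factor are all constructed for this example.

```python
"""Per-host behavioural baseline with indicators of attack and decay.

Added illustration, not Bitdefender's model. Events, indicators and
thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed indicators of attack: (parent image, child image) -> label.
INDICATORS = {
    ("winword.exe", "powershell.exe"): "Office app spawning PowerShell (ATT&CK T1059.001)",
    ("winword.exe", "cmd.exe"): "Office app spawning a command shell",
}


@dataclass
class HostBaseline:
    host: str
    warmup_events: int = 6        # events to observe before raising anomalies
    rare_threshold: float = 0.05  # share below which a known key counts as rare
    seen: int = 0
    counts: dict = field(default_factory=lambda: defaultdict(float))
    total: float = 0.0

    def observe(self, event):
        """Return findings for one process-creation event, then learn from it."""
        key = (event["user"], event["parent"], event["child"])
        findings = []
        ioa = INDICATORS.get((event["parent"], event["child"]))
        if ioa:
            findings.append(("ioa", ioa))
        if self.seen >= self.warmup_events:
            if self.counts[key] == 0:
                findings.append(("anomaly", f"never seen on {self.host}: {key}"))
            elif self.counts[key] / self.total < self.rare_threshold:
                findings.append(("rare", f"rare on {self.host}: {key}"))
        self.counts[key] += 1
        self.total += 1
        self.seen += 1
        return findings

    def decay(self, factor=0.5):
        """Age the baseline: behaviour that is no longer observed fades out
        and, once forgotten, is reported as an anomaly again."""
        for k in list(self.counts):
            self.counts[k] *= factor
            if self.counts[k] < 0.01:
                del self.counts[k]
        self.total *= factor


def run(events, baselines=None):
    """Route each event to its host's model; return (host, child, finding) tuples."""
    baselines = {} if baselines is None else baselines
    alerts = []
    for ev in events:
        model = baselines.setdefault(ev["host"], HostBaseline(ev["host"]))
        for finding in model.observe(ev):
            alerts.append((ev["host"], ev["child"], finding))
    return alerts


def ev(host, user, parent, child):
    return {"host": host, "user": user, "parent": parent, "child": child}


# Constructed process-creation events, in arrival order.
EVENTS = [
    # ws-01: an analyst workstation where PowerShell never runs (warm-up)
    ev("ws-01", "alice", "explorer.exe", "outlook.exe"),
    ev("ws-01", "alice", "explorer.exe", "winword.exe"),
    ev("ws-01", "alice", "explorer.exe", "chrome.exe"),
    ev("ws-01", "SYSTEM", "services.exe", "svchost.exe"),
    ev("ws-01", "alice", "explorer.exe", "outlook.exe"),
    ev("ws-01", "alice", "explorer.exe", "chrome.exe"),
    # ws-02: an admin workstation where PowerShell is routine (warm-up)
    ev("ws-02", "bob", "explorer.exe", "powershell.exe"),
    ev("ws-02", "bob", "explorer.exe", "code.exe"),
    ev("ws-02", "bob", "explorer.exe", "powershell.exe"),
    ev("ws-02", "bob", "explorer.exe", "code.exe"),
    ev("ws-02", "bob", "explorer.exe", "powershell.exe"),
    ev("ws-02", "bob", "explorer.exe", "code.exe"),
    # activity after warm-up
    ev("ws-01", "alice", "winword.exe", "powershell.exe"),  # indicator + anomaly
    ev("ws-02", "bob", "explorer.exe", "powershell.exe"),    # normal on ws-02
    ev("ws-01", "alice", "explorer.exe", "powershell.exe"),  # anomaly on ws-01 only
    ev("ws-01", "alice", "explorer.exe", "chrome.exe"),      # known, nothing
]

if __name__ == "__main__":
    for host, child, (kind, detail) in run(EVENTS):
        print(f"{host} {child}: [{kind}] {detail}")
```

The same child process, `powershell.exe` under `explorer.exe`, is an anomaly on ws-01 and unremarkable on ws-02, which is the reason to keep one model per system rather than a fleet-wide one. The indicator lookup runs regardless of the baseline, so a Word document spawning PowerShell is reported even on a host where PowerShell is otherwise normal. Calling `decay()` periodically is what keeps the baseline current: a workflow the user abandons is forgotten, and the model does not carry a stale notion of "normal" forever.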

Scalable AI Models

Bitdefender technologies ship in consumer, business, and OEM product lines. This breadth gives us broad threat-detection coverage, but it also presents a challenge when creating machine learning models: the same models must run efficiently on hardware ranging from large-scale servers in datacenters to a home router, and we have developed models that do.

AI and ML in Action

The success of our innovation is evident in the results. For example, using our ML and custom-developed adversarial AI, we identified the behavioral traits of the WannaCry ransomware in 2014, three years before the malware was seen in the wild. Bitdefender also consistently outperforms competitors in independent evaluations. In the AV-Comparatives Advanced Threat Protection Tests, for example, we reliably stop threats at the pre-execution stage at a greater rate than our competitors. This led the AV-Comparatives evaluator to comment, "A good burglar alarm should go off when somebody breaks into your house, not wait until they start stealing things."

Recommended Content

To learn more about the technology behind the GravityZone platform, we recommend reading the next article Minimizing False Positives.

More Resources

Bitdefender’s AI official website: AI Advantage Enterprise Cybersecurity