Microsoft has started using deep learning to improve the PowerShell malware detection capability built into Microsoft Defender Advanced Threat Protection (ATP). Scientific and technological advances in deep learning, a category of algorithms within the larger framework of machine learning, create new opportunities for developing state-of-the-art protection technologies.
Deep learning methods far outperform traditional methods on problems such as image and text classification. These developments open up great potential for new threat-detection methods based on deep learning.
The developers believe that malicious PowerShell scripts represent a critical attack vector today, which is why the corporation wants to focus on managing this cyber threat.
“The deep learning model used to detect malicious scripts combines the technology of convolutional neural networks (CNN) and long short-term memory (LSTM),” Microsoft said.
Thanks to deep learning, algorithms can work with relatively raw data and extract features without human intervention.
The American tech giant took the best model developed for Natural Language Processing (NLP) and trained it on a collection of PowerShell scripts. As a result, the deep learning model began to bear fruit: it detected malicious PowerShell scripts that had managed to bypass Microsoft Defender ATP.
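To make concrete what "raw" PowerShell text looks like by the time it reaches an NLP-style CNN/LSTM classifier, here is an added example (not Microsoft's code) of the preprocessing stage only: a coarse PowerShell tokenizer that case-folds tokens, collapses string and number literals to placeholders, and emits fixed-length integer sequences for an embedding layer. The regex lexer, the placeholder conventions and the two sample scripts are constructed for this illustration; the neural network itself is not shown.

```python
import re
from collections import Counter

# Coarse PowerShell lexer (constructed for this example, not Microsoft's
# pipeline). Alternative order matters: comments and strings must win
# before the generic punctuation group sees a '#' or a quote.
TOKEN_RE = re.compile(r"""
      (?P<COMMENT><\#[\s\S]*?\#>|\#[^\n]*)        # <# block #> or # line comment
    | (?P<STR>"(?:`.|[^"`])*"|'(?:''|[^'])*')      # double- or single-quoted string
    | (?P<VAR>\$[A-Za-z_][\w:]*)                   # $var, $_, $env:NAME
    | (?P<NUM>\d+)                                 # integer literal
    | (?P<ID>[A-Za-z_][\w-]*)                      # cmdlet, keyword, property
    | (?P<PARAM>-[A-Za-z][\w-]*)                   # -Parameter or -gt style operator
    | (?P<PUNCT>[^\s\w]+)                          # pipes, braces, dots, assignment
""", re.VERBOSE)

def tokenize(script: str) -> list[str]:
    """Raw PowerShell source -> normalised token stream.
    Case is folded (PowerShell is case-insensitive), literals collapse to
    placeholders so the model learns structure rather than memorising
    strings, and comments are dropped."""
    tokens = []
    for m in TOKEN_RE.finditer(script):
        kind = m.lastgroup
        if kind == "COMMENT":
            continue
        tokens.append({"STR": "<str>", "NUM": "<num>"}.get(kind, m.group().lower()))
    return tokens

def build_vocab(scripts: list[str], max_size: int = 1000) -> dict[str, int]:
    """Most frequent tokens get ids; 0 is padding, 1 is out-of-vocabulary."""
    counts = Counter(t for s in scripts for t in tokenize(s))
    vocab = {"<pad>": 0, "<unk>": 1}
    for tok, _ in counts.most_common(max_size - 2):
        vocab[tok] = len(vocab)
    return vocab

def encode(script: str, vocab: dict[str, int], seq_len: int = 64) -> list[int]:
    """Fixed-length id sequence: the input a CNN/LSTM embedding layer consumes."""
    ids = [vocab.get(t, vocab["<unk>"]) for t in tokenize(script)][:seq_len]
    return ids + [vocab["<pad>"]] * (seq_len - len(ids))

# Constructed sample scripts; a real corpus holds labelled benign/malicious files.
SAMPLES = [
    'Get-ChildItem -Path "C:\\Logs" | Where-Object { $_.Length -gt 1024 } # big files',
    '$name = $env:COMPUTERNAME; Write-Output "host: $name"',
]
VOCAB = build_vocab(SAMPLES)

if __name__ == "__main__":
    for s in SAMPLES:
        print(tokenize(s), encode(s, VOCAB, seq_len=16))
```

Tokens unseen during training map to `<unk>`, which is where obfuscated or randomly generated cmdlet and variable names end up; a character-level variant of the same idea keeps that signal instead of discarding it.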
Since its first deployment, this deep learning model has detected, with high precision, many cases of malicious and red-team PowerShell activity, some of which went undiscovered by other methods. The signal obtained from PowerShell is combined with a wide range of ML models and signals in Microsoft Defender ATP to detect cyberattacks.
“Better detection of malicious PowerShell scripts at the endpoints, for which deep learning will be used, will result in more advanced Microsoft Threat Protection,” the Microsoft Defender ATP team summed up.
Deep learning techniques greatly enhance threat detection. Developing and deploying deep learning systems for cyber defense requires large amounts of data, computation, resources and engineering effort. In this case, Microsoft Defender ATP combines data collected from millions of endpoints with Microsoft's computing resources and algorithms to provide protection against attacks.