Deep learning is a branch of machine learning inspired by the way interconnected neurons in the human brain process information. An evolution of machine learning and a component of AI, it improves the speed and accuracy of its predictions by observing, processing and analysing massive amounts of data.
Sangfor uses Deep Learning to break cryptic domain names down into vectors. Unlike other natural language processing approaches, which focus primarily on classifying a domain name as benign or malicious, Sangfor’s Deep Learning models also take the malware family into account. By associating vectors, we are able to detect domain names used by similar malware families. Because the model continues to learn each time it is executed, over time it identifies many previously undetected malicious domain names.
• Visual Calculation:
Malware families return to domain names belonging to, or resembling, those of their original family for C&C communications. By building an association map of these domain names, Sangfor is able to detect similar domain names used by the same malware families.
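The two paragraphs above describe vectorising domain names and associating new domains with known malware families by vector similarity. The following is an added illustration of that idea and is not Sangfor’s code or model: it uses a simple character-trigram bag-of-n-grams vector (rather than a trained deep-learning embedding) and cosine similarity against a per-family centroid. The family names, domain names and the 0.3 threshold are constructed for the example and are not real indicators.

```python
"""Character n-gram vectors for domain names and nearest-family lookup (illustrative)."""
import math
from collections import Counter


def registrable_label(domain: str) -> str:
    """Drop the TLD and a leading 'www.' so only the attacker-chosen label is vectorised."""
    parts = domain.lower().strip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return ".".join(parts[:-1]) if len(parts) > 1 else parts[0]


def ngram_vector(domain: str, n: int = 3) -> Counter:
    """Bag of character n-grams over the label, padded with ^ and $ so edges are captured."""
    padded = f"^{registrable_label(domain)}$"
    return Counter(padded[i:i + n] for i in range(len(padded) - n + 1))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse count vectors; 0.0 when either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


# Constructed, hypothetical family-to-domain mapping; not real malware infrastructure.
KNOWN_FAMILIES = {
    "family-a": ["kjhsdf-update.com", "kjhsdf-sync.net", "kjhsdf-cdn.org"],
    "family-b": ["x7q2m9.biz", "x7q2m9-login.info"],
}


def family_centroids(families: dict) -> dict:
    """Sum the n-gram vectors of every known domain in a family into one centroid vector."""
    centroids = {}
    for name, domains in families.items():
        centroid = Counter()
        for d in domains:
            centroid.update(ngram_vector(d))
        centroids[name] = centroid
    return centroids


def nearest_family(domain: str, centroids: dict, threshold: float = 0.3):
    """Return (family, score) for the closest centroid, or (None, score) below the threshold."""
    query = ngram_vector(domain)
    best_name, best_score = None, 0.0
    for name, centroid in centroids.items():
        score = cosine(query, centroid)
        if score > best_score:
            best_name, best_score = name, score
    if best_score < threshold:
        return None, best_score
    return best_name, best_score


if __name__ == "__main__":
    centroids = family_centroids(KNOWN_FAMILIES)
    for candidate in ["kjhsdf-proxy.net", "x7q2m9-panel.org", "example.com"]:
        print(candidate, nearest_family(candidate, centroids))
```

A real deployment would replace the trigram bag with a learned embedding and would need a much larger labelled corpus; the point of the example is only to show why "association by vector" catches a never-before-seen domain such as kjhsdf-proxy.net while a plain benign/malicious blocklist would not.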
• Flow Analysis:
Malware typically generates abnormal traffic when it communicates with C&C servers. Sangfor’s ZSand observes and captures this activity to determine whether a system is being controlled as part of a botnet, since a bot behaves very differently from a human user. The evidence collected is then processed by the flow analysis engine to discover malicious behaviour patterns. Confirmed indicators of compromise (IOCs), including IP addresses, URLs and DNS names, are then shared through the Sangfor Threat Intelligence system for the benefit of all customers.
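The paragraph above says that bot traffic to a C&C server looks very different from a human user's traffic. The following added example, which is not ZSand's or Sangfor's code, shows one concrete form that difference takes in flow data: a bot checks in at near-constant intervals with near-constant payload sizes, whereas a person browsing produces irregular gaps and sizes. The flow records, host addresses and the thresholds (minimum of 6 flows, coefficient of variation at most 0.2) are constructed for the example.

```python
"""Beacon detection over flow records: regular intervals and near-constant sizes (illustrative)."""
import statistics
from collections import defaultdict

# Constructed flow records as (timestamp_seconds, src, dst, bytes). Not real traffic.
FLOWS = [
    # Hypothetical bot on 10.0.0.12 checking in roughly every 60 s with a ~512-byte beacon.
    (0, "10.0.0.12", "203.0.113.5", 512), (61, "10.0.0.12", "203.0.113.5", 520),
    (119, "10.0.0.12", "203.0.113.5", 508), (180, "10.0.0.12", "203.0.113.5", 515),
    (241, "10.0.0.12", "203.0.113.5", 512), (299, "10.0.0.12", "203.0.113.5", 518),
    (360, "10.0.0.12", "203.0.113.5", 510), (420, "10.0.0.12", "203.0.113.5", 514),
    # Hypothetical human browsing from 10.0.0.25: bursty timing, wildly varying sizes.
    (5, "10.0.0.25", "198.51.100.7", 1500), (12, "10.0.0.25", "198.51.100.7", 40000),
    (140, "10.0.0.25", "198.51.100.7", 2300), (143, "10.0.0.25", "198.51.100.7", 900),
    (400, "10.0.0.25", "198.51.100.7", 88000), (410, "10.0.0.25", "198.51.100.7", 3100),
    (900, "10.0.0.25", "198.51.100.7", 12000),
    # Too few flows to judge either way.
    (30, "10.0.0.30", "192.0.2.9", 700), (90, "10.0.0.30", "192.0.2.9", 700),
]


def group_flows(flows):
    """Group flows by (src, dst) pair, keeping (timestamp, bytes) samples in time order."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows, key=lambda r: r[0]):
        groups[(src, dst)].append((ts, nbytes))
    return groups


def beacon_score(samples):
    """Regularity statistics for one pair, or None when there are too few samples."""
    if len(samples) < 4:
        return None
    times = [t for t, _ in samples]
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return None
    sizes = [s for _, s in samples]
    return {
        "count": len(samples),
        "mean_gap": mean_gap,
        # Coefficient of variation: ~0 means clockwork intervals, large means irregular.
        "gap_cv": statistics.pstdev(gaps) / mean_gap,
        "size_cv": statistics.pstdev(sizes) / statistics.mean(sizes),
    }


def find_beacons(flows, min_flows=6, max_gap_cv=0.2, max_size_cv=0.2):
    """Return (src, dst, stats) for pairs whose timing and sizes are both suspiciously regular."""
    hits = []
    for (src, dst), samples in group_flows(flows).items():
        stats = beacon_score(samples)
        if (stats and stats["count"] >= min_flows
                and stats["gap_cv"] <= max_gap_cv and stats["size_cv"] <= max_size_cv):
            hits.append((src, dst, stats))
    return hits


if __name__ == "__main__":
    for src, dst, stats in find_beacons(FLOWS):
        print(f"beacon candidate {src} -> {dst}: {stats}")
```

The destination of a confirmed beacon is exactly the kind of IP, URL or DNS indicator the text says is then shared; in practice the thresholds have to be tuned, and legitimate software updaters and monitoring agents also beacon regularly, so a hit is evidence to investigate rather than a verdict.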