Transfer learning is not new to information security; it has been in use for many years. For example, anti-malware vendors have long exchanged malware samples between their proprietary collections (so-called zoos). That is a form of transfer learning. Similarly, Snort Community rules are a form of transfer learning: anyone can write a community rule, and any organization can use it. ISACs are another form, in which security-related information is shared within a community. All of these examples (zoos, community rules, ISACs) involve known bads, such as malware samples, exploits, IP addresses, and domains.
What is new is the use of transfer learning with AI for information security. How does transfer learning in AI differ from the examples above? What is transferred is the ability to detect unknown bads using modeled behavior. Modeled behaviors ("labels") are not rules or correlations. A rule or correlation matches a fixed string of data, so it can only find something it has already been told about. A label describes a fuzzier pattern of behavior, and can therefore match activity whose exact strings, addresses, or names have never been seen before.
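To make the distinction concrete, here is an added illustration (example code written for this page, not the Virtual Analyst Platform's own detection logic) that runs a fixed-string rule and a behavioral label over the same constructed sshd log lines. The log lines, the literal rule content, the label name and its thresholds are all constructed for the illustration. The rule fires only where its literal text appears; the label fires on the failures-then-success behavior from any source, including an address the rule has never heard of.

```python
"""Exact-match rule vs behavioral label over constructed log lines.

Added illustration for this page; not the Virtual Analyst Platform's own code.
Log lines, rule content, label name and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of sshd authentication log lines (not real data).
SAMPLE_LOG = """\
Mar 1 10:00:01 host1 sshd[101]: Failed password for root from 10.0.0.5 port 51000 ssh2
Mar 1 10:00:02 host1 sshd[102]: Failed password for root from 10.0.0.5 port 51001 ssh2
Mar 1 10:00:03 host1 sshd[103]: Failed password for admin from 10.0.0.5 port 51002 ssh2
Mar 1 10:00:04 host1 sshd[104]: Failed password for admin from 10.0.0.5 port 51003 ssh2
Mar 1 10:00:05 host1 sshd[105]: Accepted password for admin from 10.0.0.5 port 51004 ssh2
Mar 1 10:00:06 host1 sshd[106]: Failed password for bob from 10.0.0.9 port 52000 ssh2
Mar 1 10:00:07 host1 sshd[107]: Accepted publickey for alice from 10.0.0.7 port 53000 ssh2
Mar 1 10:01:00 host1 sshd[108]: Failed password for invalid user backup from 192.0.2.44 port 40001 ssh2
Mar 1 10:01:01 host1 sshd[109]: Failed password for invalid user oracle from 192.0.2.44 port 40002 ssh2
Mar 1 10:01:02 host1 sshd[110]: Failed password for svc_build from 192.0.2.44 port 40003 ssh2
Mar 1 10:01:03 host1 sshd[111]: Accepted password for svc_build from 192.0.2.44 port 40004 ssh2
Mar 1 10:05:00 host1 sshd[112]: Accepted password for root from 10.0.0.5 port 51010 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse(log_text):
    """Turn raw lines into event dicts; lines not in the sshd format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["t"] = _seconds(e["time"])
            e["raw"] = line
            events.append(e)
    return events


# A rule: a literal string, the way a Snort 'content:' option or a shared list of
# known-bad IPs/domains carries a known bad. It fires only on exactly this text.
RULE_CONTENT = "Failed password for root"


def rule_exact_content(events):
    """Return the source addresses whose lines contain the literal rule content."""
    return sorted({e["src"] for e in events if RULE_CONTENT in e["raw"]})


# A label: a behavior, not a string. "At least min_failures failed logins from one
# source within window_seconds, then an accepted login from the same source" fires
# regardless of username, address or authentication method.
def label_brute_force_then_success(events, min_failures=3, window_seconds=120):
    """Return one hit per source that shows the failures-then-success behavior."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        recent_failures = []
        for e in evs:
            # forget failures that have aged out of the window
            recent_failures = [f for f in recent_failures if e["t"] - f["t"] <= window_seconds]
            if e["result"] == "Failed":
                recent_failures.append(e)
            elif len(recent_failures) >= min_failures:
                hits.append({"src": src, "user": e["user"], "t": e["t"],
                             "failures": len(recent_failures)})
                recent_failures = []
    return sorted(hits, key=lambda h: h["t"])


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("rule fired on:", rule_exact_content(events))
    for hit in label_brute_force_then_success(events):
        print("label fired on:", hit)
```

On the sample, the rule names only 10.0.0.5, because only its lines carry the literal text. The label names 10.0.0.5 as well as 192.0.2.44, an address that appears in no rule, no shared list, and no prior data. That is the sense in which a label detects an unknown bad.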
Transfer learning in AI is important for the benefits it provides.
First, label acquisition is key, and information security (outside of malware) is a very thinly labeled space. Transfer learning gives an organization a way to increase the labels available to it through sharing: many organizations participating in transfer learning can greatly increase the number of labels available to each of them, which relates directly to better detection rates.
Second, transfer learning lets an organization achieve a warm start rather than a cold start. Instead of starting with zero labels (a cold start), an organization that uses transfer learning begins with more labels and higher detection rates than a cold start would allow, so its own learning proceeds faster.
Transfer learning in AI provides a third important benefit. Unlike the ISAC model, no sensitive information travels with the labels: because a label describes behavior rather than specific strings, no private IP addresses, corporate public IP addresses, usernames, or host names are shared with it. This is another major inducement to participate in transfer learning.
Just as an organization would almost certainly not deploy all Snort Community rules, an organization might choose not to deploy all labels either. Your organization might not allow FTP or Telnet, or might not operate SCADA systems, so deploying rules for them only adds complexity (a negative for security) and consumes compute capacity for no detection benefit. Likewise, not every label is relevant to an organization's activities, and a behavior that one industry sector treats as suspicious may be tolerated in another. Note, however, that locally produced labels always take precedence over global labels imported through transfer learning.
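The selection and precedence rules just described, as an added illustration (example code written for this page, using a hypothetical label schema and constructed records; not the Virtual Analyst Platform's own format or catalog). A local label replaces a global one with the same id; an imported label that depends on a service the organization does not run, or that is restricted to sectors the organization is not in, is left out; and the function returns a report of what was shadowed or dropped so the selection can be audited.

```python
"""Selecting imported labels for deployment, with local labels taking precedence.

Added illustration for this page; hypothetical schema and constructed records,
not the Virtual Analyst Platform's own format.
"""

# Constructed global (imported) labels. 'requires' = services the behavior depends on;
# 'sectors' = industry sectors it applies to (empty set = any sector).
GLOBAL_LABELS = [
    {"id": "L-001", "name": "telnet-session-to-new-host",
     "requires": {"telnet"}, "sectors": set(), "confidence": 0.70},
    {"id": "L-002", "name": "modbus-write-outside-maintenance-window",
     "requires": {"modbus"}, "sectors": {"energy", "manufacturing"}, "confidence": 0.80},
    {"id": "L-003", "name": "brute-force-then-success",
     "requires": {"ssh"}, "sectors": set(), "confidence": 0.60},
    {"id": "L-004", "name": "ftp-bulk-upload",
     "requires": {"ftp"}, "sectors": set(), "confidence": 0.65},
    {"id": "L-005", "name": "ssh-login-outside-plant-shift",
     "requires": {"ssh"}, "sectors": {"energy"}, "confidence": 0.75},
]

# Constructed local labels. L-003 is a locally tuned version of the global label
# with the same id, so it must win over the imported one.
LOCAL_LABELS = [
    {"id": "L-003", "name": "brute-force-then-success",
     "requires": {"ssh"}, "sectors": set(), "confidence": 0.90},
    {"id": "L-100", "name": "vpn-login-from-two-countries",
     "requires": {"vpn"}, "sectors": set(), "confidence": 0.85},
]

# Constructed organization profile: a finance shop with no telnet, FTP or SCADA.
ORG_PROFILE = {"sector": "finance", "services": {"ssh", "vpn", "https"}}


def select_labels(global_labels, local_labels, profile):
    """Merge global and local labels and return (deployed, report).

    Precedence: a local label replaces a global label with the same id.
    Relevance: an imported label is dropped if it needs a service the organization
    does not run, or is restricted to sectors the organization is not in. Local
    labels were produced from the organization's own data and are kept as they are.
    """
    merged = {}
    report = {"shadowed": [], "dropped_no_service": [], "dropped_sector": []}
    for lab in global_labels:
        merged[lab["id"]] = dict(lab, origin="global")
    for lab in local_labels:
        if lab["id"] in merged:
            report["shadowed"].append(lab["id"])
        merged[lab["id"]] = dict(lab, origin="local")   # local wins on id collision
    deployed = []
    for lab in merged.values():
        if lab["origin"] == "global":
            if lab["requires"] - profile["services"]:
                report["dropped_no_service"].append(lab["id"])
                continue
            if lab["sectors"] and profile["sector"] not in lab["sectors"]:
                report["dropped_sector"].append(lab["id"])
                continue
        deployed.append(lab)
    return deployed, report


if __name__ == "__main__":
    deployed, report = select_labels(GLOBAL_LABELS, LOCAL_LABELS, ORG_PROFILE)
    for lab in deployed:
        print("deploy", lab["id"], lab["name"], lab["origin"], lab["confidence"])
    print("report:", report)
```

With the finance profile above, only the locally tuned L-003 and the local L-100 are deployed; the telnet, Modbus and FTP labels are dropped for lack of the service, and L-005 is dropped as an energy-sector label. Swapping in an energy-sector profile that runs Modbus brings L-002 and L-005 back without touching the local labels, which is the point of keeping the filter on the imported side only.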
In short, transfer learning in AI provides some important benefits for organizations. Have you looked into these benefits? Maybe you should, and start by requesting a demo of Virtual Analyst Platform.