E-BOOK

Deep Learning vs. Machine Learning in Cybersecurity
Which is Superior for Advanced Threat Prevention?

www.deepinstinct.com
Table of Contents

Introduction 03
The evolution of Artificial Intelligence in cybersecurity solutions 04
Unknown threats: EDR is not enough 05
Closing the gap: The return to a prevention-first strategy 05
Defining 3 types of Artificial Intelligence 06
1. Basic Artificial Intelligence 06
2. Reactive Artificial Intelligence: Machine Learning 07
3. Proactive Artificial Intelligence: Deep Learning 08
Machine Learning vs Deep Learning: A quick comparison 09
Deep Learning holds the key to prevention-first in cybersecurity 12
What should you look for in a DL-based solution? 13
How do you know it’s truly a DL-based solution? 14
It’s time to redefine “Threat Prevention” 15

DEEP LEARNING VS MACHINE LEARNING IN CYBERSECURITY eBook 02


Introduction

CISOs have been turning to AI-based solutions to augment their cybersecurity toolboxes as the technology evolves to deliver greater value in detecting and preventing advanced threats. Gartner has predicted* that by 2035, 90% of detection and 60% of responses to cyberattacks will be handled by AI. Cap Gemini reported that nearly 70 percent of enterprise executives believe AI is necessary to compete with our cyber adversaries, with 48 percent of security leaders saying their budgets for AI in cybersecurity have increased.**

With organizations investing billions of dollars in cybersecurity, how do you compare AI-based cybersecurity solutions?

All AI-driven cybersecurity tools aren’t created equal. For instance, there are real differences between machine learning (ML) and deep learning (DL), especially in the outcomes they can each achieve, making it critically important to understand the key benefits of each approach. Now that cybercriminals have discovered how to use AI to fool and evade detection by ML-based security tools, how do you best protect your organization from compromise?

When comparing the best AI cybersecurity solutions, it is important to understand the following:
- How AI has evolved for cybersecurity
- The various types of AI and how they are applied in cybersecurity
- Why DL is different and holds promise to achieve prevention-first security

We’ll cover these topics in this eBook to help you make informed choices.

70% of enterprise executives believe AI is necessary to compete with our cyber adversaries.**
48% of security leaders say their budgets for AI in cybersecurity have increased.**

*Unpublished and presented at the 2022 Gartner Security and Risk Summit.
**Reinventing cybersecurity with artificial intelligence: the new frontier in digital security, Cap Gemini.

The evolution of Artificial Intelligence in cybersecurity solutions

In the early 2000s, personal firewalls and antivirus (AV) software were ubiquitous and promised to keep us safe. But as new viruses emerged and malware attacks became more prevalent (remember the Nimda worm?), it became clear that AV protection alone wasn’t enough.

Traditional AV fails to prevent

As a result, a new class of cybersecurity tools was ushered in. First, we saw next-generation antivirus (NGAV), closely followed by endpoint detection and response (EDR).

NGAV took a small step forward to employ AI analytics driven by ML to identify known threats by adding pattern recognition of known rules and signatures with cloud threat intelligence. NGAV was intended to provide root-cause analysis but is only effective against previously seen attacks.

NGAV was only as good as the intelligence it was fed, and EDR came along to fill the gap. EDR was developed to detect threats using ML algorithms, by monitoring endpoints to look for suspicious behavior that would indicate there was an active attack in progress. This new class of solutions then assisted in investigation, threat hunting, response, and remediation of threats.

As mistrust in AV prevention grew, “assume breach” became the de facto mindset among cybersecurity professionals. The idea was born from defenders’ inability to stop attacks until they were in motion: they must assume environments have been infiltrated, with attackers already on the inside. The advice followed that security teams must focus on monitoring for behaviors that indicated a compromise, post-execution.

Unknown threats: EDR is not enough

As EDR gained momentum over the past decade, our adversaries have advanced their tactics to innovate new threats that evade detection. While EDR is good at detecting previously known threats and improving the identification of anomalous behavior patterns, it lacks true prevention capabilities against zero-day threats and never-before-seen malware until the attack is already in progress in your environment.

As threat actors continue to innovate and invent more complex and dangerous attacks, they are getting better at evading EDR controls.

While an EDR is an essential part of a layered approach to cybersecurity, it primarily excels at the investigation and response stage, post-compromise, and does not offer sufficient protection on its own. As threats continue to rise exponentially, it has become even more clear that detection is too late to prevent a breach.

EDR can also be very noisy and suffer from high false positives, which presents a huge challenge for security teams that are already spread too thin.

An additional challenge for solutions like EDR that rely on ML is that cybercriminals are creating new ways to compromise algorithms and data. With the ability of hackers to fool ML, AI defenses are no longer immune to attacks like model tampering and data poisoning.

As an example, during the SolarWinds compromise of 2020, the attacker’s malware would check for endpoints installed with certain EDR tools and would not execute until it found an un-instrumented endpoint.

Closing the gap: The return to a prevention-first strategy

A prevention-first approach is needed to stop threats before they execute and land inside your environment. A prevention strategy that complements existing EDR solutions provides a critical missing layer that can significantly improve your security posture and lower risk.

This is where DL comes in.

DL is a more advanced and data-driven form of ML that has greater sophistication and accuracy in predicting future zero-day and unknown attacks.

A DL-based solution can train on 100% of raw data with less dependence on hand-tailored/human-engineered features, making it almost impossible to evade and incredibly difficult to fool.

DL-based solutions offer the best hope for pulling ahead of attackers to prevent attacks, reduce risk, and improve SOC productivity.

Defining 3 types of Artificial Intelligence

As organizations evaluate prevention-first solutions, it's helpful to understand the outcomes of the AI methodologies you'll encounter. There are three primary implementations of AI: basic, reactive, and proactive.

As you might imagine, there are significant differences in how they affect your cybersecurity posture.

01 Basic AI

Basic AI involves human-created algorithms that rely on the use of signatures and scripts and requires constant human-in-the-loop updates. Basic AI is limited in its capabilities and is best for stopping known threats by recognizing behaviors and patterns flagged by checking cloud intelligence feeds. For example, antivirus software with basic AI principles might scan a device, call to the cloud to compare results with known threats, and remove potentially malicious files or software.

Cons:
- Basic AI tools, like traditional antivirus, will only recognize known threats.
- The reliance on the cloud for rules and intelligence reduces efficacy and slows the process.
- They also suffer from a high false-positive rate; zero-day threats and never-before-seen malware and variants will be missed, and your SOC’s productivity will be limited.

02 Reactive AI: Machine Learning

Machine Learning (ML) is reactive AI and is the most common type of AI used in cybersecurity solutions. ML most often plays a central role in post-execution threat detection and analytics, as it’s useful in catching suspicious or malicious behavior once the threat is already inside a network — hence its reactive moniker.

The value of ML-driven technology lies in its ability to identify anomalous patterns and malicious links that indicate a potential attack. ML algorithms are trained on continually updated, manually-engineered features so they can distinguish between benign and malicious behavior.

Cons: There are some limitations to achieving promised results when applying ML to cybersecurity.
- ML-focused security tools only detect about 60 percent of unknown attacks post-execution – meaning that a zero-day threat or new malware variant has to execute and exhibit known bad behaviors before it will be detected.
- ML requires significant and frequent human input to support model updates for new data or threats. This process requires significant expertise, is time-intensive, and is subject to human bias and, therefore, prone to error.

ML-based solutions are known to record events that lead to 1-2% in false positive alerts.

The False Positive Problem

While 1-2% false positives might not sound like a lot on the surface, if your team is dealing with 10,000 alerts a day, that is the equivalent of 100 to 200 false positives. With a limited staff, those alerts can backlog quickly and be ignored in many cases.

Not only is this a burden on the already overworked SOC team, but alerting has been known to be turned off altogether when it gets too noisy.

26% have turned off alerts due to the high number of false positives.*
*Deep Instinct Voice of SecOps Report, 2022.

03 Proactive AI: Deep Learning

Deep Learning (DL) is a proactive AI that adapts to new data more efficiently and autonomously extracts relevant features of attacks to make it easier to predict new threats and prevent them before they execute and gain access inside your environment.

DL models can be trained to discover threats far faster, with extremely high efficacy and very few false positives, and with far less frequent tuning and model updates as compared to ML. It’s possible for a deep learning model as old as nine months to prevent a zero-day attack.

DL trains on 100% of raw data, both malicious and benign, providing DL-based solutions with the ability to predict never-before-seen threats.

DL holds the most promise for a true prevention-first approach. It:
- Is less reliant on humans to constantly update model features or threat intelligence feeds to make accurate decisions quickly.
- Can better predict and identify new variations of ransomware and zero-day threats without having previous knowledge of the specific threat.
- Can improve both the speed and accuracy of identifying and preventing threats.

With a DL-based solution, even the fastest-acting ransomware can be prevented before it has a chance to execute — this means no exfiltration or encryption can take place. DL provides organizations the best chance of staying a step ahead of bad actors by preventing attacks before they infiltrate your environment and exfiltrate your data — or worse.

Cons:
- DL is a specialized field that requires extensive expertise to take full advantage of the technology and get the desired results.
- DL also trains on 100% raw data, meaning that the initial training and upkeep of the models are a time-intensive endeavor.

Machine Learning vs Deep Learning: A quick comparison

There are some basic, but important, differences between ML and DL. While the two terms sound similar and may be used interchangeably, their capabilities in data analysis, feature engineering, the file types they detect, the rate of false positives they generate, and their accuracy in preventing unknown threats are quite different.

To apply traditional ML to any problem, you first must perform a lot of pre-processing. You have to determine in advance the important properties or features in the problem domain. As mentioned previously, this process requires a great deal of manual feature specification on only 1-2% of the data, and you end up disregarding most of the raw data.

DL, on the other hand, trains on the entirety of the raw data, enabling it to better learn the patterns and principles behind it. This leads to better generalization capabilities (i.e., its ability to predict on previously unseen data). This important difference gives DL-based cybersecurity solutions distinct advantages in preventing attacks.

[Figure: ML vs DL pipeline comparison]

Machine Learning (ML):
  Limited training on subset of 2-5% of available data -> Manual Feature Engineering -> Vector of Features -> ML Model
  Requires human tuning to detect known behaviors and patterns that indicate an attack.
  Updates: daily to weekly | Accuracy with false positives: 1-20% | Accuracy with unknown threats: 50-70%

Deep Learning (DL):
  Trains on 100% of available raw data with malicious and benign samples -> Deep Neural Network
  Makes autonomous decisions about unknown threats without having to see the entirety of an attack.
  Updates: 3x per year | Accuracy with false positives: <0.1% | Accuracy with unknown threats: >99%

The following table provides a quick reference for comparing ML-driven and DL-driven solutions:

Unknown Threat Prevention vs Detection
  Machine Learning (ML) Cybersecurity Solutions: Post-execution. A malicious file will land in your environment before the threat is detected or analyzed and a response is determined. This slows the speed of threat response and increases the risk of breach.
  Deep Learning (DL) Cybersecurity Solutions: Pre-execution. Prevents unknown threats before they can enter your environment, eliminating the risk of an active threat and speeding the response time.

Model Training
  ML: 1-2% of Data. Trains on a pre-determined subset of data (less than 2% of available data), which limits the representation of data needed for a decision. This means that the ML model's threat recognition is incomplete.
  DL: 100% of Raw Data. Multi-layered model that trains on 100% of raw data, with millions of both benign and malicious files, to understand the DNA of an attack and make accurate decisions without seeing the entirety of its contents.

Resilience to Attack
  ML: More susceptible to AI-based attacks like model tampering and data poisoning. Adversarial methods targeted at fooling traditional ML methods are likely to be more prevalent because of the blind spots due to the previously mentioned weaknesses in how the models are trained.
  DL: Greater resiliency to AI-based attacks and tampering. DL models will be more resilient on the whole because of the comprehensiveness of the data set used during initial training. DL models' advantage lies in their much-enhanced predictive analysis.

Ability to Prevent Unknowns
  ML: Low. Requires humans to manually input behaviors for each new threat to then detect them, and relies on intelligence feeds and cloud lookups to make decisions. It is only as good as the data it is fed and lacks the quantity of data needed to accurately determine a potential attack.
  DL: High. The DL model is more complex and uses significantly larger data sets to train, enabling it to be more likely to identify a never-before-seen attack. More data results in higher reliability, making DL more capable of accurately determining a potential attack.

False Positives
  ML: >1-2% False Positives. Typically results in >1 to 2% false positives, leaving cybersecurity teams to manually validate potentially thousands of alerts.
  DL: <0.1% False Positives. Less than 0.1% false-positive rate, resulting in tens of thousands fewer alerts, improving SOC productivity.

Accuracy of Unknown Threats
  ML: 50-70% Accurate. 50-70% of unknown threats will execute and bypass controls before they are detected, increasing the risk of a breach.
  DL: >99% Accurate. Potential to prevent 99% of unknown threats, zero-days, and ransomware prior to execution, significantly reducing risk.

Deep Learning holds the key to prevention-first in cybersecurity

“Deep learning is the area of artificial intelligence where the real magic is happening right now.” *
* Forbes

Most of the initial prominent research and innovation around DL revolved around speech and image recognition and natural language generation. However, more recently DL has been applied to cybersecurity, making true prevention of unknown and zero-day threats a reality.

A prevention-first approach to cybersecurity – long thought impossible – is now firmly within reach.

A DL-based cybersecurity solution does not need to have previously seen malware, know the entirety of an attack technique, or watch its behavior to prevent unknowns. DL uses layers of neural networks (the “Brain”) to understand the DNA of an attack. For organizations concerned about the next big attack, DL-based solutions have a significantly higher potential to interrupt a supply chain attack, for example, by predicting and preventing zero-days, ransomware, and never-before-seen malware variants before they execute and land inside your environment.

INDEPENDENT TESTS CONFIRM >99% ZERO-DAY PREVENTION

In our latest report, the cybersecurity firm Unit 221B validates our threat prevention capabilities. The claims were validated through tests in categories including portable, unknown, custom designed attacks, and Python executables, as well as static, dynamic, network, behavioral analysis, and signature detection.

What should you look for in a DL-based solution?

A DL-based solution needs to be designed from the ground up to take full advantage of the AI. A cybersecurity solution that adds DL to a portion of its tooling can improve outcomes in a particular area, but will not realize the full power of DL. In developing a DL-based solution, it’s important to consider the AI foundation as well.

While there are multiple open-source DL frameworks available, such as TensorFlow and PyTorch, which were built for specific challenges like image recognition and predicting viewer habits, you need a more dedicated solution. These open-source frameworks are solid, although they were not specifically developed to solve the unique challenges of cybersecurity. Applying just any framework on its own, without the backing of DL experts who bring a unique methodology and high-caliber cybersecurity threat research to the challenge at hand, will not achieve the desired results.

Think about it this way: would a model built to stop a train be the same as the model for landing a plane? Not even close. You need a framework specifically designed to address the challenges of cybersecurity to reap the full benefits of deep learning.

How do you know it's a truly Deep Learning-based solution?

Deep learning has reached “buzzword” status – with many co-opting the term and causing confusion in the market. It can be difficult to know whether a solution you might be evaluating is natively developed using a robust DL framework or if it’s one component bolted on to an existing solution.

A quick word on “self-learning” claims – unless an AI model is truly and completely unsupervised learning, you can’t claim it to be self-learning.

Here are some questions you can ask to determine if it’s really a deep learning-based solution:

Is it truly Deep Learning?
- How much data is consumed to train the AI models?
- How much human-led pre-process training is required on the sample sets?
- Are the AI models heavily dependent upon the cloud for intelligence to catch the latest threats?

Is it a natively developed Deep Learning-based solution?
- How much of the solution is using DL?
- Where exactly is DL applied?
- Is DL being used for detection (post-execution) or true prevention (pre-execution)?
- What is the false-positive rate?

Can it predict and prevent threats before they land?
- Can the solution predict an unknown attack without previous knowledge of the malware?
- How fast can they stop ransomware?
- What percent of attacks can be prevented at the pre-execution level?

It’s time to redefine “Threat Prevention”

Getting ahead of today’s threats requires an innovative approach. In some cases, it also requires an evolution in mindset to accept that prevention is even possible.

That’s precisely why Deep Instinct was founded. Deep Instinct is the first cybersecurity company to natively leverage a deep learning-based neural network that learns and improves dynamically as it’s fed more data.

Deep Instinct developed the world’s only purpose-built DL cybersecurity framework to make a prevention-first approach a reality for stopping malware.

PREVENTING THREATS IN <20MS — 750x FASTER THAN THE FASTEST KNOWN RANSOMWARE CAN ENCRYPT
PREVENTING >99% OF ALL THREATS — KNOWN, UNKNOWN, ZERO-DAY, AND RANSOMWARE
LOWERING FALSE POSITIVES TO <0.1% — THE LOWEST IN THE INDUSTRY

With security breaches on the rise — increasing 31% from 2020 to 2021 according to Accenture — it’s become painfully obvious that EDR solutions, alone, aren’t enough.

It’s time to redefine “threat prevention” by investing in deep learning-based cybersecurity solutions that ensure even the most sophisticated attackers never make it inside the network.

Have questions about DL, or want to know more about how Deep Instinct can dramatically enhance your security efforts and reduce your risks?

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world’s first purpose-built deep learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt.

Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack — providing complete, multi-layered protection against threats across hybrid environments.

www.deepinstinct.com | info@deepinstinct.com

© Deep Instinct Ltd.