From the Field: Machine Learning and Artificial Intelligence for Malware Prevention

For many years, the main threat protection products were based on signatures. Today, malware changes every day, every hour, making signature-based prevention tools obsolete. It's time to think beyond the traditional antivirus (AV).

I recently participated in proof-of-concept (PoC) testing of the CylancePROTECT® agent and was deeply impressed with the product's AI-driven malware prevention capabilities in comparison to more traditional approaches. The following are some key observations of the PoC outcomes.

Traditional Model: Antivirus Signature and Heuristics

For those who may not know, heuristics is a technology designed to proactively detect malicious code without requiring a specific signature. In this approach, the security solution analyzes a file and compares its behavior against patterns that may indicate the presence of a threat. Each action performed by the file is assigned a score; if the accumulated score exceeds a certain threshold, the file is classified as "likely new malware".

Signatures, on the other hand, require a considerably longer turnaround. The vendor must first receive the sample, then develop a detection, publish it to the update server, and wait until the user's computer downloads the new database. The time needed to obtain the sample, plus the lag between when the update is published and when it is installed on the user's computer, is a window of opportunity for something bad to happen.

In short, signature-based antivirus is akin to the police leafing through a giant book of criminals' photos to see if anyone fits the description: to be effective they must have photos of all known criminals available (signatures updated) in order to find a match (and be able to block). Alternatively, heuristic analysis examines suspicious behaviors and makes a conviction based on known bad behavior that has been seen before. Both approaches depend on "knowing" a great deal about the suspects (the malware) before they can be effective, and thus fall short in today's threat landscape, where hundreds or even thousands of new pieces of malware emerge daily.
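To make the two traditional models concrete, here is an added example (not code from the original article or from any vendor) that places a toy hash-based signature lookup beside a toy heuristic scorer of the kind described above. The signature database, behaviour names, weights and the threshold of 60 are all constructed for illustration; it shows why a trivially modified file slips past the signature, why the heuristic still catches it only when its actions are already in the rule set, and how a sample with unrecognised behaviour evades both.

```python
"""Added example (not from the original article): a toy signature lookup
beside a toy heuristic scorer, to illustrate the gaps the text describes.
Every sample, signature, behaviour name and weight below is constructed."""
import hashlib

# Constructed "signature database": SHA-256 digests of known-bad file contents.
KNOWN_BAD_FILES = [b"MZ\x90\x00 dropper v1", b"MZ\x90\x00 keylogger build 7"]
SIGNATURE_DB = {hashlib.sha256(f).hexdigest() for f in KNOWN_BAD_FILES}

# Constructed heuristic rule set: each recognised behaviour adds to a score.
BEHAVIOUR_WEIGHTS = {
    "writes_to_startup_folder": 30,
    "disables_security_tooling": 40,
    "encrypts_many_user_files": 50,
    "injects_into_other_process": 35,
    "contacts_unknown_domain": 20,
    "reads_clipboard": 5,
}
HEURISTIC_THRESHOLD = 60  # assumed cut-off for "likely new malware"


def signature_match(file_bytes):
    """Exact-match detection: only files already in the database are caught."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB


def heuristic_score(behaviours):
    """Sum the weights of recognised behaviours; unrecognised ones score zero."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)


def heuristic_verdict(behaviours):
    """Classify by comparing the accumulated score against the threshold."""
    if heuristic_score(behaviours) >= HEURISTIC_THRESHOLD:
        return "likely new malware"
    return "clean"


def classify(file_bytes, behaviours):
    """Signature first, heuristic as fall-back; report which engine fired."""
    if signature_match(file_bytes):
        return "blocked (signature)"
    if heuristic_verdict(behaviours) == "likely new malware":
        return "blocked (heuristic)"
    return "allowed"


if __name__ == "__main__":
    # Known file: caught by the exact hash match.
    print(classify(b"MZ\x90\x00 dropper v1", []))
    # One byte changed: the hash no longer matches, but the recognised
    # behaviours (30 + 40 = 70) still push it over the heuristic threshold.
    print(classify(b"MZ\x90\x00 dropper v2",
                   ["writes_to_startup_folder", "disables_security_tooling"]))
    # Same modified file using a technique the rule set has no weight for:
    # neither engine fires, which is the window the article describes.
    print(classify(b"MZ\x90\x00 dropper v2",
                   ["reads_clipboard", "technique_not_in_rule_set"]))
```

The third call is the interesting one for a defender: a score of 5 leaves the file "allowed" because the unrecognised behaviour contributes nothing, so the heuristic engine is only as good as the rule set it was shipped with.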

Artificial intelligence (AI) and machine learning (ML) provide a much-needed alternative, where malicious files (and fileless attacks, for that matter) that have never been seen before (not in the criminal database, not exhibiting known bad behaviors) are blocked in milliseconds, providing what I would consider high-end antivirus.

In addition, AI/ML solutions are also effective in combating zero-day attacks. A zero-day threat can be defined as a security hole in an operating system or application that has not yet been discovered or documented. Because the developer is typically unaware of the flaw (security bypasses are rarely front of mind during functional development), there is no known method of preventing the attack. An AI-based next-generation antivirus can identify and prevent these threats well, unlike traditional solutions.
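The article does not describe how any particular product's model works, so the following is an added, generic illustration (not BlackBerry Cylance's model and not code from the article) of the idea behind feature-based classification: a minimal logistic-regression classifier, trained with plain gradient descent on constructed static file features, that scores a file it has never seen by its properties rather than its identity. The feature set (suspicious-import ratio, normalised section entropy, packed flag, writable-and-executable section ratio), the training rows and the 0.5 decision threshold are all assumptions made for the example.

```python
"""Added example (not from the original article, and not any vendor's model):
a from-scratch logistic-regression classifier over constructed static file
features, to show a file that is absent from the training data still being
scored from its properties rather than from an exact match."""
import math

# Each row: ([suspicious_import_ratio, mean_section_entropy / 8, packed_flag,
#             writable_and_executable_section_ratio], label); 1 = malicious.
# All values are constructed for illustration.
TRAINING_SET = [
    ([0.80, 0.90, 1.0, 0.70], 1),
    ([0.75, 0.95, 1.0, 0.50], 1),
    ([0.90, 0.85, 0.0, 0.80], 1),
    ([0.60, 0.92, 1.0, 0.60], 1),
    ([0.10, 0.40, 0.0, 0.00], 0),
    ([0.05, 0.55, 0.0, 0.00], 0),
    ([0.20, 0.45, 0.0, 0.10], 0),
    ([0.15, 0.60, 0.0, 0.00], 0),
]


def sigmoid(z):
    """Logistic function, clamped so math.exp cannot overflow."""
    z = max(-500.0, min(500.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def train(rows, learning_rate=0.5, epochs=2000):
    """Batch gradient descent on the log-loss; returns (weights, bias)."""
    n_features = len(rows[0][0])
    w = [0.0] * n_features
    b = 0.0
    for _ in range(epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(n_features):
                grad_w[i] += err * x[i]
            grad_b += err
        for i in range(n_features):
            w[i] -= learning_rate * grad_w[i] / len(rows)
        b -= learning_rate * grad_b / len(rows)
    return w, b


def score(model, features):
    """Probability that a file with these features is malicious."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features)) + b)


def verdict(model, features, threshold=0.5):
    """Block when the malicious probability reaches the assumed threshold."""
    return "block" if score(model, features) >= threshold else "allow"


# Train once at import time so the model is ready for scoring.
MODEL = train(TRAINING_SET)

if __name__ == "__main__":
    # Neither vector appears in TRAINING_SET; the model still has an opinion,
    # which is the point the article makes about never-before-seen files.
    unseen_suspicious = [0.70, 0.85, 1.0, 0.60]
    unseen_benign = [0.12, 0.50, 0.0, 0.05]
    for name, feats in (("unseen suspicious", unseen_suspicious),
                        ("unseen benign", unseen_benign)):
        print(f"{name}: p={score(MODEL, feats):.3f} -> {verdict(MODEL, feats)}")
```

Two points for practitioners follow directly from the code: the decision depends entirely on which features the model was trained on, so an adversary-controlled feature (for example, an easily altered packed flag) is a weak basis on its own, and the threshold is a tunable trade-off between false positives and misses rather than a property of the model.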

Our PoC with BlackBerry’s CylancePROTECT® vs. Four Traditional AV Products

CylancePROTECT leverages machine learning and artificial intelligence and has proven very effective in terms of performance, with low processor and RAM consumption, and offers excellent granularity for configuring policies according to business needs.

Our testing was conducted with a malware base of 284 samples in a virtual machine (VM), each being executed on the endpoint. With CylancePROTECT, the machine's performance did not diminish and the product identified and quarantined 280 of the samples.

The other AV products tested consumed most of the computer's resources, and we thought the machine would crash. The process took a long time and only identified in the range of 200 of the malicious samples. Worse yet, in the middle of testing, a ransomware sample infected the systems, requiring us to recover from backup. And yes, these other antivirus products were primarily dependent on signatures and heuristics.

Strengths of CylancePROTECT:

  • Controls where, how and who can run scripts
  • Manages the use of USB devices by prohibiting the use of unauthorized devices
  • Eliminates the ability of attackers to use fileless malware attack techniques on your endpoints
  • Prevents malicious email attachments from detonating payloads
  • Predicts and prevents successful zero-day attacks
  • Uses AI, not signatures, to identify and block both known and unknown malware from running on your endpoints
  • Provides prevention against common and unknown (zero-day) threats without a cloud connection
  • Continuously protects the endpoint without disrupting the end user
  • Unmatched efficiency with minimal system impact

BlackBerry Cylance's effectiveness compared to these other AV products was simply excellent. The product is based on mathematical calculations, and you don't need to be Internet-connected to keep what could be considered a "database" up to date, because the solution only needs to be updated about every six months (or even longer), and even then mostly for software tuning, unlike the other antivirus products that you have to keep updating on a daily basis.