In a lot of security companies, those with the role of "researcher" largely hand-classify risks and threats in order to generate content for their company's products. Wherever the course of the security river runs—or at least his company's tributary of it—the researcher is either swept along with the current or paddles furiously to keep up with both competitors and criminals alike. Whether it's flotsam from an incident or new threats pulled from the nets, the day's catch must be collected and cataloged, a piece of content created and an update published.
In a past life, I worked in vulnerability assessment, creating checks mostly to detect missing patches. Every patch published meant at least one new check; the only occurrence worse than a surprise update was the dread of an impending update deluge. Extending the metaphor further, each Microsoft Patch Tuesday was like racing Scylla and Charybdis down an Escher waterfall in an overloaded wagon, at least once a month, every single month.
I was never involved in anti-malware signature creation, but it must surely be even more turbulent. Malware authors and their victims generally don't adhere to a disclosure timeline, so emergency signature creation occurs frequently and unpredictably, like every time a new species of malware starts making headlines, or a large, hysterical customer suddenly discovers an undetected and metastasized infection.
On the Infinity Team, research is different. Instead of individuals raking the muck and panning for individual samples to scrutinize, picture something closer to the Large Hadron Collider collaboration, where researchers build and install detectors and computing clusters designed to operate at a level inaccessible to humans. Samples are injected into the system en masse and converted to information at a torrential rate, and people analyze the machine's analyses of the data to make higher-level discoveries and advances in the cybersecurity sciences.
In Infinity, the detectors we create are file processors capable of extracting more features from samples and making ever more intelligent observations. Understandably all the best stuff is trade-secret, but as a watered-down example, let's say that we program a file processor to identify the sections in a Windows executable, extract their sizes as features, and additionally express as a feature how much file content falls outside of any section. Sometimes these extra bytes might constitute a malicious payload, other times not. To Infinity, it's just additional dimensions of data contributing to the next model, which will be trained to consider that as one more drop in the bucket when weighing all the available evidence.
In fact, that's the joy of Infinity research: we aren't writing signatures for individual samples, we're finding new techniques to squeeze richer details out of all samples and distill them into better models. These techniques, and the models they feed, will be as effective on yesterday's threats as on tomorrow's. In this way, our incarnation of research is a more creative and constructive endeavor—a bit like having confluences of researcher streams of consciousness—with each incremental iteration multiplied by the full force of Infinity. And as we steam ahead, more and more malware will become derelict, and the less hardy competitors and criminals will find themselves left in Infinity's wake.
- Derek Soeder
Sr. Researcher
