The anti-virus business has been booming in the last few years. According to Gartner, security software worth RM97.8 billion was sold throughout the world in the year 2015 alone. However, no matter how much money companies and private users spend, there’s no such thing as total security.
In particular, anti-virus developers have their hands full with one specific type of malware: ransomware. In just the third quarter of last year, 821,865 ransomware attacks targeting users of Kaspersky programmes were blocked. What’s really scary is how successful the attackers are. According to Kaspersky, every third victim had to pay the hackers a ransom because of a lack of countermeasures.
300,000 new types of malware crop up every day. For anti-virus software, it’s like a constant game of cat and mouse. The risk can’t be overcome with the help of conventional signature databases, so modern protective software relies on a behavior-based approach that checks for suspicious activity on a computer. If it encounters any, the virus monitor stops the programme and informs the user. However, the problem is that attackers have developed methods of circumventing such heuristic approaches, like hiding their ransomware in legitimate programmes. To combat this modus operandi, brand-new methods are now being deployed.
A Variety Of Scanning Methods Are Supposed To Be Helpful
The latest products from the security sector feature a ransomware protection function, which checks the system for unusual file accesses in real time. At the same time, the software also monitors system values. In short, it checks whether the CPU load is increasing abruptly and whether disk access operations are intensifying significantly, which are the first indicators of an attack. According to official statements, security vendors are confident that they can provide effective protection against attacks. However, insiders quietly claim that this technique also has vulnerabilities. This is because cyber-criminals install all the common AV solutions on an isolated computer, which makes it possible for them to create the perfect virus – one that cannot be detected by the virus monitors and can outwit even the most modern heuristic process.
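The behaviour-based indicators described above (bursts of unusual file accesses and an abrupt rise in disk activity) can be illustrated with a small sliding-window monitor. This is an added example, not code from the article or from any vendor product; the thresholds, the event format and the sample event streams are all constructed assumptions for the demonstration.

```python
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-system operation as a behaviour monitor would see it (assumed format).
    entropy is the Shannon entropy (bits/byte) of the data written; 0 for non-writes."""
    ts: float
    pid: int
    op: str          # "write", "rename" or "delete"
    path: str
    entropy: float = 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorMonitor:
    """Per-process sliding-window heuristics; all thresholds are assumed values."""

    def __init__(self, window_s=5.0, min_writes=20, entropy_cutoff=7.0,
                 min_renames=10, min_dirs=3):
        self.window_s = window_s
        self.min_writes = min_writes
        self.entropy_cutoff = entropy_cutoff
        self.min_renames = min_renames
        self.min_dirs = min_dirs
        self._window = defaultdict(deque)

    def observe(self, ev: FileEvent) -> dict:
        """Record one event and return the indicators for that process's recent window."""
        q = self._window[ev.pid]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window_s:
            q.popleft()
        writes = [e for e in q if e.op == "write"]
        high = [e for e in writes if e.entropy >= self.entropy_cutoff]
        renames = sum(1 for e in q if e.op == "rename")
        dirs = {os.path.dirname(e.path) for e in q}
        indicators = {
            "write_burst": len(writes) >= self.min_writes,
            "high_entropy_writes": bool(writes) and len(high) / len(writes) >= 0.8,
            "rename_burst": renames >= self.min_renames,
            "many_directories": len(dirs) >= self.min_dirs,
        }
        score = sum(indicators.values())
        return {"pid": ev.pid, "score": score, "suspicious": score >= 3, **indicators}


def abrupt_increase(samples, baseline_len=5, factor=3.0) -> bool:
    """System-value check: True when the latest sample (CPU load, disk IOPS, ...)
    exceeds `factor` times the mean of the preceding `baseline_len` samples."""
    if len(samples) <= baseline_len:
        return False
    baseline = sum(samples[-baseline_len - 1:-1]) / baseline_len
    return baseline > 0 and samples[-1] >= factor * baseline


def run_demo() -> dict:
    """Constructed streams: a benign editor (pid 100) versus an encryptor-like burst (pid 200)."""
    monitor = RansomwareBehaviorMonitor()
    benign = [FileEvent(t * 0.5, 100, "write", "/home/u/docs/report.txt", 4.2)
              for t in range(8)]
    burst = []
    for i in range(30):
        d = "/home/u/" + ["docs", "photos", "work"][i % 3]
        burst.append(FileEvent(i * 0.1, 200, "write", f"{d}/f{i}.dat", 7.95))
        burst.append(FileEvent(i * 0.1 + 0.01, 200, "rename", f"{d}/f{i}.dat"))
    verdict = {}
    for ev in benign + burst:
        verdict[ev.pid] = monitor.observe(ev)["suspicious"]
    disk_iops = [120, 110, 130, 125, 115, 980]   # constructed samples; last one is the spike
    return {"benign_flagged": verdict[100],
            "burst_flagged": verdict[200],
            "disk_spike": abrupt_increase(disk_iops)}


if __name__ == "__main__":
    print(run_demo())
```

The monitor scores four independent signals (write volume, entropy of written data, rename volume, spread across directories) and only flags a process when several coincide, which is what keeps a backup tool or a compiler from tripping a single threshold; the resource check is the "system values" part of the article, applied to a short series of disk-activity samples.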
These diligently-produced variants can overwhelm just about any security product. Vendors typically have a solution a few hours after a virus becomes known, but this antidote is of no use to the initial victims. Specialised malware researchers have to take the new malware apart, analyze it and prepare a description. The resulting signature is then distributed to client systems via updates. If the malware is complex, this procedure can take several days.
In fact, it can take many months to analyze a sophisticated cyber-warfare tool.
Consequently, some vendors believe that in the future, viruses will no longer be analyzed by humans. Instead, machines will be able to eventually detect malware and generate a
Analysis Via Machine Learning
Various manufacturers – from Symantec to Malwarebytes – are currently developing procedures in which IT systems would take over the task of malware analysis. With ‘machine learning’, researchers feed a supercomputer with millions of files, which include viruses as well as legitimate files. Using ‘feature vectors’, they then tell the computer what a virus looks like, what characteristics it has and how malware usually behaves once it gets into the victim’s computer. In the beginning, the researchers have to help the algorithm, a process similar to teaching a child.
This is how computers learn
Machine learning is made up of two domains – the learning phase and detection.
Learning phase: Researchers first tell the computer exactly what constitutes a virus. In the following steps, the computer learns and becomes more intelligent.
Detection: On the basis of the behavior of an executed programme, the trained algorithm can then decide whether the situation involves a legitimate application or malware that has been hidden within the file.
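The two phases described above (a labelled learning phase followed by detection on unseen files) can be shown end to end with a small feature-vector classifier. This is an added example, not the article's or any vendor's code; the five features, the training samples and the logistic-regression model are constructed assumptions chosen to illustrate the idea, and a real product would use many more features and far more data.

```python
import math

# Assumed feature order; each file is described by one fixed-length numeric vector.
FEATURES = ("entropy_norm", "network_imports", "mass_file_writes", "packed", "signed")


def feature_vector(sample: dict) -> list:
    """Turn static and behavioural observations about a file into a feature vector."""
    return [
        min(sample["entropy"] / 8.0, 1.0),           # normalised section entropy
        1.0 if sample["network_imports"] else 0.0,   # imports networking APIs
        1.0 if sample["mass_file_writes"] else 0.0,  # rewrote many files when run in a sandbox
        1.0 if sample["packed"] else 0.0,            # runtime packer detected
        1.0 if sample["signed"] else 0.0,            # carries a valid code signature
    ]


def _sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


class LogisticMalwareClassifier:
    """Logistic regression trained by batch gradient descent (pure Python, no dependencies)."""

    def __init__(self, n_features: int, lr: float = 0.5, epochs: int = 3000):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr
        self.epochs = epochs

    def _prob(self, x: list) -> float:
        return _sigmoid(sum(wj * xj for wj, xj in zip(self.w, x)) + self.b)

    def fit(self, X: list, y: list) -> "LogisticMalwareClassifier":
        """Learning phase: adjust weights so labelled samples are scored correctly."""
        n = len(X)
        for _ in range(self.epochs):
            grad_w = [0.0] * len(self.w)
            grad_b = 0.0
            for x, target in zip(X, y):
                err = self._prob(x) - target
                for j, xj in enumerate(x):
                    grad_w[j] += err * xj
                grad_b += err
            self.w = [wj - self.lr * g / n for wj, g in zip(self.w, grad_w)]
            self.b -= self.lr * grad_b / n
        return self

    def predict(self, sample: dict, threshold: float = 0.5) -> dict:
        """Detection phase: score an unseen file and return a verdict."""
        p = self._prob(feature_vector(sample))
        return {"malware_probability": round(p, 3),
                "verdict": "malware" if p >= threshold else "benign"}

    def explain(self) -> dict:
        """Learned weight per feature: positive pushes towards 'malware'."""
        return dict(zip(FEATURES, (round(w, 2) for w in self.w)))


def _s(entropy, net, writes, packed, signed):
    return {"entropy": entropy, "network_imports": net, "mass_file_writes": writes,
            "packed": packed, "signed": signed}


# Constructed, labelled training set: 1 = malware, 0 = legitimate.
TRAINING_SET = [
    (_s(7.6, 1, 1, 1, 0), 1), (_s(7.2, 1, 1, 0, 0), 1),
    (_s(6.8, 0, 1, 1, 0), 1), (_s(7.8, 1, 0, 1, 0), 1),
    (_s(3.2, 1, 0, 0, 1), 0), (_s(2.4, 0, 0, 0, 1), 0),
    (_s(4.0, 0, 1, 0, 1), 0), (_s(2.8, 1, 0, 0, 0), 0),
]


def train_demo_model() -> LogisticMalwareClassifier:
    X = [feature_vector(s) for s, _ in TRAINING_SET]
    y = [label for _, label in TRAINING_SET]
    return LogisticMalwareClassifier(len(FEATURES)).fit(X, y)


if __name__ == "__main__":
    model = train_demo_model()
    print(model.explain())
    print(model.predict(_s(7.4, 1, 1, 1, 0)))   # unseen, encryptor-like file
    print(model.predict(_s(2.4, 0, 0, 0, 1)))   # unseen, signed utility
```

The `explain` output makes the "teaching" visible: after training, the weights on entropy, mass file writes and packing are positive while the signature weight is negative, so a practitioner can check that the model learned the characteristics the researchers intended rather than an accident of the sample set.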
The methods of detection
Modern anti-virus systems use a wide range of detection methods. New files run through the different stations in a matter of seconds.
> Behaviour check: In case of doubt, the scanners run the file that allegedly contains a virus in a so-called ‘sandbox’, which is a protected area. A rudimentary algorithm then checks whether the programme is infected.
> Quick assessment: In the future, machine learning is expected to make the current model even faster, and facilitate better protection and performance. However, in the end, the user in front of the computer will still be making the final decision as to whether the file in question is trustworthy, or whether it needs to be quarantined.
All Anti-Virus Tools Make Mistakes
Even if an AV software deploys sandboxes, quarantines, heuristics and machine learning, the attackers can still use relatively simple tools to outwit the system. As mentioned previously, all they have to do is test the AV solution on an isolated computer during the pre-release phase, then look for loopholes in the detection mechanism.
The AV products themselves represent yet another risk. As is the case with other software, attackers can use programming flaws to hijack and control them. This is what happened at Symantec in June 2016, when researchers found out that almost all of Symantec’s AV products had seven critical loopholes. That meant that attackers would have found it very easy to infiltrate the whole computer or even entire company networks.
All the attackers had to do to exploit the vulnerability was convince their victims to visit a manipulated website. Since AV products that run on PCs operate with the highest privileges, such vulnerabilities are nothing short of fatal. All in all, the cat-and-mouse game between attackers and defenders looks set to continue. However, machine learning is going to make life a little more difficult for malware writers.