Using AI to Fight Malware
Technology companies are expanding the capabilities of their security software to respond more effectively to a rapidly evolving threat landscape. Artificial intelligence (AI) and machine learning (ML) are at the heart of these efforts because they detect advanced and previously unknown malware faster than traditional antivirus solutions.
In February 2018, thousands of users in the USA were infected with malware because the existing antivirus software had been bypassed. Traditional security solutions are no longer a viable option on their own, and faster adoption of AI- and ML-based solutions is the only way to guard against persistent and unconventional cyber attacks.
Microsoft was alerted immediately through its cloud-based antivirus software. Enabled by default on all Windows 10 PCs, the software scans files using a lightweight machine learning (ML) model that runs locally on the client, and it flagged the file as suspicious.
The file is then sent to the antivirus cloud service, where a metadata-based ML classifier immediately identifies and blocks it, while a deep learning model identifies it as a variant of Trojan:Win32/Emotet, a widely used banking malware family.
Each time a user downloads a new application, the cloud ML service evaluates it against thousands of application parameters, such as permissions or entry points; if any of these parameters match those of a known threat, the application is marked as a threat. The ability to identify threats from a range of parameters lets the cloud ML service detect malicious applications built from modified malware that has never been seen before.
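The two-stage client/cloud pipeline described above, as an added example that is not Microsoft's or Google's code: a cheap permission-weighted score runs on the client, and only apps above its threshold go to a "cloud" stage that compares the app's permission and entry-point feature set against known-threat profiles by overlap rather than exact match, so a renamed or extended variant is still caught. All weights, thresholds, threat profiles and app records are constructed for this illustration.

```python
# Added illustration of tiered metadata-based app classification.
# Weights, thresholds and "known threat" profiles below are constructed;
# they are not any vendor's real model or family signatures.
from dataclasses import dataclass

# Stage 1 (client): weighted sum over a few high-risk permissions, cheap enough
# to run on every download. Above CLIENT_THRESHOLD the app goes to the cloud stage.
CLIENT_RISK_WEIGHTS = {
    "SEND_SMS": 0.5, "READ_SMS": 0.4, "RECEIVE_BOOT_COMPLETED": 0.2,
    "SYSTEM_ALERT_WINDOW": 0.3, "REQUEST_INSTALL_PACKAGES": 0.4,
    "BIND_ACCESSIBILITY_SERVICE": 0.5,
}
CLIENT_THRESHOLD = 0.6

# Stage 2 (cloud): known-threat profiles as metadata feature sets (constructed).
KNOWN_THREATS = {
    "sms-fraud-family-A": {"perm:SEND_SMS", "perm:READ_SMS", "perm:RECEIVE_BOOT_COMPLETED",
                           "entry:receiver:BOOT_COMPLETED", "entry:service:SmsSender"},
    "ad-fraud-sdk-B": {"perm:SYSTEM_ALERT_WINDOW", "perm:INTERNET",
                       "entry:service:AdLoader", "entry:receiver:USER_PRESENT"},
}
CLOUD_THRESHOLD = 0.6   # minimum Jaccard similarity to call the app a variant

@dataclass
class AppMetadata:
    package: str
    permissions: set
    entry_points: set   # e.g. "receiver:BOOT_COMPLETED", "service:SmsSender"

    def features(self):
        return {f"perm:{p}" for p in self.permissions} | {f"entry:{e}" for e in self.entry_points}

def client_score(app):
    """Stage 1: bounded risk score from declared permissions alone."""
    return min(1.0, sum(CLIENT_RISK_WEIGHTS.get(p, 0.0) for p in app.permissions))

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cloud_classify(app):
    """Stage 2: closest known-threat profile by feature overlap -> (family or None, similarity)."""
    feats = app.features()
    family, sim = max(((f, jaccard(feats, sig)) for f, sig in KNOWN_THREATS.items()),
                      key=lambda t: t[1])
    return (family, sim) if sim >= CLOUD_THRESHOLD else (None, sim)

def evaluate(app):
    """Full pipeline: 'clean', 'suspicious' (sent to cloud, no close profile) or 'blocked:<family>'."""
    if client_score(app) < CLIENT_THRESHOLD:
        return "clean"
    family, _ = cloud_classify(app)
    return f"blocked:{family}" if family else "suspicious"
```

An app that keeps family A's permissions and entry points but adds a renamed service and an extra permission still scores 5/7 against the profile and is blocked, which is the "never seen before" variant case the paragraph describes.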
Google Play takes a similar approach. It uses deep learning to analyse application metadata, user metrics, text descriptions, and peer groups of applications with similar functions, and considers how these develop over time, in order to detect potentially harmful signals. Any application showing such a signal is immediately marked as a security or privacy risk.
According to Google's annual Android Security and Privacy Review released in March 2019, potentially harmful applications (PHAs) released in 2018 were installed on only 0.45% of Android devices running Play Protect, a 20% year-on-year change from 2017, when PHAs were installed on 0.56% of devices. This also helped Google shut down some of the most persistent and complex Android botnets, such as Chamois. When Chamois was detected in 2017, it was directing infected devices, through its command-and-control servers, to carry out advertising fraud and advanced SMS fraud.
Google found that the attackers behind Chamois tricked application developers into bundling malicious code, disguised as a legitimate advertising development kit, into their applications. Chamois code was also found in side-loaded applications from third-party stores and, in some countries, pre-installed on smartphones from various OEMs (original equipment manufacturers) that had not carefully scanned for malware.
Google blocked Chamois in 2017, but it returned in 2018. With its ML model and continuous monitoring of Android applications, however, Google Play Protect can now identify Chamois variants more effectively.
Another AI solution that has received a lot of attention is threat intelligence. Threat intelligence solutions use ML to scan unstructured data and find the context that links it to threat actors.
According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about existing or emerging threats or hazards to assets. This knowledge can be used to inform decisions on how to respond to the threat or hazard.