Let the (right) machines do the work

Combating malware used to be easier. Previously, when new malware was discovered, a fingerprint was taken and added to the database of your anti-malware solution and that was that. No harm done, or almost no harm…

Many existing anti-malware packages still work that way. Everything that passes over the network is compared to a database of fingerprints, and that comparison decides what is let through. If it does not appear in the database, it is probably harmless. If it does appear, you know it has to be blocked.

The problem is that the creators of new malware make sure it never shows up in such databases. They make endless small changes to their malware so that each version differs slightly from the previous one. Consequently, traditional anti-malware protection based on fingerprint matching will not recognize it, and those traditional packages are becoming obsolete.

Look at the behavior

Malware fighters that want to be successful in the future have to approach things differently: they have to focus on machine learning. Anti-malware solutions are becoming increasingly intelligent by learning from the past. In this process, the focus is not on the fingerprint of the files but on their behavior.

When a PDF suddenly starts encrypting files, or when data is copied to a server in Eastern Europe, you should be very wary. It is up to the anti-malware solution to determine whether to classify this as malware or as infected files.

The learning part is mostly about adjusting the software. When ‘false positives’ or ‘false negatives’ are detected (files wrongly classified as malware or as harmless, respectively), this insight can be fed back into the solution. That allows the anti-malware solution to take a better-informed decision in the next similar situation.
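To make the contrast between fingerprint matching and behavior-based learning concrete, here is an added example (not code from the original article or from SecureLink). It shows a hash lookup that a one-byte change defeats, a small linear scorer over behavioral indicators, and the feedback step that imports a confirmed false positive or false negative as a weight update. All sample data, thresholds, weights and process names are constructed for the example, and the classifier is a deliberately simple perceptron-style learner, not any vendor's algorithm.

```python
import hashlib
from dataclasses import dataclass

# --- Fingerprint (signature) matching: an exact hash lookup and nothing more ---
# Constructed fingerprint of a hypothetical sample; not a real IoC.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper-v1").hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Blocked only if the exact fingerprint is already in the database."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# --- Behavior-based scoring: what the process does, not what its bytes are ---
@dataclass
class Behaviour:
    """Telemetry collected for one running process (constructed for this example)."""
    name: str
    files_encrypted: int           # files rewritten with high-entropy content
    spawned_by_document: bool      # parent process was a PDF/Office reader
    bytes_to_unknown_host: int     # outbound traffic to a host never seen before


FEATURES = ("mass_encryption", "document_spawn", "exfil_to_unknown_host")


def extract_features(b: Behaviour) -> dict[str, float]:
    """Turn raw telemetry into binary behavioral indicators (thresholds are assumptions)."""
    return {
        "mass_encryption": 1.0 if b.files_encrypted >= 50 else 0.0,
        "document_spawn": 1.0 if b.spawned_by_document else 0.0,
        "exfil_to_unknown_host": 1.0 if b.bytes_to_unknown_host >= 1_000_000 else 0.0,
    }


class BehaviourClassifier:
    """Linear scorer with a perceptron-style update driven by analyst feedback."""

    def __init__(self, learning_rate: float = 0.25, threshold: float = 0.5):
        self.weights = {f: 0.3 for f in FEATURES}   # constructed starting weights
        self.bias = 0.0
        self.lr = learning_rate
        self.threshold = threshold

    def score(self, b: Behaviour) -> float:
        x = extract_features(b)
        return sum(self.weights[f] * x[f] for f in FEATURES) + self.bias

    def is_malware(self, b: Behaviour) -> bool:
        return self.score(b) >= self.threshold

    def feedback(self, b: Behaviour, truly_malware: bool) -> None:
        """Import a confirmed false positive / false negative and shift the weights.

        error is +1 for a missed detection, -1 for a wrongly blocked process,
        0 when the current verdict was already right (no change).
        """
        error = int(truly_malware) - int(self.is_malware(b))
        if error == 0:
            return
        x = extract_features(b)
        for f in FEATURES:
            self.weights[f] += self.lr * error * x[f]
        self.bias += self.lr * error


def run_scenario() -> dict:
    """Walk through signature evasion, a false positive, and its correction."""
    original = b"dropper-v1"
    variant = b"dropper-v1 "   # a single appended byte defeats the fingerprint

    ransomware = Behaviour("invoice.pdf -> payload.exe", files_encrypted=400,
                           spawned_by_document=True, bytes_to_unknown_host=0)
    backup_tool = Behaviour("nightly-backup", files_encrypted=400,
                            spawned_by_document=False, bytes_to_unknown_host=5_000_000)

    clf = BehaviourClassifier()
    result = {
        "sig_original": signature_match(original),       # True: known fingerprint
        "sig_variant": signature_match(variant),         # False: trivially evaded
        "ransomware_before": clf.is_malware(ransomware), # True: behavior is enough
        "backup_before": clf.is_malware(backup_tool),    # True: a false positive
    }
    clf.feedback(backup_tool, truly_malware=False)       # analyst: backup is benign
    # Correcting the false positive alone over-corrects and drops the ransomware verdict,
    # so the missed detection is fed back as a false negative.
    result["ransomware_after_fp_fix"] = clf.is_malware(ransomware)
    clf.feedback(ransomware, truly_malware=True)
    result["ransomware_final"] = clf.is_malware(ransomware)
    result["backup_final"] = clf.is_malware(backup_tool)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows why the feedback loop matters as much as the model: a single correction (the backup tool is not ransomware) can shift the weights enough to lose an earlier true detection, and only the second round of feedback separates the two behaviors cleanly. A production system would learn from many labelled cases at once rather than one at a time, but the mechanism is the same.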

Machine learning cannot be developed in one day

Machine learning is a powerful technology that will definitely change the future of malware fighting. But, as with any innovative technology, the number of vendors that say ‘me too’ is much higher than the number that offer real machine learning.

How do you distinguish the wheat from the chaff? There is a simple solution: take a look at the history of the vendor in question. You cannot build machine learning in a few months, and definitely not the advanced kind that is required.

A vendor that had not spoken about machine learning until recently, and now suddenly presents the ultimate technology, should definitely be treated with suspicion. IBM, by contrast, announced that it will integrate its Watson technology into its own security solutions. In that case you know that many years of exhaustive research have preceded it.

IBM Watson is a perfect example of what can be achieved with machine learning. It has been many years since this box full of artificial intelligence won ‘Jeopardy’ against the show’s most impressive players. Since then, the intelligent assistant has proven its worth in various sectors. In the medical sector, for example, Watson does just as well as the best specialists at predicting which dark spots on the skin will grow into malignant melanoma.

The same principle of pattern analysis and detection is also applied to combat malware, and so it contributes to maintaining the health of your IT infrastructure. Those who rely on such technology are much better armed against online threats than those who rely on their current vendor’s promise to add machine learning in the next update. In case of doubt: we are ready to help you take the right decision for your company.

By Frank Staut, CTO of the SecureLink Group