Got to be better than human protection: New firm using machine learning anti-malware

Security firm Cylance is using machine learning to fight what many firms regard as the already lost battle of keeping computers free of malware. While mainstream thinking in the industry has moved towards acceptance that malware infections are inevitable and the focus has to be on detection and response, the US startup isn’t …

  1. Anonymous Coward

    Ummm...

    I'd feel more secure if their website didn't use three tracking networks to see what I'm doing on it.

  2. Steve Davies 3 Silver badge

    Er... but...

    Isn't tracking you all part of this 'Great Game'?

    They know who you are, where you are and just about everything about you.

  3. Pascal Monett Silver badge
    Thumb Up

    Can't understand why behavioral detection isn't more common

    If it writes to system files and is not a core Windows process, then why let it do that ?

    If it's an image and it attempts to execute code, why let it ?

    Okay, it's easy to find simple examples. Real life is exponentially more difficult and I'm certainly not a virus expert. But all this signature-based detection is demonstrably insufficient.

    I wish these guys the best of luck. We can certainly do with a new approach to the question.

  4. Allan George Dyer
    Boffin

    Full disclosure: I sell AV software

    TL;DR: Entire article appears to have been copied from an over-hyped press release.

    "already lost battle of keeping computers free of malware" - Why not start by characterising your competitors as defeatist?

    "far more effective than conventional antivirus software from the likes of Symantec and Intel Security (McAfee)" - So similar to half the smaller vendors, then?

    "mainstream thinking in the industry has moved towards acceptance that malware infections are inevitable and the focus has to be on detection and response" - Why not fudge the terminology to make it sound like you're doing something new? The aim of on-access protection is to detect the malware before it is executed, e.g. if you detect malware in a browser download, you respond by deleting it. You can't prevent the code arriving on your machine unless you are prepared to block everything arriving (see airgap) because you can't identify it until you have it there to look at.

    "The firm is applying a stats-based approach to threat detection that it claims offers 99 per cent detection rates in comparison to the 40 per cent figures of conventional antivirus." - So they're using heuristics. Citation needed for those detection rates.

    "trained using a sample of 300 million known good files and 300 million known bad files" - Everyone in AV is dealing with huge numbers of samples nowadays. Now, what method did you use for knowing whether they are good or bad? You believed someone else's analysis, or your staff analysed 600 million files?

    "The technology is not based on either sandboxing, signatures or conventional signatures." - OK, so what is it based on?

    "Our technology is extracting the DNA of malware" - Oh, so it's based on extracting DNA, wait, WHAT? You crush up the malware and extract the double helix???! Oh, you meant metaphorically? So, you're still not telling us. Is it based on fairy dust and wishful thinking?

    "Firstly Cylance’s technology doesn’t need to hook into every process running on a desktop and therefore has a lower footprint." - 'conventional' AV doesn't hook every process - just the read and write calls.

    "Secondly its agent can run effectively on air-gapped machines." - most AV can run on airgapped machines, but it helps if you can switch off the warning that it can't reach the update server. Air-gapping is a great method of preventing malware spread, so you've tailored your solution to work best where it is least needed?

    1. HenryandHugo

      I developed a technique which proved 99.8% effective on unknown files using machine learning for my MSc Project. There are a number of ways to achieve such high rates.

      If someone has money they would like to invest ($42m would be nice), a number of researchers are looking to set up a global SOC and are going to offer the A/V solution free to our users.

      FYI, the A/V engines at VirusTotal averaged 48% in my study.

      1. Michael Wojcik Silver badge

        I developed a technique which proved 99.8% effective on unknown files using machine learning for my MSc Project. There are a number of ways to achieve such high rates.

        I'm not saying I don't believe you, but this is a rather vague claim. Certainly before I'd even agree to take a closer look at a system of this sort I'd want to know the actual recall and precision rates, more details about the classification mechanism, and more information about the training and testing sets.

        But more fundamentally, even the definition of "malware" is to some extent subjective - it's going to vary by use case and threat model. So no classifier can be "99.8%" effective at discriminating between "safe" and "unsafe" for all files, for all users. That's simply not a meaningful distinction.

        1. HenryandHugo

          Excellent comment!

          Research normally covers a narrow area with many specifics, the detail(s) of which are included in the paper (if published).

          As you know, there is no right or wrong answer!
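To make Michael Wojcik's point concrete, here is an added example (not code from any commenter or from Cylance) that computes recall, precision and false-positive rate on a constructed balanced test set, then shows what the same classifier's precision becomes when it is deployed where malware is rare; the file scores, labels and prevalence figures are all made up for illustration.

```python
"""Why a bare "99 per cent detection" figure says little on its own.

Constructed example: the scores, labels and prevalence values below are
invented; "score" is assumed to be a classifier output where higher means
more likely malicious, and a file is flagged when score >= threshold.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    recall: float               # detected malware / all malware ("detection rate")
    precision: float            # real malware / everything flagged
    false_positive_rate: float  # flagged benign / all benign


def evaluate(scores, labels, threshold):
    """Confusion-matrix metrics; labels are True for known-bad, False for known-good."""
    tp = fp = fn = tn = 0
    for score, is_bad in zip(scores, labels):
        flagged = score >= threshold
        if flagged and is_bad: tp += 1
        elif flagged: fp += 1
        elif is_bad: fn += 1
        else: tn += 1
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return Metrics(recall, precision, fpr)


def deployed_precision(recall, fpr, malware_prevalence):
    """Bayes' rule: precision the same recall/FPR gives when only
    `malware_prevalence` of the files seen in the field are malicious,
    instead of the 50/50 mix of a balanced good/bad training corpus."""
    p = malware_prevalence
    flagged_bad = recall * p
    flagged_good = fpr * (1 - p)
    return flagged_bad / (flagged_bad + flagged_good)


# Constructed balanced evaluation set: 100 known-bad and 100 known-good files.
# 99 bad files score high and one is missed; 98 good files score low and two are flagged.
SCORES = [0.90] * 99 + [0.20] + [0.10] * 98 + [0.95] * 2
LABELS = [True] * 100 + [False] * 100

if __name__ == "__main__":
    m = evaluate(SCORES, LABELS, threshold=0.5)
    print(f"balanced set: recall={m.recall:.1%} precision={m.precision:.1%} "
          f"FPR={m.false_positive_rate:.1%}")
    for prevalence in (0.5, 0.01, 1e-4):  # 1e-4: one malicious file in 10,000
        deployed = deployed_precision(m.recall, m.false_positive_rate, prevalence)
        print(f"prevalence {prevalence:g}: precision in deployment = {deployed:.2%}")
```

With a 99% detection rate and a 2% false-positive rate, the classifier looks excellent on the balanced set, yet where only one file in ten thousand is malicious fewer than 1% of its alerts are real malware.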

    2. rwilliams

      RE: Allan George Dyer

      “It is difficult to get a man to understand something, when his salary depends on his not understanding it.” - Upton Sinclair

      1. Allan George Dyer

        Re: RE: Allan George Dyer

        @rwilliams - Is that directed at me or Cylance?

        Please tell me you've understood what, "Our technology is extracting the DNA of malware" means.

    3. Michael Wojcik Silver badge

      Oh, so it's based on extracting DNA, wait, WHAT? You crush up the malware and extract the double helix???! Oh, you meant metaphorically?

      Agreed. Using "DNA" metaphorically in this fashion is a strong indication that the rest of the argument is handwaving rubbish.

  5. DCLXV

    heck, I don't even sell AV software and that bit about malware DNA triggered my BS-o-meter

  6. Anonymous Coward

    Some of the other vendors mentioned have machine learning already embedded in their engines - it's not new, and Cylance isn't doing anything unique.

    It will be interesting to see if they allow a 3rd party to test their product independently, rather than be shady about exactly how they have tested themselves and other vendors' products.

    1. HenryandHugo

      However their methods, according to my research (and the mentioned company) are ineffective (to a % in a given scenario).

      Malware detection is easy (I can say that as I have proved it!).

      High detection rates are usually academically based and have high overheads.

      The key is finding a solution which is a good trade off.

      I've found that and want to commercialise it as part of a larger security problem (investment would be nice)! Cylance are only doing what any commercially aware company, with the solution and, more importantly, the resources, would do to market globally.

  7. jshrewey
    Thumb Up

    DNA

    The DNA section is just figurative, to be understood by all audiences. What this means technically is that every executable has every element of its code inspected against the Cylance Infinity algorithm in the kernel within a number of milliseconds before runtime, issuing the file with a score predicting whether it is malicious or not. The result ranges from letting the file run if it is believed to be safe, to quarantining the file completely from the user's device if it is believed to be malicious.

    1. Allan George Dyer
      Facepalm

      Re: DNA

      Of course it was figurative, just like the terms sandboxing and signature. The difference is that those terms have acquired a defined technical meaning. Now Cylance introduces a new figurative term, and doesn't give a technical meaning.

      I'm hoping "Cylance Infinity" doesn't refer to its runtime ;-). So their solution is just the same as everyone else's: "on-access protection with our proprietary algorithm". Maybe their proprietary algorithm is better than all the others, but they should either explain technically why that is, or provide third-party test results to show it works.

      (Full disclosure: I sell AV software. Sorry for the repetition.)

      1. HenryandHugo

        Re: DNA

        As you state, you "sell" AV software, not develop. Please don't mix the two up.

        The process Cylance have done is relatively simple, if you know how. Also why would they tell anyone what their way is? To be fair they've kinda given their process away in the earlier posts and the methods are well documented (if you do your research). Research (not "sell") and you may become enlightened!

        1. Allan George Dyer

          Re: DNA

          @HenryandHugo - Thank you for your condescension. I know I'm not a developer, but I wanted to be clear that I have a horse in this race. I like to think I'm not just a salesdroid, but even if I am, consider what I'm saying.

          Cylance claims their solution is fantastically better than the competition, I'm asking for an explanation of why, or 3rd party independent tests that back the claim. Is that unreasonable?

          To me, the article looks like it has been copied from an over-hyped press release. I've seen many of these over the past 20 years, and they claim the new company is doing something radically different to "conventional" AV, with much better results. Usually, they fall into two groups: total charlatans, and reasonable researchers with some incremental improvements who have a rabid marketing department.

          Cylance appears to have decent researchers, they've published in the Virus Bulletin (https://www.virusbtn.com/virusbulletin/archive/2015/06/vb201506-NET-GUIDs). I guess they need to cage the marketers.

          1. HenryandHugo

            Re: DNA

            "Cylance claims their solution is fantastically better than the competition, I'm asking for an explanation of why, or 3rd party independent tests that back the claim. Is that unreasonable?"

            Absolutely not!

            I have no doubts about their claims having researched this area. Their marketing machine appears to now be on overdrive, fair play tbh.

            I have no connection with Cylance, also their method which achieved such high rates is completely different to mine (which achieved higher and is quicker).

            The process CANNOT be legally protected, so why tell anyone if you can make some money out of it?

            If Cylance are reading this, my process could complement yours, as would a European SOC!!
