How artificial intelligence is taking on ransomware

Kuwait Times - TECHNOLOGY

Twice in the space of six weeks, the world has suffered major attacks of ransomware - malicious software that locks up photos and other files stored on your computer, then demands money to release them. It’s clear that the world needs better defenses, and fortunately those are starting to emerge, if slowly and in patchwork fashion. When they arrive, we may have artificial intelligence to thank.

Ransomware isn’t necessarily trickier or more dangerous than other malware that sneaks onto your computer, but it can be much more aggravating, and at times devastating. Most such infections don’t get in your face about taking your digital stuff away from you the way ransomware does, nor do they shake you down for hundreds of dollars or more. Despite those risks, many people just aren’t good at keeping up with security software updates.

Both recent ransomware attacks walloped those who failed to install a Windows update released a few months earlier. Watchdog security software has its problems, too. With this week’s ransomware attack, only two of about 60 security services tested caught it at first, according to security researchers. “A lot of normal applications, especially on Windows, behave like malware, and it’s hard to tell them apart,” said Ryan Kalember, an expert at the California security vendor Proofpoint.

How to find malware

In the early days, identifying malicious programs such as viruses involved matching their code against a database of known malware. But this technique was only as good as the database; new malware variants could easily slip through. So security companies started characterizing malware by its behavior. In the case of ransomware, software could look for repeated attempts to lock files by encrypting them. But that can flag ordinary computer behavior such as file compression.

Newer techniques involve looking for combinations of behaviors. For instance, a program that starts encrypting files without showing a progress bar on the screen could be flagged for surreptitious activity, said Fabian Wosar, chief technology officer at the New Zealand security company Emsisoft. But that also risks identifying harmful software too late, after some files have already been locked up.
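The two preceding paragraphs can be made concrete with a small behavioural detector. The code below is an added illustration, not part of the AP article and not how any vendor named here actually works: it scores a process by the file rewrites it performs, shows why an "encrypts a lot of files" rule alone also trips on a compression tool (compressed output is as high-entropy as ciphertext), and then adds the second behaviour from the article, the absence of any visible progress window. The process names, file paths, thresholds and event traces are all constructed for the example.

```python
# Added example: toy behavioural ransomware detector. Everything below
# (process names, paths, thresholds, the "ciphertext") is constructed for
# illustration and does not describe any real product's detection logic.
import math
import random
from dataclasses import dataclass, field

ENTROPY_HIGH = 7.0      # bits/byte; ciphertext and compressed data both sit near 8
MIN_SUSPECT_WRITES = 5  # how many "plaintext -> noise" rewrites before we care


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class FileRewrite:
    path: str
    before: bytes   # content on disk before the process wrote to the file
    after: bytes    # content after the write


@dataclass
class ProcessTrace:
    name: str
    shows_window: bool                      # did the process ever draw a progress UI?
    rewrites: list[FileRewrite] = field(default_factory=list)


def looks_like_encryption(rw: FileRewrite) -> bool:
    """Structured, low-entropy content replaced in place by near-random bytes."""
    return shannon_entropy(rw.before) < 6.0 and shannon_entropy(rw.after) > ENTROPY_HIGH


def count_encrypt_like_rewrites(trace: ProcessTrace) -> int:
    return sum(looks_like_encryption(rw) for rw in trace.rewrites)


def rule_entropy_only(trace: ProcessTrace) -> bool:
    """First-generation behavioural rule: many in-place high-entropy rewrites."""
    return count_encrypt_like_rewrites(trace) >= MIN_SUSPECT_WRITES


def rule_combined(trace: ProcessTrace) -> bool:
    """Combination rule: the same rewrite pattern *and* no visible progress UI."""
    return rule_entropy_only(trace) and not trace.shows_window


# --- constructed sample traces -------------------------------------------
_rng = random.Random(2017)  # fixed seed so the fake "ciphertext" is reproducible


def _noise(n: int = 4096) -> bytes:
    """Stand-in for encrypted or compressed output: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue, costs, headcount.\n" * 90


def make_traces() -> list[ProcessTrace]:
    docs = [f"C:/Users/alice/Documents/report{i}.docx" for i in range(8)]
    # A compression tool: rewrites every file to high-entropy output, but shows a window.
    compressor = ProcessTrace("archiver.exe", shows_window=True,
                              rewrites=[FileRewrite(p, PLAINTEXT, _noise()) for p in docs])
    # A file locker: same rewrite pattern, no UI at all.
    locker = ProcessTrace("invoice.pdf.exe", shows_window=False,
                          rewrites=[FileRewrite(p, PLAINTEXT, _noise()) for p in docs])
    # An editor: one low-entropy write with a window.
    editor = ProcessTrace("notepad.exe", shows_window=True,
                          rewrites=[FileRewrite(docs[0], PLAINTEXT, PLAINTEXT + b"edited\n")])
    return [compressor, locker, editor]


def verdicts(traces: list[ProcessTrace], rule) -> dict[str, bool]:
    """Apply one detection rule to every trace; True means 'flag this process'."""
    return {t.name: rule(t) for t in traces}


if __name__ == "__main__":
    traces = make_traces()
    print("entropy-only rule:", verdicts(traces, rule_entropy_only))
    print("combined rule:    ", verdicts(traces, rule_combined))
```

The entropy-only rule flags both the archiver and the locker, which is the false positive the article describes; requiring the second behaviour clears the archiver while still flagging the locker. The cost the article also notes is visible in the design: both rules need several rewrites to have happened before they fire, so some files are already lost by the time the verdict arrives.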

An even better approach identifies malware using observable characteristics usually associated with malicious intent - for instance, by quarantining a program disguised with a PDF icon to hide its true nature. This sort of malware profiling wouldn’t rely on exact code matches, so it couldn’t be easily evaded. And such checks could be made well before potentially dangerous programs start running.

Machine vs Machine

Still, two or three characteristics might not properly distinguish malware from legitimate software. But how about dozens? Or hundreds? Or even thousands? For that, security researchers turn to machine learning, a form of artificial intelligence. The security system analyzes samples of good and bad software and figures out what combination of factors is likely to be present in malware. As it encounters new software, the system calculates the probability that it’s malware, and rejects those that score above a certain threshold. When something gets through, it’s a matter of tweaking the calculations or adjusting the threshold. Now and then, researchers see a new behavior to teach the machine.
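The learning step the paragraph describes is easy to see on a toy scale. The following is an added example, not code from the article or from any vendor it names: a from-scratch Bernoulli naive Bayes classifier over three of the characteristics the article mentions (encrypting many files, no progress UI, a mismatched PDF icon). It learns how often each appears in labelled good and bad software, computes a probability of maliciousness for new programs, applies a threshold, and then shows both responses to a miss: lowering the threshold, or feeding the missed sample back and recomputing. The training corpus, feature values and program names are constructed for illustration.

```python
# Added example: minimal "good vs bad software" classifier (Bernoulli naive
# Bayes). Features, training samples and program names are constructed for
# illustration; real products use far more features and different models.
from dataclasses import dataclass

FEATURES = ("encrypts_many_files", "no_progress_ui", "icon_mismatch")


@dataclass(frozen=True)
class Sample:
    name: str
    features: tuple[int, int, int]   # 1 = behaviour observed, 0 = not observed
    is_malware: bool


class MalwareClassifier:
    """Learns P(feature | class) from labelled samples and scores new software."""

    def __init__(self, training: list[Sample]):
        self.training = list(training)
        self._fit()

    def _fit(self) -> None:
        mal = [s for s in self.training if s.is_malware]
        ben = [s for s in self.training if not s.is_malware]
        n_mal, n_ben = len(mal), len(ben)
        self.prior_mal = n_mal / (n_mal + n_ben)
        # Laplace (add-one) smoothing so a never-seen feature cannot zero out a class.
        self.p_mal = [(sum(s.features[i] for s in mal) + 1) / (n_mal + 2) for i in range(3)]
        self.p_ben = [(sum(s.features[i] for s in ben) + 1) / (n_ben + 2) for i in range(3)]

    @staticmethod
    def _likelihood(probs: list[float], x: tuple[int, int, int]) -> float:
        out = 1.0
        for p, xi in zip(probs, x):
            out *= p if xi else (1 - p)
        return out

    def probability_malware(self, x: tuple[int, int, int]) -> float:
        """Posterior P(malware | observed features)."""
        lm = self._likelihood(self.p_mal, x) * self.prior_mal
        lb = self._likelihood(self.p_ben, x) * (1 - self.prior_mal)
        return lm / (lm + lb)

    def blocks(self, x: tuple[int, int, int], threshold: float) -> bool:
        return self.probability_malware(x) >= threshold

    def learn_from_miss(self, missed: Sample) -> None:
        """'Tweak the calculations': add the sample that got through and refit."""
        self.training.append(missed)
        self._fit()


# Constructed training corpus: six malicious and six benign programs.
TRAINING = [
    Sample("locker-a", (1, 1, 1), True), Sample("locker-b", (1, 1, 1), True),
    Sample("locker-c", (1, 1, 0), True), Sample("locker-d", (1, 0, 1), True),
    Sample("dropper-e", (0, 1, 1), True), Sample("locker-f", (1, 1, 0), True),
    Sample("editor", (0, 0, 0), False), Sample("browser", (0, 0, 0), False),
    Sample("archiver", (1, 0, 0), False), Sample("backup-svc", (0, 1, 0), False),
    Sample("spreadsheet", (0, 0, 0), False), Sample("updater-svc", (0, 1, 0), False),
]

# Never-seen programs to score (constructed feature vectors).
NEW_LOCKER = (1, 1, 0)     # encrypting, silent, ordinary icon
ARCHIVER_V2 = (1, 0, 0)    # encryption-like output, but draws a progress bar
PDF_DISGUISE = (0, 0, 1)   # not encrypting yet, fake PDF icon


def demo(threshold: float = 0.5) -> dict:
    clf = MalwareClassifier(TRAINING)
    before = clf.probability_malware(PDF_DISGUISE)
    result = {
        "new_locker": clf.probability_malware(NEW_LOCKER),
        "archiver_v2": clf.probability_malware(ARCHIVER_V2),
        "pdf_disguise": before,
        "pdf_blocked_at_default": before >= threshold,
        # Response 1: lower the threshold. Catches PDF_DISGUISE, still clears the archiver.
        "pdf_blocked_at_0.35": clf.blocks(PDF_DISGUISE, 0.35),
        "archiver_blocked_at_0.35": clf.blocks(ARCHIVER_V2, 0.35),
    }
    # Response 2: PDF_DISGUISE turned out to be malicious, so teach the model and rescore.
    clf.learn_from_miss(Sample("pdf-disguise", PDF_DISGUISE, True))
    result["pdf_disguise_after_retrain"] = clf.probability_malware(PDF_DISGUISE)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>26}: {value:.3f}" if isinstance(value, float) else f"{key:>26}: {value}")
```

With the default 0.5 threshold the silent locker scores 0.72 and is blocked, the archiver scores about 0.34 and is allowed, and the disguised program scores 0.40 and slips through. Moving the threshold to 0.35 catches it while leaving the archiver alone, but only by a thin margin, which is the trade-off the threshold always carries; adding the missed sample to the training set instead pushes its score to about 0.60 without touching the threshold.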

An arms race

On the flip side, malware writers can obtain these security tools and tweak their code to see if they can evade detection. Some websites already offer to test software against leading security systems. Eventually, malware authors may start creating their own machine-learning models to defeat security-focused artificial intelligence.

Dmitri Alperovitch, co-founder and chief technology officer at the California vendor CrowdStrike, said that even if a particular system offers 99 percent protection, “it’s just a math problem of how many times you have to deviate your attack to get that 1 percent.” Still, security companies employing machine learning have claimed success in blocking most malware, not just ransomware. SentinelOne even offers a $1 million guarantee against ransomware; it hasn’t had to pay it yet.

A fundamental challenge

So why was ransomware still able to spread in recent weeks? Garden-variety antivirus software - even some of the free versions - can help block new forms of malware, as many are also incorporating behavioral-detection and machine-learning techniques. But such software still relies on malware databases that users aren’t typically good at keeping up to date. Next-generation services such as CrowdStrike, SentinelOne and Cylance tend to ditch databases completely in favor of machine learning. —AP
