San Francisco Chronicle

How AI could take on ransomware

By Anick Jesdanun, Associated Press

Twice in the space of six weeks, the world has faced major attacks of ransomware — malicious software that locks up photos and other files stored on your computer, then demands money to release them.

It’s clear that the world needs better defenses, and fortunately those are starting to emerge, if slowly and in patchwork fashion. When they arrive, we may have artificial intelligence to thank.

Ransomware isn’t necessarily trickier or more dangerous than other malware, but it can be much more aggravating, and at times devastating. Most infections don’t get in your face about taking your digital stuff away from you the way ransomware does, nor do they shake you down for hundreds of dollars or more.

Despite those risks, many people just aren’t good at updating security software. Both recent ransomware attacks walloped those who failed to install a Windows update released a few months earlier.

Watchdog software has its problems, too. With this week’s ransomware attack, only two of about 60 security services tested caught it at first, researchers found.

“A lot of normal applications, especially on Windows, behave like malware, and it’s hard to tell them apart,” said Ryan Kalember, an expert at Sunnyvale security vendor Proofpoint.

In the early days, identifying malicious programs such as viruses involved matching their code against a database of known malware. But this technique was only as good as the database; new malware variants could easily slip through.

So security companies started characterizing malware by its behavior. In the case of ransomware, software could look for repeated attempts to lock files by encrypting them. But that can flag ordinary computer behavior such as file compression.

Newer techniques involve looking for combinations of behaviors. For instance, a program that starts encrypting files without showing a progress bar on the screen could be flagged for surreptitious activity, said Fabian Wosar, chief technology officer at New Zealand security company Emsisoft. But that also risks identifying harmful software too late, after some files have already been locked.
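The two behavioral rules described above, the single-behavior rule (a burst of file rewrites) and the combination rule (a burst with no window on screen), can be run side by side over a process event log. The following is an added example, not code from the article or from any vendor it names: the event log, process names, and the burst threshold (5 rewrites within 2 seconds) are constructed for illustration. It shows the compression-tool false positive that the single rule produces, the combination rule avoiding it, and the caveat that by the time either rule fires, several files have already been rewritten.

```python
"""Behavior-based ransomware rules over a constructed process event log."""
from collections import defaultdict

BURST_COUNT = 5      # rewrites needed before we call it a burst (assumed value)
BURST_WINDOW = 2.0   # seconds those rewrites must fall within (assumed value)

# Constructed telemetry, not real data: (timestamp_seconds, process, kind, path).
# kind is "window" (a visible window appeared), "overwrite" or "rename".
EVENTS = (
    # an archiver shows a progress window, then compresses six documents in place
    [(0.0, "archiver.exe", "window", "-")]
    + [(0.5 + 0.2 * i, "archiver.exe", "overwrite", f"docs/report{i}.docx") for i in range(6)]
    # a text editor saves one file now and then
    + [(0.0, "editor.exe", "window", "-"),
       (5.0, "editor.exe", "overwrite", "docs/notes.txt"),
       (30.0, "editor.exe", "overwrite", "docs/notes.txt")]
    # a background updater with no window rewrites three libraries slowly
    + [(20.0 + 0.5 * i, "updater.exe", "overwrite", f"app/lib{i}.dll") for i in range(3)]
    # a hypothetical encryptor renames eight photos rapidly with no window
    + [(10.0 + 0.1 * i, "cryptor.exe", "rename", f"docs/photo{i}.jpg") for i in range(8)]
)

REWRITE_KINDS = {"overwrite", "rename"}


def events_by_process(events):
    """Group events per process, ordered by timestamp."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_proc[ev[1]].append(ev)
    return by_proc


def burst_alert_time(proc_events):
    """Time at which the BURST_COUNT-th rewrite lands inside BURST_WINDOW, else None."""
    times = [ev[0] for ev in proc_events if ev[2] in REWRITE_KINDS]
    for i in range(BURST_COUNT - 1, len(times)):
        if times[i] - times[i - BURST_COUNT + 1] <= BURST_WINDOW:
            return times[i]
    return None


def showed_window_before(proc_events, t):
    """True if the process put a window on screen at or before time t."""
    return any(ev[2] == "window" and ev[0] <= t for ev in proc_events)


def files_rewritten_by(proc_events, t):
    """Distinct files already rewritten at or before time t (the damage done)."""
    return len({ev[3] for ev in proc_events if ev[2] in REWRITE_KINDS and ev[0] <= t})


def evaluate(events=EVENTS):
    """Apply both rules to every process; return verdicts and files lost at alert time."""
    verdicts = {}
    for proc, evs in events_by_process(events).items():
        t = burst_alert_time(evs)
        burst = t is not None
        verdicts[proc] = {
            "burst_only": burst,
            "burst_without_ui": burst and not showed_window_before(evs, t),
            "files_rewritten_at_alert": files_rewritten_by(evs, t) if burst else 0,
        }
    return verdicts


if __name__ == "__main__":
    for proc, verdict in evaluate().items():
        print(f"{proc:14} {verdict}")
```

The burst-only rule flags both `archiver.exe` and `cryptor.exe`; adding the "no window shown" condition clears the archiver while still catching the encryptor. In both cases the alert fires only after the fifth file has been rewritten, which is the "too late" cost the text mentions; lowering `BURST_COUNT` catches it sooner at the price of flagging more ordinary programs.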

An even better approach identifies malware using observable characteristics usually associated with malicious intent — for instance, by quarantining a program disguised with a PDF icon to hide its true nature.

This sort of malware profiling wouldn’t rely on exact code matches, so it couldn’t be easily evaded. And such checks could be made well before potentially dangerous programs start running.

Still, two or three characteristics might not properly distinguish malware from legitimate software. But how about dozens? Or hundreds? Or even thousands?

For that, security researchers turn to machine learning, a form of artificial intelligence. The security system analyzes samples of good and bad software and figures out what combination of factors is likely to be present in malware.

As it encounters new software, the system calculates the probability that it’s malware, and rejects those that score above a certain threshold. When something gets through, it’s a matter of tweaking the calculations or adjusting the threshold. Now and then, researchers see a new behavior to teach the machine.
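The scoring loop described in the last two paragraphs, learning from labeled samples, producing a probability for a new program, blocking above a threshold, and then adjusting the threshold or retraining when something gets through, can be shown with a small naive Bayes model. This is an added example, not the article’s or any vendor’s model: the five characteristics, the twelve labeled training samples, and the three incoming programs are constructed, and real products use far more features and different learning methods.

```python
"""Probability-of-malware scoring with a naive Bayes model over binary characteristics."""
from math import exp, log

# Observable characteristics (constructed set; real systems use hundreds or more).
FEATURES = ("icon_mismatch", "no_ui", "mass_encrypt", "packed", "unsigned")

# Constructed labelled samples: (set of characteristics observed, is_malware).
TRAINING = [
    ({"icon_mismatch", "no_ui", "mass_encrypt", "unsigned"}, True),
    ({"no_ui", "mass_encrypt", "packed", "unsigned"}, True),
    ({"icon_mismatch", "packed", "unsigned"}, True),
    ({"no_ui", "mass_encrypt", "unsigned"}, True),
    ({"icon_mismatch", "no_ui", "packed"}, True),
    ({"mass_encrypt", "packed", "unsigned"}, True),
    ({"mass_encrypt"}, False),       # signed backup tool that encrypts with a window shown
    (set(), False),                  # ordinary signed desktop application
    ({"no_ui"}, False),              # signed background service
    ({"packed"}, False),             # packed installer
    ({"unsigned"}, False),           # unsigned hobby program with a window
    ({"no_ui", "unsigned"}, False),  # unsigned maintenance script
]


def train(samples):
    """Per-class prior and Laplace-smoothed P(characteristic present | class)."""
    model = {}
    for label in (True, False):
        rows = [feats for feats, is_mal in samples if is_mal == label]
        n = len(rows)
        model[label] = {
            "prior": n / len(samples),
            "p": {f: (sum(f in r for r in rows) + 1) / (n + 2) for f in FEATURES},
        }
    return model


def malware_probability(model, observed):
    """P(malware | observed characteristics); log space so many features don't underflow."""
    logjoint = {}
    for label, params in model.items():
        lj = log(params["prior"])
        for f in FEATURES:
            p = params["p"][f]
            lj += log(p) if f in observed else log(1.0 - p)
        logjoint[label] = lj
    return 1.0 / (1.0 + exp(logjoint[False] - logjoint[True]))


def is_blocked(model, observed, threshold):
    """The scanner's decision: reject anything scoring at or above the threshold."""
    return malware_probability(model, observed) >= threshold


# Constructed programs arriving at the scanner after training.
RANSOMWARE_LIKE = {"icon_mismatch", "no_ui", "mass_encrypt", "unsigned"}
BACKUP_TOOL = {"mass_encrypt"}
BORDERLINE = {"no_ui", "packed", "unsigned"}   # assume this later turns out to be malicious


def demo(threshold=0.8):
    """Score the new programs, then show the two responses to a miss."""
    model = train(TRAINING)
    scores = {name: malware_probability(model, x) for name, x in
              (("ransomware_like", RANSOMWARE_LIKE), ("backup_tool", BACKUP_TOOL),
               ("borderline", BORDERLINE))}
    # Response 1: lower the threshold so the borderline program is rejected.
    lowered = 0.6
    # Response 2: label the missed sample and retrain ("teach the machine").
    retrained = train(TRAINING + [(BORDERLINE, True)])
    return {
        "scores": scores,
        "blocked_at_threshold": {n: s >= threshold for n, s in scores.items()},
        "blocked_at_lowered": {n: s >= lowered for n, s in scores.items()},
        "borderline_after_retrain": malware_probability(retrained, BORDERLINE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the constructed data the ransomware-like program scores about 0.94 and the backup tool about 0.15, so a 0.8 threshold separates them, but the unsigned, packed, windowless program scores about 0.70 and gets through. Dropping the threshold to 0.6 blocks it without blocking the backup tool; alternatively, adding that sample to the training set and retraining lifts its score above 0.8. Both fixes raise the false-positive risk on programs that merely look unusual, which is the trade-off the text describes.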

On the flip side, malware writers can obtain these security tools and tweak their code to see if they can evade detection. Some websites already offer to test software against leading security systems. Eventually, malware authors may start creating their own machine-learning models to defeat security-focused artificial intelligence.

Dmitri Alperovitch, co-founder and chief technology officer at Irvine vendor CrowdStrike, said that even if a particular system offers 99 percent protection, “it’s just a math problem of how many times you have to deviate your attack to get that 1 percent.”

Still, security companies employing machine learning have claimed success in blocking most malware, not just ransomware. SentinelOne even offers a $1 million guarantee against ransomware; it hasn’t had to pay yet.

So why was ransomware still able to spread in recent weeks?

Garden-variety antivirus software — even some of the free versions — can help block new forms of malware, as many are also incorporating behavioral-detection and machine-learning techniques. But such software still relies on malware databases that users aren’t typically good at keeping up to date.

Next-generation services such as CrowdStrike, SentinelOne and Cylance tend to ditch databases completely in favor of machine learning.

But these services focus on corporate customers, charging $40 to $50 a year per computer. Smaller businesses often don’t have the budget — or the focus on security — for that kind of protection.

And forget consumers; these security companies aren’t selling to them yet. Though Cylance plans to release a consumer version in July, it says it’ll be a tough sell — at least until someone gets attacked personally or knows a friend or family member who has.

As Cylance CEO Stuart McClure puts it: “When you haven’t been hit with a tornado, why would you get tornado insurance?”
