New Delhi: In February 2018, a Windows user in North Carolina, US, was tricked into clicking a malicious email that carried the payload for a malware attack. Over the next half hour, thousands of users were infected.
Microsoft was immediately alerted about the attack by its cloud-based Windows Defender AV software. Available by default in all Windows 10 PCs, the software scanned the file using lightweight machine learning (ML) models built into the client on the user’s system and found it to be suspicious.
The file was then sent to a cloud protection service where metadata-based ML classifiers immediately identified and blocked the file, while the deep learning ML models identified the file as a variant of Trojan:Win32/Emotet, a widely used banking malware.
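The staged pipeline described above (a lightweight check on the endpoint that only decides whether to escalate, a metadata-based classifier in the cloud that decides whether to block, and a family-attribution step on top) can be sketched in code. This is an added example and not Microsoft's Windows Defender code; the file contents, metadata fields, feature weights, threshold and the "constructed-banker" family profile are all constructed for illustration, and a Jaccard similarity against known-family profiles stands in for the deep learning model.

```python
"""Tiered file triage: cheap client-side check, cloud metadata classifier, family match.

Added example; not vendor code. All weights, thresholds and samples are constructed.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted bodies sit near 8, plain text near 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def client_stage(content: bytes, meta: dict) -> bool:
    """Lightweight endpoint check: returns True when the file should be escalated."""
    score = 0
    if content[:2] == b"MZ" and shannon_entropy(content) > 7.0:
        score += 2  # PE header with a packed-looking body
    if meta.get("source") == "email-attachment" and meta.get("extension") in {"exe", "scr", "js", "docm"}:
        score += 2  # executable content delivered by mail
    if meta.get("signed") is False:
        score += 1  # explicitly unsigned (None means "unknown" and does not count)
    return score >= 3


# Per-feature weights a metadata classifier might have learned (constructed).
CLOUD_WEIGHTS = {
    "source=email-attachment": 1.5,
    "signed=False": 1.0,
    "prevalence<10": 2.0,  # seen on fewer than 10 machines so far
    "ext-mismatch": 2.5,   # declared extension disagrees with the content type
}
CLOUD_THRESHOLD = 4.0


def metadata_features(content: bytes, meta: dict) -> set:
    """Turn file metadata into the categorical features the cloud stage scores."""
    feats = {f"source={meta.get('source')}", f"signed={meta.get('signed')}"}
    if meta.get("prevalence", 0) < 10:
        feats.add("prevalence<10")
    if content[:2] == b"MZ" and meta.get("extension") not in {"exe", "dll", "scr"}:
        feats.add("ext-mismatch")
    return feats


def cloud_stage(content: bytes, meta: dict) -> tuple:
    """Linear metadata classifier: (blocked?, score)."""
    score = sum(CLOUD_WEIGHTS.get(f, 0.0) for f in metadata_features(content, meta))
    return score >= CLOUD_THRESHOLD, score


# Feature sets seen in previously classified samples of a family (constructed).
FAMILY_PROFILES = {
    "constructed-banker": {"source=email-attachment", "signed=False", "prevalence<10", "ext-mismatch"},
}


def attribute_family(feats: set, profiles=FAMILY_PROFILES, min_similarity: float = 0.6):
    """Jaccard similarity to known-family profiles; stands in for the deep model."""
    best, best_sim = None, 0.0
    for name, profile in profiles.items():
        sim = len(feats & profile) / len(feats | profile)
        if sim > best_sim:
            best, best_sim = name, sim
    return best if best_sim >= min_similarity else None


def triage(content: bytes, meta: dict) -> str:
    """Run the stages in order; only escalated files reach the heavier checks."""
    if not client_stage(content, meta):
        return "allow"
    blocked, _ = cloud_stage(content, meta)
    if not blocked:
        return "allow"
    family = attribute_family(metadata_features(content, meta))
    return f"block:{family or 'unknown'}"


# Constructed samples: a packed PE disguised as a macro document, and a plain text note.
MALICIOUS_CONTENT = b"MZ" + bytes(range(256)) * 8  # deterministic high-entropy body
MALICIOUS_META = {"source": "email-attachment", "extension": "docm", "signed": False, "prevalence": 3}
BENIGN_TEXT = b"Dear colleague, please find the agenda attached. " * 4
BENIGN_META = {"source": "email-attachment", "extension": "txt", "signed": None, "prevalence": 5000}

if __name__ == "__main__":
    print(triage(MALICIOUS_CONTENT, MALICIOUS_META))  # block:constructed-banker
    print(triage(BENIGN_TEXT, BENIGN_META))           # allow
```

The point of the split is cost: the endpoint stage uses only features that are cheap to compute locally and errs toward escalating, while the cloud stage can afford global signals such as prevalence that no single client has. A file that the client escalates but the cloud clears (an unsigned but widely seen attachment, say) is still allowed, which keeps the false-positive rate down.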
This example shows that tech companies are stepping up their security efforts to battle the fast-evolving threat landscape more effectively. Artificial intelligence (AI) and ML are at the heart of these efforts as they can detect advanced and previously unknown malware faster than traditional antivirus solutions.
Kaspersky Labs recently introduced a Cloud ML technology for Android. Trained on millions of malware samples, Cloud ML works in tandem with Kaspersky’s distributed cloud-based infrastructure, which processes anonymized threat-related metadata streams from millions of volunteers.
Every time a user downloads a new app, Cloud ML evaluates it using thousands of different application parameters, such as app permissions or entry points, and if any of these parameters match those of already known threats, it flags the app as a threat. The ability to identify threats based on a wide set of parameters is what allows Cloud ML to detect malicious apps carrying modified malware that hasn’t been seen before.
Play Protect, Google’s security solution for Android and Play Store, works on similar lines. Integrated with the Play Store, Play Protect uses deep learning to identify peer groups of apps with similar functions and factors in app metadata, user metrics, text descriptions and total instals to detect potentially harmful signals. Any app with such signals gets immediately flagged as a security or privacy risk.
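Both detection ideas in the two paragraphs above, matching an app's parameters (permissions, entry points) against fingerprints of known threats, and comparing an app with a peer group of apps that do the same job, can be shown on a handful of app records. This is an added example and not Play Protect or Cloud ML code; every app, category, permission set, entry point and the "constructed-sms-fraud" fingerprint is constructed for illustration, and the sensitive-permission shortlist and 25% prevalence threshold are assumptions.

```python
"""Known-threat parameter matching plus peer-group permission analysis for Android apps.

Added example; not vendor code. Apps, fingerprints and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Permissions worth a second look when peers do not need them (constructed shortlist).
SENSITIVE = {"SEND_SMS", "READ_SMS", "READ_CONTACTS", "RECORD_AUDIO",
             "SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE"}


@dataclass(frozen=True)
class App:
    name: str
    category: str           # the peer group the app is compared against
    permissions: frozenset  # declared permissions (constructed names)
    entry_points: frozenset  # exported components by class name (constructed)


# Parameter combinations taken from previously classified malicious samples (constructed).
KNOWN_THREATS = {
    "constructed-sms-fraud": (frozenset({"SEND_SMS", "RECEIVE_BOOT_COMPLETED"}),
                              frozenset({"BootReceiver", "SmsSender"})),
}


def matches_known_threat(app: App, threats=KNOWN_THREATS) -> list:
    """Names of fingerprints whose permissions and entry points the app fully covers."""
    return [name for name, (perms, entries) in threats.items()
            if perms <= app.permissions and entries <= app.entry_points]


def peer_group_prevalence(apps) -> dict:
    """For each category, the fraction of its apps that request each permission."""
    sizes = Counter(a.category for a in apps)
    counts = {}
    for a in apps:
        c = counts.setdefault(a.category, Counter())
        c.update(a.permissions)
    return {cat: {p: n / sizes[cat] for p, n in c.items()} for cat, c in counts.items()}


def unusual_permissions(app: App, prevalence: dict, threshold: float = 0.25) -> list:
    """Sensitive permissions that fewer than `threshold` of the app's peers request."""
    peers = prevalence.get(app.category, {})
    return sorted(p for p in app.permissions & SENSITIVE if peers.get(p, 0.0) < threshold)


def assess(apps) -> dict:
    """Map each app name to the list of reasons it was flagged (empty means clean)."""
    prevalence = peer_group_prevalence(apps)
    report = {}
    for a in apps:
        reasons = [f"known-threat:{t}" for t in matches_known_threat(a)]
        reasons += [f"unusual-for-peers:{p}" for p in unusual_permissions(a, prevalence)]
        report[a.name] = reasons
    return report


# Constructed corpus: four ordinary flashlight apps, one that also sends SMS on boot,
# and three messaging apps for which SMS and contact permissions are normal.
MAIN = frozenset({"MainActivity"})
SAMPLE_APPS = [
    App("torch-a", "flashlight", frozenset({"CAMERA"}), MAIN),
    App("torch-b", "flashlight", frozenset({"CAMERA", "INTERNET"}), MAIN),
    App("torch-c", "flashlight", frozenset({"CAMERA"}), MAIN),
    App("torch-d", "flashlight", frozenset({"CAMERA", "INTERNET"}), MAIN),
    App("torch-pro", "flashlight",
        frozenset({"CAMERA", "INTERNET", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"}),
        frozenset({"MainActivity", "BootReceiver", "SmsSender"})),
    App("chat-a", "messaging", frozenset({"SEND_SMS", "READ_SMS", "READ_CONTACTS", "INTERNET"}),
        frozenset({"MainActivity", "SmsSender"})),
    App("chat-b", "messaging", frozenset({"SEND_SMS", "READ_SMS", "INTERNET"}),
        frozenset({"MainActivity", "SmsSender"})),
    App("chat-c", "messaging", frozenset({"SEND_SMS", "READ_CONTACTS", "INTERNET"}), MAIN),
]

if __name__ == "__main__":
    for name, reasons in assess(SAMPLE_APPS).items():
        print(name, reasons or "clean")
```

Note what the peer group buys: `SEND_SMS` is flagged on the flashlight app because only one in five of its peers requests it, but not on the messaging apps, where every peer does. A flat rule of the form "SEND_SMS is suspicious" would have hit all of them. The fingerprint match is the complementary signal: it catches a known parameter combination even when the app's category makes each permission look ordinary on its own.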
According to Google’s annual Android Security & Privacy Year in Review, published in March 2019, in 2018 potentially harmful apps (PHAs) were installed on only 0.45% of Android devices running Play Protect, a 20% annual improvement from 2017, when 0.56% of devices installed PHAs. This has also helped Google take down some of the most persistent and sophisticated Android botnets, such as Chamois. Detected way back in 2017, Chamois was instructed through command and control servers to target infected devices with ad scams and premium text message scams.
Google found that the attackers behind Chamois tricked app developers into including malicious code in their apps by passing it off as a legitimate advertising software development kit. Chamois code was also found in side-loaded apps on third-party stores, and in some countries it was found pre-installed on smartphones from different OEMs (original equipment manufacturers) that didn’t carefully scan them for malware.
Google blocked Chamois in 2017, but it returned in 2018 with 199 million new instals. However, using ML models and constant monitoring of apps, Google Play Protect was able to identify the Chamois variants more effectively.
Another AI-powered solution that is gaining a lot of traction is threat intelligence. Threat intelligence solutions use ML to scan unstructured data and find the context that would link it to threat actors.
According to Gartner, threat intelligence is evidence-based knowledge including context, mechanisms, indicators, implication, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.
Conventional security solutions are no longer a viable option, and only a faster adoption of AI- and ML-based solutions can guarantee protection against persistent and devious cyberattacks.