I wonder if Cylance Smart Antivirus would be able to catch it as of now. Is the future of the security world going to be a fight between malware AI and security software AI?
Most likely it would. Cylance detects alterations and anomalies in legitimate programs quite readily. For example, even a tampered Chrome update served through a legitimate Chrome update channel would be flagged by Cylance. An alteration of an AV by a malicious actor would be caught by Cylance. A few changes in an existing piece of malware to evade detection would likely be detected by Cylance. Our testing suggests Cylance ranges from 96.5%-99% detection of threats that only exist at the moment they arrive in real time. It's not perfect, but it's getting better. If you think the consumer version of Cylance was released out of 'good will' by Cylance you are wrong; it was released to increase the datasets fed into their ML/AI systems by a magnitude of X.
Malware and threat actors have become very advanced. But beyond that, I believe there is already very intelligent, adaptable malware out there circulating, based on some of the things we're seeing. We've observed infections with no logical vector on machines specifically set up to evade infections. We've seen the latest security appliances readily bypassed by malware that seemingly understands the logic paths of security appliances. We've seen update channels serve altered updates over normal paths, except that they serve tampered updates to specific machines within a subnet but not every machine within a subnet.
On that last point: you'll start to see this happen more. 500 people download a file from a legitimate location, and 5 of them were injected while pathing to the update recipient. To the victim, he downloaded it from a legitimate source, but his hash will be different and he/she won't have a logical explanation of the change. Whether this is quantum injection via TCP interception or something else, we're not exactly sure, but it's happening. His AV will likely ignore it because its parameters appear legitimate. I know of a few sandboxing systems that flagged CCleaner's hijacked updates, and I suspect some ML/AI endpoint products flagged it as well. Traditional AVs probably totally ignored it.
FortiSandbox has sort of been a failure, to the extent that Fortinet has shifted to not charging for it and all Fortigate appliances will get it free now. Generally speaking, it's morphing into a technology to help spot new threats so new signatures can be developed rather than an active deferential technology. Most of the big appliance vendors are in scrambling phases right now, trying to ferret out solutions to a threat environment that is evolving so quickly that existing technologies are outmoded at the moment they are implemented. Watchguard is the first firm to put Artificial Intelligence on all of their gateways for commercial/enterprise. The latest Watchguard firmware rolls out Cylance-GW technology for Watchguard appliances (yes, all of them). Gryphon is the first (and only) home appliance to implement ML/AI active detection and protection from anomalies.
So where are we going with all of this? My guess is that we need technology that can spot threats that don't yet exist but will exist shortly, or virtually every technology we have will be a relic in a matter of a few years (at the longest). I personally feel we're going to see a catastrophic failure of existing traditional AV solutions in the very near future, to the point that the industry will be devastated. But I have a grim outlook on all of this; I see too much...
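As an added example, not part of this thread and not code from any poster or vendor mentioned in it, the following shows the two integrity checks a defender can run against the selective update tampering described in the reply above ("500 download it, 5 get a different file"): each host compares the artifact it actually received against the hash the vendor publishes out of band, and a central collector compares the hashes reported across the fleet so the handful of hosts whose copy differs from the consensus stand out even when no published hash is available. The update bytes, host names and "published" hash are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample artifacts: the genuine update and a copy with bytes
# injected in transit. Real hosts would hash the bytes they received from
# the update channel; the bytes are embedded here so the example runs offline.
GENUINE_UPDATE = b"example-update-installer-v1.2.3"
TAMPERED_UPDATE = GENUINE_UPDATE + b"\x00injected-payload"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the value a host reports to the collector."""
    return hashlib.sha256(data).hexdigest()


# Hash the vendor is assumed to publish out of band (on a signed release page,
# for instance). Constructed here from the genuine bytes.
PUBLISHED_SHA256 = sha256_hex(GENUINE_UPDATE)

# Constructed fleet observations: hostname -> bytes that host actually received.
# Most hosts got the genuine file; one host was served the tampered copy.
FLEET_DOWNLOADS = {
    "ws-01": GENUINE_UPDATE,
    "ws-02": GENUINE_UPDATE,
    "ws-03": GENUINE_UPDATE,
    "ws-04": TAMPERED_UPDATE,
    "ws-05": GENUINE_UPDATE,
}


def verify_against_published(downloaded: bytes, published_sha256: str) -> bool:
    """Per-host check: does the received artifact match the vendor's pinned hash?

    compare_digest is used so the comparison does not leak timing information
    about how many leading characters matched.
    """
    return hmac.compare_digest(sha256_hex(downloaded), published_sha256)


def find_fleet_outliers(reported_hashes: dict) -> dict:
    """Fleet check: given hostname -> reported sha256 for one update, flag the
    hosts whose copy differs from what the majority of hosts received.

    This catches the 'few hosts in a subnet get a different file' pattern even
    when the vendor publishes no hash, because a legitimate update should be
    byte-identical for every recipient.
    """
    counts = Counter(reported_hashes.values())
    consensus_hash, consensus_count = counts.most_common(1)[0]
    outliers = sorted(
        host for host, digest in reported_hashes.items() if digest != consensus_hash
    )
    return {
        "consensus_hash": consensus_hash,
        "consensus_count": consensus_count,
        "distinct_hashes": len(counts),
        "outliers": outliers,
    }


def audit_fleet(downloads: dict, published_sha256: str) -> dict:
    """Run both checks over the fleet and return a report suitable for alerting."""
    reported = {host: sha256_hex(data) for host, data in downloads.items()}
    report = find_fleet_outliers(reported)
    # Hosts that fail the pinned-hash check; with a trustworthy published hash
    # this is the stronger signal, and it also confirms the consensus itself.
    report["failed_published_check"] = sorted(
        host for host, data in downloads.items()
        if not verify_against_published(data, published_sha256)
    )
    report["consensus_matches_published"] = hmac.compare_digest(
        report["consensus_hash"], published_sha256
    )
    return report


if __name__ == "__main__":
    result = audit_fleet(FLEET_DOWNLOADS, PUBLISHED_SHA256)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The fleet comparison is deliberately independent of the vendor: if an attacker can serve a tampered file to a few hosts, they may also be able to serve a matching tampered hash page to those same hosts, so the consensus check should be computed by a collector that fetches the published hash itself rather than trusting each host's view of it.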