In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks
<blockquote data-quote="oldschool" data-source="post: 838447" data-attributes="member: 71262">
<p>Our experience in detecting and blocking threats on millions of endpoints tells us that attackers will stop at nothing to circumvent protections. Even one gap in security can be disastrous to an organization.</p>
<p>At Microsoft, we don’t stop finding new ways to fill in gaps in security. We go beyond strengthening existing defenses by introducing new and innovative layers of protection. While our <a href="https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/" target="_blank">industry-leading</a> <a href="https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp" target="_blank">endpoint protection platform</a> stops threats before they can even run, we continue improving protections for instances where sophisticated adversarial attacks manage to slip through.</p>
<p>Multiple layers of protection mean multiple hurdles that attackers need to overcome to perpetrate attacks. We continuously innovate <a href="https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/" target="_blank">threat and malware prevention engines</a> on the client and in the cloud to add more protection layers that detect and block sophisticated and evasive threats before they can even run.</p>
<p>In recent months, we introduced two machine learning protection features within the <strong>behavioral blocking and containment capabilities</strong> in <a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">Microsoft Defender Advanced Threat Protection</a>. In keeping with the defense in depth strategy, coupled with the “assume breach” mindset, these new protection engines specialize in detecting threats by analyzing behavior, and adding new layers of protection after an attack has successfully started running on a machine:</p>
<ul>
<li data-xf-list-type="ul"><strong>Behavior-based machine learning</strong> identifies suspicious process behavior sequences and advanced attack techniques observed on the client, which are used as triggers to analyze the process tree behavior using real-time machine learning models in the cloud</li>
<li data-xf-list-type="ul"><strong>AMSI-paired machine learning</strong> uses pairs of client-side and cloud-side models that integrate with Antimalware Scan Interface (<a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp" target="_blank">AMSI</a>) to perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks</li>
</ul>
<p>The figure below illustrates how the two behavior-based machine learning protections enrich post-breach detections:</p>
<p><a href="https://www.microsoft.com/security/blog/wp-content/uploads/2019/10/fig1-pre-execution-and-post-execution-detection-engines.png" target="_blank"><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/10/fig1-pre-execution-and-post-execution-detection-engines.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></a></p>
<p><em>Figure 1. Pre- and post-execution detection engines in Microsoft Defender ATP’s antivirus capabilities</em></p>
<p>The pre-execution and post-execution detection engines make up two important components of comprehensive threat and malware prevention. They reflect the defense in depth principle, which entails multiple layers of protection for thorough, wide-range defense.</p>
<p>In detecting post-execution behavior, using machine learning is critical. Many attack techniques are also used by legitimate applications. For example, a very common, documented method used by both clean applications and malware is creating a service for persistence.</p>
<p>To distinguish between malicious and clean applications when an attack technique is observed, Windows Defender Antivirus monitors and sends suspicious behaviors and process trees to the cloud protection service for real-time classification by machine learning. Cloud-based post-execution detection engines isolate known good behaviors from malicious intent to stop attacks in real time.</p>
<p>Within milliseconds of an attack technique or suspicious script execution being observed, machine learning classifiers return a verdict and the client blocks the threat. The pre-execution models then learn from these malicious blocks afterwards to protect Microsoft Defender ATP customers before attacks can begin executing new cycles of infection.</p>
<p>... continue reading here <a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/" target="_blank">In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks - Microsoft Security</a></p>
</blockquote>
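The quoted post describes a loop in which a client-side trigger (a suspicious behavior sequence, such as service creation for persistence) causes the surrounding process tree to be sent for real-time classification, and the returned verdict decides whether the client blocks. The Python below is an added illustration of that shape, not code from the post or from Microsoft Defender: the telemetry events are constructed, the feature weights are invented stand-ins for a cloud-side model, and the threshold and feature names are assumptions for the example. It shows why process-tree context matters: the same `service_create` action is allowed for a signed-looking installer under `Program Files` and blocked when it comes from a PowerShell process whose ancestors are `wscript.exe` and `WINWORD.EXE` and that just wrote a file to `Temp`.

```python
"""Toy model of trigger -> process-tree context -> cloud verdict -> client block.

Added example only. Not Microsoft Defender code; weights and sample telemetry
are constructed for illustration and do not reflect any real model.
"""
import ntpath  # Windows-style path handling regardless of host OS

# Constructed sample telemetry: (pid, ppid, image_path, action, detail).
# One explorer.exe root with two children: a vendor installer and a Word
# document that spawns a script host chain. Both end by creating a service.
SAMPLE_EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "spawn", ""),
    (101, 100, r"C:\Program Files\Vendor\setup.exe", "spawn", ""),
    (101, 100, r"C:\Program Files\Vendor\setup.exe", "service_create", "VendorUpdateSvc"),
    (201, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "spawn", ""),
    (202, 201, r"C:\Windows\System32\wscript.exe", "spawn", ""),
    (203, 202, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "spawn", ""),
    (203, 202, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "write_file",
     r"C:\Users\u\AppData\Local\Temp\upd.exe"),
    (203, 202, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "service_create",
     "WinUpdHelper"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
TRIGGER_ACTIONS = {"service_create"}  # client-side trigger: the persistence technique itself

# Invented weights standing in for the cloud-side classifier (assumption, not real values).
WEIGHTS = {
    "office_in_chain": 0.45,
    "script_host_in_chain": 0.30,
    "temp_write_before_trigger": 0.25,
    "actor_in_program_files": -0.40,
}
BLOCK_THRESHOLD = 0.5


def build_process_table(events):
    """Map pid -> (ppid, image) from spawn events so ancestry can be walked."""
    return {pid: (ppid, image) for pid, ppid, image, action, _ in events if action == "spawn"}


def ancestor_chain(pid, table):
    """Lower-cased image basenames from the acting process up to the root."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)  # guard against malformed/cyclic telemetry
        ppid, image = table[pid]
        chain.append(ntpath.basename(image).lower())
        pid = ppid
    return chain


def extract_features(pid, table, events, upto):
    """Context features for the acting process, using only events seen before the trigger."""
    chain = ancestor_chain(pid, table)
    actor_image = table[pid][1].lower() if pid in table else ""
    temp_write = any(
        e[0] == pid and e[3] == "write_file" and "\\temp\\" in e[4].lower()
        for e in events[:upto]
    )
    return {
        "office_in_chain": any(n in OFFICE_APPS for n in chain),
        "script_host_in_chain": any(n in SCRIPT_HOSTS for n in chain),
        "actor_in_program_files": "\\program files" in actor_image,
        "temp_write_before_trigger": temp_write,
        "chain_depth": len(chain),
    }


def classify(features):
    """Stand-in for the cloud verdict: weighted sum clamped to [0, 1] against a threshold."""
    score = sum(w for name, w in WEIGHTS.items() if features[name])
    score = max(0.0, min(1.0, score))
    return ("block" if score >= BLOCK_THRESHOLD else "allow", round(score, 2))


def evaluate(events):
    """Client loop: on each trigger action, gather process-tree context and request a verdict."""
    table = build_process_table(events)
    verdicts = []
    for i, (pid, _ppid, _image, action, detail) in enumerate(events):
        if action in TRIGGER_ACTIONS:
            feats = extract_features(pid, table, events, i)
            verdict, score = classify(feats)
            verdicts.append({"pid": pid, "service": detail, "verdict": verdict,
                             "score": score, "chain": ancestor_chain(pid, table)})
    return verdicts


if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(f"pid {v['pid']} service={v['service']!r} -> {v['verdict']} "
              f"(score {v['score']}, chain {' <- '.join(v['chain'])})")
```

Running the block prints one verdict per `service_create` trigger: `allow` for `setup.exe` under `Program Files` and `block` for the PowerShell process in the Word-spawned chain. The point of the design is that the trigger alone carries no verdict; the ancestry, the actor's location and the preceding file write are what separate a clean installer from the same technique used for persistence after a document-borne compromise.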