1 changed files with 45 additions and 0 deletions
Split View
Diff Options
+ 45
- 0
blogContent/posts/data-science/is-using-ml-for-antivirus-safe.md
View File
| @ -0,0 +1,45 @@ | |||
| In this blog post I want to examine the ways in which anti virus programs currently employ machine learning and then go into the potential pitfalls that ML bring. | |||
| # ML In the Antivirus Industry | |||
| Most current maleware detection falls into two broad categories: static and dynamic analysis. | |||
| Static analysis looks at the program without actually running the code. | |||
| Static analysis typically looks at things like the file fingerprint, virus scanning, reverse engineering, memory artifacts, packer detection, and debugging. | |||
| Static analysis also encompasses looking up the hashes of the virus against a known database of viruses. | |||
| However, it is super easy to fool signature based malware detection using simple obfuscation methods. | |||
| Dynamic analysis is a technique where you run the program in a sandbox and monitor all the actions that the virus takes. | |||
| If you notice that the program is acting suspicious -ie changing the registry or making suspicious API calls- it is likely a virus. | |||
| Antivirus detection is very difficult, but, probably not for the reasons you think | |||
| The issue isn't writing programs which can detect these static or dynamic properties of viruses, that is the easy part. | |||
| It is also relatively easy to determine a general rule set for what makes a virus a virus. | |||
| You can easily whitelist suspicious domains, determine that certain file fingerprints hashes, and behaviours are virus like. | |||
| The real problem is that there are hundreds of thousands of maleware applications and more are created every day. | |||
| Not only are there tons of pesky maleware applications, there is an absurd amount of normal programs which we don't want maleware applications to block. | |||
| It is impossible for a small team of maleware researchers to create a definitive set of heuristics which can correctly identify all maleware programs. | |||
| This is where we turn to the field of Machine Learning. | |||
| Humans are bad with big data, but, computers absolutely love big data. | |||
| Most antivirus companies use machine learning and it has been a large success so far because it has allowed us to dramatically improve our ability to detect zero day viruses. | |||
| ## Interesting Examples | |||
| ### Cylance | |||
| [Cylance](https://www.cylance.com) uses supervised learning and static analysis to classify files as being maleware. This product pulls a list of attributes from the file which they can then compare against other known viruses. | |||
| ### MalwareBytes Anomalous | |||
| [Anomalous](https://blog.malwarebytes.com/detections/machinelearning-anomalous-100/) is a machine learning application which simply flags files which appear different from their training set of known normal files. | |||
| This does not attempt to classify what makes a virus a virus, but, what makes a normal program a normal program. | |||
| Anything which is not a normal program, it alerts you about since it is probably a virus. | |||
| ### Kaspersky | |||
| Kaspersky appears to have a ton of research into using machine learning for maleware detection. | |||
| I would highly recommend that you read their [white paper](https://media.kaspersky.com/en/enterprise-security/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf) on this subject. | |||
| # Why is this a problem? | |||
| It turns out that machine learning systems can be easily fooled by using [Generative Adversarial Networks](https://en.wikipedia.org/wiki/Generative_adversarial_network). Essentially what this boils down to is that you have two | |||