Antivirus that mimics the brain could catch more malware

Deep learning antivirus software could reduce malware infections significantly according to http://www.technologyreview.com/news/542971/antivirus-that-mimics-the-brain-could-catch-more-malware/.

Artificial neural networks, trained to recognize the characteristics of malicious code by looking at millions of examples of malware and non-malware files, could perhaps offer a far better way to catch such nefarious code. An approach known as deep learning, which involves training a network with many layers of simulated neurons using huge quantities of data, is being tested by several companies.

Melih’s approach of containment rather than detection is a better way forward I think. Instead of trying to get better and better at detecting malware BEFORE it can infect a computer it’s much more sensible to run everything you don’t trust inside a sandbox where it can do no harm. Then you have as long as you like to test it for malware.

Melih is right I think, containment is the answer.

I agree that running any unknown or suspicious program in a sandbox will save your system from malware which is better than relying on a high rate of detection which can never be 100%.

Now let’s assume that you run an unknown program in the sandbox (or any other form of containment) and it appears not to have caused any harmful effects inside the sandbox. You do all the usual checks which all come up negative for malware. However if you actually want to use this program you eventually have to run it outside the sandbox. So you are still at risk from some new type of malware.

Improving the malware detection rate by any mechanism (such as suggested in the above article) will reduce the number of unknown programs that need to be sandboxed and therefore reduce the chance of you making the wrong decision about an unknown program’s safety.

So I suggest that using an AV with better detection in conjunction with sandbox/containment of unknown programs improves your defense against malware by reducing the number of occasions you have to decide whether an unknown program is safe or not.

There’s probably something else that limits virtualization and that is most likely how virtualized applications interact with each other and the medium (= sandbox).
While your statement is fair enough, you wouldn’t have to if the compatibility were ideal and you were able to transfer between virtual and real without significant risks. :smiley:

I agree completely, and I’m not arguing against improving malware detection. Containment technology however removes the need to detect malware in real-time at the front door of your computer. Once malware is inside a sandbox you have a lot more time to run a whole series of detection tools on it whilst knowing that the malware can’t do you any harm.

I’m all for improving the malware detection rate and I wasn’t dismissing the article, but containment technology removes the need for instantaneous malware detection. With a sandbox there is no need to sacrifice thoroughness for speed, nor need there be any impact on the performance of the computer, because malware detection in a sandbox can be scheduled; it doesn’t have to be instant.

Except data theft?

Personally I think sandboxing is a good idea, but there should in my opinion be an AV that screens files before they are run in a sandbox, this saves everyone time if the file is a known malware. Why let it run to begin with if it’s already known malicious?

I agree 100%, but it does NOT save you if you eventually run a malicious program outside of containment after all your lengthy and exhaustive testing wrongly indicates that the program is safe. The chance of this occurring is small, but better detection reduces the probability even further.

This technique is known as “feature extraction” and has already been used in Valkyrie. Nothing new to be honest.

We don’t run it in the sandbox if we know it’s malware…

This is why we have the Valkyrie service. Valkyrie is the goddess that decides who dies and who lives in the battle… just like the goddess, our Valkyrie will give a verdict on which file is good and which is bad. Users don’t have to make this decision.

One of the most powerful detections you can have is behaviour analysis on the computer where the application is running (not somewhere else running in a VM per se). That’s where the Viruscope Recognizers come into the picture. They can run both inside and outside the sandbox, analysing malicious activity. Actually, as we speak, CAMAS capability is being coded as a Viruscope recognizer to go into cloud av/cis etc. So you have a layered approach. But the main security is and should be containment.

Sorry for any misunderstandings caused by my comment, I wasn’t saying that Comodo does that, just that I generally think it wouldn’t be beneficial to run known malware in the sandbox. :slight_smile:

Looking forward to a more powerful Viruscope! :slight_smile: Just wish we could run HIPS in virtualized Sandbox. :cry:

HIPS is about protecting the CPU… inside the sandbox you don’t necessarily need HIPS…

I disagree; to me HIPS is about knowing what the unknown file is doing, something I can’t easily do with the sandbox, at least not to the same extent/detail as with HIPS… Honestly, a window with a comprehensive list of actions by the application updated in real-time would be enough for me. I’d like to continue discussing this with you but it’s off-topic so please PM me. :slight_smile:

Viruscope is nice and all, but a powerful HIPS will always be stronger than any behavior blocker/detector. That’s why HIPS should monitor sandboxed applications in my opinion, because that way users will have a layered approach: if a malware tries to jump out of the sandbox (which sometimes DOES happen) or steal user data (via keylogging, etc.) then HIPS would stop it. Also, behavior detectors can’t do anything against screen-lock ransomware, while HIPS can stop it.

For a service like this to be useful would require an extremely huge infrastructure. Also, as already mentioned by many, detection is not always guaranteed, because there is always a “new method” of doing bad things to a system. But I believe it can be a useful contribution in the war against malware.