"What if...": Musings on ANN (Artificial Neural Networks) and behavior-blocking

I became fascinated about how ANN works and the training process. In my reading, it recalled to mind behavior blockers and such things. I mused: “What if it were to be invented a behavior blocker that makes use of ANN to train itself and disable new threats?”

My musings continued:

  1. It’s a behavior blocker. Necessarily, there are pre-existing rules that are built-in the program.
  2. Similar behavior is often observable in legitimate programs. A whitelist is therefore necessary.
  3. Where do you place ANN in the picture?
  4. What if we reduce the complexity of BB’s by using cloud technologies and ANN?
  5. The proposal is this: To mitigate the rapid growth and evolution of malware, why not allow BB’s to be trained by users? For this, we might need the following: ProcessExplorer, Autoruns, Safe Mode-like environment, ANN.

In the program gui, we launch the task manager module and look for suspect process. A pre-analysis of the program is already indicated. Validated (and crucial) Windows processes are hidden.

The program gives an option either via right click or button: Train. Batch training is allowed.

The program configures itself to analyze the process. Reboot is required or a safe environment where only the BB can run (similar to Dr. Web’s safe mode). The program launches the suspect file(s) and analyzes the process.

The user is presented with the sequence of commands executed by the virus, its behavior (similar to sandbox analyzers) and a more detailed option (similar to ThreatExpert). The user is given the option to check which behavior is malicious (high resource usage, illegal hooks, unique behavior, etc.) and other defining marks (name, file type, checksum, dependencies and other related processes, etc.), and provides a rating and simple explanation via mouse hover or panel for each.

The next dialog suggests viable responses (process termination then quarantine, lowering process priority, lowering process rights, termination after reaching threshold, etc.)

The program attempts to reinforce new rules upon exiting safe environment. It then configures itself to check whether the system remains intact after reboot (similar to Comodo system utilities). If yes, the program asks permission for new rules and program data to be sent to Comodo labs for validation. Once validated, all other installations are updated upon internet connection.

If not, then the program restores changes made, keeps a log, and provides possible causes and course of action.

Why this idea? Because most people encounter problems when dealing with viruses, particularly in the removal of it, hoping a scan or simply deleting the files through quarantine will make the problem disappear. But by doing a hack and slash method, they sometimes make a mess of their system rather than alleviate the problem. Explaining how to deal with viruses often scare them away, so why not a program that does the needed analysis and precautions automatically?

Issues presented:
I’m not gonna lie. Behavior blockers are most of the times controversial. Particularly performance-wise. Resource usage is an issue. Since the program is going to check every process, it will need a lot of resources. A cache and whitelist will probably limit the impacts to only on first run, but the issue persists because of it constantly checking API’s.

These are after all merely musings. Though I do hope that someone engages me in a discussion to further broaden my understanding and see the faults of this idea.