Signature- and behaviour-based anti-malware are no match for next-generation adversaries who use mutating hashes, sophisticated obfuscation mechanisms, self-propagating malware and intelligent malware components, according to the findings of a new report.
The report, published by the Institute for Critical Infrastructure Technology (ICIT), said that it is “no longer enough” to detect and respond to cyber-attacks and that artificial intelligence (AI) is necessary to offer the predictive quality that can give organisations a “much-needed edge on their more sophisticated, less burdened, and more evasive adversaries”.
The research paper, titled Signature Based Malware Detection is Dead, said that the average data breach costs $158 per stolen record, and is often undetected for 229 days.
In some organisations, especially those running critical infrastructure, layers of incompatible technologies are “Frankensteined” together in a haphazard attempt at nominally meeting security standards.
“Any unused technology in every layer exponentially increases cyber-security noise and could result in exploitable security vulnerabilities. Meanwhile, C-level executives suffer from security solution fatigue as the result of incessant product evaluations, investments, and failures,” the paper said.
The report said that one of the main, obvious problems with signature and heuristic based security solutions is that there must be an initial victim to report the malicious activity before any form of detection or prevention can occur.
But using artificial intelligence in IT security is not error-free.
“Many ‘silver-bullet’ vendors offer faux-AI solutions that operate on imprecise algorithms, that do not draw from large enough data pools, or that do not analyse files according to enough features. These solutions cannot precisely evaluate files at a granular level. Other, worse solution providers tout machine learning capabilities, but really only offer the application of ‘exception’-derived signatures to generic templates,” said the authors.
The report added that marketable machine learning anti-malware applications can detect entire families of malware despite numerous modifications, and that they can be developed to detect future variations and threats.
“However, small ‘mini-families’ cannot be taught to an AI that relies on generalisation machine learning algorithms because the sample size necessary to adapt to detect the threat is too small,” it said.
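To make the report's contrast concrete, here is an added toy example (not code from ICIT or the article) of why an exact-hash signature needs an “initial victim” and misses every mutated copy, while a characteristic-based model built from a few family members still scores an unseen variant as family. The samples, the byte-bigram feature model and the cosine threshold are all constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed, harmless byte blobs standing in for a malware "family": members
# share layout and strings but differ in a few bytes, so every hash is distinct.
def make_member(seed: int) -> bytes:
    body = bytes((7 * i + seed) % 256 for i in range(256))
    return b"HDR\x01" + body + b"\x00CONFIG=" + bytes([seed]) * 8

KNOWN_FAMILY = [make_member(s) for s in range(3)]   # the "initial victims"
BENIGN = bytes(range(256)) * 2                       # constructed benign blob

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature detection: exact hashes of samples that have already been reported.
SIGNATURES = {sha256_hex(m) for m in KNOWN_FAMILY}

def signature_match(data: bytes) -> bool:
    return sha256_hex(data) in SIGNATURES

# Characteristic detection: compare a sample's byte-bigram profile with the
# family's aggregate profile using cosine similarity (toy feature model).
def bigram_profile(data: bytes) -> Counter:
    return Counter(data[i:i + 2] for i in range(len(data) - 1))

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a if k in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

FAMILY_PROFILE = sum((bigram_profile(m) for m in KNOWN_FAMILY), Counter())

def family_score(data: bytes) -> float:
    return cosine(bigram_profile(data), FAMILY_PROFILE)

def characteristic_match(data: bytes, threshold: float = 0.8) -> bool:
    return family_score(data) >= threshold

def mutate(data: bytes) -> bytes:
    # Stand-in for a "mutated hash" variant: flip every 50th byte, keep layout.
    return bytes(b ^ 0xFF if i % 50 == 0 else b for i, b in enumerate(data))

if __name__ == "__main__":
    variant = mutate(KNOWN_FAMILY[0])   # never reported before: new hash
    for name, sample in [("known", KNOWN_FAMILY[0]), ("variant", variant), ("benign", BENIGN)]:
        print(f"{name:8} signature={signature_match(sample)!s:5} "
              f"characteristic={characteristic_match(sample)!s:5} score={family_score(sample):.3f}")
```

The same model also illustrates the report's “mini-family” caveat: the profile is only as good as the members it was built from, so a family with one reported sample gives the detector little to generalise over.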
It added that organisations need machine learning AI endpoint security solutions capable of pre-empting and mitigating known and unknown malicious files and code based on characteristics, rather than signatures or behaviour, and that are capable of scaling to protect vital systems.
“Further, characteristic based AI can be used to detect and prevent authentication attacks, where an adversary attempts to brute-force access to a data resource or sensitive system. It also can be used to monitor network traffic and it can be used to detect applications that are scanning for network vulnerabilities,” the report said.
Simon Edwards, European cyber security architect at Trend Micro, told SC Media UK that there are new capabilities that machine learning offers which can deliver huge advantages in detecting unknown attacks.
“But there are issues, and really machine learning should be one of the many different detection technologies anti-malware software should deploy,” he said.
“One of the biggest problems with machine learning is how big and unbiased the dataset you are working from is. Big data requires lots of data to work, and that data must be unbiased.”
He said that organisations should ask the start-up companies, which are claiming machine learning is the only way forward, “Where are you getting your data from to give you a big enough picture?”
Aatish Pattni, head of threat prevention at Check Point, said that while signature-based AV is not enough to prevent unknown or zero-day malware infections, it is still very useful in preventing attacks that use known malware variants, which still circulate in large numbers, because it is significantly faster than machine learning.
“Traditional AV needs to be complemented with advanced sandboxing that inspects suspicious files' actions at CPU level to detect exploits, and by using scrubbing techniques, to remove any suspicious code (such as macros and embedded objects) from documents or images, before passing them to the user. This combination gives the highest and fastest catch-rate for both known and unknown malware types with minimal business disruption,” he said.