AI protects against malware

Tip to try out

If you want a great introduction to the topic of language models (LLM), which are used to analyze malware in PowerShell scripts, among other things, you should watch the following one-hour video by Andrej Karpathy. Almost every aspect of Generative AI and LLM is covered and illustrated with concrete examples. The topic of security is not neglected either. A "must-read" for every AI enthusiast with an affinity for technology.

The dynamics of ML

Classic virus scanners and malware detection programs work with so-called signature recognition: The virus scanner attempts to assign known sequences of bytes to a virus in order to subsequently isolate this infected file.

However, this has the disadvantage that the malware must be known to the scanner. In addition, resourceful malware developers can easily change the signature again and again so that the scanner does not work - a game of cat and mouse.

Modern endpoint protection therefore relies on AI mechanisms, more precisely machine learning, in which the protection software observes all program processes and automatically derives patterns to detect anomalies. Such anomalies can be suspicious Wi-Fi dial-in points, new user accounts with high authorization levels, attempts to lower security levels on the PC, attempts to forward data to malicious IP addresses or suspicious patterns in network traffic.

"Behavioral ML" - also known as UEBA for user and entity behavior analytics - goes in the same direction by paying more attention to user behavior, e.g: If a user suddenly tries to open files that they do not have access to.

If suspicious behavior is detected in this way, the protection software triggers an alarm.

The protective hand

If a threat or even an attack occurs, machine learning is also used. For example, the leading endpoint protection software CrowdStrike not only attempts to detect malware at an early stage, but also to identify its cause and make suggestions for its removal.

AI algorithms are also used to detect altered signatures of malware that would otherwise go unnoticed. Malware that does not have a signature is also detected due to its conspicuous behavior - e.g. when it attempts to circumvent security mechanisms.

To avoid reinventing the wheel, CrowdStrike draws on a variety of sources, which are combined to further train and refine its own ML models. After all, effective protection against malware is a continuous battle against "evil". A standstill regularly leads to a problem and defeat in this "battle".

Example: Zero-day exploit

We want to illustrate how AI works in CrowdStrike using an example. We have chosen the dreaded zero-day exploits for this purpose. There is no remedy for these exploits, even if they are discovered. Only the complete elimination of the vulnerability can solve the problem. We havealready reported on thisin more detail at . How does CrowdStrike deal with this?

1. A malware author creates a new malware and modifies it to bypass signature-based detection. The malware author then publishes the malware on the Internet, where its victims come across it.
2. Signature-based malware scanners are not able to detect the new malware because they do not have the malware's signature in their database. However, CrowdStrike's ML models are able to detect the new malware because they have been trained on a huge dataset of known malware signatures, including signatures that have been modified to evade traditional signature-based detection. They have learned the behavior of malware programmers to obfuscate signatures and use this for identification.
3. In addition, CrowdStrike's behavioral analysis is able to detect the new malware as it shows its suspicious behavior, such as attempts to access sensitive data or disable security controls.
4. Finally, CrowdStrike's threat intelligence can detect the new malware because CrowdStrike collects and analyzes threat intelligence from a variety of sources, including its own customers, law enforcement and other security vendors. This threat intelligence contains information about new malware variants and evasion techniques. CrowdStrike then uses this information to update its ML models and detection rules.

In this way, CrowdStrike uses AI/ML in a combination of measures and sources to detect zero-day exploits as reliably as possible - even if they are new.

Example: PowerShell

PowerShell, which is popular and very powerful under Windows, is also often used by hackers to infiltrate companies with malware. Deep learning models are used here, which analyze the attacker's source code and detect it accordingly.

1. Deep learning models are used to automatically extract the most important sections of code from PowerShell scripts.
2. The AI analyzes the extracted code sections to identify malicious code flows.
3. The AI compares the code logic with a database of known malicious and benign PowerShell scripts.
4. If the AI recognizes malicious code logic, it generates a warning.

Without artificial intelligence, it will be difficult to prevent threats from the internet. For this reason, it is essential to understand how the security software used in your own company works.

Asking the right questions gives you a clear advantage.

About Business Automatica GmbH:

Business Automatica reduces process costs by automating manual activities, increases the quality of data exchange in complex system architectures and connects on-premise systems with modern cloud and SaaS architectures. Applied artificial intelligence in the company is an integral part of this. Business Automatica also offers automation solutions from the cloud that are geared towards cyber security.