Anti-virus software has a hard time keeping up. Piles of new viruses come out each week, so cybersecurity unicorn Cylance is taking what it claims to be a completely new approach: artificial intelligence that learns to recognize malicious code based on an analysis of viruses from the past. It calls the new product CylancePROTECT. In an AMA on Reddit today, the company’s head of reseach, Jon Miller, wrote:
“Cylance was the first AI built to statically analyze and convict malware pre-execution. We definitely didn’t invent AI, but we were the first to use it this way to deliver pre-execution protection. Many other products have been using machine learning, it’s just that it was used to support legacy methodologies of protection/detection, using ML to identify trends so static signatures could be built, which in a world where attackers are creating individual pieces of malware to avoid signatures, results in a severe lack of efficacy, thats the problem Cylance was built to solve.”
After the Office of Personnel Management discovered it had a breach in 2015, the Federal agency invited Cylance in to test for additional infections using CylancePROTECT, according to Dark Reading. It quickly found malicious code throughout the agency’s servers.
Here’s a profoundly simplified way to think about how AI anti-virus like this works: If a computer were a town in a Western movie, anti-virus would be the town’s sheriff. Old school anti-virus sheriffs would learn to recognize bad guys (that is, the viruses) by memorizing every hat a known villain has ever been seen wearing, but every time one came to town with a slightly different hat, the sheriff wouldn’t recognize their criminality until they did something evil. But the Cylance sheriff would learn that the bad guys always wear black hats, so they would stop anyone with a black hat on, no matter what cut or look the hat had.
It’s important to flag that Miller wrote the system will “statically analyze” software. That means that it will look at the code before it does anything. This is obviously advantageous when it comes to viruses. Several Cylance staffers joined in to answer questions from interested redditors about what it claims to be a radical departure from the prior approach to stopping hostile code. Jon Miller, the company’s head of research, took the lead on the conversation, but almost a dozen members of staff were available to weigh in as well.
Traditionally, most anti-virus works by taking fingerprints of known malicious code. Anti-virus companies set up computers that invite infections from viruses, isolate their code and add them to their registry of known threats. Cylance argues that this approach has become too slow and cumbersome in a world where something like 144 new million pieces of malicious code get reported every year.
On the other hand, Hiep Dang (@Cyphermantis), from the product team, argues that a machine learning approach works because malware developers just aren’t that innovative. They can come up with lots of ways to write basically the same code, but fundamentally the attacks change slowly. Traditional anti-virus software that works by recognizing specific code has to keep working hard to identifying the thousands of new versions of the same old attacks. Cylance contends that an artificial intelligence can recognize the same attacks no matter how malware developers bend and twist the underlying code.
That said, one question came up that seemed to suggest the company will still be releasing something much like the old patches users of old school anti-virus will be familiar with. Dangs wrote, “We can push an update to the AI Model called Centroids. A centroid is the mathematical center of a cluster of data geometric shape” if a new virus should prove undetectable by their software.
In the past, many anti-virus users have used multiple different systems to prevent infections, which adds processing loads to users machines with software checking 99.9 percent the same things at the same time. Cylance advises customers not to use additional software alongside theirs, saving their companies’ computing power. Your mileage may vary. One of its competitors, Kaspersky, says the same thing.
Deep learning works great but it’s a black box. Software learns, but humans don’t know what it has learned. CTOs considering using Cylance might worry that good code could look like bad code to CylancePROTECT. “We have relationships with major software vendors to make sure that an update doesn’t break anything,” Miller said. PROTECT only updates twice per year, which also saves processing load on its customers. This infrequent update schedule also makes it good for air-gapped systems.
Cylance is a California-based company, founded in 2012. It became a unicorn (valued at more than $1 billion) in June of last year after receiving $100 million in series D funding, according to Fortune.