Antivirus and Artificial Intelligence
ReviewMacApps provides essential tips and buying advice to every Apple software user. We try to focus on practical information. Now the big question Why or DO we need an Antivirus software application for our Mac computers ?
So do Macs get viruses? The answer is simple “Yes” your Mac needs protection. Although a Mac is considered more safe to PC’s, they also face the same treats as PC’s do. In the past Mac’s were not widely used on our planet so they were less interesting to people trying to pry in your computer software and look for any interesting data like your bankaccount and used passwords etcetera.
But in recent years, as Mac’s popularity has grown, Macs have gained the attention of those looking to hijack data or make you visit websites that are after your credentials or money. We have a complete list of all the Mac viruses, malware and security flaws that have hit the operating system here.
Despite this interest, Macs have generally remained fairly secure. Thanks to the fact that MacOS is based on Unix, a kind of default security is build-in.
Apple itself has included Gatekeeper and number of security measures that make attacking a Mac particularly challenging. Gatekeeper, blocks software that hasn’t been digitally approved by Apple from running on your Mac without your agreement.
Still plenty of risks left, and Macs haven’t managed to completely avoid being targeted. According to a report from Malwarebytes in August 2017, there was a 230 per cent increase in Mac malware in 2017. So YES your Mac needs protection!
Now there is a fast growing list of developers specialised in antivirus security all claiming to be best to buy. Of course if life was that simple, there would be only one software application available on the marker solving all our problems.
We (ReviewMacApps) are not able to simply setup a full known malware and virus database for checking the software’s capabilities in catching exploits and vulnerabilities. We do rely on AV-TEST which is the best known It-Security Institute from Germany. They are able to test in absolute equal conditions for every package, and measure system impact is most accurate on their systems. Updates are performed on a regular bases to check if later software-editions have evolved.
The latest independent test shows all scores and Norton 360 Deluxe like Bitdefender scores a full 100% detection rate ! Norton 360 Deluxe included VPN service provides extra safety for your online activities as does it feature truly fast speeds and ease of use.
Security trends in 2020: ransomware, cloudrisc’s and 5G-exploits are the main threats for business and internet users. Get yourself a full security application providing best safety for your valuable data. Another expected trend is cyber criminals attempting to corrupt machine learning detection models. Machine learning has become an essential part of the cybersecurity strategy of most modern organisations and cyber criminals now know that these tools are used to thwart their attacks. In response, criminals will attempt to evade machine learning security systems. In the coming years, the speed in which the cybersecurity industry is experimenting with new techniques from the scientific machine learning community will continue to increase. This allows systems to make (semi-) autonomous decisions when defending information systems. A possible solution can be: ” by combining human threat hunters with threat intelligence and technologies such as deep learning, organizations can detect even the most advanced attacks faster “.
(source: https://ReviewMacApps.com)
Viruses are applications (source:https://antivirusjar.com/how-antivirus-software-works/) like many others, designed to work on specific devices. Obviously, not any compiled application is a virus. And so, the difference between useful and harmful compiled applications is given by their purpose.
Viruses are meant to cause damage. That damage can mean anything from stealing your information to deleting your data, crashing your computer, or asking you ransomware to regain access to the infected device.
The fact that a virus is a compiled app can be both a good and a bad thing:
- It is a bad thing because it can easily pass as a good app and trick users into downloading or accessing it.
- But it is also a good thing because, well… compiled applications are made of bits.
- And bits create footprints or signatures that make the app easier to recognize as a virus, once it was first reported as such.
In other words, a virus is an application that compiles into the same sequence of bits, every single time it runs, generating the same negative impact. This sequence reported by antivirus software to have a harmful impact on a device is seen as a virus signature.
Antivirus vendors will blacklist and store that sequence as reference for future comparisons. From that moment on, whenever their software will encounter it during any kind of scanning, it will recognize it as a virus and react accordingly.
Reacting accordingly is a vague term. There are so many and different tools that antivirus labs rely on, when it comes to dissembling viruses. Normally, they all move the suspicious file in quarantine, isolating it from the system and preventing it from running its malicious code. Depending on the antivirus program’s settings, it can choose to delete the file right away. Or it can run it and test it in sandboxes, in the cloud, from where it cannot affect your device.
So, is it really that easy for your antivirus to spot a virus?
Now, if it’s so easy to “spread the word” and let other devices know what signatures to block… How comes we still often feel overwhelmed with these attacks?
Obviously, it is because while antivirus developers are working hard to collect useful information and share it with their entire pool of users, so are the virus developers. Anyone with the knowledge to program computer software can also create computer viruses. And they don’t even need to create a virus from scratch. Suffices to take one of those virus signatures, alter its code with new, custom specifications, and they can compile and distribute it as a new virus.
The new virus will have a certain code sequence in common with the old virus. But the signature won’t perfectly match and, therefore, it will be reported as a different virus. This is the case when a particular virus, powerful enough to frighten the entire online community, ends up having several different names – it was altered by other virus developers and now has different versions running online.
How can your antivirus stay up to date with all these changes?
Well, the antivirus in itself is just a compiled app that knows how to scan other compiled apps and match what it finds with a database. That database contains virus signatures that, as already explained, change rapidly, resulting in new threats.
Basically, your antivirus doesn’t stay up to date with all these changes. But its developer will do. By collecting all the information that it can get, the developer will update the antivirus with so-called definition files. It will then notify its users that a new definition file is available. And by installing the update, the antivirus software will benefit from a new version of database with virus signatures.
In other words, if you ignore updating the definition files, you leave your computer exposed. The antivirus will continue to scan the executable files. But if it will encounter a virus with a signature modified from the version currently stored on its database, it will not be able to recognize it.
For this reason, definition files should be allowed to download automatically. And the antivirus software will have the chance to access new, updated definition files once a day, sometimes even more often than that.
Is that everything that antivirus software does?
Needless to say, the antivirus will always have to match the file it analyzes against the signatures from its most recent definition file. By always, we mean every time you are launching an app or an executable file.
In those short (or long) fractions of a second when you’re waiting for the app to launch, the antivirus is doing all the hard work of comparing code sequences. Hence the complaints that using antivirus software can slow down your computer… And the continuous struggle of antivirus developers to create software with as little impact on a computer’s system resources as possible.
Aside from the code comparison, antivirus software can also look into a program’s behavior, doing a so-called heuristic evaluation.To sum up, the basic scanning process of any antivirus software will focus on three types of detection mechanisms:
- Specific detection
- Generic detection
- Heuristic detection
The specific detection will try to identify known malware by looking for a specific, quite exact set of characteristics. Whereas the generic detection will seek for variations of the known malware code, trying to identify new viruses that have been developed from older versions.
Heuristic detection is different from behavioral detection
Heuristics walk the extra mile. Instead of simply comparing pieces of code, it relies on rules and algorithms. And it evaluates commands that can indicate malicious intentions from a certain app or program. Because of that, it can spot a new or unknown malware even when the antivirus lacks the latest virus definitions.
What kind of suspicious activities performed by viruses can be spotted with the help of heuristic detection? For instance, when the virus is trying to access all of the executable files on your computer, inserting a copy of the original program into their code. That way, it will increase the risks of infecting your device (any executable file on the PC will become a source of infection) and it will make it even harder for the antivirus to completely remove it from the device.
Heuristic-based detection usually pairs with signature-based detection and tends to make an impact especially on the prevention side. The behavioral based detection, on the other hand, will look at what a program or an app does while actually running on the PC. This is hugely different from looking at what that program does in a virtual environment.
The problem with heuristics, however, is that it leaves so much room for mistakes. Sometimes, it can prove too much of an aggressive measure. And so, it can lead to false positives, where it flags a harmless program as an unknown type of virus.
Does it come down to signatures, behaviors, and executable files?
It would have been nice, but no. The truth is that there are many other types of online threats. And not all of them will come through an executable file that you personally launch. Browsers and plugins, the operating system itself, your email app and not only… It can all easily turn into access points for viruses to sneak in.
So, antivirus software is either part of a security suite with several other layers of protection included; or it comes with extra features in itself, doing a lot more than the actual scanning of every file you open.
Antivirus software can fight malware with different detection techniques. We have already seen the signature and the heuristic-based detection mechanisms. And we have mentioned the behavioral-based detection.
As suggested, this has more to do with an antivirus’ intrusion detection mechanisms. It detects the potentially harmful characteristics of malware while it actually executes on the device, meaning while it runs its malware actions.
On top of everything else above discussed, there is also the sandbox detection and a series of data mining techniques.
Sandboxes are virtual environments
Specifically built for testing malicious files outside of the operating system, sandboxes are the next level after heuristic detection.
Heuristic detection looks for features or actions and behaviors that are normally associated with known threats.
Sandboxing is all about letting the malicious app run in that dedicated environment and record its behavior.
Sandboxing takes more time but it is also more accurate and it is often inspected, afterward, by a malware analyst. With its help, the analysis will not only determine if the suspicious file really is malicious or not, but also exactly what it does, if it really ismalicious.
In a nutshell, sandboxing opens the file in a safe environment, lets it run, and sees exactly what it would have done to your computer if it had the chance to run in there.
Data mining and the first steps towards machine learning
Just like the name suggests, data mining is a sophisticated process of selecting a huge amount of data and, equally important, sifting through it in search of pertinent, specific information.
Knowing how to interpret the information extracted from those large sets of data is crucial, therefore are different options involved in data analysis. Machine learning techniques represent one of the most recent and complex options of data analysis, making use of complicated algorithms.
In fact, data mining involves applying an overwhelming suite of statistical and machine learning algorithms, on a specific set of features extracted from both malicious and clean programs. More about that, a bit later in this article.
The main antivirus scan types and detection mechanisms
We’ve seen what the antivirus is generally looking for. But it would probably help to know, in advance, what kind of options you have, as an antivirus software user.
Scanning is a process that can be executed either on demand or by default. Some users will disable automatic scanning, unhappy that allowing the antivirus to run its scans in the background will slow down their computers. Others will let the antivirus work as it sees fit and that’s probably a very good idea.
Long story short, there’s on-access scanning and full system scanning. Depending on the features that the antivirus software comes with, there are also options to create custom scans, to scan only certain partitions, certain folders, or even certain files. You can do that periodically or, as suggested, on demand.
Then again, scanning is just one of the many security layers that your antivirus relies on. More specifically, it is a detection mechanism, one of the four main detection mechanisms that antivirus software normally provides:
- Scanning – implies simply searching for specific strings in the analyzed files, strings that are pre-defined virus signatures; scanning may report results based either on exact matching or variants of a virus-signature.
- Activity monitoring – as one of the latest trends in virus research, this one involves monitoring a file execution and detecting any trace of malicious behavior.
- Integrity checking – this one starts with creating a cryptographic checksum for every single file stored on the computer and returning to it periodically, to check for any variation that occurred in that checksum in the meantime; these variations can help to detect changes caused by viruses.
- Data mining – as mentioned, it is a complex process that works with both statistical and machine learning algorithms.
On-access scanning
With this scan type, the antivirus runs in the background, checking every single file you open. It checks it by comparing its code with the database of signatures, to see if it matches the ones of known viruses, worms or other types of malware.
This type of scanning onaccess doesn’t come down to executable files only. It can also look into archive files that may hide a compressed virus; or into office documents that may hide malicious macros; or into any type of file that you download, which will be scanned automatically, without the antivirus waiting for you to open that file.
On-access scanning is perhaps the most important type of antivirus scanning because it has the ability to protect a PC before it gets infected. Most viruses will enter the device and wait for you to launch it before it starts acting.
Once you release it, it becomes significantly more difficult to remove it. And even if you do, or your antivirus says it has removed it, there is no certainty that you have completely removed it. Therefore, catching a virus before you get to launch the app that contains the malicious code is very important.
While one may have the option to disable on-access scanning with the purpose of reducing the impact that the antivirus has on the system’s resources, it is certainly not a good idea to make use of that option.
Full system scanning
The full-system scans are available with most antivirus software. And they usually come as an option to schedule or an automatic action. When automatic, the antivirus software will schedule it like once a week, at an hour when you normally don’t need to use your computer (it will notify you about that).
But as long as the on-access scanning is active, there are only a few instances when one should spend time with scanning the entire disk. Such instances include but aren’t necessarily limited to the following situations:
- When you have just installed new antivirus software and you want to run a full scan to see if there aren’t dormant viruses that the previous antivirus missed;
- When you know for a fact that the device has been infected, you don’t want to reinstall the operating system, and choose instead to transfer the hard drive on another PC and have it scanned in there with a full system scan;
- When you have disabled the automatic full-system scans that the antivirus software will schedule periodically.
The future of how antivirus software works
With the simple mentioning of the machine learning algorithms, we have entered the fascinating field of artificial intelligence antivirus. Pretty much everything we have discussed in this article so far targeted the way that traditional antivirus software works.
As stated, traditional antivirus software relies on data signatures and pattern analysis. It’s all a never-ending attempt to comparing everything that happens on your computer with previous instances where malicious activities were reported.
In other words, antivirus software knows how viruses look and what they do on a computer. And whenever it detects an activity that has to do with those virus-specific features and behaviors, it jumps in and blocks it.
The traditional malware recognition modules decide if an app is a threat after collecting and analyzing specific data about it. Data can be collected:
- In the pre-execution phase – a phase where it just looks at the app and gathers details such as file format descriptions, code descriptions, statistics of binary data, text strings and other data extracted through code emulation;
- Or in the post-execution phase – a phase where it analyses what happens after the app was active inside the system, after seeing its behavior and consequences firsthand.
This would work fine for the less challenging malware apps, but we all know that we are facing more and more advanced malware versions and malware attacks. To respond to it all accordingly, artificial intelligence antivirus software is being developed. And through it all, the anti-malware companies have turned to machine learning, increasing their malware detection rates and malware classification abilities.
The differences between Machine Learning and Artificial Intelligence
Machine learning (ML) and Artificial Intelligence (AI) are two terms often interchanged, even though, at their essence, they are different. To put it simple, machine learning is just a mean for the goal of achieving artificial intelligence. Because artificial intelligence defines programs that can execute tasks with human intelligence characteristics… Whereas machine learning defines a set of methods that would give an antivirus the ability to learn without being explicitly programmed.
Machine learning algorithms can look at large sets of data, and then discover and formalize the principles underlying that data. In other words, the algorithm should be able to “reason” properties of malicious samples even if they were previously unseen.
Applied specifically to malware detection, machine learning can consider any new file that you are trying to access on your computer as a previously unseen sample. The hidden property it discovers in it may be malware or benign. But it should be able to reason if it really is malware or not, based on a model that it deducts through a set of principles underlying the data properties.
Most importantly, machine learning is not just a single method but rather a range of approaches that will lead to a solution.
Given the complexity of this scanning method, artificial intelligence antivirus is raising the stake among the villains who seek to develop malware. The more complex the scanning and identification methods become, the harder they will have to work to create malware that are more difficult to detect.
It is, after all, a continuous race and antivirus software based on artificial intelligence simply keeps us in the race. (source:https://antivirusjar.com/how-antivirus-software-works/)
Hackers can use the same technology powering your appliances to create smart malware.
Aug 27, 2018, 6:30 am
You’re about to fire up a video-conferencing app you’ve used dozens of times before. Your colleagues have already joined the call. Suddenly, a vicious ransomware virus launches in its place, encrypting all your files.
Thanks to advances in artificial intelligence, such fine-grained targeted cyberattacks are no longer the stuff of dark hacker movies, as security researchers at IBM demonstrated at the recent Black Hat USA security conference in Las Vegas.
AI has made it possible for our devices and applications to better understand the world around them. Your iPhone X uses AI to automatically recognize your face and unlock when you look at it. Your smart security camera uses AI to detect strangers and warn you. But hackers can use that same AI technology to develop smart malware that can prey on its targets and detect them out of millions of users.
The researchers of IBM have already created DeepLocker, a proof-of-concept project that shows the destructive powers of AI-powered malware. And they believe such malware might already exist in the wild.
Why is AI-powered malware dangerous?
Most traditional malware is designed to perform its damaging functions on every device they find their way into. This is suitable when the attackers’ goal is to inflict maximum damage, such as last year’s WannaCry and NotPetya ransomware outbreaks, in which hundreds of thousands of computers were infected in a very short period of time.
But this method is not effective when malicious actors want to attack a specific target. In such cases, they have to “spray and pray,” as Marc Stoecklin, cybersecurity scientist at IBM Research, says, infecting a large number of targets and hoping their target is among them. The problem is that such malware can quickly be discovered and stopped before it reaches its intended target.
There is a history of targeted malware attacks, such as the Stuxnet virus, which incapacitated a large part of Iran’s nuclear infrastructure in 2010. But such attacks require resources and intelligence that’s often only available to nation states.
In contrast, AI-powered malware such as DeepLocker can use publicly available technology to hide from security tools while spreading across thousands of computers. DeepLocker only executes its malicious payload when it detects its intended target through AI techniques, such as facial or voice recognition.
“This AI-powered malware is particularly dangerous because, like nation-state malware, it could infect millions of systems without being detected,” Stoecklin says. “But, unlike nation-state malware, it is feasible in the civilian and commercial realms.”
How does AI-powered malware work?
To find its target and evade security solutions, DeepLocker uses the popular AI technique deep learning, from which it has gotten its name. Deep learning is different from traditional software in the sense that instead of defining rules and functions, programmers develop deep learning algorithms by feeding them with sample data and letting them create their own rules. For instance, when you give a deep learning algorithm enough pictures of a person, it’ll be able to detect that person’s face in new photos.
The shift away from rule-based programming enables deep learning algorithms to perform tasks that were previously impossible with traditional software structures. But it also makes it very difficult for contemporary endpoint security solutions to find malware that use deep learning.
Antivirus tools are designed to detect malware by looking for specific signatures in their binary files or the commands they execute. But deep learning algorithms are black boxes, which means it’s hard to make sense of their inner workings or reverse-engineer their functions to figure out how their work. To your antimalware solution, DeepLocker is a normal program, such as an email or messaging application. But beneath its benign appearance is a malicious payload, hidden in a deep learning construct.
DeepLocker identifies its target through one or several attributes, including visual, audio, geolocation and system-level features, and then executes its payload.
AI-powered malware in action
To demonstrate the danger of AI-powered malware, the researchers at IBM armed DeepLocker with the popular ransomware WannaCry and integrated it into an innocent-looking video-conferencing application. The malware remained undetected by analysis tools, including antivirus engines and malware sandboxes.
“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms,” says Stoecklin. Hackers can use AI to help their malware evade detection for weeks, months, or even years, making the chances of infection and success skyrocket.
While running, the application feeds camera snapshots to DeepLocker’s AI, which has been trained to look for the face of a specific person. For all users except the target, the application works perfectly fine. But as soon as the intended victim shows their face to the webcam, DeepLocker unleashes the wrath of WannaCry on the user’s computer and starts to encrypt all the files on the hard drive.
“While the facial recognition scenario is one example of how malware could leverage AI to identify a target, other identifiers such as voice recognition or geo-location could also be used by an AI-powered malware to find its victim,” Stoecklin says.
Malicious actors can also tune the settings of their AI-powered malware to target groups of people. For instance, hackers with political motives might want to use the technique to hurt a specific demographic, such as people of a certain race, gender or religion.
How serious is the threat of AI-powered malware?
It’s widely believed and discussed in the cybersecurity community that large criminal gangs are already using AI and machine learning to help launch and spread their attacks, Stoecklin says. So far, nothing like DeepLocker has been seen in the wild. But that doesn’t mean they don’t exist.
“The truth is that if such attacks were already being launched, they would be extremely challenging to detect,” Stoecklin says.
Stoecklin warns that it’s only a matter of time before cybercriminals look to combine readily available AI tools to enhance the capabilities of their malware. “The AI models are publicly available, and similar malware evasion techniques are already in use,” he says.
In recent months, we’ve already seen how publicly available AI tools can become devastating when they fall into the wrong hands. At the beginning of the year, a Reddit user called deepfakes used simple open-source AI software and consumer-grade computers to create fake porn videos featuring celebrities and politicians. The outbreak of AI-doctored videos and their possible repercussion became a major concern for tech companies, digital rights activists, lawmakers and law enforcement.
However, for the moment, Stoecklin doesn’t see AI-powered malware as a threat to the general public. “This type of attack would most likely be used to target specific ‘high value’ targets, for a specific purpose,” he says. “Since this model of attack could be attached to different types of malware, the potential use-cases would vary depending on the type of malware being deployed.”
0 Comments