Black Hat: Traditional AV is Dead, Long Live XGen Machine Learning

Today’s IT security bosses are assailed from all sides by a huge variety of online threats. They’re designed to exploit known and unknown vulnerabilities across cloud, mobile, virtual and hybrid environments. And increasingly, they’re developed to outwit traditional signature-based tools. Yet the impact of these threats has never been greater. Data breaches and service outages can lead to heavy industry fines, damage to the brand, lost customers, remediation and clean-up costs, and even heft legal bills.

That’s why we have developed a new statistical-based approach designed to learn as it goes to detect modern unknown threats. This XGen approach was revealed at Black Hat today by senior researcher, Marco Balduzzi.

The old way
Signature-based security is fine for protecting against only known bad entities, especially when combined with whitelists and application control to ensure users are exposed to only the ‘known good’ files. But today’s IT environments and the threats facing them have outgrown this way of doing things, according to Balduzzi.Marco

Polymorphic malware, for example, can automatically change the characteristics of malware files by recompiling the binaries in different formats. That makes it virtually impossible for signature-based detection to keep up. Obfuscation techniques, meanwhile, make it hard to read and understand binary and textual data. A good example is packing technology, which black hats use to obfuscate entire files.

Signature-based AV can also be time consuming in terms of analysing the malicious files – something no company can afford. Plus, new strains of domain generation algorithm (DGA) malware generate large numbers of domain names to communicate with C&C servers, rendering traditional URL blacklists obsolete, Balduzzi said.

Enter XGen
The answer is to complement traditional detection methods with a new approach developed by Trend Micro. XGen is content agnostic, meaning file and/or webpage content doesn’t need to be analysed. Instead, it analyses relationship patterns along the lines of “Who”, “What”, “Where”: that is, who downloaded what from where, Balduzzi explained. By combining system and network-level information in this way it’s able to leverage statistical models to detect and classify potential malware and malicious URLs. What’s more, this is done on a global scale, to gain the most accurate situational awareness possible.

The benefits are obvious, says Balduzzi:

  • Concurrent detection of malicious download events, eg files and URLs
  • Complementary approach to existing solutions, eg static and dynamic detection
  • Efficient, real-time detection against unknown and modern threats

The technology has already been deployed on a large-scale installation and can effectively do classification of real-time threats in just 0.16 seconds. And it identified 84% of future malware listed in the Virus Total database a full six months before it was officially classified, Trend Micro said. What’s more, experiments on classified data showed a detection rate of over 90% while keeping the false positives at just 0.1%


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.