Forget signatures for malware detection. SparkCognition says AI is 99 percent effective

Date: 2017-04-24

The volume of malicious software in the wild has exceeded researchers’ ability to write signatures for all of it. The most effective way to detect malware today is through the use of artificial intelligence.

The notion of detecting malware by looking for malicious file signatures is obsolete. Depending on which source is cited, anywhere from 300,000 to one million new malware files are identified every day.

Kaspersky Lab says it finds 323,000 files daily, AV-TEST claims to discover more than 390,000 new malicious programs every day, and Symantec says it uncovers almost a million new threats per day. No matter how you count it, that’s a lot of malicious software being unleashed into the wild day after day.

Most of these “new” files are actually clones of each other, with perhaps just one character that is different. Given that every digital file has a unique signature, this one-character difference means that two otherwise identical files still have different signatures.

Malware researchers continuously scour the Internet to look for malicious files. They use honeypots and other techniques to attract the files. When they come across a new sample they compute an MD5 and/or SHA256 hash and add it to their database of signatures. Anti-virus (AV) and anti-malware (AM) products that get installed on endpoint computers compare the hashes of all the files on an endpoint to the hashes in the signature database. If there is a match, the AV/AM software generates an alert about the malicious file.

This process was rather effective until a few years ago, when the amount of malware being produced daily skyrocketed. Now it is practically impossible for any research team to keep up with the volume of malware variants and to generate and distribute the necessary hashes to detect the malware in real time. The efficacy of AV/AM products that rely solely on signatures is dropping precipitously.

Luckily an alternative is rising in its place: malware detection that uses artificial intelligence (AI) to identify malicious files by characteristics rather than by signatures. Products based on AI are said to be more effective in detecting malware in all its mutations, quickly and with few false positives.
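The hash lookup described above, and the reason a one-byte clone slips past it, can be shown in a few lines. This is an added example, not code from the article or from SparkCognition: the sample bytes are constructed, all names are hypothetical, and the byte n-gram similarity score is only a simple stand-in for "characteristics", not DeepArmor's model.

```python
import hashlib

# Constructed byte strings standing in for files (not real samples).
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-sample-payload-" * 8 + b"A"
CLONE = KNOWN_BAD[:-1] + b"B"            # same content, last byte changed
BENIGN = b"MZ\x90\x00" + bytes(range(256))

# Signature database: SHA-256 hashes of samples researchers have already seen.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Exact-hash lookup, the check a signature-only AV/AM product performs."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Overlapping n-byte windows, used here as a crude content characteristic."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two files' n-gram sets, from 0.0 to 1.0."""
    ga, gb = byte_ngrams(a), byte_ngrams(b)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def characteristic_match(data: bytes, threshold: float = 0.8) -> bool:
    """Flag a file whose content closely resembles the known sample.
    The threshold is an assumed value chosen for this illustration."""
    return similarity(data, KNOWN_BAD) >= threshold


def scan(data: bytes) -> dict:
    """Run both checks so their verdicts can be compared side by side."""
    return {
        "signature": signature_match(data),
        "characteristic": characteristic_match(data),
        "score": round(similarity(data, KNOWN_BAD), 3),
    }


if __name__ == "__main__":
    for name, blob in [("known", KNOWN_BAD), ("clone", CLONE), ("benign", BENIGN)]:
        print(name, scan(blob))
```

The clone misses the hash lookup but still scores close to the known sample, while the unrelated file scores near zero on both checks.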

SparkCognition, an Austin-based AI company, has a new entrant in the malware detection marketplace. DeepArmor Enterprise is a machine learning-based malware detection engine. SparkCognition has trained its algorithms on hundreds of thousands of clean files and malicious files to learn the characteristics of a file that is benign versus a file that is malicious. The characteristics are an indicator of the actual intent of those files. When the system reads a new file, it’s able to read those characteristics, make a determination and provide a confidence score on whether the file is malicious or benign.

SparkCognition doesn’t define the characteristics for its malware detection engine; that would be tantamount to giving it signatures. Instead, the machine learning model leverages an ensemble of algorithms that pore over a thousand or more characteristics per file to learn how to classify the file as malicious or benign.

