Math vs. Malware

from the process of behavior identification or malware analysis currently conducted by threat researchers. Rather than looking for things which people believe are suggestive of something malicious, Cylance leverages the compute capacity of machines and data-mining techniques to identify the broadest possible set of characteristics of a file. These characteristics can be as basic as the PE file size or the compiler used, and as complex as a review of the first logic leap in the binary. We extract the uniquely atomic characteristics of the file depending on its type (.exe, .dll, .com, .pdf, .java, .doc, .xls, .ppt, etc.). By identifying the broadest possible set of attributes, Cylance removes the bias introduced by the manual classification of files. Use of hundreds of thousands of attributes also substantially increases the cost for an attacker to create a piece of malware that Cylance does not detect.

The result of this attribute identification and extraction process is a file genome, very similar to the genome biologists assemble for humans. This genome is then used as the basis on which mathematical models are created to determine the expected characteristics of files, much as human DNA analysis is used to determine the characteristics and behaviors of cells.

Learning

Once the attributes are collected, the output is normalized and converted to numerical values that can be used in statistical models. This is where vectorization and machine learning are applied to eliminate human impurities and speed analytical processing. Leveraging the millions of file attributes identified during extraction, Cylance mathematicians then develop statistical models that accurately predict whether a file is valid or malicious. Dozens of models are created, with key measurements to ensure the predictive accuracy of the final models used in Cylance products.

Ineffective models are scrapped and effective models are run through multiple levels of testing. The first level starts with a few million known files; later stages involve the entire file corpus (tens of millions of files). The final models are then extracted from the test corpus and loaded into Cylance’s production environment for use in file classification.

Classification

Once the statistical models are built, the Cylance engine can classify files that are unknown (e.g., files that have never been seen before, or never analyzed by another whitelist or blacklist). This analysis takes only milliseconds and is extremely precise because of the breadth of file characteristics analyzed. Because the analysis is done using statistical models, the classification is not completed in a black box: Cylance provides the user with a ‘confidence score’ as part of the classification process. This score gives the user incremental insight they can use to weigh decisions about what action to take on the specific file — block, quarantine, monitor, or analyze further.

There is an important distinction between the machine learning approach and a traditional threat research approach. With the mathematical approach, Cylance builds models that specifically determine whether a file is valid or malicious. It will also return a response of ‘suspicious’ if our confidence about the file’s malicious intent is less than 20% and there are no other indications of malicious intent. In so doing, the enterprise gains a holistic perspective on the files running in its environment. It also eliminates the current industry bias in which threat researchers only determine whether a file is malicious and whitelist vendors only determine whether a file is good.

Cylance vs. the Real World

Cylance prevented the Microsoft Word RTF (CVE-2014-1761) zero-day malware threat from executing before it was ever observed in the wild — without any foreknowledge.
Cylance discovered and quarantined this threat in March 2014, even though it did not appear on malwr.com until April, and even then it was detected by only 4 of 51 antivirus engines. The Cylance engine, however, detected the same malware (a2fe8f03adae711e1d3352ed97f616c7) instantaneously — without the need for any updates. Cylance prevented this exploit from executing, as seen in the screen shot below.

It’s important to remember that for each and every file, thousands of attributes are analyzed to differentiate between legitimate files and malware. This is how the Cylance engine identifies malware — whether packed or not, known or unknown — and achieves an unprecedented level of accuracy. It divides a single file into an astronomical number of characteristics and analyzes each one against hundreds of millions of other files to reach a decision about the normalcy of each characteristic.

CylancePROTECT® Key Features:

• Protection and detection of previously undetectable advanced threats
• Cloud-enabled, but not cloud dependent for sensitive environments
• No daily .DAT updates, which eliminates the need for an ‘always-on’ connection
• Extremely low performance impact; runtime execution dramatically reduces overhead
• Easy to deploy and manage with a purpose-built web interface

Future-Proof Security

By applying math models to the endpoint, the Cylance engine easily surpasses all traditional methods of malware detection and prevention. Our approach is to stop the execution of bad files before they can cause any damage. With this approach, the endpoint remains secure and unviolated even if the file is resident on disk.

CylancePROTECT

CylancePROTECT is our flagship enterprise product, harnessing the power of the Cylance engine to prevent the execution of advanced threats in real time on each endpoint in the organization. CylancePROTECT provides real-time detection and prevention of malware. It operates by analyzing potential file executions for malware in both the operating system (OS) and memory layers, and prevents the delivery of malicious payloads. Memory protection is designed to be extremely low-touch so as not to incur a heavy performance overhead. Instead, memory protection strengthens basic OS protection features like DEP, ASLR, and EMET by providing an additional layer to detect and deny certain behaviors that are very commonly used by exploits. These two core functions are supported by a variety of ancillary features necessary for enterprise functionality, including:

• Whitelist and blacklist support for administrative granularity
• Detect-only mode (audit mode)
• Self-protection (prevention against user tampering)
• Complete control, update and configurability from the management console

Cylance Consulting
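As an added illustration of the extraction, learning and classification steps described earlier in this paper (example code written for this page, not Cylance’s engine or any code from the paper): it parses a constructed minimal PE header for a few of the static attributes the paper names (file size, linker/compiler version, section count, entry point), vectorizes them for a statistical model, and applies the stated 20% ‘suspicious’ rule. The sample image, the feature choices and the verdict bands other than the 20% cut-off are assumptions.

```python
import math
import struct

SUSPICIOUS_THRESHOLD = 0.20  # the paper's cut-off: <20% confidence and no other indications


def build_sample_pe(linker_major=14, linker_minor=0, sections=3):
    """Constructed minimal PE32 image (sample data, not a real binary): DOS stub,
    PE signature, COFF header and the first fields of the optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = struct.pack("<I", 64)  # e_lfanew: PE header starts at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, sections, 0x5A0B0000, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIII", 0x10B, linker_major, linker_minor,
                      0x1000, 0x200, 0, 0x1234, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + opt + b"\0" * 80


def extract_attributes(data: bytes) -> dict:
    """Extraction step: static PE attributes of the kind the paper names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 60)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    magic, lmaj, lmin, size_code, _, _, entry, _ = struct.unpack_from(
        "<HBBIIIII", data, pe_off + 24)  # optional header follows the 20-byte COFF header
    return {"file_size": len(data), "machine": machine, "sections": nsect,
            "timestamp": stamp, "linker": f"{lmaj}.{lmin}", "size_of_code": size_code,
            "entry_point": entry, "pe32plus": magic == 0x20B}


def vectorize(attrs: dict) -> list:
    """Learning step: normalize attributes into a numeric feature vector
    (log-scaled sizes, linker version as a float, booleans as 0/1)."""
    lmaj, lmin = (int(x) for x in attrs["linker"].split("."))
    return [math.log1p(attrs["file_size"]), float(attrs["sections"]),
            lmaj + lmin / 100, math.log1p(attrs["size_of_code"]),
            1.0 if attrs["pe32plus"] else 0.0]


def verdict(malicious_confidence: float, other_indications: bool) -> str:
    """Classification step. Assumed reading of the paper's rule: at or above the
    threshold, or with other indications present, the file is malicious; a low but
    non-zero confidence with no other indications is 'suspicious'; otherwise valid."""
    if other_indications or malicious_confidence >= SUSPICIOUS_THRESHOLD:
        return "malicious"
    if malicious_confidence > 0.0:
        return "suspicious"
    return "valid"
```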