Explore the heuristics of virus detection and proactive identification through the eyes of a seven-year-old.
As a recognized expert in cyber security, I’m often pressed by the media for comments relating to current cyber-related headlines. In one such recent encounter, I received a call from a newspaper journalist. Toward the very end of the call, the columnist thanked me for my “valued” feedback and said, “I must tell you Steven, after every conversation we have together, I feel sick to my stomach, and like I must go home, hug my kids and immediately disconnect all our computers and devices.” The cybersecurity world can be a very dark place, and I don’t mean that a light has merely burned out. I witness and deal with countless accounts of evil, greed and wrongdoing on an hourly basis within my office day – and I am guessing that as I write monthly about just a minute fraction of these new, emerging dangers and threats, many readers probably share the same sentiments as the journalist.
While it’s my responsibility (and pleasure!) to help educate users on safe computing and to never turn a blind eye to the cyber-evil out there, for this article, I’m going to digress from educating you in hand-to-hand cybercombat and write about something different: how we (virus researchers) classify the severity and maliciousness of the latest cyber threats, through the eyes of a child. Here is a hint—it correlates with God’s beautiful creatures and his wisdom in outfitting them uniquely and classifying them.
In a past article, I referenced my family’s recent holiday cruise, and my kids’ fascination with all the different local currencies as we visited several countries in South and Central America. One of those countries we visited was Costa Rica. We were told by our local excursion guide that Costa Rica is home to more than 500,000 species, representing nearly 4% of all total species estimated worldwide (spoiler alert–rainforests). To maximize the number of species we’d see while our ship was docked for 5 or 6 hours, we decided to experience the Costa Rican rainforest via an all-terrain “Monster Bus” (and All-Terrain it was: consider the Monster Jam Truck ‘Gravedigger’ only with an old-school bus body!). If you thought the cybersecurity world was scary, picture yourself scaling a mountain on a muddy dirt path (barely wide enough for our vehicle, with no guard rails, etc.) at an angle greater than 45% during a heavy (Costa Rican rain-forest) rain in a “Monster Bus” custom built by two men using spare parts. My wife speaks a little Spanish and she completely freaked out when the only road sign we saw was the upside-down yellow triangle of caution, and it had the word PELIGRO boldly printed on it. (Peligro is “danger” in Spanish.) This may not have been my best fatherly decision in the name of family time. Or was it?
As we finally came to a stop somewhere up the mountain, so did the tropical rain, and the guide had us disembark to experience the rain forest. However, before doing so, he matter-of-factly warned us not to touch anything, as many of the plants and animals right next to us, dangling down around us, growing wild beneath us, were either extremely dangerous or deadly poisonous. (Where are my kids?) He also said that in the event of a jaguar sighting that we should remain calm. (Does anyone else doubt the parental decision I made besides me?)
Once outside the bus, the guide immediately pointed to a bright red dot on a fallen tree and asked if anyone knew what this mysterious red spot was. Without hesitation and almost as if on cue, my 7-year-old daughter shouted out that it was a poison dart frog, and she was right. I was floored! I am not ashamed to admit that I know less than a 7-year-old when it comes to neuroscience, cognitive psychology or any science relating to the brain. My basic reasoning for how she came up with that answer and how quickly it came to her boils down to this:
In her mere seven years on this planet, my daughter has likely already seen millions of “animals” (we will use this term loosely to describe mammals, reptiles, birds, insects, etc.). I’d imagine most of the animals she’s seen in-the-wild are repetitive: animals native to Ohio (squirrel, deer, horses, fish, robins, etc.). Some of the animals she knows and recognizes, both alive and extinct, likely came from visits to numerous zoos, seeing local animals on vacations (i.e., Costa Rica), reading books, watching T.V. and at school. My point here is that regardless of age, we all have a large collection set of animals we recognize and label. We label animals broadly by their different feature sets. A feature is an individual measurable property or characteristic of the things being observed. Does it have wings? Can it swim? Does it bark? You get the point. Identifying good features is one of the most important steps in distinguishing one type of animal from another. For example, if we are distinguishing between a pig and a zebra, asking and extracting features such as “Does it have four legs?” or “Does it have two eyes?” would not make it possible to classify them separately. So, when deciding if that Costa Rican red spot was a poison dart frog or an African hippo, my daughter’s collection set of animals she knew about had to be large enough to tell one animal from another, there had to be a feature extraction process so that the animals could be systematically categorized into individual animal families, and the red color was certainly a narrowing factor in her little mind. Are you still with me?
What about the speed with which the answer was drawn? In the antivirus world, a process called dimensionality reduction can be used. Dimensionality reduction is the process of automatically reducing the number of unwanted or redundant features. Removing or combining such features saves space and time and improves performance. In our case, animals that share many of the same extracted features can be carefully excluded in an attempt to improve speed and accuracy. Again, the larger the initial sample collection set, the better! What we have done so far is called creating a Training Model.
Now, if my daughter encounters an animal, she can quickly extract the features of that animal, apply the Training Model, and then quickly determine the species of that animal. In its simplest form, it is in this very same way that we fight new malware. Thirtyseven4 incorporates a very powerful, fully dynamic-based behavior detection engine called the Advanced DNA Scan (DNA). Just like my daughter’s example, the DNA was created to quickly and proactively analyze all new files in real-time, both clean and malicious, and immediately identify them as either suspicious or clean. The process of making that determination is the same. It starts with a huge collection set of both clean and malicious files (millions of files), extracting features from them, systematically categorizing them, and applying dimensionality reduction and other advanced, proprietary machine-learned algorithms to create a robust training model. When Thirtyseven4 intercepts a new file (or a red poison dart frog), the feature extraction process starts, the training model is applied, and the DNA can quickly determine, in a fraction of a second, whether a file is clean or not.
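The pipeline described above (labelled collection set, feature extraction, dropping redundant features, training model, classifying a new file), as an added example that is not Thirtyseven4's engine or code from the original article. It assumes simple static byte features and a nearest-centroid classifier in place of the proprietary algorithms; all function names and the four toy samples are constructed for illustration.

```python
import math
from collections import Counter

def extract_features(data: bytes) -> dict:  # feature extraction (assumed features)
    n, counts = len(data) or 1, Counter(data)
    printable = sum(c for b, c in counts.items() if 32 <= b < 127) / n
    return {
        "entropy": -sum(c / n * math.log2(c / n) for c in counts.values()) / 8,
        "printable": printable,
        "non_printable": 1 - printable,  # redundant: mirrors "printable"
        "is_file": 1.0,                  # like "has two eyes": same for every sample
    }

def _corr(a: list, b: list) -> float:  # Pearson correlation of two feature columns
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    return cov / math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))

def reduce_features(rows: list) -> list:  # dimensionality reduction
    kept = []
    for name in rows[0]:
        col = [r[name] for r in rows]
        if max(col) - min(col) < 1e-9:
            continue  # constant across all samples: cannot separate anything
        if any(abs(_corr(col, [r[k] for r in rows])) > 0.999 for k in kept):
            continue  # carries the same signal as a feature already kept
        kept.append(name)
    return kept

def train(samples: list) -> dict:  # training model: kept features + centroid per label
    rows = [extract_features(data) for data, _ in samples]
    kept = reduce_features(rows)
    centroids = {}
    for label in sorted({lab for _, lab in samples}):
        group = [r for r, (_, lab) in zip(rows, samples) if lab == label]
        centroids[label] = [sum(r[f] for r in group) / len(group) for f in kept]
    return {"features": kept, "centroids": centroids}

def classify(model: dict, data: bytes) -> str:  # new file: extract, then nearest centroid
    feats = extract_features(data)
    point = [feats[f] for f in model["features"]]
    return min(model["centroids"], key=lambda lab: math.dist(point, model["centroids"][lab]))

SAMPLES = [  # constructed toy samples, not real files: text-like vs. high-entropy blobs
    (b"The quick brown fox jumps over the lazy dog. " * 10, "clean"),
    (b"key=value\nname=report\n" * 20, "clean"),
    (bytes((i * 97 + 13) % 256 for i in range(512)), "suspicious"),
    (bytes((i * 41 + 7) % 256 for i in range(512)), "suspicious"),
]
MODEL = train(SAMPLES)
```

The constant `is_file` feature and the mirrored `non_printable` feature are both discarded during training, so a new file is compared on only the two features that actually distinguish the classes.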
By utilizing and combining the latest technologies, Thirtyseven4 strives to be cutting-edge and to be the industry-leading next-generation scanning engine. We want our users to be in similar disbelief and amazement, just like I was with my daughter identifying the poison dart frog, when Thirtyseven4 proactively prevents an unknown threat from infecting a system.
Just as animals are classified and separated by features and characteristics, this is a simple way to grasp the heuristics of virus detection and proactive identification. It’s an abstract comparison, but hopefully one that gives you a simplified understanding, appreciation and “backdoor” look inside anti-malware scanning.
Did we make it out of the Monster Bus tour alive? Absolutely. The guides never faltered and their peace gave us peace. They were a neat example of two people who had a dream (showing tourists the “unseen” beauty and nature of Costa Rica), and they worked very hard to build their dream in creating a safe and cruise-ship endorsed monster-bus excursion. What we saw and experienced was raw and awesome. I am not sure the flora, fauna and animals will always be as prevalent there, and in the end, I was glad I booked the adventure for our family.
I hope that viruses, ransomware, bots and the like will not always be prevalent. That they would die off like an extinct species. But until then, Thirtyseven4 will keep classifying and protecting. A poison dart frog is tiny and lethal, but the destruction that new strains of malware can wreak on us and our machines is just as daunting.
Thirtyseven4, LLC is dedicated to serving customers with a full palette of security solutions including AntiVirus, AntiMalware, Anti-Ransomware and Zero-Day Threat Protection.