Deep Instinct: from detection to prevention

(By Alessandro Rugolo)

It has been established that antiviruses are not always able to protect us. In a 2012 study, security journalist Brian Krebs found that the main antiviruses in use at the time were about 20% effective, meaning only one of every five attempts at infection was reported and blocked! 

From 2012 to date, several other studies have examined the effectiveness of antivirus software, using different methodologies and producing different results, showing that older-generation antiviruses are more than 90% effective. Certainly a good step forward from 20% in 2012.

The question that arises now concerns the possibilities for improvement offered by Artificial Intelligence technologies.

Older-generation antiviruses rely mainly on recognition elements typical of infections that have already been identified, namely:

- use of signatures associated with the malware. This means comparing one or more characteristics of the unknown software with those of already known malicious software, for example a certain sequence of commands or a particular sequence of code;

- heuristic analysis. It is based on checking for similar (but not identical) elements between unknown software and families of malware. This method is based on the observation that many viruses are similar to each other and the same can be said of their behavior;  

- file reputation. It is based on the categorization of known files and the management and sharing of information available to users. 

All these technologies are clearly based on the knowledge and analysis of existing malware, but are generally not very useful in the case of new malware.
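The three checks listed above, and the limitation just noted, can be seen in a toy scanner. This is an added example, not code from the article or from any vendor; the sample byte strings are constructed and harmless, every name is hypothetical, and 4-gram Jaccard similarity is only a stand-in for heuristic analysis.

```python
import hashlib

# Constructed, harmless byte strings standing in for files (not real samples).
KNOWN_BAD = b"HDR|open_socket|read_keys|send_keys|self_copy|END"
VARIANT = b"HDR|open_socket|read_keyz|send_keys|self_copy|END"  # one byte changed
NOVEL = b"NEW|load_cfg|enum_drives|write_log|exit"              # unrelated content

SIGNATURE = b"read_keys|send_keys"                    # byte sequence taken from KNOWN_BAD
BAD_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}  # toy file-reputation store


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def signature_hit(data: bytes) -> bool:
    """Signature check: exact byte sequence from a known sample."""
    return SIGNATURE in data


def reputation_hit(data: bytes) -> bool:
    """File reputation: whole-file hash looked up in a known-bad set."""
    return hashlib.sha256(data).hexdigest() in BAD_HASHES


def heuristic_score(data: bytes) -> float:
    """Heuristic check: Jaccard similarity of 4-grams with the known family."""
    a, b = ngrams(data), ngrams(KNOWN_BAD)
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def scan(data: bytes, threshold: float = 0.5) -> dict:
    """Run all three checks and report which ones flag the file."""
    return {
        "signature": signature_hit(data),
        "reputation": reputation_hit(data),
        "heuristic": heuristic_score(data) >= threshold,
    }


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_BAD), ("variant", VARIANT), ("novel", NOVEL)):
        print(name, scan(sample), round(heuristic_score(sample), 2))
```

The one-byte variant is missed by the signature and the hash lookup and caught only by similarity to the known family, while the unrelated sample is missed by all three checks.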

To be effective against new malware, other technologies need to be developed, and Artificial Intelligence can be useful here.

"Deep Instinct", an American company headquartered in New York and founded in 2015, uses deep learning to try to prevent attacks by still-unknown malware, and seems to be on the right track.

Let's try to understand together how it works, using a diagram available on their site.

The image shows the architecture of the platform, which is based on a neural network located in Deep Instinct's laboratory (top) and represents the beating heart of the security architecture. The neural network is continuously learning, which makes it possible to have an always updated predictive model, called D-Brain.

The predictive model is deployed on all the clients we want to protect. This makes it possible to perform statistical and behavioral analyses and to use all the "knowledge" that went into creating and updating the model, both to identify already known malware and, above all, to identify malware not yet known. In fact, the platform is connected to a database (D-Cloud) which includes information on the reputation of billions of files.

It is clear that in such a system the number of false positives (detecting malware where there is none) must be kept at very low levels: blocking the execution of a benign file can in fact be just as dangerous as not blocking a malicious file.

It is important to note that the check for the presence of malware is done in the system cache, that is, before the malware can access the hard drive.

The Deep Instinct platform is an example of how AI can help the world of cyber security by preventing infections before they can infect the system.

To learn more:

How useful is antivirus software? | Computerworld

A Closer Look: Email-Based Malware Attacks - Krebs on Security

When it Comes to Antivirus, Herd Immunity Works for Cattle and PCs | PCMag

Existing Evidence for the Effectiveness of Antivirus in Preventing Cyber Crime Incidents

What is Heuristic Analysis in Antivirus? Definition, Advantages, and More