Ummm...
I'd feel more secure if their website didn't use three tracking networks to see what I'm doing on it.
Security firm Cylance is using machine learning to fight what many firms regard as the already lost battle of keeping computers free of malware. While mainstream thinking in the industry has moved towards acceptance that malware infections are inevitable and the focus has to be on detection and response, the US startup isn’t …
If it writes to system files and is not a core Windows process, then why let it do that?
If it's an image and it attempts to execute code, why let it?
Okay, it's easy to find simple examples. Real life is exponentially more difficult and I'm certainly not a virus expert. But all this signature-based detection is demonstrably insufficient.
I wish these guys the best of luck. We can certainly do with a new approach to the question.
Full disclosure: I sell AV software
TL;DR: Entire article appears to have been copied from an over-hyped press release.
"already lost battle of keeping computers free of malware" - Why not start by characterising your competitors as defeatist?
"far more effective than conventional antivirus software from the likes of Symantec and Intel Security (McAfee)" - So similar to half the smaller vendors, then?
"mainstream thinking in the industry has moved towards acceptance that malware infections are inevitable and the focus has to be on detection and response" - Why not fudge the terminology to make it sound like you're doing something new. The aim of on-access protection is to detect the malware before it is executed, e.g. if you detect malware in a browser download, you respond by deleting it. You can't prevent the code arriving on your machine unless you are prepared to block everything arriving (see airgap) because you can't identify it until you have it there to look at.
"The firm is applying a stats-based approach to threat detection that it claims offers 99 per cent detection rates in comparison to the 40 per cent figures of conventional antivirus." - So they're using heuristics. Citation needed for those detection rates.
"trained using a sample of 300 million known good files and 300 million known bad files" - Everyone in AV is dealing with huge numbers of samples nowadays. Now, what method did you use for knowing whether they are good or bad? You believed someone else's analysis, or your staff analysed 600 million files?
"The technology is not based on either sandboxing, signatures or conventional signatures." - OK, so what is it based on?
"Our technology is extracting the DNA of malware" - Oh, so it's based on extracting DNA, wait, WHAT? You crush up the malware and extract the double helix???! Oh, you meant metaphorically? So, you're still not telling us. Is it based on fairy dust and wishful thinking?
"Firstly Cylance’s technology doesn’t need to hook into every process running on a desktop and therefore has a lower footprint." - 'conventional' AV doesn't hook every process - just the read and write calls.
"Secondly its agent can run effectively on air-gapped machines." - most AV can run on airgapped machines, but it helps if you can switch off the warning that it can't reach the update server. Air-gapping is a great method of preventing malware spread, so you've tailored your solution to work best where it is least needed?
I developed a technique which proved 99.8% effective on unknown files using machine learning for my MSc Project. There are a number of ways to achieve such high rates.
If someone has money they would like to invest ($42m would be nice), a number of researchers are looking to set up a global SOC and are going to offer the A/V solution free to our users.
FYI, the A/V engines at VirusTotal averaged 48% in my study.
"I developed a technique which proved 99.8% effective on unknown files using machine learning for my MSc Project. There are a number of ways to achieve such high rates."
I'm not saying I don't believe you, but this is a rather vague claim. Certainly before I'd even agree to take a closer look at a system of this sort I'd want to know the actual recall and precision rates, more details about the classification mechanism, and more information about the training and testing sets.
But more fundamentally, even the definition of "malware" is to some extent subjective - it's going to vary by use case and threat model. So no classifier can be "99.8%" effective at discriminating between "safe" and "unsafe" for all files, for all users. That's simply not a meaningful distinction.
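The reply above asks for recall and precision rather than a single "99.8% effective" figure. The following is an added example, not code from the original thread, from Cylance, or from any commenter, showing why that matters: the same classifier, with the same per-class rates, gets a very different precision once the base rate of malware changes. All counts (a constructed balanced lab set of 1000 malicious and 1000 benign files, and a constructed deployment where one file in a thousand is malware) are illustrative, not measurements of any product; the names `Confusion`, `confusion`, `project` and `allow_everything` are this example's own.

```python
"""Precision, recall and base rates for a binary malware classifier.

Added example for this thread; the counts are constructed, not measured.
"""
from dataclasses import dataclass
from typing import Sequence

MALICIOUS = 1
BENIGN = 0


@dataclass(frozen=True)
class Confusion:
    """Outcome counts of a binary classifier; the positive class is 'malicious'."""
    tp: int  # malicious and flagged
    fp: int  # benign but flagged
    fn: int  # malicious but allowed (a miss)
    tn: int  # benign and allowed

    @property
    def accuracy(self) -> float:
        """Fraction of all verdicts that were right; dominated by the majority class."""
        return (self.tp + self.tn) / (self.tp + self.fp + self.fn + self.tn)

    @property
    def recall(self) -> float:
        """Detection rate: fraction of malware that was flagged."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    @property
    def precision(self) -> float:
        """Fraction of flagged files that really were malware."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    @property
    def false_positive_rate(self) -> float:
        """Fraction of benign files that were wrongly flagged."""
        negatives = self.fp + self.tn
        return self.fp / negatives if negatives else 0.0


def confusion(labels: Sequence[int], predictions: Sequence[int]) -> Confusion:
    """Tally a confusion matrix from ground-truth labels and classifier verdicts."""
    if len(labels) != len(predictions):
        raise ValueError("labels and predictions differ in length")
    tp = fp = fn = tn = 0
    for truth, verdict in zip(labels, predictions):
        if truth == MALICIOUS:
            if verdict == MALICIOUS:
                tp += 1
            else:
                fn += 1
        elif verdict == MALICIOUS:
            fp += 1
        else:
            tn += 1
    return Confusion(tp, fp, fn, tn)


def project(cf: Confusion, n_malicious: int, n_benign: int) -> Confusion:
    """Carry the measured per-class rates (recall, FPR) over to a population with a
    different malware base rate. Assumes the rates transfer from test set to
    deployment, which is itself an assumption a vendor test rarely validates."""
    tp = round(cf.recall * n_malicious)
    fp = round(cf.false_positive_rate * n_benign)
    return Confusion(tp=tp, fp=fp, fn=n_malicious - tp, tn=n_benign - fp)


def allow_everything(n_malicious: int, n_benign: int) -> Confusion:
    """Trivial baseline that never flags anything."""
    return Confusion(tp=0, fp=0, fn=n_malicious, tn=n_benign)


# Constructed balanced lab set: 1000 malicious and 1000 benign samples.
# The classifier misses 2 malicious files and wrongly flags 10 benign ones.
LAB_LABELS = [MALICIOUS] * 1000 + [BENIGN] * 1000
LAB_VERDICTS = [MALICIOUS] * 998 + [BENIGN] * 2 + [MALICIOUS] * 10 + [BENIGN] * 990

# Constructed deployment: one file in a thousand is malware.
FLEET_MALICIOUS = 1_000
FLEET_BENIGN = 999_000


def lab_result() -> Confusion:
    return confusion(LAB_LABELS, LAB_VERDICTS)


def fleet_result() -> Confusion:
    return project(lab_result(), FLEET_MALICIOUS, FLEET_BENIGN)


def fleet_baseline() -> Confusion:
    return allow_everything(FLEET_MALICIOUS, FLEET_BENIGN)


def report(name: str, cf: Confusion) -> str:
    return (f"{name}: accuracy={cf.accuracy:.4f} recall={cf.recall:.4f} "
            f"precision={cf.precision:.4f} fpr={cf.false_positive_rate:.4f} "
            f"flagged={cf.tp + cf.fp}")


if __name__ == "__main__":
    print(report("lab (balanced)", lab_result()))
    print(report("fleet (1:1000)", fleet_result()))
    print(report("allow-all baseline", fleet_baseline()))
```

On the balanced lab set the classifier scores 99.4% accuracy and 99.8% recall, which is the kind of number a press release quotes. Projected onto the 1:1000 fleet, recall is unchanged but precision drops to roughly 9% (about 10,000 alerts for 998 real detections), and the do-nothing baseline that allows every file scores 99.9% accuracy, higher than the classifier. A headline "X% effective" therefore says nothing until you know which metric it is, the false-positive rate, and the malware base rate of the set it was measured on.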
Some of the other vendors mentioned have Machine Learning already embedded in their engines- it's not new, and Cylance isn't doing anything unique.
It will be interesting to see if they allow a 3rd party to test their product independently, rather than be shadey about exactly how they have tested themselves and other vendors products.
However, their methods, according to my research (and the mentioned company), are ineffective (to a % in a given scenario).
Malware detection is easy (I can say that as I have proved it!).
High detection rates are usually academically based and have high overheads.
The key is finding a solution which is a good trade off.
I've found that and want to commercialise it as part of a larger security problem (investment would be nice)! Cylance are only doing what any commercially aware company with the solution, and more importantly the resources, would do to market globally.
The DNA section is just figurative, to be understood by all audiences. What this means technically is that every executable has every element of its code inspected against the Cylance Infinity algorithm in the kernel within a number of milliseconds before runtime, issuing the file with a score predicting whether the file is malicious or not, resulting in letting the file run if it is believed to be safe, to the extent of quarantining the file completely from the user's device if believed to be malicious.
Of course it was figurative, just like the terms sandboxing and signature. The difference is that those terms have acquired a defined technical meaning. Now Cylance introduces a new figurative term, and doesn't give a technical meaning.
I'm hoping "Cylance Infinity" doesn't refer to its runtime ;-). So their solution is just the same as everyone else's: "on-access protection with our proprietary algorithm". Maybe their proprietary algorithm is better than all the others, but they should either explain technically why that is, or provide third-party test results to show it works.
(Full disclosure: I sell AV software. Sorry for the repetition.)
As you state, you "sell" AV software, not develop. Please don't mix the two up.
The process Cylance have done is relatively simple, if you know how. Also why would they tell anyone what their way is? To be fair they've kinda given their process away in the earlier posts and the methods are well documented (if you do your research). Research (not "sell") and you may become enlightened!
@HenryandHugo - Thank you for your condescension. I know I'm not a developer, but I wanted to be clear that I have a horse in this race. I like to think I'm not just a salesdroid, but even if I am, consider what I'm saying.
Cylance claims their solution is fantastically better than the competition, I'm asking for an explanation of why, or 3rd party independent tests that back the claim. Is that unreasonable?
To me, the article looks like it has been copied from an over-hyped press release. I've seen many of these over the past 20 years, and they claim the new company is doing something radically different to "conventional" AV, with much better results. Usually, they fall into two groups, total charlatans and reasonable researchers with some incremental improvements who have a rabid marketing department.
Cylance appears to have decent researchers, they've published in the Virus Bulletin (https://www.virusbtn.com/virusbulletin/archive/2015/06/vb201506-NET-GUIDs). I guess they need to cage the marketers.
"Cylance claims their solution is fantastically better than the competition, I'm asking for an explanation of why, or 3rd party independent tests that back the claim. Is that unreasonable?"
Absolutely not!
I have no doubts about their claims having researched this area. Their marketing machine appears to now be on overdrive, fair play tbh.
I have no connection with Cylance, also their method which achieved such high rates is completely different to mine (which achieved higher and is quicker).
The process CANNOT be legally protected, so why tell anyone if you can make some money out of it?
If Cylance are reading this, my process could complement yours, as would a European SOC!!