No fate
No fate but what we make.
Researchers at Endgame, a cyber-security biz based in Virginia, have published what they believe is the first large open-source dataset for machine learning malware detection known as EMBER. EMBER contains metadata describing 1.1 million Windows portable executable files: 900,000 training samples evenly split into malicious, …
Various security vendors have already done this sort of thing using both supervised and unsupervised machine learning algorithms.
There have been numerous products out there for some time using it.
In case you hadn't noticed, it hasn't stopped malware yet, because it never will.
It's always offence vs defence, and a new defence spawns a new offensive technology. Given both the rewards and the players involved, it always will be an endless war.
Signature-based protection is an after-the-fact approach - you have to have the virus locally before a signature-based AV can scan it, and that means you run the risk of triggering it before the AV can check out the file.
Instead of using signatures, an activity-based approach might be better. On a clean system, the AV creates a record of legitimate programs and kernel programs. After that, anything trying to modify those files is stopped cold, with a warning. Any process trying to access memory it shouldn't is frozen and quarantined. Any new application installed is sandboxed until its activity has been thoroughly analyzed and found acceptable; then it stands a chance of being whitelisted. Any whitelisted program trying to modify the kernel generates a warning for the user before the modification is allowed to complete.
Of course, the problem with this approach is that security is basically user-based, so the user has to know what he is doing.
And with that I realize that I have just shot down my own theory. Bugger.