Ever Heard of Cylance?

Discussion in 'other anti-virus software' started by kerykeion, Dec 31, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
In a further effort to "demystify" the current state of AI in malware detection, I am posting this link on machine based neural networks. This component is essential in AI delivering on its claims of truly being more effective than existing malware detection methods. As you will note from the article, machine based neural networks are just in their infancy at this point in time: https://www.bizety.com/2016/02/05/deep-learning-neural-nets-are-effective-against-ai-malware/ . Refer back to my previous comments in this thread about polymorphic and metamorphic malware.

    Excerpts from the article:

    Companies Claiming Deep Learning Solutions

Deep Instinct, an Israeli startup, claims that they are the first to offer a deep learning-based AV solution using ANNs. They use data fragmentation by breaking down objects into their smallest parts, and applying deep learning to identify unknown suspicious behavior and detect, predict, and prevent known and unknown threats.

Their deep learning solution comprises three components: D-Brain provides the real-time cyber threat intelligence that features continuous learning to predict new malware and then update the D-Appliance and D-Clients for what the company says is instant, instinctive protection against never-seen-before threats. They claim that its software is 20% more effective at catching modified versions of existing malware than the best current generation of AV solutions.

    Baidu has long been an investor in AI and deep learning, and they are also selling Symantec-like products to Chinese companies using deep learning.

Symantec recently announced integrating deep learning to detect 0-day malware. Android versions of Symantec mobile security products are the first to include deep learning, but it will soon spread to other platforms.

    Cylance has 1 to 2 PB of data reserved solely for machine learning. Currently in development, they are reported to have used deep learning to train their software to discern malware without the need for sandboxing or analyzing malware.

    Conclusions

Deep learning shows a lot of promise as a preventative measure against AI malware and threat morphing. Few deep learning-based malware detection methods so far have achieved the low false positive rates and high scalability required to deliver reliable predictors for threat morphing malware. However, these developments are still viewed with skepticism since security firms have only just wholly embraced integrating deep learning into their software. Until more results are released, it is difficult to determine if a neural net recognizes malware or applications that perform a lot of network activity.
    Additionally, here is a link that indicates that this technology is very much still under development by Cylance: http://www.darkreading.com/vulnerab...-learning-in-malware-detection/d/d-id/1321423

    Excerpts:

    Cylance has some one- to 2 petabytes of data in its data set for machine learning: "We typically have a few hundred CPUs running for days to process and work through the data, and weeks and months running and training the machines to learn these things," Wolff says. It takes hundreds of gigabytes of memory, CPUs and "big machines," he says.

    The machine learning-based method for now is all about detection. It's up to the security analyst or other tools to decide what to do next with the newly discovered malicious code, he says.

    A deep learning system could ultimately replace today's existing malware detection tools, Wolff says. "A machine learning engine is more effective" than a signature-based engine, he says.
     
    Last edited: Jul 7, 2016
  2. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    What you say is AI, just not advanced.

    Artificial intelligence has been used for a long time. A simple calculator, for example, is driven by AI. Think about it, how can a physically small object (i.e. a calculator) solve a complex mathematical equation? :D

    Typically now, nevertheless, "AI" means advanced AI.
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
No, a calculator gives you 100% accurate results. AI might give you close but it is not the same thing.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
● Static disassembly is problematic - discovered code paths are heuristic, and it is difficult to trace out all executable code
● Important information can be buried elsewhere in the executable - how do we find it?
● Only applies to executable code - how to apply to scripts, code running in VMs (Java, C#, …)?
● Is training on raw bytes tractable?

     
  7. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    any further news if cs is going to accept mm challenge?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    For anyone not following the malwaretips.com video threads on Cylance, I am posting a Managed Malware excerpt:

    A point of clarification, though, we do require the device to connect to the cloud so it can initially register and receive the policy we use to configure PROTECT; otherwise, PROTECT installs in a default configuration which observes only; doesn't prevent threats.

    We also provide our customers with access to the cloud console (if they wish) so they can see threats and waive any false-positives.


    Ref.: https://malwaretips.com/threads/sophos-vs-cylance.60825/page-4#post-521491
    Why anyone is remotely interested in this software is beyond me. But each to their own .................

     
  9. guest

    guest Guest

    it is what i said since the beginning, you have absolutely no control over it... policies are remotely implemented by their techs...
     
  10. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
I wonder if policies are set depending on what license they put out, for the CS challenge for example?
They know perfectly well what license she will use, and could potentially turn up the screws to catch all or?
    If this is going to work it should be up to CS to set the parameters, or at least have full insight in what settings are used.

    /E
     
  11. guest

    guest Guest

    if i was CS i would do it anonymously :D
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also from what I could glean from the Managed Malware web site, you are purchasing a one year subscription to use Managed Malware services which includes the deployment of CylanceProtect on your local machine as MM sees fit. This differs from a software license where you can use, modify, and configure the software however you wish.

    So if MM/Cylance desired to do tracking, monitoring, data mining activities or the like, there is zip you can do about it short of uninstalling the software. My recommendation is if you do install this software, do a full image backup of your OS installation HDD that can be used to restore your system once you decide to get rid of CylanceProtect.
     
  13. guest

    guest Guest

    exactly , it was my first concern about it.

    and encrypt all your files with a strong key.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    itman quoted "PROTECT installs in a default configuration which observes only; doesn't prevent threats."

    I am still not sure why the doesn't prevent threats would have been posted. I am running it and it has indeed quarantined a few things.

    "do a full image backup of your OS installation HDD that can be used to restore your system once you decide to get rid of CylanceProtect."

    I have had a back up months ago and not just in case Cylance doesn't work out.

    "if i was CS i would do it anonymously :D"

Yes but then nobody would know it was done. Everybody is waiting with bated breath for CS to do it.

Malware Managed is slowly moving 1840 toward production with a target of end-of-July - this will introduce scripting protection as well as some minor bug fixes. Maybe CS should wait till then?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
What MM said was "We also provide our customers with access to the cloud console (if they wish) so they can see threats and waive any false-positives." This indicates to me that you will only be able to "allow" previously denied FP's. You don't have any access to modify CylanceProtect internal settings.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There is also the question of what protection components you are receiving when you purchase a MM home subscription of CylanceProtect.

    I previously posted that on the Cylance web site, it is clearly noted that memory protection and execution control are optional features. However, when you view this MM web page: https://www.malwaremanaged.com/pages/cylance-protect-demo, it states that those "optional features" are part of your home product subscription? Well as we all know, execution control is meaningless unless it can be locally configured and managed.

    Really, this home version of CylanceProtect is all about "smoke and mirrors."
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Obviously, you did register your product since you purchased a subscription.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Continuing the analysis of Cylance "mumbo jumbo and voodoo black magic," let's look at this feature as noted in the MM product description web page:

    Automated Code ‘DNA’ Analysis

    Analyzes every file on your endpoints to find executable elements, then extracts the core DNA of those files to find malware using our patent-pending artificial intelligence engine.
    Is this some "earth shattering concept?" No. Let's look at something one of those "legacy" vendors, Eset, employs in their AV solutions. Do note the detailed description given:

    DNA SIGNATURES

    Signature types range from very specific hashes (useful, for example, in targeting specific malicious binaries or specific versions of malware, for statistical purposes or simply to give a more precise detection name to malware that we have previously detected heuristically) to ESET DNA Signatures, which are complex definitions of malicious behavior and malware characteristics.

The pattern matching used by old-school antivirus products can be bypassed easily by simple modification of the code or use of obfuscation techniques. However, the behavior of objects cannot be changed so easily. ESET DNA Signatures are precisely designed to take advantage of this principle. We perform deep analysis of code, extracting the "genes" that are responsible for its behavior. Such behavioral genes contain much more information than the indicators of compromise (IOCs) that some so-called "next-gen" solutions claim to be "the better alternative" to signature detection. ESET behavioral genes are used to construct DNA Signatures, which are used to assess potentially suspect code, whether it's found on the disk or in the running process memory.

    Additionally, our scanning engine extracts many discriminator genes, which are used for anomaly detection: anything which does not look legitimate is potentially malicious.

    Depending on the adjustable threshold level and matching conditions, DNA Signatures can identify specific known malware samples, new variants of a known malware family or even previously unseen or unknown malware which contains genes that indicate malicious behavior. In other words, a single well-crafted DNA Signature can detect tens of thousands of related malware variants and enable our antivirus software not only to detect malware that we already know about, or have seen before, but also new, previously unknown variants. Moreover, automated clusterization and application of machine learning algorithms to our malicious sample sets allows us to identify new malicious genes and behavioral patterns for detection by our scanning engine. Such genes can be easily matched against a huge whitelist set to ensure that they generate no false positives.


    Ref.: http://static3.esetstatic.com/fileadmin/Images/INT/Docs/Other/ESET-Technology-Overview.pdf
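The two descriptions quoted above (ESET's DNA signatures here, and the slide bullets on the limits of static disassembly in post 6) are easier to compare with something concrete in hand. The following Python is an added illustration written for this thread; it is not ESET's, Cylance's or Malware Managed's code, and its gene list, the "Injector.Generic" signature, the threshold of 3, the entropy cutoff of 7.0 bits and the toy SHA-256 keystream packer are all assumptions chosen for the example. The "executables" are constructed byte strings, not real PE files. It layers three checks: an exact hash (the "very specific hashes" ESET mentions), a gene-based signature that still matches after the file is padded, and an entropy anomaly check that catches the case where static string extraction sees nothing because the body has been packed, which is exactly the limitation the post 6 bullets raise.

```python
import hashlib
import math
from collections import Counter

# Behaviour-indicative API names used as "genes". Hypothetical, hand-picked
# list for this example; a real engine derives its genes from analysis of
# large sample sets, not from a short table like this.
GENES = (
    b"OpenProcess",
    b"VirtualAllocEx",
    b"WriteProcessMemory",
    b"CreateRemoteThread",
    b"GetProcAddress",
    b"LoadLibraryA",
)

# Hypothetical DNA-style signature: the genes that together indicate remote
# process injection, plus an adjustable match threshold.
INJECTION_SIGNATURE = {
    "name": "Injector.Generic",
    "genes": {b"OpenProcess", b"VirtualAllocEx",
              b"WriteProcessMemory", b"CreateRemoteThread"},
    "threshold": 3,
}

ENTROPY_CUTOFF = 7.0  # bits per byte; assumed value for the anomaly layer


def sha256_hex(data: bytes) -> str:
    """Exact-match layer: identifies one specific binary and nothing else."""
    return hashlib.sha256(data).hexdigest()


def extract_genes(data: bytes) -> set:
    """Static gene extraction. Stands in for deep code analysis; here it is a
    plain substring search, so it only sees what is not obfuscated."""
    return {g for g in GENES if g in data}


def signature_matches(genes: set, signature: dict) -> bool:
    """A signature fires when enough of its genes are present (threshold)."""
    return len(genes & signature["genes"]) >= signature["threshold"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole blob; packed/encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, known_hashes: set, signature=INJECTION_SIGNATURE) -> str:
    """Layered verdict: exact hash, then gene signature, then anomaly check."""
    if sha256_hex(data) in known_hashes:
        return "known-hash"
    if signature_matches(extract_genes(data), signature):
        return "dna:" + signature["name"]
    if shannon_entropy(data) > ENTROPY_CUTOFF:
        return "anomaly:high-entropy"
    return "clean"


# ---- constructed samples (not real executables) ------------------------------

HEADER = b"MZ" + b"\x00" * 30                      # fake PE-ish header
CODE = (b"\x90" * 16 + b"\x55\x8b\xec" + b"\xc3") * 75  # low-entropy filler


def make_injector(padding: bytes = b"") -> bytes:
    """Injector-like sample: imports all four injection genes. Padding lets
    the 'attacker' change the hash without changing the behaviour."""
    imports = b"\x00".join(GENES[:4] + (b"kernel32.dll",))
    return HEADER + imports + padding + CODE


def make_benign() -> bytes:
    """Benign-looking sample: only the two loader genes, below threshold."""
    imports = b"\x00".join((b"GetProcAddress", b"LoadLibraryA", b"user32.dll"))
    return HEADER + imports + CODE


def stream_pack(data: bytes, key: bytes) -> bytes:
    """Toy crypter: XOR with a SHA-256 counter keystream. The run-time
    behaviour would be unchanged after an (omitted) unpacking stub, but the
    body now has no readable strings and near-maximal entropy."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(b ^ k for b, k in zip(data, out))


def make_packed(sample: bytes) -> bytes:
    return HEADER + b"UNPACK_STUB" + stream_pack(sample, b"example-key")


def build_samples() -> dict:
    original = make_injector()
    return {
        "original": original,
        "padded": make_injector(padding=b"\x00" * 64),  # same genes, new hash
        "packed": make_packed(original),                # no genes, high entropy
        "benign": make_benign(),
    }


if __name__ == "__main__":
    samples = build_samples()
    known = {sha256_hex(samples["original"])}
    for name, blob in samples.items():
        print(f"{name:9s} entropy={shannon_entropy(blob):.2f} "
              f"genes={len(extract_genes(blob))} -> {classify(blob, known)}")
```

The point of the three outcomes is the one both quoted passages make from different directions: the padded variant defeats the hash but not the gene signature, because the behaviour-bearing strings are untouched; the packed variant defeats both static layers, and only an anomaly measure over the raw bytes still says something. That last verdict is also the weakest, since legitimate compressed or signed installers look the same to an entropy check, which is why a gene found on disk is worth more than a gene found only in memory after unpacking is worth nothing.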
     
  19. Malware Managed

    Malware Managed Registered Member

    Joined:
    Aug 18, 2016
    Posts:
    9
    Location:
    Houston, TX
    Hi - Joel from Malware Managed here - this is my first post and I just want to say hello to everyone.

    I'd also like the opportunity to clarify a few things:

    1) We make the same Cylance PROTECT (that large organizations use) available to our Home and SMB Customers - Cylance doesn't currently have multiple types of PROTECT. Feature wise, our Customers have access to everything other Cylance PROTECT customers have.

2) We can and do offer our Customers the ability to customize the policy for their endpoint(s); 90% of our Customers are well protected by our standard policy but we have a few that want some of the protection disabled for their personal reasons - ultimately we provide this assistance as part of the managed service because honestly most of our customers aren't security experts.

    3) We provide Cloud Console access to any of our customers who want it. We are pushing Cylance to add a specific REST API endpoint so we can automate this; access would be provided automatically when a Customer makes a purchase but we're told it's in the queue. Currently we can grant our customers the ability to waive and quarantine files for their devices.

    4) Script control is currently enabled for several of our customers and we are very close to completing its roll-out; this protects against JScript, VBScript, MSOffice Macro and PowerShell based threats.

5) We offer PROTECT to Home and SMB customers as a managed service because it's currently the only way we can make it available; Cylance currently requires that a Customer purchase a minimum of 250 devices before they will provide that Customer with a dedicated Console. Ideally, we'd like to see Cylance provide finer-grained Console access control, such that it permitted a single Customer to fully control their own policy within a shared tenant like ours.

    6) PROTECT uploads only executables for dynamic analysis and log files for troubleshooting. Though it does protect against memory and script based attacks, it doesn't upload artifacts of these. PROTECT does not provide remote access or any other type of remote capability that might impact your privacy. In fact, if uploading logs and executables is a concern for any of our customers, we can disable that in policy for them.

I hope I've addressed most of what's been discussed; sorry I'm late to the table. I'd gladly take questions or try to help address concerns so long as everyone keeps in mind that we (Malware Managed) are not Cylance and anything we say only represents our opinions.
     
  20. Malware Managed

    Malware Managed Registered Member

    Joined:
    Aug 18, 2016
    Posts:
    9
    Location:
    Houston, TX
    @SHvFI, good question regarding trials - it's difficult for us because we still have to pay Cylance for each device we on-board; regardless of whether the Customer decides to buy or not. We do, however, offer a 30 day money back guarantee - so if a Customer is unsatisfied with PROTECT, we'll still refund them; in full.
     
  21. guest

    guest Guest

    the answer was explained here :

    https://www.wilderssecurity.com/thr...-malware-managed-testing.385886/#post-2588633

     
22. About the 20:1 ratio (although not exactly the same)

I have a company together with a partner (we each also have our own company). Together we have developed a new tool for sales (an APP). I used to work on a no cure/no pay basis (branding & business development), my partner on a bill by the hour basis (training & coaching). So we had different opinions on free activities. What we see is that only one out of 20 free customers becomes paid, so when selling software FREE is a lousy business case (a lot of work with little payment). We are still offering FREE trial licenses, only limited to two weeks (which has a positive impact on my work hours without reducing turnover).

Only when your App or extension is used over a million times can you earn money with free (by including advertisements). All other free is IMO just a waste of time and resources.
     
  23. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    If you say all this now can you answer any questions and answers I posted here and what has changed since my post? https://www.wilderssecurity.com/threads/ever-heard-of-cylance.382682/page-5#post-2591329 as I know Richard from Cylance.

    Thanks,

    Daniel ;)
     
  24. @SHvFl

It is a B2B app, so it sells through old fashioned cold calling, seminar/training follow up and promoted content on digital channels. One of the key things in B2B is urgency and support at responsible managers. People in those positions don't spend time wandering the internet for freebies, they have their consultants for that. That is why conversion is so low in B2B from free to paid. In the consumer market it is a different ball game. But with VoodooShield panning out as a next generation Machine Learning/Artificial Intelligence solution for home use, why would anyone bother with Cylance?
     
  25. Malware Managed

    Malware Managed Registered Member

    Joined:
    Aug 18, 2016
    Posts:
    9
    Location:
    Houston, TX
    @Triple Helix what questions do you have? I'll answer them as best I can.
     