Since 2016 – when a hospital in Los Angeles paid US$17,000 (£14,000) to cure itself of an infection – the healthcare sector in particular, and the world in general, have suffered the effects of a sporadic outbreak of ransomware attacks.
Though viruses and other strains of malware can cause headaches, data corruption, and financial losses, they tend to do so quietly – with the true extent of the damage they cause often not being felt until days, weeks, or even months after the attack.
With ransomware, it’s different. The effects are often immediate – and there’s an “in your face” quality to the nature of the attacks themselves (literally, with popups or dialogs spelling out the perpetrator’s demands, and crowing about their success in trapping you) that raises the hackles of private citizens, corporations, and security professionals alike.
To date, there’s been no “magic bullet” or universal cure for ransomware afflictions, but there’s reason for optimism. In this article, we take a closer look at the use of Artificial Intelligence vs Ransomware and how AI and machine learning may hold the key to creating more effective defenses.
The Trouble with Signatures
Mainstream anti-virus and anti-malware products have traditionally relied on a database containing digital signatures associated with known variants of malicious software. By comparing files discovered or active on a host system against these signatures, any viruses or malware can be identified.
There are a couple of serious problems with this approach.
First, the effectiveness of such a solution relies on keeping the signature database up to the minute, accurate, and reliable. And keeping it updated is something that many users find difficult to do. It’s another chore added to an already busy schedule – and even automated updates can fail, or miss out on vital new threats.
Second, a signature database only consists of known signatures from known malicious software. There are new strains being developed as we speak, and new techniques for mutating or masking the signatures of existing ones. All these new variants could make it past a traditional signature-based defense.
Many cyber-security products still rely on this approach. So it’s really no coincidence that only around two out of 60 security services tested spotted the recent outbreak of ransomware that swept the globe in June 2017.
Simple Behavioral Problems
There’s been an attempt to improve on traditional methods of security scanning by observing the behavior and characteristics of processes and files on a system, looking for activities that might indicate the presence of malicious software. Files or processes contravening the simple rules of ethical behavior are then red-flagged or quarantined.
For ransomware attacks, bad behavior would typically include attempts to make files unavailable by encrypting them. But this is also the function of legitimate software utilities for file and folder encryption – and a behavior also associated with routine system activities like file compression.
Missing the Mark
More sophisticated behavior monitoring tools look to reduce the number of “false positive” alerts by looking for combinations of behaviors that might reasonably indicate the presence of software with malicious intent.
As an example, a legitimate file encryption utility would display a progress or status bar while scrambling files – but the malware initiating a ransomware attack would tend to encrypt files and folders without announcing its presence (that comes later when the damage is done).
The problem with this approach is the “closing the barn door after the horse has bolted” effect, where damage to files and networks may have already occurred before the offending malware is flagged.
Artificial Intelligence vs Ransomware – Adaptability with Intelligence
What’s required for dealing with threats like ransomware is a system that’s continually vigilant and able to make decisions on the fly, about what it perceives to be malicious activity. That’s why machine learning and Artificial Intelligence (AI) are being proposed as a powerful tool in this fight.
Machine learning algorithms are mathematical and computational formulas that can create large databases of behaviors observed on a system, and logical associations between those behaviors and their effects on the system or network as a whole. As more behavior is observed and more information is added, the system creates more refined logical associations – effectively learning by experience.
Coupling a machine learning system with tools to act on what’s being observed in real time produces an artificially intelligent defense system capable of proactively eliminating potential threats and/or passing information and alerts on to human security officers who can take the required action.
Artificial Intelligence vs Ransomware – Complex Behavior Matching
Introducing machine learning and AI into the equation makes it possible to extend behavior monitoring beyond a few simple rules to include potentially massive rule and association sets defining normal and abnormal system activity. “Good” and “bad” software behaviors may be compared against what’s being observed in real time, to determine whether a process or file is behaving like a legitimate system element or a piece of malware.
A heuristic analysis may be performed, to establish the probability of whether a behavior that’s being observed is more likely to be legitimate or malicious – and this can help in cutting down the number of misdiagnoses and false positive alerts. Machine learning capabilities can ensure that any results that slip through the net can be used to tweak and improve the system during subsequent monitoring.
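As an added illustration (not code from any product mentioned in this article), the sketch below scores combinations of behaviors as a probability. High-entropy output alone does not separate an archiver or a legitimate encryption utility from ransomware, but the combination with a missing progress window and widespread overwriting does. The feature names, weights, threshold, and sample observations are assumptions constructed for the example.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted and compressed data both approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Assumed weights and bias, chosen by hand for illustration only.
# A machine learning system would fit these from labelled observations.
WEIGHTS = {"high_entropy": 1.5, "overwrites_originals": 2.0,
           "no_visible_ui": 1.0, "many_dirs": 1.5}
BIAS = -4.0

def features(proc: dict) -> dict:
    """Turn one process's observed activity into boolean behavior flags."""
    ents = [shannon_entropy(w) for w in proc["writes"]]
    return {
        "high_entropy": bool(ents) and sum(ents) / len(ents) > 7.0,
        "overwrites_originals": proc["overwrites_originals"],
        "no_visible_ui": not proc["has_window"],
        "many_dirs": proc["dirs_touched"] >= 10,
    }

def malicious_probability(proc: dict) -> float:
    """Logistic score: combined behaviors -> probability of malice."""
    z = BIAS + sum(WEIGHTS[k] for k, on in features(proc).items() if on)
    return 1 / (1 + math.exp(-z))

# Constructed sample observations (not real telemetry).
SCRAMBLED = bytes(range(256)) * 16        # stand-in for ciphertext, 8.0 bits/byte
PLAIN = b"quarterly report draft " * 200  # ordinary text, low entropy
OBSERVED = {
    "text_editor": dict(writes=[PLAIN], overwrites_originals=True,
                        has_window=True, dirs_touched=1),
    "archiver": dict(writes=[SCRAMBLED], overwrites_originals=False,
                     has_window=True, dirs_touched=3),
    "encryption_tool": dict(writes=[SCRAMBLED], overwrites_originals=True,
                            has_window=True, dirs_touched=1),
    "silent_encryptor": dict(writes=[SCRAMBLED] * 3, overwrites_originals=True,
                             has_window=False, dirs_touched=40),
}

def flagged(threshold: float = 0.5) -> list:
    """Names of observed processes whose score reaches the threshold."""
    return sorted(n for n, p in OBSERVED.items()
                  if malicious_probability(p) >= threshold)
```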
AI Protection for Consumers?
AI security solutions are becoming an increasingly available commodity in the enterprise market, with machine learning products aimed at corporate users currently in the range of $40 to $50 a year per computer.
At the consumer end of the market, options are thinner on the ground – though there are third-party software utilities using heuristic analysis and the strategic placement of bait files and folders with names that have been targeted in the first wave of previously observed ransomware attacks.
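The bait-file idea can be sketched as follows. This is an added example, not taken from any of the utilities referred to above: bait files are written, their hashes recorded, and any later change or disappearance raises an alert, since no legitimate user or program has reason to touch them. The file names, contents, and the ".locked" rename in the demo are hypothetical.

```python
import hashlib
import os
import tempfile

# Hypothetical bait names; real tools pick names seen in earlier attacks.
BAIT_NAMES = ["000_accounts.docx", "aaa_passwords.xlsx", "zzz_backup.pdf"]

def _digest(path: str) -> str:
    """SHA-256 of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def deploy_bait(root: str) -> dict:
    """Write bait files under root and return {path: sha256} as the baseline."""
    baseline = {}
    for name in BAIT_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"bait file, do not edit: " + name.encode())
        baseline[path] = _digest(path)
    return baseline

def check_bait(baseline: dict) -> dict:
    """Return {path: 'missing' | 'modified'} for every bait file that changed."""
    alerts = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts[path] = "missing"     # deleted or renamed
        elif _digest(path) != digest:
            alerts[path] = "modified"    # contents rewritten in place
    return alerts

def demo() -> dict:
    """Constructed scenario: one bait file rewritten, one renamed."""
    with tempfile.TemporaryDirectory() as root:
        baseline = deploy_bait(root)
        paths = sorted(baseline)
        with open(paths[0], "wb") as fh:
            fh.write(bytes(range(256)))  # stand-in for scrambled contents
        os.rename(paths[1], paths[1] + ".locked")
        return {os.path.basename(p): s
                for p, s in check_bait(baseline).items()}
```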
Artificial Intelligence vs Ransomware – Creating a Strategic Defense
The fight against ransomware and other malware threats isn’t all about security mechanisms and software. For ransomware, in particular, the first point of contact between victims and perpetrators is typically that baited email, text, or voice message which leads the target to click on a fatal link and/or visit a booby-trapped website.
Vulnerability to social engineering scams and a lack of security awareness on the part of the victims are as much a part of the equation as the malware itself. So measures to increase public and enterprise knowledge on the tricks to avoid and the best practices to adopt must also be part of any overall defense strategy.