Silencing Malware with AI

Stuart McClure is on a personal mission. After more than two decades in the anti-malware industry, he firmly believes that ninety percent of malware attacks today can be prevented by not clicking on this, not clicking on that, and not opening that attachment either. While he's not the first nor alone in suggesting the user bears at least some responsibility, the anti-malware industry up until now hasn't yet produced an effective alternative to signature-based solutions based on known attacks. McClure's company, Cylance, thinks it has the answer with its first-generation AI-driven anti-malware products for both enterprises and consumers.

"Why couldn’t we simply train a computer to think like a cybersecurity professional to know what to do and not to do based on the characteristics and features of known attacks?" asked McClure.

Today the anti-malware industry is built on detection of and response to known events. In other words, when something bad does happen, it has already bypassed whatever signature-based protection was in place. McClure said the industry response has always been to define each new event with a signature or a heuristic file and then push it out to users. Sometimes there's a delay. And sometimes new variants multiply too fast to be stopped. Hence the recent and devastating NotPetya outbreak in 2017, he said.

McClure said years ago he ended up leaving McAfee as their CTO because "the number one thing I did was apologize. I'd call myself the Chief Apology Officer. 'I'm sorry we didn’t catch this. Sorry we’re overwhelming your systems with alerts. Sorry, sorry, sorry.' I kept thinking the only reason I kept having to say sorry was because of the signature-based detect and response model."

So McClure started working toward a better approach. "My idea was what if we feed a computer everything that we know is bad online behavior, then have it tell us -- algorithmically -- the characteristics of this badness. We can apply that algorithm to every decision made on a computer so that if anything new comes in -- whether it has been known or unknown, future or past -- we can now detect it and prevent it in real time. We wanted to finally get to a preventative capability within our technology so that it eliminated the need for a human being to write a signature."

Having the idea was one thing. Executing it was another. McClure said he started with his university education, with an idea of feeding a decision tree algorithm data and then having it learn by which characteristics aligned to one data classification or another. "I said [to my team], just start with decision tree learning and go figure it out. Give me an algorithm for bad. That was the initial exercise."

That didn't work, McClure said. "They iterated through thousands of algorithms. They went through logistic regression [among others], and finally landed on deep learning models of neural networks." McClure said deep learning models proved incredibly effective at finding the distance between good and bad. "We were now able to build math models that were lightweight and fast, and that allowed us to go to market."

During the interview McClure said he wanted to correct an industry myth -- that there are all kinds of new attacks coming out every day. "The industry tries to say that there are new viruses all the time because they want to sell upgrades and subscriptions and all that kind of stuff." He said that most of the signature files being created today are for variants of known viruses and not necessarily for new ones.

Example? WannaCry and NotPetya.

McClure said signature-based systems were not very effective in the summer of 2017; therefore these two malware outbreaks had a lot of impact. He said about ninety percent of these attacks were variants. "If companies had signature-based protection in place, why would these attacks work? Because signature-based protection is too limiting; it's based on what’s been seen before."
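The contrast McClure draws above, between a signature for what has been seen before and a model trained on the characteristics of known-bad samples, and his point that most outbreaks are variants, can be shown on toy data. The following is an added illustration, not Cylance's code: a hash-based signature check beside the simplest decision-tree learner (a one-feature threshold stump) trained on constructed good and bad byte strings, then run against a repacked variant. All sample bytes, feature choices and API name strings are constructed for the example.

```python
# Added illustration, not Cylance's code: a known-sample signature check
# beside the simplest "decision tree" learner (a one-feature threshold
# stump) trained on characteristics of constructed good/bad samples.
import hashlib
import math
from collections import Counter

# Constructed toy "files": low-entropy text as good, packed-looking bytes
# carrying process-injection API names as bad.
GOOD = [b"Quarterly sales report for the northern region. " * 20,
        b"def main():\n    print('hello')\n" * 30]
BAD = [bytes(range(256)) * 4 + b"CreateRemoteThread\0WriteProcessMemory",
       bytes(range(255, -1, -1)) * 3 + b"URLDownloadToFileA\0WriteProcessMemory"]
# A repacked variant: same traits, every packed byte XORed with 1, so its hash changes.
VARIANT = bytes(b ^ 1 for b in BAD[0][:1024]) + BAD[0][1024:]

API_NAMES = [b"CreateRemoteThread", b"WriteProcessMemory", b"URLDownloadToFile"]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data scores near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def features(data: bytes) -> list:
    """The characteristics the learner sees, rather than the exact bytes."""
    return [entropy(data), float(sum(name in data for name in API_NAMES))]

def train_stump(samples, labels):
    """Pick the feature and midpoint threshold that best split bad (1) from good (0)."""
    best = None
    for f in range(len(samples[0])):
        vals = sorted({s[f] for s in samples})
        for lo, hi in zip(vals, vals[1:]):
            t = (lo + hi) / 2
            errs = sum((s[f] >= t) != (y == 1) for s, y in zip(samples, labels))
            if best is None or errs < best[0]:
                best = (errs, f, t)
    return best[1], best[2]

def signature_detect(data: bytes, known_hashes: set) -> bool:
    """Signature model: flags only byte-for-byte known samples."""
    return hashlib.sha256(data).hexdigest() in known_hashes

def feature_detect(data: bytes, model) -> bool:
    """Learned model: flags anything whose chosen feature crosses the threshold."""
    f, t = model
    return features(data)[f] >= t

KNOWN = {hashlib.sha256(b).hexdigest() for b in BAD}
MODEL = train_stump([features(x) for x in GOOD + BAD], [0, 0, 1, 1])

if __name__ == "__main__":
    for name, blob in [("known bad", BAD[0]), ("variant", VARIANT), ("good", GOOD[0])]:
        print(name, "signature:", signature_detect(blob, KNOWN),
              "features:", feature_detect(blob, MODEL))
```

The variant's hash is absent from the signature set, so the signature check misses it, while the learned threshold on entropy still flags it; a real classifier uses far more features, but the generalization argument is the same.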

McClure said that not one of Cylance's customers was affected by WannaCry or NotPetya, although he said the real proof is found in talking with customers. "Number one thing they will say is 'It just works.'" He said his deep-learning-based anti-malware eliminates the threat vector on networks and back-end systems so admins can get their nights and weekends back. "At Cylance we create silence," he said.

But McClure didn't just start a company to make amends for decades of the signature-based approach to malware. He added that he did so literally to protect people. He explained that his dad was in law enforcement, having served in the Navy during the Korean War before that, and that his brothers went into law enforcement as well. "I know I'm driven to protecting people."

McClure cited one personal example of that passion, helping a friend of his wife’s who was being extorted for sex pictures online, "if you don’t do A, then B, and then C will happen. Well, I wanted to make sure this didn’t happen so I’ll always try and help someone even if I know I shouldn’t. My core mission -- and passion, I guess -- is to deliver protection so others no longer have to suffer victimization online. And it's also a big part of our mission and culture at Cylance."