Today is a celebrated day for defenders against advanced threats. Cylance is releasing its Infinity Advanced Threat Cloud to the world as a revolutionary new capability for detecting advanced threats, built on the principles of machine learning and algorithmic science.
Over twelve months of dedication and investigation by the Cylance Labs team have proven that scientific theory can be applied to security: one can actually detect the unknown-unknown. These are typically advanced threats, and threats missed or bypassed by today’s anti-virus and malware detection infrastructure. Cylance Infinity can accurately decide whether a file or object is malicious and answer the question: "Is this something that I should allow to run, or should I treat it as a threat and take action?"
Making critical threat decisions is certainly not a new challenge, nor one lacking a variety of solutions. The most effective, yet most primitive, solution is to have a very highly skilled analyst reverse engineer the binary and make a determination: "Is this malware or is it not?" There will never be enough human malware analysts, especially expertly skilled ones. And you are going to need a good one, because on any particular Windows-based computer you can expect to find 60k–70k unique objects containing executable instructions. Across even a moderate enterprise this translates to millions.
To manage this daunting task, automation has been applied to the human effort: tool chains screen out unlikely candidates, such as signed binaries; dynamic analysis and sandboxing gather behavioral inputs; and databases hold billions of hashes. But in the end, a human analyst still must make a manual decision: "Is this bad or is it not?" This simply cannot keep up with the threats.
Beginning with the principle of letting machines do what they do well, and applying measurable, repeatable techniques, Cylance applies the science of machine learning and statistical analysis to the problem of execution control. These techniques are used today in a variety of fields: high-speed algorithmic trading, which lets information systems make rapid decisions on buying and selling equities and derivatives; actuarial science, which informs the insurance industry on managing the likelihood of adverse events across applications such as flood, life and health insurance; and scientific algorithms in pharmaceuticals that group and detect chemical interactions and treatments. Cylance changes the game in the cyber world.
Cylance’s work over the past year has delivered a proven scientific and mathematical solution to this most critical and essential security industry problem. The power of Cylance Infinity is accessed both through Windows-based desktop products available to security professionals at every skill level and through an API that leverages our elastic cloud for broader integration and adoption.
The secret behind Infinity is its statistical extraction of massive numbers of features from objects, followed by the application of decision models to those features. Infinity allows the models to make complex determinations of good versus bad. It also employs an iterative process, with successive generations of models enhancing efficacy and accelerating measurable improvement. Infinity currently ingests over five million objects a day, extracts a large number of features from each, and makes a determination on the risk, providing the requestor with a statistical confidence for that decision.
All features in the Cylance approach are extracted statically, allowing the technique to scale infinitely. Features, in the Cylance nomenclature, are attributes of the object such as signatures and the contents of the object, like components of its disassembly. Many of these features are the product of brilliant malware analysts’ experience and an understanding of how to approach the analysis of an object. Each object may have tens of thousands of features, with new ones being made available to Infinity on a regular basis.
These features are measured in a supervised environment to understand which ones are the most deterministic; those features are then combined into models that can be applied to unknown samples. Using mathematical measurement and objective analysis of features, the combinations thereof, and the intent of the sample or its use, Infinity becomes more than the sum of its parts, capable of artificial intelligence exceeding the ability of any analyst. Infinity is self-learning.
Samples are analyzed in milliseconds rather than minutes or hours, and with a categorized confidence. If for some reason a sample is not categorized, additional features are applied to allow greater fidelity and accuracy. Infinity’s beauty is that there is no requirement for an object to have been previously seen for the analytic models to classify the sample. The decision of good or bad is made on each individual sample and the composition of that object.
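As an added illustration of the pipeline described above (static features, a supervised model, a confidence score, and additional features when the first pass is not confident), the following Python is constructed for this post and is not Cylance’s code; the two toy features, the constructed training corpus and the confidence margin are assumptions, not Infinity’s.

```python
import math
import random
from collections import Counter

_rng = random.Random(7)  # seeded so the constructed corpus is reproducible

def text_like(n=512):
    # Constructed "benign" object: repetitive ASCII configuration text.
    words = [b"config ", b"version ", b"path=C:\\Program Files\\", b"LogLevel=info "]
    return b"".join(_rng.choice(words) for _ in range(n // 8))[:n]
def packed_like(n=512):
    # Constructed "malicious" object: uniformly random bytes, as packed code looks.
    return bytes(_rng.getrandbits(8) for _ in range(n))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for constant data, 8 for uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def base_features(data: bytes) -> list:
    # Static features only: bias term, scaled entropy, fraction of printable bytes.
    printable = sum(32 <= b < 127 for b in data) / len(data)
    return [1.0, entropy(data) / 8.0, printable]
def extended_features(data: bytes) -> list:
    # One extra static feature, applied only when the base model is not confident.
    return base_features(data) + [data.count(0) / len(data)]

def _sigmoid(w, x):
    return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))

def train(samples, feats, epochs=300, lr=0.5):
    # Supervised logistic regression by plain gradient descent (label 1 = malicious).
    w = [0.0] * len(feats(samples[0][0]))
    for _ in range(epochs):
        for data, label in samples:
            x = feats(data)
            err = label - _sigmoid(w, x)
            w = [wi + lr * err * xi for wi, xi in zip(w, x)]
    return w

def build_models(n_per_class=20):
    # Labelled corpus is the "supervised environment"; two models share it.
    corpus = [(text_like(), 0) for _ in range(n_per_class)]
    corpus += [(packed_like(), 1) for _ in range(n_per_class)]
    return train(corpus, base_features), train(corpus, extended_features)

def classify(data: bytes, w_base, w_ext, margin=0.1):
    """Return (verdict, confidence); near 0.5 the wider feature set is applied."""
    p = _sigmoid(w_base, base_features(data))
    if abs(p - 0.5) < margin:
        p = _sigmoid(w_ext, extended_features(data))
    return ("malicious" if p >= 0.5 else "benign"), max(p, 1.0 - p)
```

The verdict is reached from the object’s own bytes, so an object never seen during training is still scored; the confidence value is what a consumer would threshold on before blocking execution.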
Today Cylance is making this model available to operational security teams for integration within their workflow. In the fourth quarter of 2013, Cylance will debut Cylance EnterprisePROTECT, bringing Infinity to the desktop for enterprises and finally shifting the power from the adversary to the victim, once and for all.