Microsoft Details Anti-Malware Cloud-Based System
Microsoft says it used artificial intelligence not only to spot and identify an attempted malware attack, but to block it more than a thousand times in the following half hour. It says the defense was possible thanks to Windows Defender running locally on the victim's computer, combined with analysis of the suspicious code by its cloud-based antimalware service.
The company calls it an example of machine learning. This means a model learns patterns from examples rather than simply following fixed 'true or false' rules written into a program. At its most basic level, antimalware protection, like traditional antivirus, scans a computer looking for files whose signatures already match known malware. A machine-learning approach instead learns which characteristics of a file tend to indicate malicious software, so it can flag files that have never been seen before.
Decision Tree Shows Risk
The first line of defense came on the computer belonging to a Windows 7 user in North Carolina. Windows Defender noticed something was amiss when it examined the code in an unfamiliar file and, before the file could be opened, emulated what would happen if it were executed. (Source: thewindowsclub.com)
The next step was running a decision tree. This examines various characteristics of the file and assigns each a probability that the characteristic indicates the file is malicious. Windows Defender then combined these individual probabilities into an overall rating for the file.
Online Analysis Far Quicker
Once Windows Defender's overall rating indicated the file was probably malware, the online ("cloud") element kicked in. Microsoft's cloud servers then carried out assessments similar in principle to those Windows Defender had run on the PC, but with the ability to crunch data far more quickly and drawing on a much bigger database of previously confirmed malware.
According to Microsoft, it took less than a minute from Windows Defender first spotting the file to reporting it to Microsoft's servers as a potential risk. The online analysis then took a matter of seconds before a message went out to Windows PCs worldwide that the file should be treated as malicious. That meant those computers could block the file outright, without needing to analyze it locally. (Source: microsoft.com)
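The pipeline described in the three paragraphs above, as an added example that is not Microsoft's code and does not reflect how Windows Defender actually scores files: a local scanner extracts a few static characteristics, maps each to a leaf probability, combines them in log-odds space, and asks a stand-in cloud service about anything scoring high enough. The cloud re-assesses with an extra signal the endpoint lacks (a larger indicator database), adds confirmed hashes to a global block list, and other endpoints then block the same file by hash without analyzing it. Every name, threshold, probability, indicator string and sample file here is a constructed assumption for illustration.

```python
import hashlib
import math
from collections import Counter

MALICIOUS_THRESHOLD = 0.7    # hypothetical cut-off for "probably malware"
CLOUD_QUERY_THRESHOLD = 0.5  # hypothetical cut-off for asking the cloud


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(data: bytes) -> dict:
    """Cheap static characteristics a local scanner can compute before the file runs."""
    lowered = data.lower()
    return {
        "entropy": shannon_entropy(data),
        "has_url": b"http://" in lowered or b"https://" in lowered,
        "has_shell_cmd": b"powershell" in lowered or b"cmd.exe" in lowered,
    }


def leaf_probabilities(f: dict) -> list:
    """Each decision stump maps one characteristic to a leaf probability of 'malicious'.
    The numbers are illustrative assumptions, not trained values."""
    return [
        0.9 if f["entropy"] > 7.0 else 0.3,
        0.8 if f["has_shell_cmd"] else 0.2,
        0.6 if f["has_url"] else 0.3,
    ]


def combine(probs: list) -> float:
    """Combine leaf probabilities in log-odds space so several weak signals add up."""
    logit = sum(math.log(p / (1.0 - p)) for p in probs)
    return 1.0 / (1.0 + math.exp(-logit))


def local_score(data: bytes) -> float:
    return combine(leaf_probabilities(extract_features(data)))


class CloudProtection:
    """Stand-in for the cloud service: a bigger indicator database plus a global block list."""

    def __init__(self):
        self.blocklist = set()  # SHA-256 of confirmed malware
        # Constructed indicator list standing in for 'previously confirmed malware'.
        self.known_bad_strings = [b"-w hidden", b"-enc ", b"/p.bin"]
        self.pushed = []        # hashes announced to every endpoint

    def assess(self, sha256: str, data: bytes) -> str:
        if sha256 in self.blocklist:
            return "block"
        probs = leaf_probabilities(extract_features(data))
        hits = sum(1 for s in self.known_bad_strings if s in data.lower())
        probs.append(0.95 if hits else 0.2)  # the extra signal only the cloud has
        if combine(probs) >= MALICIOUS_THRESHOLD:
            self.blocklist.add(sha256)
            self.pushed.append(sha256)
            return "block"
        return "allow"


class Endpoint:
    def __init__(self, cloud: CloudProtection):
        self.cloud = cloud
        self.blocklist = set()  # hashes received from the cloud

    def scan(self, data: bytes) -> str:
        sha256 = hashlib.sha256(data).hexdigest()
        if sha256 in self.blocklist:
            return "blocked-by-hash"  # no local analysis needed
        if local_score(data) < CLOUD_QUERY_THRESHOLD:
            return "allowed"
        if self.cloud.assess(sha256, data) == "block":
            self.blocklist.add(sha256)
            return "blocked-by-cloud"
        return "allowed"

    def receive_push(self):
        self.blocklist.update(self.cloud.pushed)


# Constructed samples (not real malware): a text document and a high-entropy blob
# followed by a dropper-style command line.
BENIGN = b"Quarterly report: revenue grew 4% year over year.\n" * 20
SUSPECT = bytes(range(256)) * 8 + b"powershell.exe -w hidden http://example.invalid/p.bin"


def run_scenario() -> dict:
    cloud = CloudProtection()
    first_victim = Endpoint(cloud)
    other_pc = Endpoint(cloud)
    first = first_victim.scan(SUSPECT)   # local score high -> cloud confirms -> hash pushed
    other_pc.receive_push()              # the worldwide message reaches another PC
    second = other_pc.scan(SUSPECT)      # blocked by hash, no local analysis
    benign = other_pc.scan(BENIGN)
    return {"first": first, "second": second, "benign": benign}


if __name__ == "__main__":
    print(run_scenario())
```

The second endpoint never computes features for the suspect file: a hash received from the cloud is enough, which is what "without needing to analyze it locally" means in practice. The flip side is that a hash-based push only covers byte-identical files; a variant with a single byte changed would fall back to local scoring and a fresh cloud query.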
What's Your Opinion?
Are you impressed by the way the security tools worked in this case? Do you rely on Windows built-in security or do you use third-party tools? What improvements would you like to see to the security tools you use?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years' experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
Comments
The future of antimalware / antivirus
This case study demonstrates the power of cloud computing. Normally it might take days to 'crunch the numbers' to provide a deep analysis of data, but cloud-based servers are able to do it in a matter of seconds. These cloud servers are in fact clusters of very powerful computers linked together to form a super computer. Each computer in the link processes part of the job and eventually all the computers combine to provide the result. This is also similar to how IBM's "Watson" computer works. Very impressive indeed!
Anti Malware cloud computing
So the big question in my mind is how long and how many committees Microsoft needs before they can apply this. It sounds like a no-brainer, but recognize that MS has its own bureaucracy to wind through before a decision gets made.
What if ...?
What if this were implemented at the levels above individual computers? In other words, what if company networks and all ISPs implemented this? Then, since all individual computers would be unable to receive or propagate malware, they are protected without implementing it on billions of individual computers. There would be no benefit for malware developers to create their nasty software.
Not viable.
This is a nice idea but not viable. Telecommunications companies are not computer science geniuses capable of analyzing, fixing, or patching operating systems. This has everything to do with detecting malware that is capable of running an exploit in an operating system (usually with elevated permissions) and delivering an infected payload, versus using hardware to deliver data from A to B. These are two completely separate issues.
Like all good things....
there's a dark side too. OK, I love the fact that the cloud protection can analyze a local computer and, if suspicious, send a warning or a patch to every Windows PC worldwide. In a matter of seconds, no less. I mean, right now, if I find a suspicious file, it has to be submitted to the AV manufacturer for analysis, and if bad, they send out a warning and then an update. A fast AV company can do this in only a day. I don't know how Win Defender worked if it found a suspicious file; likely it somehow submitted it to MS. A day, again, I suspect. This new procedure takes seconds.
But, what if it finds an "illegal" file on the PC? Maybe with a suspect serial? OK, I don't condone cracking, but the point is it might be mistaken. Even so, it can send a signal to all the PCs worldwide and shut down that particular application. Or, if it finds some kind of app that allows for anonymous browsing, or perhaps some kind of snoop blocker to prevent the PTBs from invading one's space, it can then send a signal to all the PCs to disable that app. An AI can identify pretty much anything you ask it to, after all. Any time you place power over people in the hands of the few, you can be sure it will eventually get misused, against the majority.
Or, have I misunderstood the capabilities of this new system?