DeepRay foils cyber crooks' business plans


Machine Learning against Malware: G DATA has introduced its latest Next-Generation Technology. DeepRay can effectively detect the obfuscation of malware samples and thus protect customers from new threats in real time.

G DATA is taking action against the growing threat of cybercrime with a completely new development. Instead of catching malware with classic signatures, the German IT security manufacturer relies on a self-developed machine learning solution to identify rapidly changing malware quickly, effectively and in a resource-saving manner and to block its execution. DeepRay technology uses artificial intelligence to classify potential malware files based on more than 150 factors and calculates a risk value for each executable.

DeepRay has become necessary because the cybercrime scene has developed massively in recent years. Malware has become a service good. Criminals can buy specialized malware packages on relevant underground platforms and then distribute them. They need far less specialist knowledge than before. As a result, more and more criminals are making use of these services resulting in ever more malware being distributed on the Internet. In addition, the malware itself is even more technologically advanced. Sophisticated camouflage mechanisms make detection by antivirus software difficult. Classical algorithms for detecting such malware are therefore severely limited in their effectiveness.

New iteration of next-gen technologies

The DeepRay technology complements the already extensive portfolio of next-generation technologies in the G DATA security solutions. Exploit Protection already prevents the exploitation of vulnerabilities in the operating system and other software, while G DATA BankGuard protects users during online banking. A complete overview of all Next-Gen components can be found in this blog post.

"With DeepRay we are changing the rules of the game and are depriving cybercriminals of their economic basis. Thanks to this new technology, we can look behind the camouflage of the malware and effectively fend off fast-moving malware campaigns. This will significantly improve protection for our customers," says Andreas L√ľning, founder and CEO of G DATA CyberDefense AG.

DeepRay is based on G DATA's more than 30 years of experience in the antivirus business. The know-how in the analysis and classification of malware is used directly to train the new machine learning components. G DATA uses a neural network with several perceptrons to classify executable files quickly and efficiently.

A total of around 20 differently trained machine learning models are at work in the G DATA security solution in order to guarantee the best detection of malicious files using DeepRay. Executable files of various types (portable executables such as .exe / MSIL/.Net or VB6) are analyzed using static indicators defined in advance by our analysts. The training set includes more than 150 such indicators, including the ratio of file size to executable code, the compiler version used, and the number of system functions imported.

20 Machine Learning Models at the Customer's Service

Using various training sets, the models analyse the processes and determine a risk value. If one of the models classifies the file as likely malicious, the machine learning technology initiates a deeper analysis of the file. This analysis is performed in RAM on the customer's machine. As a result, malware cannot behave differently in an analysis environment and evade detection, as is often the case. The DeepRay technology therefore makes it possible to detect even previously unknown malware on the basis of certain characteristics occurring in RAM.

It does not help cybercriminals to hide their malicious code with the help of certain packers or other obfuscation techniques. Firstly, the use of certain packers in combination with other features can be a tell-tale sign of amalicious executable. Secondly, the code eventually runs in plain text in the computer's memory and can thus be analysed irrespective of which obfuscation is used.

If new malware families or completely new threats emerge, a further learning process is still indispensable. For this DeepRay uses adaptive learning. The knowledge gained from the technology will be much more stable and long-term applicable than single signatures or heuristic detection methods.

The advantage of the technology is obvious: it can not only detect malware samples that analysts have previously classified as harmful, but also previously unknown programs. In addition, it is no longer necessary to create a dedicated signature for each individual detection. Through a growing data set and a long-term learning process, the knowledge gained from DeepRay can provide effective long-term protection for users against malware.