A joint research team from Microsoft and Intel has developed a new system to combat malware used in theft and robbery attacks and in the remote control of devices, systems and applications. The team called it "Stamina" and explained that it relies on artificial intelligence, combining "deep learning" and "computer vision" techniques: it converts any data file into a one-dimensional set of points, or "pixels", then reconstructs it as an image, reveals the presence of malware, and then removes it.

The details of the new "Stamina" system were announced in a research paper published by researchers on the Microsoft Information Security Intelligence team, Jugal Parikh and Marc Marino, on the company's official information security blog. They confirmed that the results so far were achieved on small data files, and that the team will continue its work in the coming period to expand the scope of "Stamina" so that it operates as an effective protection system, part of which will run on the computers of customers and users and the other part on the servers that operate Microsoft's cloud computing systems.

Idea of the system

The researchers pointed out that "Stamina" is an abbreviation for a method of dealing with malware called "static malware-as-image network analysis". The basic idea is that the system depends on what is known as "static analysis" of files and programs: analysis of suspicious program files while they are at rest, not running. The program is just a file on the computer that has not been installed yet, or has been installed but is not running. This is an established, well-known method of dealing with viruses and malware files, and it differs from another widespread approach, which is based on monitoring and detecting malware through its behavior while it is actually running.

They added that what is new in "Stamina" is that it scans the file under examination comprehensively, then breaks it down and converts it into a one-dimensional stream of "pixels", and then uses this stream to rebuild the file as a two-dimensional image in the "JPEG" format familiar from the world of image files. The file thus becomes an image with a visual appearance that can be examined to determine whether the whole file is malicious software, or whether it contains malicious software or not.

Practical implementation

The researchers, Parikh and Marino, showed that the practical implementation of this idea consists of three main steps. The first is image conversion and construction, which covers converting the binaries into a one-dimensional "stream" of pixels and turning the pixels from the files into two-dimensional images. The second step is transfer learning, in which the method of "selective learning" is used to shorten the time needed for image analysis and learning while maintaining high performance in analysis and classification. The third step is evaluation, in which the images produced from the file are closely matched against images already known to be malware, based on historical data and on current data about the versions of malware and its various strains.
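The first step described above (byte stream, then two-dimensional image, then resizing) can be sketched as follows. This is an added example, not code from the researchers; the near-square width, the nearest-neighbour resize, the 16x16 output size and the PGM output (instead of JPEG, to avoid external libraries) are assumptions made for illustration, and the sample bytes are constructed.

```python
import math

def to_pixel_stream(data):
    """Every byte of the file becomes one grayscale pixel value (0-255)."""
    return list(data)

def to_image(stream, width=None):
    """Fold the 1-D stream into rows of `width` pixels.
    Assumption: near-square layout; the last row is zero-padded."""
    if not stream:
        raise ValueError("empty file: nothing to render")
    width = width or math.ceil(math.sqrt(len(stream)))
    height = math.ceil(len(stream) / width)
    padded = stream + [0] * (width * height - len(stream))
    return [padded[r * width:(r + 1) * width] for r in range(height)]

def resize(image, out_w, out_h):
    """Nearest-neighbour resize to the fixed input size a classifier expects."""
    in_h, in_w = len(image), len(image[0])
    return [[image[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
            for y in range(out_h)]

def to_pgm(image):
    """Serialise as binary PGM (P5) so the result can be opened in an image viewer."""
    h, w = len(image), len(image[0])
    return b"P5\n%d %d\n255\n" % (w, h) + bytes(p for row in image for p in row)

def file_to_model_input(data, size=16):
    """Whole first step: bytes -> pixel stream -> 2-D image -> fixed-size image."""
    return resize(to_image(to_pixel_stream(data)), size, size)

# Constructed sample input standing in for a small binary file (not real malware).
SAMPLE = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 200 + b"\xff" * 100

if __name__ == "__main__":
    full = to_image(to_pixel_stream(SAMPLE))
    print("original image:", len(full[0]), "x", len(full))
    print("model input: 16 x 16, first row:", file_to_model_input(SAMPLE)[0])
```

Because the resize step samples or discards pixels, the larger the file, the less of its content survives into the fixed-size image.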

Implementation tools

The researchers pointed out that designing the system in this way means that it needs continuous matching and training processes in all its steps. Hence, various artificial intelligence techniques have been used, including "computer vision" techniques to accelerate the matching and verification processes, and "machine learning" technology, which has been used exclusively in two of its branches, namely "deep learning" and "deep neural networks". These make the system capable of continuous training and learning, of understanding the nature and characteristics of malware first-hand, and of using what it has learned to examine files on computers and discover the malware they contain.

They also mentioned that the result is a form of "static analysis" that relies entirely on artificial intelligence techniques, which use dynamic, renewable data.

System testing

The researchers on the Microsoft Information Security Intelligence team, Jugal Parikh and Marc Marino, said that Stamina was tested on a sample of 2.2 million different parts of files, noting that the new system achieved an accuracy of 99.99% in detecting and removing malware, with a false positive rate of 2.58%.

They added that this was achieved with small files, but that the system faltered with larger files, because of limits on converting billions of pixels into JPEG images and then resizing them.