Microsoft To Automate Malware Classification
Kuzulu Kuhuru writes "Researchers in Microsoft's anti-malware engineering team are using distance measure and machine learning technologies to automate the process of classifying new strains of computer viruses, Trojans and other malicious software programs." From the article: "Microsoft's proposal will take a 'holistic approach' to tackle the classification problem, Lee said, pointing out that the machine learning aspects will deal with everything, from knowledge consumption, representation and storage, to classifier model generation and selection. It aims to consume knowledge about the malware sample efficiently and automatically and represent that knowledge in a form that results in minimal information loss."
(Offtopic warning!)
:-)
That eweek's "malware icon" (just like slashdot's malware icon) has a picture of something that's not a worm.
Unless I've missed the threat of 'caterpillars' crawling the internet (consuming all resources).
Anyway, back on topic - wouldn't it be easier for MS to simply write more secure software? It's rather disheartening to hear their response to the deluge of malware is a classification program.
There are shills on slashdot. Apparently, I'm one of them.
I have every reason to be confident that this will work exactly as proposed with no problems whatsoever. After all, it's coming from Microsoft.
This guy's the limit!
Spyware provided by a big (or friend) corporation = GOOD
FOSS = malware
Is it just me, or are there more people that think that instead of getting busy automating the process of classifying new strains of computer viruses, Trojans and other malicious software programs, maybe they should address the cause of the problem first?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
After all, the malware business is one of those "ecosystems" that's wholly dependent on Microsoft. Only fair that MS should offer a little direction to their clients.
Lacking <sarcasm> tags,
Too bad the research isn't being done on ways to prevent malware. Apple could make good use of this: "Windows has so many viruses they need a computer to help sort through them all!"
Now, if they start taking payola for delisting malware, then this will be no better than all the shit the current batch of jokers/anti-spyware companies pull every day.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Or is classification going to allow them to have a flashier anti-malware tool to sell?
Can't you see it now...animation of the viruses being caught, sent down a chute that sorts them into different buckets. Different cute cuddlies for each type of virus, each with unique characteristics. They could then create an entire industry around stuffed animals and stickers the kids could trade! People would go around giving each other viruses on USB keys and via email just to watch the tool sort the cute things time and again!
This is marketing genius at work!!
It's a simple matter of complex programming.
How long till we get headlines like "Microsoft's Malware Software Deletes Windows after identifying it as a security risk"?
To combat pirates Microsoft plans to employ a full clan of Ninjas. According to latest polls Ninjas always have at least a 2 to 1 following compared to those who prefer pirates. These Microsoft Ninjas will be trained in all the dark arts, including, but not limited to, poisoning Pirate rum, placing explosive powders in their parrots, and using biological weapons such as scurvy induced rats. Psychological war will also be waged as the Ninjas use cardboard cutouts of themselves hidden throughout the pirate ships.
if (strcmp(product.ID, "MICROSOFT"))
exec("DeleteTheBastard.bat");
-- "Can't sleep, clowns will eat me!"
I bet a little help from the MSUpdate ActiveX will be welcome, after all "When you check for updates, basic information about your computer, not you, is used to determine which updates your programs need".
You don't need to know what's going on, just relax and trust them.
Why not just not have the user run as root all the time?
The main difference I've noticed between Linux and Windows is that Linux makes it abundantly easy to run under limited access using password prompting, while Windows tries to prevent you from securing it.
People say that "well you shouldn't run things you don't know." Well, that argument works for computer professionals and people that know what's going on. But to the average user, you should be able to tell what is and isn't going to hurt the system.
If an application needs to access any critical areas of the OS, the running threads, the registry, or anything else deemed critical or potentially harmful, it should prompt for password. This would give IT people a clear message to send to users "If it asks you for your password, make sure you trust the program." While it might be easy to click "yes" or "ok" to everything, because windows is user prompt hell to begin with, typing in and remembering a password takes considerably more work.
Why you would continue to try to patch the holes in the Titantic this way is beyond me. Unless now MS just wants to sell insecure products and then sell you repair kits to fix them.
Judges and senates have been bought for gold; Esteem and love were never to be sold.
I recall another company talking about an automated computer immune system. Sounds like automated discovery and response may be the way the industry is going. I was wondering if this would change the nature of attacks. One possible approach would be to create malware to fake a system into believing some critical dll or exe was infected. Suppose you could create some sort of antisense malware that would behave in a manner indicating malfeasance, but wouldn't actually do anything bad itself. The structure of the malware would be made only to be recognized, but the checksums etc, would actually cause the automatic software to now recognize a critical dll or exe as a foreign invader, and create a sort of auto-immune response. It would be less likely that this approach could be used to execute code, but a DOS might be achieved.
Just once I'd like to see a story run on /. that involves MS that starts a discussion of the issue in the story and not just collection of attacks on MS.
I'm not a big MS fan but it does get old.
Is buying a Harley Davidson as your first motorcycle since you were 16 at age 49 a midlife crisis issue?
1. Microsoft's long practice of anti-competitive behaviors calls its motives into question on every project.
2. Microsoft is prone to screwing things up even when they mean well.
I agree there are concerns. Most of those concerns stem, justifiably, from the word "Microsoft".
But, since we're not going to stop MS, it's worth seeing where the project pans out to.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Unfortunately there is only one living Ninja, and he is 76 years old.
http://www.mercurynews.com/mld/mercurynews/news/world/14434176.htm
Marketing or acquisitions? I mean, considering the amount of spyware in Vista, I wouldn't deem it impossible that this is an attempt to scout what's to come in the next gen.
:)
After all, when did MS really invent something themselves?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hi,
You can download the fix here. If this download gets marked by your antivirus please ignore it. Just trust me. You can also install the realvnc client and install it and post your ip here. Someone will fix it for you. I only need a small advance for this. Please pay by western union or use a cheque for this. I guess that you will trust me more if you paid for the service.
You, like most Slashdotters, would like to believe that Microsoft cared enough to sabotage FOSS wouldn't you? The truth is, they don't give a shit about it, and that's what really scares you.
Or maybe I'm way off base and this kind of automatic malware detection seems reasonably computable to people. I can think of so many ways (lots of which have been used in malware) to hide the malware in otherwise innocent programs. But what if I encoded my malware as a turing machine, how would they find out if it is malware without actually running it (or have I missed something?)?
I was reading the slashdot feed on my cell and the title only showed:
microsoft to automate malware
and I went like: wtf! haven't they done enough already?
mind you, not an hour ago I was removing over a hundred pieces of malware that a client had. all of them on just two machines...
I wish I could filter out the annoying Pickens articles...
"That isn't cancer, Mrs. Jones, we've redefined it as a sniffle."
The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
I don't have great confidence that Microsoft will plug security holes as fast if they SELL a product that can block Malware. I can see Microsoft updating their Malware detector to remove the threat and later patching Windows while Symantec and McAfee scream foul.
What is going to happen when Microsoft makes a more secure OS and the need for virus scanners and the like are no longer needed? Are we going to have another court case? I can just see a judge now saying that they have to have no less than one known vulnerability at a time so as not to run the anti-virus companies out of business.
Slashdot +1 funny -4 Insightful +1 informative -2 Redundant
Karma: Somewhere between SCO and Microsoft
Seriously. They're wasting billions on patching up what they've got and bolting on features to deal with its inherent problems. It's pretty clear to everyone at this point that pretty soon the whole house of cards is going to come crashing down.
Instead of trying to make the existing system smart enough to classify what's attacking it, why don't they just step back and make a whole new system secure enough that it doesn't needs an attacker classification system in the first place?
Vista is years overdue and has been gutted of all of its compelling features. When it ships it's going to be XP+eyecandy, and as a result is going to be a flop-- so why not get a skunk works operation going now to develop a 100% new Windows OS, backward compatibility be damned. Once they get that working, then add a 'classic' Windows compatibility environment to aid in the transition from old OS to new.
They have no qualms about copying anything else Apple does, so why not do that? It's arguably one of the things that saved Apple from oblivion and brought about their renaissance. Now it could do the same for Microsoft.
When I opened /. this was the second story. Headline (before scrolling) read
"Microsoft to automate malware"
I don't know if you guys did that on purpose, but thanks, I needed a good laugh today.
Has Microsoft not done enough to harm us? Now they have to go and automate malware?
(RTFA? This is slashdot! I didn't even finish reading the summary title!)
Kuzulu Kuhuru writes "Researchers in Slashdot's anti-troll engineering team are using distance measure and moderator learning technologies to automate the process of classifying new strains of offtopic posts, Flamebaits and other malicious posters." From the article: "Slashdot's proposal will take a 'holistic approach' to tackle the classification problem, Taco said, pointing out that the moderator learning aspects will deal with everything, from groupthink 'me-too' posters, verbal masturbation and karma whore-age, to Slashdot cliché generation and selection. It aims to consume knowledge about the troll sample efficiently and automatically and represent that knowledge in a form that results in minimal information loss."
Now Microsoft engineers sound like my PHB.
Build a smarter virus-scanner and virus-authors will write smarter virus code. We've had that 20 years ago.
Automatically running any downloaded code in a sandbox until the user explicitly asks for it to be installed locally (say, after testing it out in the sandbox) would be a much simpler and much more effective step. There's 5-10 others, like not making the default user an admin, etc.
But maybe marketing just didn't "get" them as well as "look here, shiny new technology".
Assorted stuff I do sometimes: Lemuria.org
classifying new strains of computer viruses, Trojans and other malicious software programs.
I wonder how it would classify Windows XP and Vista... Spyware I guess...
but seriously - this would all be unnecessary if ms were able to develop an OS instead of swiss cheese... or people would stop using the swiss cheese...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Vista couldn't get malware
The process of classifying malware samples into families is mainly driven by the following steps,
...
1. Analyze an Object (sample).
2. Represent and store knowledge of the object in a structured format.
3. Reference learned knowledge, apply classifiers to recognize familiar patterns and correlate similarities.
To me that's just like saying
The process of taking notes in class is,
1. Listen to the speaker
2. Write down what he's saying
3. Read it later to study for your exam
Now some security researcher won't have to spend an hour a day classifying new viruses. They'll save thousands of dollars every year, minus the costs of training, debugging, and verification, and whatever it cost to write the thing.
The number and severity of Windows viruses and malware has now reached the point where MS finds it worthwhile to automate the process --- presumably because doing it manually simply takes up too much (expensive) human intervention for them.
Maybe it's time that some authority figure(s) at MS took a step back and re-thought their security model? Nah.....
--- Asking inconvenient questions for over 30 years...
Scurvy is caused by a lack of Vitamin C. English sailors were called "limeys" because they would suck on limes to prevent scurvy. It's not a communicable disease.
Hey, people! At the time I write this only on this page I've found the name of that company 22 times. Could you just stop writing down that name? At least for a day?
Imagine -- so much malware that there is a REAL TEAM working on the problem of automatically classifying it!
Wow...
Now that I am finished laughing (and it was a good one)...
Ratboy
Just another "Cubible(sic) Joe" 2 17 3061
Now the black hats can
Thanks Microsoft, you are working so hard to make all those black hat crackers life easy! (and for finally removing that pesky ???? that kept getting in the way of profit here at slashdot)
I think I'll invest in retirement villas in the Caspian Sea area.
Do we Remember the M$ Firewall? There's only so many compilers out there (m$ use Borland) so it was quickly decoded, and cracked. Then the Security advice was "Whatever you do, DON'T RUN THE M$ FIREWALL" There were guys out scouring the 'net for someone stupid enough to be running a m$ firewall. I think someone in their dreams of taking over the Internet one day... Thank goodness for GNU & Linux.
True, the inchworm is a moth larva, but it's still called a worm, just as the media calls a lot of worms "viruses."
if ($program_info{'author'} ne 'MS') { $program_info{'type'} = ('Virus', 'Trojan', 'Spyware')[int rand 3]; }
Whoot 1 line!
Automate Malware, sorry your current Hotmail account only accepts maleware! You can not use it for anything useful other than receive spam mail. Please upgrade to our newest release Hotmail 2.0. Watch the Butterfly fly faster!
For those that actually read the article, the link to Flake's research on this is actually good, meatier reading (though not much more meaty). Granted, it's for another company, not Microsoft, but I imagine that Microsoft will try some similar approaches.
Basically, at Flake's company they have a tool that tells the degree of similarity between two programs. I'm not sure of the actual mechanics of this (if it's 1-by-1 instruction comparison, on a functional level, etc), but it enables them to build taxonomies of malware programs. Trees of programs that are variants of each other, if related; separate trees if not. It somewhat reminds me of stuff in bioinformatics, though my knowledge of that area is extremely weak.
It's neat stuff if you're interested in that sort of thing.
The rest of you all can go back to bashing Microsoft.
Humorless sig goes here.
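The three-step pipeline quoted from the article earlier in the thread (analyze the object, store a structured representation, apply a distance measure and classifier) and the similarity-based taxonomy described in the post above, as an added example that is not code from the article, from Microsoft or from Flake's tool: a small Python sketch that represents each sample as its set of overlapping byte n-grams, uses Jaccard distance as the similarity measure, assigns an unknown sample to the family of its nearest known sample, and builds the "trees of variants" by single-linkage clustering. The sample byte strings are constructed stand-ins for binaries (not real malware), and the n-gram length and the 0.5 distance threshold are illustrative assumptions.

```python
"""Toy malware-family classifier built on a distance measure over byte n-grams.

Constructed example: the byte strings below stand in for binaries and are NOT
real malware; the feature choice, distance and thresholds are illustrative.
"""
from itertools import combinations

NGRAM = 4               # length of the overlapping byte n-grams used as features (assumption)
FAMILY_THRESHOLD = 0.5  # Jaccard distance above which two samples are "not related" (assumption)

# Constructed corpus, named <family>.<variant>. Each family is a base program plus
# small insertions, which is roughly what real variants of one strain look like.
SAMPLES = {
    "worm.a.1": b"MZ|open_socket|scan_subnet|send_payload|copy_self|add_run_key",
    "worm.a.2": b"MZ|open_socket|scan_subnet|sleep|send_payload|copy_self|add_run_key",
    "worm.a.3": b"MZ|open_socket|scan_subnet|send_payload|encrypt|copy_self|add_run_key",
    "trojan.b.1": b"MZ|show_fake_dialog|read_keystrokes|post_http|hide_window",
    "trojan.b.2": b"MZ|show_fake_dialog|read_keystrokes|post_http|hide_window|persist",
    "benign.calc": b"MZ|create_window|parse_expression|draw_buttons|compute",
}


def analyze(blob: bytes) -> frozenset:
    """Step 1: analyze an object, here by reducing it to its set of byte n-grams."""
    return frozenset(blob[i:i + NGRAM] for i in range(len(blob) - NGRAM + 1))


# Step 2: represent and store the knowledge in a structured form (name -> feature set).
FEATURE_DB = {name: analyze(blob) for name, blob in SAMPLES.items()}


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """Distance measure: 0.0 for identical feature sets, 1.0 for disjoint ones."""
    union = a | b
    if not union:
        return 0.0
    return 1.0 - len(a & b) / len(union)


def family_of(name: str) -> str:
    """'worm.a.2' -> 'worm.a'; the family label is the name minus its variant suffix."""
    return name.rsplit(".", 1)[0]


def classify(blob: bytes, db=FEATURE_DB, threshold=FAMILY_THRESHOLD):
    """Step 3: nearest-neighbour lookup against the store.

    Returns (family, nearest_sample, distance); family is None when the nearest
    known sample is further away than the threshold, i.e. a new-family candidate.
    """
    feats = analyze(blob)
    nearest, dist = min(((n, jaccard_distance(feats, f)) for n, f in db.items()),
                        key=lambda pair: pair[1])
    if dist > threshold:
        return None, nearest, dist
    return family_of(nearest), nearest, dist


def cluster(db=FEATURE_DB, threshold=FAMILY_THRESHOLD):
    """Single-linkage clustering: link every pair closer than the threshold and
    return the connected components, i.e. the inferred families (the taxonomy)."""
    parent = {n: n for n in db}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(db, 2):
        if jaccard_distance(db[a], db[b]) <= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for n in db:
        groups.setdefault(find(n), set()).add(n)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


if __name__ == "__main__":
    # A close variant of worm.a.1 (constructed) and something unlike anything stored.
    for blob in (b"MZ|open_socket|scan_subnet|send_payload|copy_self|add_run_key|sleep",
                 b"MZ|mine_coins|throttle_cpu|report_hashrate"):
        fam, near, d = classify(blob)
        print(f"{blob[:24]!r}... -> family={fam} nearest={near} distance={d:.2f}")
    for group in cluster():
        print("family cluster:", sorted(group))
```

Because the distance is computed on raw byte n-grams, a variant that inserts a few instructions stays close to its parent, while a wholly unrelated sample lands well past the threshold and is reported as a candidate new family rather than forced into an existing one; a production system would swap the n-gram sets for the richer representation the article alludes to (structural and behavioural features) and pick the threshold from labelled data instead of guessing it.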
Scurvy is a vitamin deficiency, not a contagious disease.
My favorite scurvy quote:
"I had a horrible rash, and I was afraid that it was scurvy! I couldn't understand it because I had been making sure to eat lots of spinach. Then I went to the doctor and he said that it was just genital herpes. What a relief!"
whatever happened to.. "It's not a bug, it's a feature"?
step #1: create sw with large gaping holes for worms and viruses
step #2: wait till market is ripe for a/v software
step #3: buy an a/v software maker, offer a/v product for free
step #4: wait for ppl to get hooked
step #5: announce that a/v software may not be in the future
step #6: automate malware classification
step #7: ..???
Microsoft, Microsoft, ooh Mi-mimi-mimimi-Microsoft!
Badum-dum-dum...
Seriously, though, if you think mentioning the name of a company that everyone here knows about is going to give free publicity in a discussion about said company........... well, you're just plain dumb.
Or you can protect the user in the first place by providing informed prompts and enabling the user to make the right and/or wrong choices. You can keep an outgoing firewall closed by default and authorize applications one by one, and be sure to protect the user from anything manipulating these dialog boxes.
Why start trying to identify it? Let the user identify it and you just keep it from doing any damage.
-M
when you see the word 'Linux', drink!
>distance measure and machine learning technologies
>take a 'holistic approach'
>knowledge consumption
>classifier model generation and selection
>consume knowledge
Could someone who speaks that language take a stab at translating it for us? Could someone familiar with the technology tell us whether the "knowledge consumption" might consume more knowledge than it's supposed to and leave us dumber, as reading the article summary did?
I'm going to automate the process of creating malware. The automation process will be designed specifically to exploit a hole in their classification software, so that it executes arbitrary code that changes the software so that it classifies all MS software as "F1R5T P05T lolol!"
http://outcampaign.org/
Microsoft has finally realized that they need to more closely measure the malware that they've come to depend upon for feeding the upgrade cycle. If the number of emerging malware threats starts to taper off, they need to know this early to adjust their sales projections and hopefully take remedial action. If malware should ever be contained, it would spell doom for the hardware manufacturers and the OS supplier as well. It's no coincidence that a new computer performs well only for a short time and then becomes slower and slower as the malware accumulates. This means that the users will eventually give up and buy another computer, with a new OS license. Everybody wins! (well, except the consumer, but the label they give them tells you what the business world thinks their only purpose is)
...to have Gates demo their new malware detector and watch in horror as it deletes itself...
The race isn't always to the swift... but that's the way to bet!
It's a lot like how many insects are called "bugs" when only those of the order hemiptera are true bugs.
Even so, knowing as I do from my studies of entomology that absolutely no insect is properly called a "worm" I still think that this picture would make a much cooler logo:
Evil looking little bugger.
It will end up with a "current high score" for the folk inside Microsoft who would get to see the data collected. Almost game like. That aside, it would be interesting to speculate what their defining rubric for what makes a piece of software a piece of malware.
Microsoft's proposal will take a 'holistic approach' to tackle the classification problem...
I'm guessing that this "holistic approach" will do for malware what it did for medicine.
Wanted: witty unique signature. Must be willing to relocate.
Principle of Least Privilege Whitepaper - MalcomVetter