Sharing ideas, tools, and techniques among our community of defenders makes everyone sharper and safer. To that end, we previously received third-party certification, joined AMTSO, have published and presented in peer-reviewed settings, and have otherwise participated openly in the broader infosec community. Continuing this pursuit of community engagement, we are pleased to announce that we have integrated MalwareScore™, Endgame's proprietary machine learning-powered malware detection and prevention engine, into VirusTotal.
While MalwareScore™ has been available to Endgame customers since last year as the earliest deployment of machine learning in our security platform, its worldwide availability through VirusTotal merits a broader explanation of its scope and design.
Scope: Prevent and Detect Executable Malware with Machine Learning
Endgame’s approach to protecting the endpoint relies on unified and tightly-integrated layers of behavioral protection mechanisms that each cover a swath of an attacker’s life cycle. These layers include exploit prevention, prevention of attacker techniques, detection of fileless attacks and signature-less malware detection. Protection against malware is a foundational element of an endpoint security solution, preventing adversaries who may have gained access to an endpoint from establishing persistence, installing backdoors, or executing ransomware, for example.
Critical to a modern malware prevention and detection solution is independence from rules, signatures and IOCs, which are inherently reactive because they are derived from post-breach forensics. While these traditional practices have their place, holistic prevention and detection must rely on a less brittle solution. As detailed in our whitepaper last year, we built MalwareScore™ as the foundation for preventative malware protection using machine learning because it provides many advantages, including:
- a unified way to generalize to never-before-seen malware samples, families and variants (signatureless);
- an automated means to adapt malware prevention to emerging trends observed in malware or discovered by researchers; and
- deep insights learned from complex predictive relationships in the data that might only otherwise yield weak hand-crafted indicators of maliciousness.
Design: Lightweight but Lethal
Our design philosophy in MalwareScore™ was to include a machine learning model as one piece of a suite of tightly-integrated protective layers, with no need for cloud connectivity, and with a unified user experience. As such, from the get-go, we had three primary requirements in scoping our malware prevention models:
- extremely small footprint,
- rapid execution (low CPU utilization), and
- very high detection rate at extremely low false positive rates.
After rigorous competitive analysis, we believe we've punctuated each objective with an exclamation point. For a typical executable file, our model takes 5 ms to evaluate, with a memory footprint of roughly 5 MB. It reproduces the malicious and benign labels of our holdout validation sets with an area under the ROC curve (AUC) of 0.9997. In practice, this allows our customers to achieve a true positive rate exceeding 99% at false positive rates below 1:1000 (0.1%). And, as our own harshest critics, we're continuously and relentlessly in pursuit of improvements to our models and methodology.
Deployment: MalwareScore™ in Action
MalwareScore™ prevents malicious Windows executables from running on customers’ endpoints using wholly on-sensor machine learning models. In addition, Endgame computes a MalwareScore™ for each PE file that is created or modified on an endpoint and triggers an alert for executables with a sufficiently high MalwareScore™. Endgame provides several user-selectable settings for MalwareScore™ to allow customers to adjust their detection and prevention postures to be either more conservative or more aggressive.
MalwareScore™ is a tightly integrated feature within our endpoint protection platform. For deployment in VirusTotal, we extracted and wrapped the MalwareScore™ product feature as a standalone scanner that examines all incoming PE files. As deployed in VirusTotal, MalwareScore™ currently outputs three categories: benign, malicious (moderate confidence), and malicious (high confidence).
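The metrics quoted above (ROC AUC, true positive rate at a fixed false positive rate) and the three VirusTotal verdict classes come together when a classifier's score is turned into operating thresholds. The following is an added illustration, not Endgame's code and not the MalwareScore™ model: it computes AUC from a constructed, hypothetical holdout set of scores, picks the lowest threshold that keeps FPR under a target, and maps a score to benign / malicious (moderate confidence) / malicious (high confidence) using two such thresholds.

```python
# Added illustration (not Endgame's code): operating points for a malware
# classifier, derived from holdout scores in [0, 1] where higher = more malicious.

# Constructed, hypothetical holdout set: (score, label) with label 1 = malicious.
HOLDOUT = [
    (0.01, 0), (0.03, 0), (0.05, 0), (0.08, 0), (0.12, 0), (0.20, 0),
    (0.35, 0), (0.55, 0), (0.70, 0), (0.96, 0),
    (0.40, 1), (0.62, 1), (0.75, 1), (0.81, 1), (0.88, 1), (0.90, 1),
    (0.93, 1), (0.97, 1), (0.98, 1), (0.99, 1),
]


def _split(samples):
    pos = [s for s, y in samples if y == 1]
    neg = [s for s, y in samples if y == 0]
    return pos, neg


def auc(samples):
    """ROC AUC via the rank statistic: the probability that a random malicious
    sample outscores a random benign one (ties count as one half)."""
    pos, neg = _split(samples)
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def threshold_at_fpr(samples, max_fpr):
    """Lowest threshold t with FPR(score >= t) <= max_fpr, i.e. the operating
    point with the highest TPR that still meets the FPR budget.
    Returns (t, tpr, fpr), or None if no threshold satisfies the budget."""
    pos, neg = _split(samples)
    for t in sorted({s for s, _ in samples}):      # ascending candidates
        fpr = sum(n >= t for n in neg) / len(neg)  # non-increasing in t
        if fpr <= max_fpr:
            return t, sum(p >= t for p in pos) / len(pos), fpr
    return None


def categorize(score, moderate_t, high_t):
    """Map a score to the three verdict classes reported in VirusTotal."""
    if score >= high_t:
        return "malicious (high confidence)"
    if score >= moderate_t:
        return "malicious (moderate confidence)"
    return "benign"


if __name__ == "__main__":
    t_mod, tpr, fpr = threshold_at_fpr(HOLDOUT, 0.10)   # loose budget: 1 in 10
    t_high, _, _ = threshold_at_fpr(HOLDOUT, 0.0)       # strict budget: no FPs
    print(f"AUC={auc(HOLDOUT):.2f} moderate>={t_mod} (TPR {tpr:.0%} @ FPR {fpr:.0%}) high>={t_high}")
    for s in (0.50, 0.80, 0.98):
        print(s, categorize(s, t_mod, t_high))
```

A target such as 1:1000 can only be measured on a holdout with well over a thousand benign files, otherwise the lowest non-zero FPR the set can express is already above the budget.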
Strengthening Defenses through Machine Learning
Machine learning and artificial intelligence are exciting fields that have many applications to security. In addition to MalwareScore™, Endgame is applying machine learning and artificial intelligence to other areas to help defenders detect, prevent and respond to malicious activity in other phases of the attacker’s life cycle.
Our team at Endgame leveraged years of previous experience building data-driven products to research, develop, rigorously test and deploy MalwareScore™ into the Endgame platform. Today’s inclusion into VirusTotal provides a tremendous opportunity to assist security analysts worldwide and is a validating step for MalwareScore™. But we’re not done yet! We’re continually improving MalwareScore™, aggressively seeking out corner cases and solving those problems through data collection and curation, engineering, and maintaining the perspective of an attacker. Stay tuned as we incorporate updates to our endpoint detection and response product offering into the VirusTotal scanner in the months to come.
We welcome your input to continue helping us support the community. Please send any feedback to: vt_feedback@endgame.com