Forgot your password?
typodupeerror

Microsoft To Automate Malware Classification 124

Posted by Zonk
from the virus-a947qalpha dept.
Kuzulu Kuhuru writes "Researchers in Microsoft's anti-malware engineering team are using distance measure and machine learning technologies to automate the process of classifying new strains of computer viruses, Trojans and other malicious software programs." From the article: "Microsoft's proposal will take a 'holistic approach' to tackle the classification problem, Lee said, pointing out that the machine learning aspects will deal with everything, from knowledge consumption, representation and storage, to classifier model generation and selection. It aims to consume knowledge about the malware sample efficiently and automatically and represent that knowledge in a form that results in minimal information loss. "
This discussion has been archived. No new comments can be posted.

Microsoft To Automate Malware Classification

Comments Filter:
  • (Offtopic warning!)

    That eweek's "malware icon" [ziffdavisinternet.com] (just like slashdot's malware icon [slashdot.org] has a picture of something that's not a worm.

    Unless I've missed the threat of 'caterpillars' crawling the internet (consuming all resources [amazon.com]. :-)

    Anyway, back on topic - wouldn't it be easier for MS to simply write more secure software? It's rather disheartening to hear their response to the deluge of malware is a classification program.
  • Easy (Score:2, Insightful)

    by aadvancedGIR (959466)
    Spyware provided by a big (or friend) corporation = GOOD
    FOSS = malware
    • What do you want to bet that anything that is signed doesn't get checked. because it is trusted..

      because by paying 300$ - the people must be legit.. sorry but the whole idea of root certs for by passing security measures is jsut dumb.
    • by tenco (773732)
      I use the so called "Windows Defender" Beta 2 and have a lot of FOSS installed. The last time i scanned my System with this utility (1 minute ago), it detected no malware.
  • Priorities? (Score:2, Insightful)

    by mrjb (547783)
    Is it just me, or are there more people that think that instead of getting busy automating the process of classifying new strains of computer viruses, Trojans and other malicious software programs, maybe they should address the cause of the problem first?
    • by Savage-Rabbit (308260) on Friday May 12, 2006 @11:24AM (#15317889)
      Is it just me, or are there more people that think that instead of getting busy automating the process of classifying new strains of computer viruses, Trojans and other malicious software programs, maybe they should address the cause of the problem first?

      I'm not sure that training enough high class .NET certified MSCA ratified ninja commando teams to assasinate all those thousands of malware authors and spam kings would be a financially viable proposition for Microsoft. Using a fully automated self classifying system to build a proper threat library which can later be fed to mass manufactured hunter killer bots and android terminators sounds like a much more cost effective approach.
    • This is typical Microsoft bandaid the problem. I'm not saying it's a bad idea, but MS does this all over the place. Take the start menu. Any idiot in 95 could have seen that anyone who added more than 20 programs in that list would make things hard to find. Eventually Microsoft works around the problem by making the list scroll. Then they go to hideing stuff you don't use. Eventually they just stuffed the start menu for programs away with XP and give you the option of putting more programs up front.
      • They've done a doozie with Vista.

        Problem: Everyone logs in as administrator, so there's no security.

        Obvious solution: Don't let people log in as administrator, implement password protected setuid (aka. OSX)

        MS solution: Remove all privileges from the administrator. Have a passwordless setuid which is default 'yes' (so you *very* quickly learn to hit return by reflex when it appears) and invariably asks you if you want 'rundll32' to have privileges. Make this dialog pop up when you want to do *anything*.
    • Maybe they should address the cause of the problem first?

      What cause would that be? Maybe employing humans? Or maybe the fact that they use C and C++ heavily?

      Hmm, what other projects are written by humans and use C/C++ heavily? Oh right .... all the competitors! How many "arbitrary code execution" vulnerabilities has Firefox had in the past year? How many privilege escalation bugs has the X server had in the past year? How many has MacOS X had that haven't been fixed for months? How short is the "dump e

    • You mean like teaching users not to click "OK" on seedy websites? Yeah . . . that's gonna work. If the user gives a program executable permission, it's not going to help that there are no holes in the operating system. Just like "sudo make install BAD_MALWARE" would probably kill you on Linux. Yeah, they could work on permissions, but users will probably just clobber those too.
  • Fair's fair (Score:2, Funny)

    by overshoot (39700)
    After all, the malware business is one of those "ecosystems" that's wholly dependent on Microsoft. Only fair that MS should offer a little direction to their clients.
  • by noidentity (188756) on Friday May 12, 2006 @11:03AM (#15317648)
    Too bad the research isn't being done on ways to prevent malware. Apple could make good use of this: "Windows has so many viruses they need a computer to help sort through them all!"
    • (Ignoring the fact that these technologies are being used by the virus analysts at Microsoft to create signatures for MRT and other technologies at a near automated pace...)

      Just remember this... When you're sleeping with 98% of the population, you're bound to run into a bug or two. That's one argument for chastity, I guess.
  • Simple Alog (Score:1, Insightful)

    by Slipgrid (938571)
    ---snip trusted.txt---
    ms
    dell
    hp
    doj
    dod
    usgov
    --- snip---

    if (is_on_trusted_computing_list(this.product.vendor) ){
    this.product.malflag = false;
    } else {
    this.product.malflag = true;
    die();
    }
    • It's a shame that you got marked troll. It's not like this is not a pattern of behavior going all the way back to the MS-DOS [internetnews.com] days of computing. ...Those who don't learn from history are doomed to repeat it I guess.
    • Don't forget to add RIAA, MPAA, and Sony to the trusted list. If we have only one anto-spyware/virus/malware company, then they will make the definitions of what is and isn't malware. So if Sony does another rootkit, but buys MS (or any monopolist in the anti-malware trade) off, then no one will be able to call it dangerous.
  • IF ... and that's a big if ... Microsoft has the balls to leave it fully automated and let the system do its thing.

    Now, if they start taking payola for delisting malware, then this will be no better than all the shit the current batch of jokers/anti-spyware companies pull every day.

    • SO its going to stop lots of programs which spread....

      Firstly it will be down goes youtube, myspace, and all the other sites powered by lots of people visiting them.

      Then stuff like msn will start getting blocked (we can only hope?) i mean, will it block msn it if has the stupid smiley central stuff installed?
      • Because even when Microsoft has the kernel of a good idea, it oftens takes a beating because:

        1. Microsoft's long practice of anti-competitive behaviors calls its motives into question on every project.
        2. Microsoft is prone to screwing things up even when they mean well.

        I agree there are concerns. Most of those concerns stem, justifiably, from the word "Microsoft".

        But, since we're not going to stop MS, it's worth seeing where the project pans out to.

  • If they can classify the stuff, shouldn't they be able to stop it?

    Or is classification going to allow them to have a flashier anti-malware tool to sell?

    Can't you see it now...animation of the viruses being caught, sent down a chute that sorts them into different buckets. Different cute cuddlies for each type of virus, each with unique characteristics. They could then create an entire industry around stuffed animals and stickers the kids could trade! People would go around giving each other viruses on

    • but which one will clippy represent???? or is he the dungeon master?
    • If they can classify the stuff, shouldn't they be able to stop it?

      Or is classification going to allow them to have a flashier anti-malware tool to sell?


      It could give you an idea of exactly how hosed your system is, and what, if any, kinds of remedies might actually work. If your machine is infested beyond repair, wouldn't you want to know that?

      Slashdot is entirely too pragmatic, and cynical about Microsoft in general. Your post is just one example. This is Microsoft Research, which is very active in theoret
      • cynical about Microsoft in general. Your post is just one example.

        Cynical? yes. Incorrect? not necessarily.

        Having worked for the "MS-beast", and having been in meetings where exactly these kinds of conversation went on, I don't think I'm being unrealistic.

        When a couple of us young developers recognized that auto-run macros in the soon-to-be-released MS-Word 6 was a potential for some serious misuse, marketing assured us that this is what corporate customers wanted...and that home users likely woul

    • If they can classify the stuff, shouldn't they be able to stop it?

      I'm sure they hope so. I doubt they are trying to classify it simply as an academic exercise. I'm guessing - going way out on a limb here - that Microsoft is planning to try to stop the malware they identify. Probably, they'll use some kind of special anti-malware software. They could call it "Windows Defender" or something.

    • Was about to comment on the same lines... too much effort to put a bright, shiny and new label to a problem instead of worrying on solving/curing/fixing it,

      Of course, you can say, oh, but a trojan is a different beast than a worm, so must be treated different by future development. Or better yet, this is a future-cool-name-that-implies-user-interaction that is really different from a future-cooler-name-that-implies-exploiting-net-se r vices-vulnerabilities. But i bet that will make things more confusing th

      • Is it possible to take a step back and remove the veil of seething anti-Microsoft rage for a moment and look at the issue objectively?

        Identifying what a new piece of malware does is the very first step to "solving/curing/fixing" it. If a virus analyst can be presented with detailed family classification when a new sample comes in, they can target their analysis to more efficiently create a signature, identify a new class of malware, and/or find a new method to prevent a particular type of infection.

        Oh, and
    • Quick! Nine innocent citizens and one heinous (but unidentified) criminal are standing in a group. You have a license to shoot the criminal. Ready, aim ... fire!

      Oh, wait. Which one is the criminal?

      The first step to stopping malware is to identify it.
    • ...This is marketing genius at work!!

      Yes, because Microsoft is so good at making predicitions [cbsnews.com] seeing them to fruition.

  • by PhotoBoy (684898) on Friday May 12, 2006 @11:07AM (#15317697)
    How long till we get headlines like "Microsoft's Malware Software Deletes Windows after identifying it as a security risk"?
    • How long till we get headlines like "Microsoft's Malware Software Deletes Windows after identifying it as a security risk"?
      Indefinitely. Why should we expect such accurate results from a Microsoft written tool?
    • Actually what would be better is malware that gets "MS anti-malware" to identify itself as malware. Then it just removes itself. Or remove other stuff like windowsupdate.
  • To combat pirates Microsoft plans to employ a full clan of Ninjas. According to latest polls Ninjas always have at least a 2 to 1 following compared to those who prefer pirates. These Microsoft Ninjas will be trained in all the dark arts, including, but not limited to, poisoning Pirate rum, placing explosive powders in their parrots, and using biological weapons such as scurvy induced rats. Psychological war will also be waged as the Ninjas use cardboard cutouts of themselves hidden throughout the pirate
  • Easy... (Score:2, Funny)

    by WebfishUK (249858)
    if (strcmp(product.ID, "MICROSOFT"))
          exec("DeleteTheBastard.bat");
  • How will they collect all the data they need for this? - what OS versions are infected, what are the worms trying to do, etc.

    I bet a little help from the MSUpdate ActiveX will be welcome, after all "When you check for updates, basic information about your computer, not you, is used to determine which updates your programs need".
    You don't need to know what's going on, just relax and trust them.

  • Here's a thought! (Score:3, Interesting)

    by danpsmith (922127) on Friday May 12, 2006 @11:11AM (#15317737)
    Why not just not have the user run as root all the time?

    The main difference I've noticed between Linux and Windows is that Linux makes it abundantly easy to run under limited access using password prompting, while Windows tries to prevent you from securing it.

    People say that "well you shouldn't run things you don't know." Well, that argument works for computer professionals and people that know what's going on. But to the average user, you should be able to tell what is and isn't going to hurt the system.

    If an application needs to access any critical areas of the OS, the running threads, the registry, or anything else deemed critical or potentially harmful, it should prompt for password. This would give IT people a clear message to send to users "If it asks you for your password, make sure you trust the program." While it might be easy to click "yes" or "ok" to everything, because windows is user prompt hell to begin with, typing in and remembering a password takes considerably more work.

    Why you would continue to try to patch the holes in the Titantic this way is beyond me. Unless now MS just wants to sell insecure products and then sell you repair kits to fix them.
    • MS just wants to sell insecure products and then sell you repair kits to fix them.

      Bingo.
    • If an application needs to access any critical areas of the OS, the running threads, the registry, or anything else deemed critical or potentially harmful, it should prompt for password.

      Ask, and it shall be granted [microsoft.com].

      However, the password-prompting behavior isn't the panacea you describe it to be. It works well for people who understand the underlying system including permissions and concepts like user vs. administrator. It doesn't work well for people who just want to get their work done, or download the l
      • The user access control does *not* prompt for a password.

        It's just a big dialog with 'OK' on it. Invariably filled with techincal gobbledegook involving Rundll32... we've had big dialogs with 'OK' before in IE and they weren't very effective either.

    • Why not just not have the user run as root all the time?

      Is that rhetorical, or do you want a real answer? First, Windows has only had user-level permissions since NT. While these are present in XP, and limited users can be created, the default is to create admininstrators because so much legacy software requires it. Fortunately, as legacy software gets older and less common, this problem is decreasing. The upcoming Vista has further workarounds to help run legacy software in limited accounts, and will

      • I would make a guess and say that malicious software that accesses things that would require admin rights are probably the easiest to find and solve.
        Firstly, they have the biggest potential for harm and so are more well known. Secondly, you can look through what are uses admin rights and filter them.
        It is the ones that run at a user level that are harder to catch, and those are the ones that a "This is doing something potentialy dangerous. Are you sure?" will not catch.
        I for one would like to see an improve
  • Just once... (Score:4, Insightful)

    by GigG (887839) on Friday May 12, 2006 @11:23AM (#15317875)
    Just once I'd like to see a story run on /. that involves MS that starts a discussion of the issue in the story and not just collection of attacks on MS. I'm not a big MS fan but it does get old.
    • Re:Just once... (Score:3, Insightful)

      by Billosaur (927319) *
      Just once I'd like to see a story run on /. that involves MS that starts a discussion of the issue in the story and not just collection of attacks on MS. I'm not a big MS fan but it does get old.

      I suggest a trip to an alternate universe... look MS haters are a dime-a-dozen, but you have to admit it's pretty cheeky of MS to take these steps instead of just cutting down on the problem to begin with. It's like the people who say global warming needs more study, when the global average temperature is going up

    • Because the article i quite light on details. There is not much to discuss about it. There is malware and they classify it. period (or "dot")
    • Perhaps you forgot: This is /.

      Website of knee-jerk anti-microsoft rants.
    • For those that actually read the article, the link to Flake's [blogspot.com] research on this is actually good, meatier reading (though not much more meaty). Granted, it's for another company, not Microsoft, but I imagine that Microsoft will try some similar approaches.

      Basically, at Flake's company they have a tool that tells the degree of similarity between two programs. I'm not sure of the actual mechanics of this (if it's 1-by-1 instruction comparison, on a functional level, etc), but it enables them to build taxonom
    • While I am not usually a Microsoft basher, this story is remarkable. It is remarkable that Microsoft considers this worth mentioning.

      Norton started using neural networks [symantec.com] in 1999 in their anti-virus software. Any number of adaptive systems [peltarion.com] will do the job quite nicely.

      While these methods have a proven track record, and I'm sure this will bring improvement to Microsoft's products, but really, everybody else has been using it for a while.

      What's next? "Microsoft announced that its upcoming release of the Wi

  • Marketing or acquisitions? I mean, considering the amount of spyware in Vista, I wouldn't deem it impossible that this is an attempt to scout what's to come in the next gen.

    After all, when did MS really invent something themselves? :)
  • Microsoft will include a program that determines if another (arbitrary) program will halt if run with no input.

    Or maybe I'm way off base and this kind of automatic malware detection seems reasonably computable to people. I can think of so many ways (lots of which have been used in malware) to hide the malware in otherwise innocent programs. But what if I encoded my malware as a turing machine, how would they find out if it is malware without actually running it (or have I missed something?)?

  • wtf! (Score:3, Funny)

    by Observador (224372) <afreytes@gmail.HORSEcom minus herbivore> on Friday May 12, 2006 @11:41AM (#15318076) Homepage
    I was reading the slashdot feed on my cell and the title only showed:

    microsoft to automate malware

    and I went like: wtf! haven't they done enough already?

    mind you, not an hour ago I was removing over a hundred pieces of malware that a client had. all of them on just two machines...
  • by tbone1 (309237) on Friday May 12, 2006 @11:48AM (#15318154) Homepage
    It's easier to say something isn't a threat than to actually, you know, do something about it.

    "That isn't cancer, Mrs. Jones, we've redefined it as a sniffle."

  • I don't have great confidence that Microsoft will plug security holes as fast if they SELL a product that can block Malware. I can see Microsoft updating their Malware detector to remove the threat and later patching Windows while Symantec and McAfee scream foul.

    What is going to happen when Microsoft makes a more secure OS and the need for virus scanners and the like are no longer needed? Are we going to have another court case? I can just see a judge now saying that they have to have no less than one kn
  • by Anonymous Coward
    Seriously. They're wasting billions on patching up what they've got and bolting on features to deal with its inherent problems. It's pretty clear to everyone at this point that pretty soon the whole house of cards is going to come crashing down.

    Instead of trying to make the existing system smart enough to classify what's attacking it, why don't they just step back and make a whole new system secure enough that it doesn't needs an attacker classification system in the first place?

    Vista is years overdue and h
  • Has Microsoft not done enough to harm us? Now they have to go and automate malware?

    (RTFA? This is slashdot! I didn't even finish reading the summary title!)
  • Now Microsoft engineers sound like my PHB.
    • No shit, their holistic approach will allow them to leverage the synergies, induce a paradigm shift, maximize the ROI, optimize critical deliverables, incubate ubiquitous technologies, enhance distributed solutions, deliver proactive applications, reinvent virtual applications, empower cross-platform experiences, grow global partnerships and recontextualize chair-throwing monkey methodologies!
  • by Tom (822)
    Build a smarter virus-scanner and virus-authors will write smarter virus code. We've had that 20 years ago.

    Automatically running any downloaded code in a sandbox until the user explicitly asks for it to be installed locally (say, after testing it out in the sandbox) would be a much simpler and much more effective step. There's 5-10 others, like not making the default user an admin, etc.

    But maybe marketing just didn't "get" them as well as "look here, shiny new technology".
  • Now some security researcher won't have to spend an hour a day classifying new viruses. They'll save thousands of dollars every year, minus the costs of training, debugging, and verification, and whatever it cost to write the thing.
  • The number and severity of Windows viruses and malware has now reached the point where MS finds it worthwhile to automate the process --- presumably because doing it manually simply takes up too much (expensive) human intervention for them.

    Maybe it's time that some authority figure(s) at MS took a step back and re-thought their security model? Nah.....

  • Hey, people! At the time I write this only on this page I've found the name of that company 22 times. Could you just stop writing down that name? At least for a day?
  • Now THIS is funny! (Score:3, Insightful)

    by ratboy666 (104074) <fred_weigel@hotmail . c om> on Friday May 12, 2006 @12:41PM (#15318736) Homepage Journal
    Imagine -- so much malware that there is a REAL TEAM working on the problem of automatically classifying it!

    Wow...

    Now that I am finished laughing (and it was a good one)...

    Ratboy
  • Now the black hats can

    • hack Microsoft's automated classification system
    • classify their own malware as benign
    • classify anything that detects their malware as malware
    • rent space on all the zombified Windows boxes to spammers
    • profit
    • retire early

    Thanks Microsoft, you are working so hard to make all those black hat crackers life easy! (and for finally removing that pesky ???? that kept getting in the way of profit here at slashdot)

    I think I'll invest in retirement villas in the Caspian Sea area.

  • Do we Remember the M$ Firewall? There's only so many compilers out there (m$ use Borland) so it was quickly decoded, and cracked. Then the Security advice was "Whatever you do, DON'T RUN THE M$ FIREWALL" There were guys out scouring the 'net for someone stupid enough to be running a m$ firewall. I think someone in there dreams of taking over the Internet one day... Thank goodness for GNU & Linux.
  • if ($program_info{'author'} != 'MS'){$program_info{'type'}=('Virus','Trojan','Spy ware')[rnd(0,3)];}
    Whoot 1 line!
  • whatever happened to.. "It's not a bug, it's a feature"?
  • step #1: create sw with large gaping holes for worms and viruses

    step #2: wait till market is ripe for a/v software

    step #3: buy an a/v software maker, offer a/v product for free

    step #4: wait for ppl to get hooked

    step #5: announce that a/v software may not be in the future

    step #6: automate malware classification

    step #7: ..???

  • Or you can protect the user in the first place by providing informed prompts and enabling the user to make the right and/or wrong choices. You can keep an outgoing firewall closed by default and authorize applications one by one, and be sure to protect the user from anything manipulating these dialog boxes.

    Why start trying to identify it? Let the user identify it and you just keep it from doing any damage.

    -M
  • >distance measure and machine learning technologies
    >take a 'holistic approach'
    >knowledge consumption
    >classifier model generation and selection
    >consume knowledge

    Could someone who speaks that language take a stab at translating it for us? Could someone familiar with the technology tell us whether the "knowledge consumption" might consumer mjore knowledge than it's supposed to and leave us dumber, as reading the article summary did?
    • >take a 'holistic approach'

      translation: An old hippy will come to your house, place a couple of crystals on your keyboard and start a Mongolian throat singing session to realign the chakras of your hard drive.
    • Could a fancied up hueristic scanner and code debugger. I bet this system will have false positives going undetected. How can the software tell if the user is running a legitiment disk maintence tool verses a program that modifies programs own devious purposes. --chris
  • I'm going to automate the process of creating malware. The automation process will be designed specifically to exploit a hole in their classification software, so that it executes arbitrary code that changes the software so that it classifies all MS software as "F1R5T P05T lolol!"
  • "You cannot manage what you cannot measure"

    Microsoft has finally realized that they need to more closely measure the malware that they've come to depend upon for feeding the upgrade cycle. If the number of emerging malware threats starts to taper off, they need to know this early to adjust their sales projections and hopefully take remedial action. If malware should ever be contained, it would spell doom for the hardware manufacturers and the OS supplier as well. It's no coincidence that a new computer per

  • ...to have Gates demo their new malware detector and watch in horror as it deletes itself...
  • It will end up with a "current high score" for the folk inside Microsoft who would get to see the data collected. Almost game like. That aside, it would be interesting to speculate what their defining rubric for what makes a piece of software a piece of malware.
  • Microsoft's proposal will take a 'holistic approach' to tackle the classification problem...

    I'm guessing that this "holistic approach" will do for malware what it did for medicine [holisticmed.com].

The person who's taking you to lunch has no intention of paying.

Working...