In my last post I began talking more about our protection technology stack. The focus of that post was our more traditional detection mechanism based on 1-1 signatures. While we have done a tremendous amount to push the envelope regarding what traditional signatures can do (for example, by using a cloud publishing model that facilitates real-time protection), the fact is that the traditional 1-1 signature-based approach will never be a comprehensive solution to the vast array of threats our customers face on a daily basis.
To address that issue, we have a number of additional engines that form part of our overall protection capabilities. I'd like to talk briefly about two of them today: the Ethos generic detection engine and the Spero machine learning engine.
Ethos Generic Detections
Ethos generic detections go one step beyond 1-1 signatures by "generalizing" existing traditional fingerprints. The idea is that even if a malware author makes a number of shallow changes to a specific piece of malicious software in order to circumvent signature-based detection (which is remarkably common), we can still catch the threat via Ethos. At the "heart" of Ethos are automated algorithmic techniques for creating signatures that "withstand" such superficial changes. While many vendors employ some form of generic detection, what makes the Ethos system unique is the level of automation we have built around signature generation.
Incumbent AntiVirus companies rely on human analysts to come up with generic signatures. Immunet's technology is algorithmic. The result is that our customers are protected in near-real time (which is critical considering that threats are highly ephemeral and are often alive for just a few hours). As before, we are able to accomplish this type of automation because of our data driven approach, which allows us to determine automatically which threats are suitable for generic signature creation and to create those signatures algorithmically. Furthermore, we can monitor how this technology is performing in the field, what threats it is catching, and how malware variants are evolving.
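The contrast between a 1-1 signature and a generalized one can be made concrete with a small illustration. The following Python is an added example, not Ethos code (the post does not describe the actual signature-generation algorithm), and the three "disassembly" listings are constructed for this example. It assumes one deliberately simple generalization: normalize away the things a shallow edit typically changes (relocated addresses, immediate constants, inserted nops, comments) and hash what remains, so that a padded or relocated variant still matches while an unrelated routine does not.

```python
import hashlib
import re

# Constructed toy disassembly of a malicious routine (illustrative stand-in
# for real binary content; not a real sample).
ORIGINAL = """\
push ebp
mov ebp, esp
push 0x4011a0        ; address of a string constant
call 0x401000        ; resolved API call
mov eax, 0x1f4
call 0x401020
pop ebp
ret
"""

# A constructed "variant" with only shallow changes: the file was padded so
# addresses relocated, an immediate was tweaked, and nops were inserted.
VARIANT = """\
push ebp
mov ebp, esp
nop
push 0x4021c8        ; same string, relocated
nop
call 0x402030
mov eax, 0x3e8
call 0x402050
pop ebp
ret
"""

# A constructed unrelated (benign) routine that must NOT match.
BENIGN = """\
push ebp
mov ebp, esp
xor eax, eax
pop ebp
ret
"""

HEX_IMMEDIATE = re.compile(r"0x[0-9a-f]+")


def normalize(listing: str) -> str:
    """Reduce a listing to the parts a shallow edit does not change.

    Drops comments and nops, lower-cases mnemonics, and replaces every hex
    immediate or address with the placeholder IMM. This is an assumed,
    illustrative normalization, not Ethos's method.
    """
    kept = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].lower()      # strip trailing comment
        tokens = line.split()
        if not tokens or tokens[0] == "nop":      # drop padding instructions
            continue
        line = HEX_IMMEDIATE.sub("IMM", " ".join(tokens))
        kept.append(line)
    return "\n".join(kept)


def exact_signature(listing: str) -> str:
    """1-1 signature: a hash of the content exactly as it appears."""
    return hashlib.sha256(listing.encode()).hexdigest()


def generic_signature(listing: str) -> str:
    """Generalized signature: a hash of the normalized content."""
    return hashlib.sha256(normalize(listing).encode()).hexdigest()


def detected_by(signature: str, listing: str, generic: bool) -> bool:
    """Return True if the listing matches the given signature."""
    fn = generic_signature if generic else exact_signature
    return fn(listing) == signature


if __name__ == "__main__":
    exact = exact_signature(ORIGINAL)
    generic = generic_signature(ORIGINAL)
    for name, sample in [("variant", VARIANT), ("benign", BENIGN)]:
        print(name, "exact:", detected_by(exact, sample, generic=False),
              "generic:", detected_by(generic, sample, generic=True))
```

The exact signature misses the variant because a single relocated address changes the hash; the generic signature catches it because the normalized routine is identical, while the benign routine normalizes to something different and stays clean. A real generalization has to be checked against a large clean set for exactly this reason: the more aggressively you normalize, the more benign code collapses onto the same signature.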
Spero Machine Learning Technology
The other critical piece of Immunet's offering is our Spero technology, which leverages machine learning techniques to detect malicious software. While the general idea of using machine learning techniques in an AntiVirus technology is not new and while a small number of AntiVirus vendors appear to have begun leveraging these techniques, there are several aspects of our approach that are worth noting.
First, we use actual field data as the basis for training and evaluating our classifiers. Our ability to do so is a consequence of our cloud-based architecture, which gives us extensive visibility into our real-world performance. Furthermore, since we have taken a data driven approach from the outset, we are able to train on exactly the kind of data our classifiers will encounter in the field. (Without this type of architecture, machine learning techniques, as powerful as they are, would essentially amount to shooting in the dark.) Having the right data source is the foundation on which machine learning techniques must rest. Without good data, applying changes and tweaks further down the stack is an exercise in futility (one that far too many people seem to be addicted to).
Second, we also leverage a number of distributed computing, advanced data mining, and machine learning techniques, such as MapReduce, feature selection, and cost-sensitive classification. In this regard, we have benefited tremendously from the recent "big data" movement, which has produced advances in the underlying algorithms, frameworks, and available tools for processing, analyzing, and visualizing large data sets.
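Of the techniques named above, cost-sensitive classification is the one with the most direct security consequence, because in AntiVirus the two kinds of error are not equally bad: quarantining a legitimate file (a false positive) typically costs far more than letting one sample of a short-lived threat through (a false negative). The Python below is an added example, not Spero code, and it assumes a constructed set of classifier scores and a hypothetical cost ratio. It picks the decision threshold that minimizes expected cost and compares it with the naive 0.5 cut-off.

```python
# Constructed classifier output: a probability-of-malice score per file and
# its true label (1 = malicious, 0 = benign). These values are invented for
# the example, not field data.
SCORES = [0.05, 0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.55, 0.58, 0.62, 0.70, 0.85, 0.92, 0.97]
LABELS = [0,    0,    0,    0,    0,    1,    0,    0,    1,    0,    1,    1,    1,    1]

# Hypothetical cost matrix: a false positive is assumed to cost 20x a false
# negative. The ratio is an assumption chosen to illustrate the effect.
COST_FP = 20
COST_FN = 1


def confusion(scores, labels, threshold):
    """Count false positives and false negatives when files scoring at or
    above `threshold` are convicted as malicious."""
    fp = sum(1 for s, y in zip(scores, labels) if y == 0 and s >= threshold)
    fn = sum(1 for s, y in zip(scores, labels) if y == 1 and s < threshold)
    return fp, fn


def expected_cost(scores, labels, threshold, cost_fp, cost_fn):
    """Total misclassification cost at a given threshold."""
    fp, fn = confusion(scores, labels, threshold)
    return fp * cost_fp + fn * cost_fn


def choose_threshold(scores, labels, cost_fp, cost_fn):
    """Return (threshold, cost) minimizing expected cost.

    Candidate thresholds are the distinct scores plus +inf (convict nothing).
    Ties are broken toward the lower threshold, i.e. toward catching more.
    """
    candidates = sorted(set(scores)) + [float("inf")]
    cost, threshold = min(
        (expected_cost(scores, labels, t, cost_fp, cost_fn), t) for t in candidates
    )
    return threshold, cost


if __name__ == "__main__":
    naive = expected_cost(SCORES, LABELS, 0.5, COST_FP, COST_FN)
    t_sym, c_sym = choose_threshold(SCORES, LABELS, 1, 1)
    t_cs, c_cs = choose_threshold(SCORES, LABELS, COST_FP, COST_FN)
    print(f"naive 0.5 threshold: cost {naive}, fp/fn {confusion(SCORES, LABELS, 0.5)}")
    print(f"symmetric costs:     threshold {t_sym}, cost {c_sym}")
    print(f"cost-sensitive:      threshold {t_cs}, cost {c_cs}, fp/fn {confusion(SCORES, LABELS, t_cs)}")
```

On this data the symmetric-cost optimum sits at 0.58 (one false positive, one miss), while weighting false positives 20:1 pushes the threshold up to 0.70, where nothing benign is convicted at the price of two misses; the naive 0.5 cut-off is worse than either because it convicts two clean files. The same threshold-selection logic is what makes field evaluation matter: the cost-optimal threshold depends entirely on the score distribution of real benign and malicious traffic, which is exactly what the post argues a cloud-backed vendor can observe and a vendor training on a lab corpus cannot.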
Overall, Ethos and Spero have been very powerful technologies for us. They have given us a remarkable window into the vast spectrum of threats that evade traditional signature-based approaches. Time and again we have seen these technologies identify threats that many vendors miss. Beyond these technologies, we do have a number of others that I can’t go into just yet. But what I think makes Immunet so compelling is that our underlying architecture correctly looks at AntiVirus protection as a “big data” problem. This architecture allows us to rapidly innovate and bring new ideas into the field. In the race against the bad guys, I fundamentally believe that this approach is fueling our ability to break away from the pack.