Microsoft To Automate Malware Classification

Posted by Zonk on Fri May 12, 2006 09:56 AM
from the virus-a947qalpha dept.
Kuzulu Kuhuru writes "Researchers in Microsoft's anti-malware engineering team are using distance measure and machine learning technologies to automate the process of classifying new strains of computer viruses, Trojans and other malicious software programs." From the article: "Microsoft's proposal will take a 'holistic approach' to tackle the classification problem, Lee said, pointing out that the machine learning aspects will deal with everything, from knowledge consumption, representation and storage, to classifier model generation and selection. It aims to consume knowledge about the malware sample efficiently and automatically and represent that knowledge in a form that results in minimal information loss."
  • (Offtopic warning!)

    That eweek's "malware icon" [ziffdavisinternet.com] (just like slashdot's malware icon [slashdot.org]) has a picture of something that's not a worm.

    Unless I've missed the threat of 'caterpillars' crawling the internet (consuming all resources [amazon.com]). :-)

    Anyway, back on topic - wouldn't it be easier for MS to simply write more secure software? It's rather disheartening to hear their response to the deluge of malware is a classification program.
  • Spyware provided by a big (or friend) corporation = GOOD
    FOSS = malware
    • What do you want to bet that anything that is signed doesn't get checked, because it is trusted..

      because by paying $300 - the people must be legit.. sorry but the whole idea of root certs for bypassing security measures is just dumb.
  • Priorities? (Score:2, Insightful)

    Is it just me, or are there more people that think that instead of getting busy automating the process of classifying new strains of computer viruses, Trojans and other malicious software programs, maybe they should address the cause of the problem first?
    • by Savage-Rabbit (308260) on Friday May 12 2006, @10:24AM (#15317889)
      Is it just me, or are there more people that think that instead of getting busy automating the process of classifying new strains of computer viruses, Trojans and other malicious software programs, maybe they should address the cause of the problem first?

      I'm not sure that training enough high class .NET certified MSCA ratified ninja commando teams to assassinate all those thousands of malware authors and spam kings would be a financially viable proposition for Microsoft. Using a fully automated self classifying system to build a proper threat library which can later be fed to mass manufactured hunter killer bots and android terminators sounds like a much more cost effective approach.
    • Maybe they should address the cause of the problem first?

      What cause would that be? Maybe employing humans? Or maybe the fact that they use C and C++ heavily?

      Hmm, what other projects are written by humans and use C/C++ heavily? Oh right .... all the competitors! How many "arbitrary code execution" vulnerabilities has Firefox had in the past year? How many privilege escalation bugs has the X server had in the past year? How many has MacOS X had that haven't been fixed for months? How short is the "dump e

  • After all, the malware business is one of those "ecosystems" that's wholly dependent on Microsoft. Only fair that MS should offer a little direction to their clients.
  • by noidentity (188756) on Friday May 12 2006, @10:03AM (#15317648)
    Too bad the research isn't being done on ways to prevent malware. Apple could make good use of this: "Windows has so many viruses they need a computer to help sort through them all!"
  • IF ... and that's a big if ... Microsoft has the balls to leave it fully automated and let the system do its thing.

    Now, if they start taking payola for delisting malware, then this will be no better than all the shit the current batch of jokers/anti-spyware companies pull every day.

    • SO its going to stop lots of programs which spread....

      Firstly, down goes youtube, myspace, and all the other sites powered by lots of people visiting them.

      Then stuff like msn will start getting blocked (we can only hope?) i mean, will it block msn if it has the stupid smiley central stuff installed?
  • If they can classify the stuff, shouldn't they be able to stop it?

    Or is classification going to allow them to have a flashier anti-malware tool to sell?

    Can't you see it now...animation of the viruses being caught, sent down a chute that sorts them into different buckets. Different cute cuddlies for each type of virus, each with unique characteristics. They could then create an entire industry around stuffed animals and stickers the kids could trade! People would go around giving each other viruses on

    • but which one will clippy represent???? or is he the dungeon master?
    • If they can classify the stuff, shouldn't they be able to stop it?

      Or is classification going to allow them to have a flashier anti-malware tool to sell?


      It could give you an idea of exactly how hosed your system is, and what, if any, kinds of remedies might actually work. If your machine is infested beyond repair, wouldn't you want to know that?

      Slashdot is entirely too pragmatic, and cynical about Microsoft in general. Your post is just one example. This is Microsoft Research, which is very active in theoret
    • If they can classify the stuff, shouldn't they be able to stop it?

      I'm sure they hope so. I doubt they are trying to classify it simply as an academic exercise. I'm guessing - going way out on a limb here - that Microsoft is planning to try to stop the malware they identify. Probably, they'll use some kind of special anti-malware software. They could call it "Windows Defender" or something.

    • Was about to comment on the same lines... too much effort to put a bright, shiny and new label to a problem instead of worrying on solving/curing/fixing it,

      Of course, you can say, oh, but a trojan is a different beast than a worm, so must be treated different by future development. Or better yet, this is a future-cool-name-that-implies-user-interaction that is really different from a future-cooler-name-that-implies-exploiting-net-services-vulnerabilities. But i bet that will make things more confusing th

  • by PhotoBoy (684898) on Friday May 12 2006, @10:07AM (#15317697)
    How long till we get headlines like "Microsoft's Malware Software Deletes Windows after identifying it as a security risk"?
    • How long till we get headlines like "Microsoft's Malware Software Deletes Windows after identifying it as a security risk"?
      Indefinitely. Why should we expect such accurate results from a Microsoft written tool?
  • To combat pirates Microsoft plans to employ a full clan of Ninjas. According to latest polls Ninjas always have at least a 2 to 1 following compared to those who prefer pirates. These Microsoft Ninjas will be trained in all the dark arts, including, but not limited to, poisoning Pirate rum, placing explosive powders in their parrots, and using biological weapons such as scurvy induced rats. Psychological war will also be waged as the Ninjas use cardboard cutouts of themselves hidden throughout the pirate
  • if (strcmp(product.ID, "MICROSOFT"))   /* strcmp is non-zero (true) whenever the ID is NOT "MICROSOFT" */
        system("DeleteTheBastard.bat");        /* C has no exec(); system() runs the batch file */
  • Here's a thought! (Score:3, Interesting)

    by danpsmith (922127) on Friday May 12 2006, @10:11AM (#15317737)
    Why not just not have the user run as root all the time?

    The main difference I've noticed between Linux and Windows is that Linux makes it abundantly easy to run under limited access using password prompting, while Windows tries to prevent you from securing it.

    People say that "well you shouldn't run things you don't know." Well, that argument works for computer professionals and people that know what's going on. But to the average user, you should be able to tell what is and isn't going to hurt the system.

    If an application needs to access any critical areas of the OS, the running threads, the registry, or anything else deemed critical or potentially harmful, it should prompt for password. This would give IT people a clear message to send to users "If it asks you for your password, make sure you trust the program." While it might be easy to click "yes" or "ok" to everything, because windows is user prompt hell to begin with, typing in and remembering a password takes considerably more work.

    Why you would continue to try to patch the holes in the Titanic this way is beyond me. Unless now MS just wants to sell insecure products and then sell you repair kits to fix them.
    • MS just wants to sell insecure products and then sell you repair kits to fix them.

      Bingo.
    • If an application needs to access any critical areas of the OS, the running threads, the registry, or anything else deemed critical or potentially harmful, it should prompt for password.

      Ask, and it shall be granted [microsoft.com].

      However, the password-prompting behavior isn't the panacea you describe it to be. It works well for people who understand the underlying system including permissions and concepts like user vs. administrator. It doesn't work well for people who just want to get their work done, or download the l
    • Why not just not have the user run as root all the time?

      Is that rhetorical, or do you want a real answer? First, Windows has only had user-level permissions since NT. While these are present in XP, and limited users can be created, the default is to create administrators because so much legacy software requires it. Fortunately, as legacy software gets older and less common, this problem is decreasing. The upcoming Vista has further workarounds to help run legacy software in limited accounts, and will

  • Just once... (Score:4, Insightful)

    by GigG (887839) on Friday May 12 2006, @10:23AM (#15317875) Homepage
    Just once I'd like to see a story run on /. that involves MS that starts a discussion of the issue in the story and not just collection of attacks on MS. I'm not a big MS fan but it does get old.
    • Just once I'd like to see a story run on /. that involves MS that starts a discussion of the issue in the story and not just collection of attacks on MS. I'm not a big MS fan but it does get old.

      I suggest a trip to an alternate universe... look MS haters are a dime-a-dozen, but you have to admit it's pretty cheeky of MS to take these steps instead of just cutting down on the problem to begin with. It's like the people who say global warming needs more study, when the global average temperature is going up

    • Perhaps you forgot: This is /.

      Website of knee-jerk anti-microsoft rants.
    • For those that actually read the article, the link to Flake's [blogspot.com] research on this is actually good, meatier reading (though not much more meaty). Granted, it's for another company, not Microsoft, but I imagine that Microsoft will try some similar approaches.

      Basically, at Flake's company they have a tool that tells the degree of similarity between two programs. I'm not sure of the actual mechanics of this (if it's 1-by-1 instruction comparison, on a functional level, etc), but it enables them to build taxonom
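The "distance measure" classification the story describes and the program-similarity tool mentioned in the comment above, worked through as an added example (this is not Microsoft's, Slashdot's or Flake's code). It combines a byte-level normalized compression distance with a structural Jaccard distance over instruction-mnemonic n-grams, then labels a sample by its nearest neighbour in a small labelled library, falling back to "unknown" for a sample nothing is close to. Every sample, family label and threshold below is constructed for the demonstration; the "binaries" are short strings that mimic disassembly text, not real programs.

```python
"""Nearest-neighbour malware family classification with two distance measures.

Added example for this discussion, not code from Microsoft, Slashdot or Halvar
Flake's tool. All samples are constructed stand-ins for disassembly text.
"""
import zlib


def ncd(x: bytes, y: bytes) -> float:
    """Normalized compression distance: (C(xy) - min(C(x),C(y))) / max(C(x),C(y)).

    C() is the compressed length under zlib level 9. Inputs that share content
    compress well together (value near 0); unrelated inputs give values near 1.
    """
    cx = len(zlib.compress(x, 9))
    cy = len(zlib.compress(y, 9))
    cxy = len(zlib.compress(x + y, 9))
    return (cxy - min(cx, cy)) / max(cx, cy)


def mnemonic_ngrams(sample: bytes, n: int = 3) -> frozenset:
    """Structural fingerprint: the set of n-grams over instruction mnemonics.

    Instructions are ';'-separated in the constructed samples. Operands
    (registers, API names) are dropped, so swapping one API call for another
    leaves this fingerprint unchanged even though the byte-level NCD moves.
    """
    mnemonics = [ins.split()[0] for ins in sample.split(b";") if ins.strip()]
    return frozenset(tuple(mnemonics[i:i + n])
                     for i in range(len(mnemonics) - n + 1))


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; 1.0 means identical fingerprints."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def distance(x: bytes, y: bytes, w_ncd: float = 0.5) -> float:
    """Weighted mix of content distance (NCD) and structural distance (1 - Jaccard)."""
    structural = 1.0 - jaccard(mnemonic_ngrams(x), mnemonic_ngrams(y))
    return w_ncd * ncd(x, y) + (1.0 - w_ncd) * structural


def classify(sample: bytes, library: dict, threshold: float = 0.6):
    """Label `sample` with the family of its nearest library entry.

    Returns (label, nearest_name, distance). If nothing lies within `threshold`
    the label is 'unknown': a genuinely new strain is queued for a human
    instead of being silently forced into an existing family.
    """
    d, name, label = min(((distance(sample, ref), name, label)
                          for name, (label, ref) in library.items()),
                         key=lambda t: t[0])
    return (label if d <= threshold else "unknown"), name, d


# Constructed samples (not real malware). Each routine is repeated three times
# to stand in for code that recurs in several functions of one binary.
DROPPER_A1 = (b"PUSH EBP;MOV EBP,ESP;CALL GetProcAddress;CALL URLDownloadToFileA;"
              b"CALL WinExec;POP EBP;RET;") * 3
INJECTOR_B1 = (b"XOR EAX,EAX;PUSH EAX;CALL OpenProcess;CALL VirtualAllocEx;"
               b"CALL WriteProcessMemory;CALL CreateRemoteThread;RET;") * 3
HELLO_C1 = (b"PUSH 0;PUSH offset caption;PUSH offset text;PUSH 0;CALL MessageBoxA;"
            b"PUSH 0;CALL ExitProcess;") * 3
# Variant of DROPPER_A1 with two API calls swapped: same mnemonics, different bytes.
DROPPER_A2 = (b"PUSH EBP;MOV EBP,ESP;CALL GetProcAddress;CALL InternetOpenUrlA;"
              b"CALL ShellExecuteA;POP EBP;RET;") * 3
# Something the library has never seen, in content or in structure.
NOVEL = (b"SUB ESP,0x40;LEA EDI,[ESP];REP STOSD;CMP EAX,EBX;JNE loop;LEAVE;RET;") * 3

# Labelled reference library: name -> (family label, sample bytes). Constructed.
LIBRARY = {
    "dropper_a1": ("dropper", DROPPER_A1),
    "injector_b1": ("injector", INJECTOR_B1),
    "hello_c1": ("benign", HELLO_C1),
}

if __name__ == "__main__":
    for name, sample in [("dropper_a2", DROPPER_A2), ("injector_b1", INJECTOR_B1),
                         ("novel", NOVEL)]:
        label, nearest, d = classify(sample, LIBRARY)
        print(f"{name:12s} -> {label:9s} (nearest {nearest}, distance {d:.2f})")
```

The two measures fail in different ways, which is why they are mixed: the mnemonic n-grams are blind to an API swap (the variant scores a Jaccard of exactly 1.0 against its parent), while the NCD notices the changed bytes but is also fooled by superficial byte similarity. The threshold turns the classifier into a triage step: anything within reach of a known family gets that label, anything else is flagged for a human rather than mislabelled.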
  • Microsoft will include a program that determines if another (arbitrary) program will halt if run with no input.

    Or maybe I'm way off base and this kind of automatic malware detection seems reasonably computable to people. I can think of so many ways (lots of which have been used in malware) to hide the malware in otherwise innocent programs. But what if I encoded my malware as a turing machine, how would they find out if it is malware without actually running it (or have I missed something?)?

  • wtf! (Score:3, Funny)

    by Observador (224372) <afreytes@@@gmail...com> on Friday May 12 2006, @10:41AM (#15318076) Homepage
    I was reading the slashdot feed on my cell and the title only showed:

    microsoft to automate malware

    and I went like: wtf! haven't they done enough already?

    mind you, not an hour ago I was removing over a hundred pieces of malware that a client had. all of them on just two machines...
  • by tbone1 (309237) on Friday May 12 2006, @10:48AM (#15318154) Homepage
    It's easier to say something isn't a threat than to actually, you know, do something about it.

    "That isn't cancer, Mrs. Jones, we've redefined it as a sniffle."

  • Now Microsoft engineers sound like my PHB.
  • Build a smarter virus-scanner and virus-authors will write smarter virus code. We had that 20 years ago.

    Automatically running any downloaded code in a sandbox until the user explicitly asks for it to be installed locally (say, after testing it out in the sandbox) would be a much simpler and much more effective step. There's 5-10 others, like not making the default user an admin, etc.

    But maybe marketing just didn't "get" them as well as "look here, shiny new technology".
  • Now some security researcher won't have to spend an hour a day classifying new viruses. They'll save thousands of dollars every year, minus the costs of training, debugging, and verification, and whatever it cost to write the thing.
  • Imagine -- so much malware that there is a REAL TEAM working on the problem of automatically classifying it!

    Wow...

    Now that I am finished laughing (and it was a good one)...

    Ratboy
  • Now the black hats can

    • hack Microsoft's automated classification system
    • classify their own malware as benign
    • classify anything that detects their malware as malware
    • rent space on all the zombified Windows boxes to spammers
    • profit
    • retire early

    Thanks Microsoft, you are working so hard to make all those black hat crackers life easy! (and for finally removing that pesky ???? that kept getting in the way of profit here at slashdot)

    I think I'll invest in retirement villas in the Caspian Sea area.

  • if ($program_info{'author'} ne 'MS') { $program_info{'type'} = ('Virus','Trojan','Spyware')[int(rand(3))]; }  # 'ne' for string compare; int(rand(3)) picks index 0..2
    Whoot 1 line!
  • Or you can protect the user in the first place by providing informed prompts and enabling the user to make the right and/or wrong choices. You can keep an outgoing firewall closed by default and authorize applications one by one, and be sure to protect the user from anything manipulating these dialog boxes.

    Why start trying to identify it? Let the user identify it and you just keep it from doing any damage.

    -M
    • It's a shame that you got marked troll. It's not like this is not a pattern of behavior going all the way back to the MS-DOS [internetnews.com] days of computing. ...Those who don't learn from history are doomed to repeat it I guess.
    • Don't forget to add RIAA, MPAA, and Sony to the trusted list. If we have only one anti-spyware/virus/malware company, then they will make the definitions of what is and isn't malware. So if Sony does another rootkit, but buys MS (or any monopolist in the anti-malware trade) off, then no one will be able to call it dangerous.
    • Hi,

      You can download the fix here [ubuntu.com]. if this download gets marked by your antivirus please ignore it. Just trust me. You can also install the realvnc client and install it and post your ip here. Someone will fix it for you. I only need a small advance for this. Please pay by western union or use a cheque for this. I guess that you will trust me more if you paid for the service.