Microsoft reckons it’s come up with a machine learning answer to the increasingly popular technique of using ill-gotten code-signing certificates to pass off malware as trusted software to antivirus.
The company’s Microsoft Defender ATP antimalware solution is using machine learning “monotonic models” to address key techniques crooks use to evade detection by antivirus.
In cybersecurity, malware detection machine learning models are trained with a blend of "malicious" and “clean” characteristics of files that the model uses to weigh up whether such a file should be blocked or not.
However, Microsoft has adopted so-called “monotonic” models that are trained to only look at malicious characteristics, making them more resistant to criminals stuffing files with clean characteristics — such as legitimate but fraudulently obtained code-signing certificates from a certificate authority (CA).
Such certificates could influence a model’s assessment of a file and allow malware to pass through its defense lines.
Applied to malware, monotonic models, as the name suggests, only look at one type of feature — the malicious one — and ignore any clean features added to a file.
“Most machine learning models are trained on a mix of malicious and clean features. Attackers routinely try to throw these models off balance by stuffing clean features into malware,” said Geoff McDonald of the Microsoft Defender ATP research team.
“Simply put, the said technique only allows the machine learning model to leverage malicious features when considering a file – it’s not allowed to use any clean features,” he added.
Additionally, McDonald boasts that because Microsoft's malware detection model is hosted in the cloud it “breaks” an attackers capacity to test their clean-stuffed malware without risking Microsoft detecting it during the test phase, and then blocking when it's deployed in the wild.
Microsoft draws its new technique for Microsoft Defender ATP from researchers at UC Berkley who published a paper last year called, “Adversarially robust malware detection using monotonic classification”, which detailed how adding constraints to malware detection machine models could harden them by filtering out clean characteristics when training the detection model.
The company deployed its first UC Berkley-inspired monotonic models in its cloud security service in late 2018, which has since helped it address threats like LockerGoga -- the ransomware variant that crippled metal firm Norsk Hydro’s global IT networks earlier this year.
LockerGoga was reportedly signed with a valid code-signing certificate fraudulently obtained from a certificate authority when it hit a French firm in January.
McDonald says Microsoft Defender ATP now ignores the fact that malware like LockerGoga has the added positive signal of being signed with a digital certificate.
“When Microsoft Defender ATP encounters a new threat like LockerGoga, the client sends a featurized description of the file to the cloud protection service for real-time classification," wrote McDonald.
"An array of machine learning classifiers processes the features describing the content, including whether attackers had digitally code-signed the malware with a trusted code-signing certificate that chains to a trusted CA.
By ignoring code-signing certificates and other clean features, monotonic models in Microsoft Defender ATP can correctly identify attacks that otherwise would have slipped through defenses.”
McDonald also points to a recently disclosed “adversarial attack” against an AI-powered antivirus solution from BlackBerry-owned Cylance.
The antivirus bypass was detailed by security firm Skylight last week, which it claimed to have found a “peculiar bias towards a specific game” and proved a successful technique for making the most prevalent malware appear completely harmless to Cylance’s product.
The researchers even got Cylance’s end-point protection software to let through the Mimikatz credential dumping tool used in the infamous NotPetya ransomware attack of 2017 that wiped over $1 billion from several US and European firms, most notably Danish shipping giant Maersk.
BlackBerry-Cylance announced a fix for the Cylance bypass on Sunday. The bypass was achieved after the researchers realized the Cylance antivirus could be fooled by included a selected list of strings to a malicious file from the unnamed online game.
“The monotonic model hardening that we’ve deployed in Microsoft Defender ATP is key to preventing this type of attack, because, for a monotonic classifier, adding features to a file can only increase the malicious score,” wrote McDonald.
The timing of Microsoft's post about monotonic models is probably no coincidence. The point that McDonald is making is that Microsoft is staying ahead of new attack techniques by monitoring the latest research in adversarial attacks against machine learning model based defenses.
“Given how they significantly harden defenses, monotonic models are now standard components of machine learning protections in Microsoft Defender ATP‘s Antivirus. One of our monotonic models uniquely blocks malware on an average of 200,000 distinct devices every month. We now have three different monotonic classifiers deployed, protecting against different attack scenarios.”