FireEye announced the addition of its new MalwareGuard machine learning capability for endpoint threat detection to the FireEye Endpoint Security 4.5 update on July 31.
The MalwareGuard feature provides organizations with a new method to autonomously detect and classify malware. MalwareGuard complements behavior-based ExploitGuard, signature-based MalwareProtection and intelligence-based IOC detection capabilities in FireEye Endpoint Security.
“MalwareGuard really provides another added level of protection against both known and unknown attacks, and it’s a result of a multiyear research project where we’ve trained the system on unique real-world public and private data,” John Laliberte, senior vice president of engineering at FireEye, told eWEEK.
The machine learning behind MalwareGuard is able to make predictions on potential malware without the need for human involvement, he said.
“The way we think about MalwareGuard technology is that it automates and reduces the time from when a new threat is discovered and it eliminates the human component of the analysis, allowing for automatic protection,” Laliberte said.
Adversarial Intent
The use of machine learning to help detect malware is not a new idea, though Laliberte said the approach that FireEye took in building the MalwareGuard engine is different.
“We focused on building autonomous mechanisms that really identify and predict what the actual intent of the adversary behavior is,” he said. “Through our research project, we proved that we can train machines to identify attacks on a large majority of cases, when using our unique data that predicts the intent of the adversary tools, as well or better than our human experts.”
During the research phase to build the MalwareGuard engine, FireEye used between 3,000 and 5,000 systems in parallel, with over 20,000 compute cores, to produce the model. Laliberte also highlighted the data the model was trained on, which was drawn from FireEye sensors as well as from incident response investigations.
“Our people have been on the front lines discovering the new threats and figuring out how other technologies were bypassed,” he said. “In addition, we have managed services and what they do is label a lot of the data for us, which is actually one of the hardest problems to solve.”
Many modern attacks are not just simple malware payloads; they often involve multiple steps in an attack chain. The combination of detection engines and the various points at which FireEye examines processes on the endpoint helps to detect multistage attacks, Laliberte said. He added that the MalwareGuard machine learning engine is invoked at various points on an endpoint, including initial execution as well as post-execution actions.
Part of the FireEye Endpoint Security 4.5 suite is the Helix security operations platform, which will also benefit from the MalwareGuard model. With Helix, an organization can identify that a given piece of malware is present in different parts of the organization and then execute distributed remediation actions against it.
Looking forward, Laliberte said FireEye will continue to build out capabilities on the Endpoint Security platform.
“You’ll see significant improvements in prevention, investigation, detection and response across the board,” he said. “We’re really looking to enable the Helix platform to make it very simple for customers to go from alert to fix, tying together all the information.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.