Polymorphic, Preemptive, & AI-Generated Malware
As malware detection and defense systems evolve, so does the sophistication of the Threat Actors (TAs), the people who write and distribute malware. When detection systems relied purely on "virus signatures" (byte patterns or hashes derived from a known sample's code), the TAs developed polymorphic malware: malware that re-encodes or rewrites its own code with each copy or each run, so that no two instances share a static signature even though the underlying behavior is unchanged. When detection systems moved to patterns of malicious behavior (looking for the actions that previously documented malware had performed), the TAs developed "preemptive" malware, now commonly called "hunter-killer" malware: malware whose first action is to disable or blind the defensive tooling, so quickly that the defenses never get to observe and analyze the behavior that would have given it away. Now that defenders are starting to employ Artificial Intelligence (AI) tools to detect malware, the TAs are developing their own AI tools to generate malware that evades and fools the defenders' AI models.

The situation is essentially an infinite arms race between defenders and TAs, one in which the TAs can afford to lose a thousand battles in order to win just one, while the defenders cannot afford to lose even one. It is a highly uneven contest and, on those terms, a no-win scenario for the defenders.

Crytica's Rapid Detection & Alert (RDA) system is, however, a means to break out of this vicious cycle: a way to detect polymorphic, preemptive, and AI-generated malware such that TAs cannot simply turn the defenders' own tools against them.
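As an added, constructed illustration of the first two moves in that arms race (this is example code written for this page, not Crytica's code and not a description of how RDA works): a toy static-signature detector that catches a known sample, a deliberately trivial "polymorphic" packer that re-encodes the sample with a fresh key so the static signature no longer matches, and a behavior-level check that still fires on the unpacked routine. The payload bytes, the single-byte XOR scheme, and every function name here are hypothetical stand-ins chosen for the demonstration.

```python
"""Constructed example: static signatures versus a self-re-encoding sample.

The 'payload' is a benign ASCII marker standing in for a malicious routine;
nothing here is executed, the decoded bytes merely represent 'behavior'.
"""
import hashlib
import secrets
from typing import List, Optional

# Hypothetical stand-in for a malicious routine (constructed, benign bytes).
PAYLOAD = b"EXAMPLE-MALICIOUS-ROUTINE"

# Two classic static signatures derived from a previously seen copy:
# an exact-content hash and a distinctive byte sequence.
KNOWN_HASH = hashlib.sha256(PAYLOAD).hexdigest()
KNOWN_BYTES = b"MALICIOUS-ROUTINE"


def static_signature_match(sample: bytes) -> bool:
    """Signature-based detector: recognizes only bytes it has seen before."""
    return hashlib.sha256(sample).hexdigest() == KNOWN_HASH or KNOWN_BYTES in sample


def make_variant(payload: bytes, key: Optional[int] = None) -> bytes:
    """Toy polymorphic packer: XOR the payload with a fresh non-zero byte key
    and prepend that key. Every generation has different bytes and a different
    hash, while the routine recovered at run time is identical."""
    if key is None:
        key = secrets.randbelow(255) + 1  # 1..255; key 0 would leave the bytes unchanged
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte value")
    return bytes([key]) + bytes(b ^ key for b in payload)


def run_variant(variant: bytes) -> bytes:
    """The variant's tiny unpacker: recover the original routine at run time.
    Returning the decoded bytes stands in for executing them."""
    key = variant[0]
    return bytes(b ^ key for b in variant[1:])


def behaviour_match(variant: bytes) -> bool:
    """Behavior-based detector: inspects what the sample does once unpacked,
    not the bytes that sit on disk."""
    return KNOWN_BYTES in run_variant(variant)


def compare_detectors(keys: Optional[List[int]] = None, n_generations: int = 5) -> dict:
    """Generate several re-encoded copies and count which detector catches each.
    Explicit keys make the result reproducible; otherwise keys are random."""
    if keys is None:
        keys = [secrets.randbelow(255) + 1 for _ in range(n_generations)]
    variants = [make_variant(PAYLOAD, k) for k in keys]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_signature_match(v) for v in variants),
        "behaviour_hits": sum(behaviour_match(v) for v in variants),
    }


if __name__ == "__main__":
    # The original copy is caught by its signature; each re-encoded copy is not,
    # yet every one of them still exhibits the known behavior when unpacked.
    print("original caught by static signature:", static_signature_match(PAYLOAD))
    print(compare_detectors())
```

The packer is intentionally weak (a one-byte XOR is trivially brute-forced), but it is enough to show the asymmetry the text describes: the defender's signature covers one exact artifact, while the attacker can mint a new artifact per victim at no cost. The behavior check closes that gap only if it gets to observe the unpacked routine, which is precisely what the "hunter-killer" generation tries to prevent by disabling the monitor first.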