Views: 2688 | Replies: 19

[Discussion] Evolutionary Antivirus (is the legendary NightVision finally here?)

驭龙
Posted on 2014-11-4 20:25:34
This post was last edited by 驭龙 on 2014-11-4 20:26

It looks like the legendary NightVision has gone live;
the official blog seems to be saying as much:
http://blog.avira.com/evolutionary-antivirus/

Every now and then a quantum leap occurs. This time, it protects us all.


First evolution
The technologies antivirus companies use to detect malware evolve over time to meet the ever-changing threat landscape. The first evolution was signature-based detection, which had a lot of good properties. Signature-based malware detection extracts common byte sequences — also called signatures — from multiple files of the same malware variant. If these sequences also match another file, it is detected as being malicious. One drawback of signatures is that often a small number of differing bytes leads to the signature not matching anymore. As a result, polymorphic malware was created, which always has completely different sequences of bytes, and therefore malicious sequences could not be found any more. In many cases signatures are still very useful and especially the time to release a signature is very short.


Second evolution
The second evolution was generic detection, which was able to easily handle most polymorphic files. By manually researching malicious files in depth, file properties could be identified, which then in combination could be used not only to detect polymorphic files but, in general, are so powerful as to detect whole families of files. Often, generic detection uses a rule-based system. An example of a generic rule with the capability to detect malicious files writing to the Windows folder could be very simplified:
file_size < 5kb & file_writes_to_windows_folder & file_not_signed
Generic detection is in general very powerful and can also incorporate the program’s behavior. While this kind of detection is also old, it is still widely used. The reason why generic detection loses its relevance is not a matter of quality but a matter of quantity. Avira receives hundreds of thousands of potentially malicious files every day. The time to create one rule manually takes from 5 minutes to two hours, and probably thousands of rules have to be created per day. While it was possible in the past to write generic rules for the malware files received each day, it is not possible anymore.


Third (current) evolution
Fully automated learning systems — the third (current) evolution — try to combine the good properties of the first two evolutions, while avoiding their drawbacks. Rather than creating rules, learning systems often learn the difference between good stuff and malware files based on distances. In simple words, this means that if the learning system learned that a specific region only consists of malicious files and an unknown file has a very small distance to the files within that region, it will output that the probability of the unknown file being malicious is very high. This is equal to a human saying: “This file looks very similar to something that I have seen before”.


Five years ago, Avira started more seriously investigating these systems. In March 2010, my colleague Matthias Ollig and I showed in our master’s thesis, with the title “Recognition of malware by applying techniques of machine learning using static and behavior-based features,” that such a system is not just possible but that it can also deliver a high degree of automatism.
In our fight against malware, only one thing really counts. Speed. If a new malicious file is inserted into the learning system and it is well designed, it does not just detect this one file but the whole malware family — within minutes.


Over the last four years, Avira management have made several big investments in the automated learning system with the internal name NightVision. NightVision has ~8TB of RAM, ~750 CPU cores and ~50 CUDA capable GPUs. Due to these investments, NightVision now not only protects our paying customers but also all of our free-version customers around the globe. By having NightVision in place, the antivirus researchers can now put their attention towards the most important thing: Analyzing the most current daily threats.
Rough Google machine translation, make do with it.


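As an added illustration (not code from the post, the blog, or Avira), the blog's hand-written generic rule is placed next to a small distance-based classifier of the kind the "third evolution" describes: a file is scored by how many of its nearest known neighbours are malware. The feature set, the labelled corpus and the k-nearest-neighbour approach are assumptions for the example and say nothing about NightVision's internals.

```python
import math
from typing import Dict, List, Tuple

Features = Tuple[float, float, float]  # (size_kb, writes_to_windows_folder, is_signed)

# Constructed training corpus (hypothetical, not Avira data). The three features
# mirror the blog's generic rule; the labels are what an analyst already knows.
TRAINING: List[Tuple[Features, str]] = [
    ((3.0, 1.0, 0.0), "malware"),
    ((4.5, 1.0, 0.0), "malware"),
    ((2.0, 1.0, 0.0), "malware"),
    ((40.0, 0.0, 1.0), "clean"),
    ((120.0, 0.0, 1.0), "clean"),
    ((4.0, 0.0, 1.0), "clean"),  # small but signed and leaves the Windows folder alone
    ((2.5, 0.0, 1.0), "clean"),
]

def generic_rule(size_kb: float, writes_windows: bool, signed: bool) -> bool:
    """The blog's hand-written rule: file_size < 5kb & writes_to_windows & not signed."""
    return size_kb < 5 and writes_windows and not signed

def _scaled(f: Features) -> Features:
    # Compress the size axis so a few kilobytes do not outweigh the two flags.
    return (math.log1p(f[0]), f[1], f[2])

def distance(a: Features, b: Features) -> float:
    """Euclidean distance in the scaled feature space."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(_scaled(a), _scaled(b))))

def malicious_probability(f: Features, k: int = 3) -> float:
    """k-nearest-neighbour estimate: share of the k closest known files that are malware.
    A file sitting inside a region made up only of malware scores 1.0."""
    nearest = sorted(TRAINING, key=lambda sample: distance(f, sample[0]))[:k]
    return sum(1 for _, label in nearest if label == "malware") / k

def classify(size_kb: float, writes_windows: bool, signed: bool) -> Dict[str, object]:
    """Compare the rule and the learned estimate for one unknown file."""
    f: Features = (size_kb, float(writes_windows), float(signed))
    p = malicious_probability(f)
    return {"rule": generic_rule(size_kb, writes_windows, signed),
            "probability": p, "learned": p >= 0.5}

if __name__ == "__main__":
    # A 9 KB variant of the family slips past the rule's size bound but not the kNN.
    print(classify(9.0, True, False))   # {'rule': False, 'probability': 1.0, 'learned': True}
    print(classify(3.5, False, True))   # small signed clean file: rule False, learned False
```

The 9 KB case is the polymorphism problem from the first two evolutions in miniature: a tweak that breaks a fixed threshold leaves the file's distance to the known family almost unchanged.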

boyjoo
Posted on 2014-11-4 20:28:57
An intelligently evolving antivirus robot
诸葛亮
Posted on 2014-11-4 20:56:27
Really looking forward to it
八连杀
Posted on 2014-11-4 21:03:11
I didn't get it; is this just like 360's QVM artificial-intelligence engine????
s22962000
Posted on 2014-11-4 21:49:04
boyjoo posted on 2014-11-4 20:28
An intelligently evolving antivirus robot

360 QVM
欧阳宣
Posted on 2014-11-4 22:06:47
You should have told me, I could have translated it in minutes. Bing's translation is unreadable.
boyjoo
Posted on 2014-11-4 22:24:13
The Germans definitely won't do the "Digital" (360) kind of artificial intelligence; Digital's part is still done by hand.
Red Umbrella (Avira) should be mostly fully automatic....
mefanfine
Posted on 2014-11-4 23:07:12
Download link, download link... sigh, born in beta and dying in beta; running a beta and fiddling with it every day, I give up.
aaa839
Posted on 2014-11-4 23:12:21
This post was last edited by aaa839 on 2014-11-4 23:17

Night Vision is one of the modules in APC... (A.I.)
The part mentioned in the article is precisely a review of APC's current development direction

驭龙
Original poster | Posted on 2014-11-5 07:57:03
欧阳宣 posted on 2014-11-4 22:06
You should have told me, I could have translated it in minutes. Bing's translation is unreadable.

This thing reads better in the original; I'll @ you next time.