Threat intelligence-sharing platform VirusTotal has unveiled new research showing how AI can be used by cyber defenders to enhance malware analysis.
Through the research, VirusTotal found that AI is extremely effective in analyzing malicious code, identifying 70% more malicious scripts than traditional techniques alone.
Researchers also observed that AI was up to 300% more accurate than traditional techniques at detecting attempts by malicious scripts to target a device with a common vulnerability or exploit.
These findings are part of a report titled, Empowering Defenders: How AI is shaping malware analysis, in which Google-owned VirusTotal analyzed hundreds of thousands of samples of malware over a six-month period.
Speaking at the new flagship cybersecurity center in Europe, the Google Safety Engineering Centre (GSEC) in Málaga, Spain, Vincent Diaz, Threat Intelligence Analyst at VirusTotal, said that the team understood that large language models were great at creating code, so wanted to explore how the AI model could understand code.
“Many of the [traditional tools] overlooked the thing that is not part of the incentive for detection because they are focused on endpoint protection. What happens with all the toolsets that the attackers are using though? They are still important to detect and flag the problem,” Diaz explained.
Within security there is also a tremendous amount of data, Diaz added, and by automating the processing of this you can directly flag what you want people to spend time on.
Democratizing Cybersecurity
Kate Morgan, Security Engineering Manager at Google’s Threat Analysis Group (TAG), commented, “We might have seen some of those threat actors use [AI] but the advantage is well in our court. The amount, especially Google, will be able to scale up and use AI to defend means the advantage is completely ours.”
In addition, the European Union has stated that it needs 200,000 more cybersecurity experts than are available. Malware analysis is one of the most in-demand skills and requires highly technical ability that is often only available for the biggest and most well-resourced security functions.
According to Google, the research released today shows how AI can help make malware analysis faster, more accurate and more accessible for those without highly specialized knowledge or experience: in turn, increasing the protections available to organizations across Europe.
AI tools are able to explain to the analyst in simple language whether the code is malicious and what it is intended to do.
"The amount, especially Google, will be able to scale up and use AI to defend means the advantage is completely ours”
Is AI Generating Malware?
One of the greatest concerns surrounding threat actors’ use of generative AI is the possibility that it could be used to easily create malware.
Many cybersecurity experts acknowledge that AI can be used to create highly effective social engineering campaigns, but questions still remain around whether it is being used to write malware.
Diaz said: “When you write source code, where is the code coming from? You copy and paste it from somewhere, from your colleague, or it is from AI that is producing samples. So, it is very difficult to know if something is AI generated.”
“We could not find anything that provided that [malware] is being produced by AI,” he added.
In an analysis of the ransomware landscape, Dr Max Smeets, Co-Director of the European Cyber Conflict Research Incubator, said, “Where we see the future is going is one in which [ransomware gangs] will inevitably rely more on AI tools to improve their operational activity.”
“This can be as simple as using large language models to write better phishing emails… The other thing where we will see development is for them to be able to understand big datasets. They are acquiring all this data and have to think through ways in which they can make sense of this data. They will certainly move towards AI to help them do that.”
Regarding the use of AI by defenders, Smeets said that there is now a move away from detecting code snippets to identifying entire patterns of behavior.
VirusTotal and Google in Malaga
VirusTotal is a Malaga-born former startup that was acquired by Google in 2012 and is now the leading crowdsourced threat-sharing platform on the planet.
Google launched its new flagship cybersecurity center in Europe, GSEC, in Málaga on November 29, 2023.
Up to 100 Google engineers and staff will work on-site from a variety of Google teams, including the VirusTotal team.
Google teams will work directly with European policymakers, cyber experts, academic institutions and businesses to combat threats and deliver digital skills development and training.
The center will compliment two already established in Europe, one in Dublin and the other in Munich.