
SOPHOS/INVINCEA ML ENGINE UPDATE FREQUENCY

Hello all,


In our recent tests with Intercept X we noticed, in an offline test of zero-day .exe malware samples, that the ML Engine (Deep Learning) has surprisingly low detection rates as compared to Cylance. When can we expect new models to come into the Invincea engines for Intercept X clients?


Machine Learning Engine: 1.3.0 / 1.3.0
Machine Learning Model: 20171127 / 20171127

When and how frequently does Sophos plan to update these, as it is looking like detection rates are starting to recede, sadly.

75% of zero-days were blocked offline. Which is good, but where's the 97%+ promised?

  • Hello Secronis,

    Would you be able to provide samples/hashes of the files you tested so we can investigate the results for you?

    If you just email them to samples@sophos.com and let me know when you have done it, that would be great. If you private message me the email address that you send them from, I will be able to track them down and have SophosLabs look into them for you.

  • Hi Secronis,

    Sorry for the late reply. We have looked at both those files and confirmed that the current Deep Learning threat model does not detect these, as you said. Both these files are from an older malware family, but the files themselves are new. When they were first seen a couple of weeks ago, we added a Mal/Generic-S detection so our Endpoint product would detect these via on-access scanning when they are read/written to a machine (this is done via our Live Protection feature and does not require an IDE file to be updated). However, even without this, and even when we had never seen these files before, if they had been executed they would have been automatically detected by the Endpoint product as Mal/Emogen-Y and HPmal/Zbot-k. This is without any updates being needed (i.e. zero-day protection).

    Naturally we would want the Deep Learning model to catch these as well, but I'm sure I don't need to tell you that security is about layers. There is a layer created for each type of threat and no one layer will catch everything. There is no silver bullet when it comes to malware. The fact is, if you were using Sophos Endpoint with Intercept X and had all our features enabled, this attack would have failed without the need for any updates.

    To answer your other question, we expect to update the Deep Learning threat model about once a month, but this depends on lots of variables.

  • Great and thanks for the reply. Once a month is hard with deep learning.
