A Self­learning Av Scanner

The nonzero "response time" of AV technologies offers a lacuna for hackers to exploit. By the time an AV company responds with a signature to detect a malicious sample, a hacker may release thousands of new variants. We present a self-learning AV scanner that effectively zeroes the response time needed to detect variants. The scanner uses methods from information retrieval research to determine whether a suspected sample is a variant of existing, known variant using an inexact match approach. The system is self-learning in that it is trained initially on known malicious samples in the AV research lab, but in the simplest case the knowledge base is not updated automatically. Utilizing the inexact matching properties of the scanner, this paper introduces several schemes for implementing automatic self-learning on top of the basic Vilo system, both for “in the cloud” learning and by integrating it into existing end-point scanners.