Stopping the New and Unknown

Machine Learning, often referred to as ML, is a signatureless technology that can block new malware variants before the execution stage. Symantec uses ML at various layers in our security stack to protect customers from cyberthreats. These layers have been designed to both proactively protect against a suspicious file, OS event, registry entry, URL or network activity seen by our products - including Endpoints, Gateways and in our backend analytics platform. 

Symantec has the ability to dynamically analyze new content as soon as it's available with a comprehensive set of threat scanning engines, feeding the data into the Symantec Global Intelligence Network (GIN). Symantec uses this security telemetry, gathered from millions of endpoints, gateways, and threat-related data feeds from third-party security vendors, along with a rich set of clean files to train and evaluate various ML models.  

Zero-day Protection is Critical

In addition to the analytics platform, we also apply a Cloud Sandbox Analysis Engine (rather aptly named "Cynic") running multiple ML models and Clustering algorithms to classify and cluster files according to their threat type, risk potential, dynamic and static metadata, and behavior. Symantec analyzes customer submissions using both automated systems and human malware analysts and the intelligence is fed into ML training models for improving classification efficacy. 

Our multi-model Advance Machine Learning technology runs on various file types, in both 32-bit and 64-bit avatars to provide actionable analysis. Where gaps in protection are identified, they are analyzed by backend ML models and blocked through Reputation lookups. The primary objective of Symantec Advanced Machine Learning is to protect against new and unknown malware, commonly known throughout the industry as Zero-day attacks. 

After rigorous testing these ML models are then deployed in numerous products and in our backend analysis systems to detect new and unknown threats. This is where ML excels.

In the last quarter alone, Symantec's Advanced Machine Learning blocked almost 23 million threats on Symantec Endpoints and Gateway products. Around 3.9 Million of these blocks were against Zero-day attacks - i.e. never before seen by any of our security products or protection technologies. This is what is meant by "proactive" protection, as opposed to "reactive".  Proactive protection is the panacea against cyberthreats and the bane of would-be cybercriminals everywhere.

During the past quarter Symantec Advanced Machine Learning provided the following protection:

• 13.5M threats blocked by Symantec Advanced ML on our Gateway products
• 9.3M threats blocked on Endpoints
• 3.9M Zero-day threats were blocked by ML, including:
  • 9K Ransomware (Cerber, Cryptodefence, Gandcrab, Ryuk, Wannacry, Zombie, etc.) 
  • 512K Trojan (Emotet, Cridex, Whispergate, etc.)
  • 160K Win32 (Qakbot, Fujacks, Expiro, etc.)
  • 230K Backdoors (Cobalt, Limitail, Berbew, etc.)
• 1.1M browser-based threats were blocked on Endpoints - 32% from Chromium, 24% from MSEdge and 15% from Firefox
• 731K threats launched through command line to download and execute malicious files were blocked on Endpoint products
• 585K threats were blocked attempting to enter the system from external sources such as USB drives
• 200K attacks blocked using SMB for network file sharing
• 105K threats blocked which were downloaded using peer to peer (P2P) networking programs such as Anydesk (RDP), Utorrent and Bittorrent
• 5.9K threats downloaded using Scripting host (Powershell/csript/wcript) blocked

For information on how Symantec protects you from the latest threats visit Symantec’s  Protection Bulletin where we share new threat information and deep dives on our protection technologies.  See the links below for more information on the technologies discussed in this blog.

Learn more about how Symantec Endpoint Protection uses AML

Learn more about Symantec Endpoint Security 

Learn about the Symantec Cloud Sandbox Analysis Engine (Cynic) 

A version of this blog first appeared on the Symantec Protection Bulletin. The Protection Bulletin was created to better communicate our proactive protections against new, unknown threats. It also offers "Protection Highlight" bulletins for in depth insights into how Symantec products and technologies prevented attacks.