The Windows Club

Machine Learning capabilities of Windows Defender in Windows 10

In its latest bid to offer increased protection against the security threats facing consumers today, Microsoft has improved the functionality of its own built-in anti-virus, Windows Defender in Windows 10. The tool aims to make Windows 10 the most secure client operating system while also addressing the critical issue of false negative and false positive detections, via a newly designed automation pipeline that employs multiple tools and technologies to process malware and unwanted software. These include:

  1. Machine learning
  2. Clustering
  3. Cosmos
  4. Azure and Cloud

Machine Learning in Windows Defender

Apart from including several new technologies, it also offers machine learning capabilities. Machine learning is a technique that helps human analysts deal with the innumerable malware samples they receive. A classic example is the clustering process. After a similarity function is designed based on the features extracted from the samples, the malware samples can be categorized into groups whose members exhibit similar characteristics, while dissimilar samples fall into different groups. Analysts can then focus on these groups rather than on individual samples.

Before any of this, it is the automation process that helps detect malware when it is first encountered. In particular, the process allows researchers to write better generic detection signatures and devise clean-up routines, produce malware eradication strategies, and identify control points to take malware down.

Upon detection, a suspicious file is extracted and run within a virtual environment. The automation process then helps sort the sample into one of the following classes:

Each of the above classes is routed to a specific output. For instance, a file flagged as malware is automatically shipped to Microsoft’s cloud engines for protection. Customers who have the Microsoft Active Protection Service (MAPS) enabled benefit from being better protected against the latest threats.

Every week new variants of malware appear, and they mutate to evade detection. Detecting such variants with complex detection signatures can become a daunting task. The automation process helps release the best type of generic signature for a given file or cluster of files, and the metrics attached to an automated signature can then be easily analyzed.
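The clustering step described under "Machine Learning in Windows Defender" and the per-cluster generic signature mentioned just above can be illustrated with a small, self-contained example. This is added example code, not Microsoft's or Windows Defender's implementation: the feature sets are constructed, the similarity function is Jaccard similarity, and the grouping is single-linkage clustering at a chosen threshold; the intersection of a cluster's features is what a generic signature would be built from.

```python
from itertools import combinations

# Constructed feature sets for five hypothetical samples (not real malware data).
# Features are tags an analysis pipeline might extract: imported APIs, strings, PE traits.
SAMPLES = {
    "sample_a": {"str:autorun", "api:RegSetValueExA", "api:CreateFileA", "pe:packed"},
    "sample_b": {"str:autorun", "api:RegSetValueExA", "api:CreateFileA", "api:WinExec"},
    "sample_c": {"api:InternetOpenA", "str:http://", "api:URLDownloadToFileA"},
    "sample_d": {"api:InternetOpenA", "str:http://", "pe:packed"},
    "sample_e": {"api:GetTickCount", "api:Sleep"},
}


def jaccard(a, b):
    """Similarity function: shared features divided by all features of both samples."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(samples, threshold=0.5):
    """Single-linkage clustering: two samples join the same group whenever their
    similarity reaches the threshold; union-find merges groups transitively."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if jaccard(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def shared_features(samples, group):
    """Features common to every member of a group: the basis for a generic signature."""
    common = set(samples[group[0]])
    for name in group[1:]:
        common &= samples[name]
    return common


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(group, "->", sorted(shared_features(SAMPLES, group)))
```

Raising the threshold splits loosely related samples into separate groups, which is the trade-off an analyst tunes between a signature that is too broad and one that misses variants.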

Read: Is Windows Defender sufficient and enough for Windows 10.

Classifying malware families

If the automation system fails for some reason and cannot identify the real malware family with certainty, it assigns the malware a generic, synthetic family name. The family names for automation-classified malware are:

  1. Dorv
  2. Pocyx
  3. Toga
  4. Skeeyah
  5. Dynamer
  6. Anaki
  7. Bagsu
  8. Beaugrit
  9. Bulta
  10. Tefau

Individual threats within these families usually follow the format:

Trojan:Win32/<family name>

Using automation helps Microsoft detect and remove malware and unwanted software faster and better protect its customers.

To ensure you are getting the latest protection, keep your real-time security software, such as Windows Defender for Windows 10, up to date, and ensure that the Microsoft Active Protection Service (MAPS), which uses cloud protection to help guard against the latest malware threats, is enabled.