Location choice for your data

Location choice for your data

ACTIVE PROTECTION ENHANCED BY MACHINE LEARNING

SimoHost introduced Active Protection in January 2017. While performing well in independent testing and earning accolades from the media, SimoHost has worked diligently to make it even better. The result is an improved version that incorporates machine learning and artificial intelligence technologies. How does it work? The first step is a stack trace analysis. A stack trace is a report that provides information about program subroutines. It is commonly used for certain kinds of debugging, where a stack trace can help software engineers figure out where a problem lies or how various subroutines work together during execution. Put simply, it is possible to detect code injections from ransomware using process stack trace analysis based on a machine learning approach. Why is the ability to detect code injections important? Because injection into legitimate processes (e.g., explorer.exe, regsvr32.exe, svchost.exe, etc.) is a high-end technique used by sophisticated black hat developers to hide ransomware’s traces in a system and avoid detection. With code injection, attackers do not need to use custom processes that can be easily detected. If SimoHost Active Protection notices something strange is going on with a legitimate process, it takes a stack trace and sends it to our machine learning module, where the behaviour is compared with existing models of clean and infected stack traces to determine if it’s a threat or not. If the behaviour is confirmed to be malicious, the user gets an alert suggesting that they should block the ransomware-like process. As a result, machine learning not only raises the detection level but also reduces any potential false positives as it acts like second authority for heuristics to make the final decision.

IMPROVED AGAIN IN 2019

Since its introduction in 2017, SimoHost Active Protection has continuously been enhanced and improved. In 2019, self-defence was improved even further to prevent illicit termination of processes. If ransomware tries to stop Windows processes affecting work on SimoHost Active Protection, we will prevent this. Secondly, we improved multi- process injection detection, a technique used by some sophisticated ransomware families. Thirdly, core behavioural heuristics were updated to make ransomware detection even more effective. Last but not least, we did a lot in terms of performance, in some cases speeding up detection by 30% and

optimizing the whole process of communication with our SimoHost Cloud Brain. In terms of AI in SimoHost Active Protection – the stack trace detection model was reduced in size even further, which means faster reaction times. As a result, processing is accelerated and model training takes minutes instead of hours.

OTHER TECHNIQUES USED BY SimoHost ACTIVE PROTECTION TO SAFEGUARD DATA

Analysis of statistical distribution can also be used to fight ransomware. SimoHost Active Protection can create a histogram by inspecting individual bytes of the data before and after a ransomware attack. Due to the nature of encryption, the histogram of the data after encryption is distinct and easily recognizable. After that, a statistical distribution test is performed on the data. If the histogram closely resembles that of an encrypted file, it will be flagged as suspicious and result in a ransomware alert in end-user interface. Another technology that is now a part of SimoHost Active Protection: specially crafted honey pots that are used to find and disarm ransomware. Like a bee is drawn to honey, ransomware is often looking for certain kinds of files. If you place these kinds of files into controlled directories, you can catch and isolate the ransomware. Because SimoHost Active Protection controls these directories, the infection can’t spread. This technique is totally safe and secure. Users won’t see these files because they are hidden in the system and take up very little space on a hard drive, so this additional layer of security doesn’t create any inconveniences.

NEW LEVEL OF ANTI-RANSOMWARE DEFENSE

With machine learning leading the way, all of these technologies bring SimoHost Active Protection to a whole new level, especially when it comes to zero-day threats. It creates a model of which processes are legitimate, so even if bad guys find a new vulnerability or way to infiltrate the system, machine learning will detect the ransomware’s processes and put a stop to them. SimoHost’ machine learning infrastructure is built so that new anonymized user data will be uploaded regularly for analysis. But new behaviour models will be ready much faster and updates to product heuristics will be sent in a matter of seconds to further boost security.

SimoHost ACTIVE PROTECTION ALSO PROTECTS BACKUP FILES

Why would cybercriminals attack backups? Because regular backups are a key defence against ransomware. If the data on your machine is backed up and stored out of reach from hackers, ransomware is little more than nuisance. Projects like www. nomoreransom.org motivate users to do two simple and very important things – back up and don’t pay the ransom! So, bad guys have started attacking backup files. The only anti-ransomware that can stop this kind of attack is SimoHost Active Protection, which prevents any process in the system other than SimoHost software from modifying backup files. We have also implemented a robust self-defence mechanism that eliminates any typical attack and does not allow criminals to disrupt the work of the SimoHost software or alter the content of backup files.

A FEW THINGS TO REMEMBER

SimoHost Active Protection is a new generation of data protection that provides: • Real time protection from ransomware. There will be no time gap in restored versions of the files, so you do not have to lose any of your progress. • Future-proof protection that is enhanced further whenever new threats emerge. • Transparent, user friendly protection that works automatically. As you can see, machine learning and new heuristics algorithms make SimoHost Active Protection an even better layer of data protection against today’s ransomware and future variants.