VoodooShield uses ML.NET to detect malware
Customer
VoodooShield
Products & services
ML.NET
Visual Studio
WinForms
Azure SQL Database
SQL Server Management Studio
Windows Server
IIS Web Server
Windows 10 Pro
Industry
Technology
Organization Size
Small (1-100 employees)
Country/region
United States
VoodooShield is a tangible toggling computer lock for cybersecurity that offers many advanced features not found in traditional application allowlisting products. It's designed to complement traditional and next-gen antivirus software, including Microsoft Defender. Using a combination of dynamic security postures, an antimalware contextual engine, an advanced file reputation service (WhitelistCloud), and machine learning-enabled static feature analysis, VoodooShield automatically locks your computer when it is at risk.
Business problem
Organizations can no longer rely solely on traditional allow-by-default cybersecurity products and need to move towards a zero-trust security posture. The degree of protection applied to a system or endpoint is highly dependent on the threat level. In most cases, constantly operating at a high threat level is inconvenient and costly. Although high levels of protection can help minimize the risk of a breach, they add friction and interruptions to existing workflows. Conversely, operating at a low threat level increases the likelihood of a breach occurring. Therefore, it's important to have dynamic security postures that act on the threat-level context, not only blocking threats but also auto-allowing what needs to be allowed. The transition to zero trust is not an easy one. VoodooShield simplifies that transition. Using a variety of techniques, including machine learning, VoodooShield detects malware in real time and provides end users with file insights so they can make an informed decision on whether to allow or block files.
Why ML.NET?
VoodooShield has been using machine learning solutions since 2015. While their previous solution worked extremely well for them over the years, they were recently notified that it was going to be retired soon. They researched various new machine learning platforms and found that ML.NET was a perfect fit for VoodooShield. As part of their research, they noticed that machine learning algorithms have progressed significantly in the past seven years. The result has been unprecedented malware detection efficacy along with a significant reduction in false positives.
"ML.NET integrated into our solution perfectly and seamlessly."
Impact of ML.NET
Since using ML.NET, VoodooShield's malware detection rate and false positive rate have both improved dramatically. Because all machine learning analysis is now performed on the local computer instead of in the cloud, VoodooShield is able to provide file insights much more quickly than before. Using ML.NET tools like Model Builder made it easy to validate whether ML.NET could solve their problem. As a result, they were able to go from experimentation to production in a matter of weeks.
Solution architecture
Data
The data used to train models comes from various sources such as malware repositories and online services. The training set, about 1.2 GB of data or about 500,000 samples, is made up mainly of portable executable (PE) files. The dataset has about 224 features containing metadata and descriptive information about each of the samples. VoodooShield relies on Model Builder to assist them in choosing the data transforms, such as OneHotEncoding and FeaturizeText, that prepare their data for training.
Evaluation and consumption
When training completes, several of the top models chosen by Model Builder are evaluated against a test dataset to choose which one performs best against "real" data. Once the best model is identified, it is integrated into their desktop application to provide real-time malware analysis and recommendations to end users on whether to block or allow certain files on their computer.
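The data-preparation, evaluation and consumption flow described above, as an added ML.NET example that is not VoodooShield's own code: it applies the OneHotEncoding and FeaturizeText transforms the page names to PE metadata, scores a held-out split, and serves a block/allow recommendation. The five feature names, the constructed synthetic samples and the SDCA logistic-regression trainer are assumptions; only the Microsoft.ML NuGet package is required.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.ML;
using Microsoft.ML.Data;
// Constructed PE-metadata row; these feature names are assumptions, not VoodooShield's real 224 features.
public class PeSample {
    public string Machine { get; set; }      // categorical, e.g. "I386" / "AMD64"
    public string Subsystem { get; set; }    // categorical, e.g. "GUI" / "CUI"
    public string SectionNames { get; set; } // free text, e.g. ".text UPX0 UPX1 .rsrc"
    public float ImportCount { get; set; }   // numeric: number of imported APIs
    public float EntryEntropy { get; set; }  // numeric: byte entropy of the entry-point section
    public bool Label { get; set; }          // true = malicious (training label)
}
public class PePrediction { [ColumnName("PredictedLabel")] public bool IsMalicious { get; set; } public float Probability { get; set; } }
public static class Demo {
    // Constructed data: packed, high-entropy, import-poor samples are labelled malicious.
    static IEnumerable<PeSample> MakeSamples(int n, int seed) {
        var rnd = new Random(seed);
        for (int i = 0; i < n; i++) {
            bool bad = rnd.NextDouble() < 0.4;
            yield return new PeSample {
                Machine = rnd.NextDouble() < 0.7 ? "I386" : "AMD64",
                Subsystem = bad || rnd.NextDouble() < 0.5 ? "GUI" : "CUI",
                SectionNames = bad ? ".text UPX0 UPX1 .rsrc" : ".text .rdata .data .rsrc",
                ImportCount = bad ? rnd.Next(1, 10) : rnd.Next(20, 200),
                EntryEntropy = (float)((bad ? 7.0 : 5.5) + rnd.NextDouble()),
                Label = bad
            };
        }
    }
    public static void Main() {
        var ml = new MLContext(seed: 0);
        var split = ml.Data.TrainTestSplit(ml.Data.LoadFromEnumerable(MakeSamples(2000, 1)), testFraction: 0.2);
        // The transforms the page names: OneHotEncoding for categoricals, FeaturizeText for free text.
        var pipeline = ml.Transforms.Categorical.OneHotEncoding(new[] {
                new InputOutputColumnPair("MachineEnc", "Machine"), new InputOutputColumnPair("SubsystemEnc", "Subsystem") })
            .Append(ml.Transforms.Text.FeaturizeText("SectionsEnc", "SectionNames"))
            .Append(ml.Transforms.Concatenate("Features", "MachineEnc", "SubsystemEnc", "SectionsEnc", "ImportCount", "EntryEntropy"))
            .Append(ml.BinaryClassification.Trainers.SdcaLogisticRegression(labelColumnName: "Label"));
        var model = pipeline.Fit(split.TrainSet);
        // Held-out evaluation: for an allowlisting product the false-positive count matters as much as recall.
        var metrics = ml.BinaryClassification.Evaluate(model.Transform(split.TestSet), labelColumnName: "Label");
        Console.WriteLine($"AUC={metrics.AreaUnderRocCurve:F3} F1={metrics.F1Score:F3}\n{metrics.ConfusionMatrix.GetFormattedConfusionTable()}");
        // Consumption in the desktop app: one file's metadata in, a block/allow recommendation with confidence out.
        var engine = ml.Model.CreatePredictionEngine<PeSample, PePrediction>(model);
        var p = engine.Predict(new PeSample { Machine = "I386", Subsystem = "GUI", SectionNames = ".text UPX0 UPX1 .rsrc", ImportCount = 3, EntryEntropy = 7.6f });
        Console.WriteLine($"Recommendation: {(p.IsMalicious ? "BLOCK" : "ALLOW")} (p={p.Probability:F2})");
    }
}
```

The confusion matrix printed after evaluation is where to read the false-positive count, which is the figure an allow/block recommendation has to keep low before a model is shipped to end users.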
Ready to get started?
Our step-by-step tutorial will help you get ML.NET running on your computer.