Friday, August 04, 2023

Crowdsourced AI += NICS Lab

We are pleased to share that NICS Lab, a security research group from the Computer Science Department at the University of Malaga, is joining the Crowdsourced AI initiative at VirusTotal. By extending our capabilities using a different AI model for processing PowerShell files, NICS Lab not only strengthens our collective understanding of the code and its behavior, but also provides verdicts on the potential threat level of each file according to model criteria - categorizing them as malicious, suspicious, or benign.

As a reminder, Crowdsourced AI is VirusTotal's initiative that taps into the power of diverse AI models and community contributions to fortify our cyber defense strategies. Just two weeks ago, we announced the integration of Hispasec's solution, which is specifically designed for analyzing Microsoft Office documents. As we have explained in the past, these solutions based on AI LLMs can make mistakes, but their contributions are very valuable in complementing other technologies in the analysis and detection of new threats.

This time, the solution offered by NICS Lab serves as a complement to the code explanations already generated by Code Insight, which is based on Google PaLM. As a result, numerous PowerShell file reports will now benefit from the insight of solutions based on two distinct AI models. This essentially encapsulates VirusTotal’s strategy of embracing diverse threat detection solutions to improve understanding and risk assessment.

Let's explore a few examples:

In this first showcase, we see that two analyses appear in the Crowdsourced AI section: one from NICS Lab and the other from Code Insight. In the case of the former, in addition to the explanation about the file's behavior, we can observe the "Malicious" verdict highlighted in red.


Similar example, this time with a ransomware case. Here we can see how both models, despite aligning on the overall analysis, complement each other by providing diverse details. The first model, for instance, outlines the file extensions that are encrypted by the ransomware, while the second model highlights the email where the ransom is demanded.


The next example shows how the models behave when analyzing a PowerShell file where attackers obfuscated the code by separating the text strings that constitute the instructions, and using a function to replace the encoded strings with their actual values at runtime.

As we can see, the sample manages to evade detection by antivirus engines, but the models succeed in deobfuscating its code, analyzing it, and providing an explanation of its behavior.


AI reports’ results are available via VT Intelligence, allowing the use of the "nics_ai_analysis:" modifier to search into the resulting AI’s output, and "nics_ai_verdict:" to search by verdict - malicious, suspicious, or benign. As an example, below we show the results of searching for NICS Lab reports where "telegram" is mentioned and the verdict is "malicious". This search is performed using the following query: nics_ai_analysis:telegram and nics_ai_verdict:malicious.

Here is the analysis of the first file that appears in the previous search:


Similarly, the rest of AI models have specific search parameters, such as "hispasec_ai_analysis:", "hispasec_ai_verdict:", and "codeinsight:". Moreover, there are two additional parameters that enable simultaneous searching across all Crowdsourced AI models: "crowdsourced_ai_analysis:" and "crowdsourced_ai_verdict:".

We want to express our gratitude to NICS Lab, for their contribution to the VirusTotal Crowdsourced AI initiative, and congratulate the School of Computer Science and Engineering of the University of Malaga for launching Spain's first-ever degree combining Cybersecurity and Artificial Intelligence. As we forge ahead, welcoming more contributors with diverse skill sets, we remain steadfast in our commitment to building a collaborative, powerful, and diverse defense strategy to tackle the ever-evolving cyber threats. We encourage others to join us in this endeavor.


Post a Comment