Research from Gartner

Emerging Technologies: Emergence Cycle for AI in Security for Malware Detection

This “early signal” research offers a deeper dive into early-stage AI innovations focused on malware detection use cases. Security product leaders should track these new developments to make critical decisions on product roadmap competitiveness and evolution.

Overview

Key Findings

• Artificial intelligence (AI) methods and techniques are being integrated into products in all security market segments, making this technology, in aggregate, the largest impact on malware detection development for the next five to eight years.
• Across security market segments, upcoming development in malware detection based on AI technology is clustered into six technology use-case groups: endpoint, performance monitoring, modeling, encrypted, ransomware and code analysis.
• The six technology use-case groups are at different states of maturity, meaning AI technology for some use-case groups will be available in products sooner than others. AI technology’s impact on malware detection products will be felt in waves over the next eight years, first with endpoint and performance monitoring and later with further innovations in ransomware and code analysis.

Recommendations

As a security product leader incorporating AI into your malware detection offerings and roadmaps as emerging technology, you should:

• Prepare for the capital investment for the infrastructure required to host and analyze data lakes. Most AI implementation for malware detection requires a data lake to store and analyze data. Although determining the right data to analyze will be more technically challenging, planning for the capital investment of the data lake often takes longer and involves adjustments to the business.
• Start your AI investment for malware detection with modeling and encrypted use cases. These use cases are foundational to AI-based malware detection.
• Strike a balance between developing AI technology to keep up with competitors and foundational technology that can fuel multiple use cases. Be wary of AI development projects for long-range use cases that still contain a great deal of uncertainty.

Analysis

The relative importance of malware detection became clear when conducting research for this document’s companion, Emerging Technologies: Emergence Cycle for AI in Security. At the highest level, malware detection examines a file, object or payload for its content, using AI, to determine whether or not it is malicious. This broad area has relevance to multiple security segments, including:

• Cloud access security brokers (CASBs)
• Cloud workload protection platforms (CWPPs)
• Endpoint detection and response (EDR)
• Endpoint protection platforms (EPPs)
• Extended detection and response (XDR)
• Intrusion prevention systems (IPSs)
• Network detection and response (NDR)
• Network firewalls
• Secure email gateways (SEGs)
• Secure web gateways (SWGs)
• Web application firewalls (WAFs)

This research expands the large malware detection group, further dividing it into the following subgroups and mapping them onto their own AI emergence cycle:

• Endpoint
• Performance monitoring
• Modeling
• Encrypted
• Ransomware
• Code analysis

Detailed definitions of each subgroup are provided in the sections below.

Gartner uses several data sources (e.g., VC investments, patent submissions, case examinations, etc.) to identify upcoming innovations. This document will highlight some of the most compelling AI developments we discovered that are targeted for security use cases and appropriate for security products and services. Security product leaders should use these early indicators to identify new and potentially disruptive innovations. These early signals will inform security product leaders about evolutions in the security market with enough time to incorporate them into product development or to develop mitigating actions should the decision be not to develop. While individual investments, patent submissions or filing organizations are not revealed here, this information can help strengthen competitive posture and serve to justify internal development or external partnership investments.

The groupings are based on innovations seen currently in play; the same research exercise done in the future is likely to result in different use-case groupings. As such, the use-case groupings should have application across multiple security market segments. Data used to create each grouping is drawn from organizations in disparate security market segments and sometimes even outside of traditional security market segments.

The emergence cycle in Figure 1 highlights AI for security innovations grouped around malware detection use cases. An emergence cycle represents the development of a technology from ideation through R&D. The position on the cycle represents the time since the innovation was initiated (x-axis) and the R&D maturity of the emerging technology or trend topic (the “quantified emergence maturity [QEM]”; y-axis). The position is set primarily based on U.S. Patent and Trademark Office submissions relevant to AI in security (see Note 1 for more details).

Figure 1: Security AI Emergence Cycle — Malware Detection

Table 1 shows the malware detection emerging technology groups by phase in the emergence cycle.

Table 1: Malware Detection Emerging Technology Groups by Phase in the Emergence Cycle

Source: Gartner (October 2020)

AI in Malware Detection for Endpoint

Description

This group of malware detection uses AI insights specifically for endpoint detection of malware. This would have direct relevance to the EPP, EDR, CWPP and XDR markets, or, more generally, security products that run on the endpoint (including workloads). For the most part, this implies detection analysis is performed against fully formed files.

Impact Potential

This group will have most of its impact on four security segments: EPP, EDR, CWPP and XDR. Combined, these segments represent a large total addressable market on their own, making the impact of this grouping medium to high. Potentially hedging this group’s impact is the fact that vendors in most of these markets today already employ AI technology. The data here predicts further AI innovation in these markets, but may be viewed as a natural progression from the current development course.

Growth Potential

The endpoint group is positioned on the AI emergence cycle in the transition phase, indicating that these technologies are finding their way into security solutions now and for the next year or two. That does not mean that no AI innovation for endpoint malware detection will take place after two years, but it does mean that much of the innovation in this area is still imminent. This is the earliest wave of malware detection that will reach the market.

Implications for Security Product Leaders

• Endpoint-focused security product leaders who have not incorporated some AI methods into their near-term roadmaps or already have AI in their product offerings are late. To take advantage of this wave, late product leaders should look to partner with another vendor to license their technology or acquire AI technology right away.
• Endpoint-focused security product leaders who already have some AI methods in their products should continue to develop and innovate, expecting competitors to do the same. AI technology today is likely to fall behind innovations coming in the next two years.
• Ideas for new AI innovation in endpoint may be sourced for other AI in malware detection groups. Use some of the other groups in this emergence cycle to plan for future innovation.

AI in Malware Detection Through Performance Monitoring

Description

This group of malware detection uses AI insights on device performance changes to detect malware. Rather than directly examining a file, these innovations focus on the indirect clues malware leaves as it runs, such as slowing down the device, too much memory consumption and so on. Significant performance events, whether sourced from logs or from direct observation, are the key analysis. Anomalies in device performance, identified through AI analysis, are used to detect the presence of malware.

Impact Potential

Much like the endpoint group, most of the technology here is likely to be focused on the same four security segments: EPP, EDR, CWPP and XDR. That makes the impact medium to large. This technology is unlikely to create a new security segment on its own, but is more likely to become a feature of technology in existing security segments. Product leaders with EPP, EDR, CWPP and XDR offerings should keep an eye on these methods, making room for them in product roadmaps.

This technology is more likely to uncover weak malware signals that may require additional investigation or analysis before being labeled as an actionable insight for end users. Security offerings that are more closely aligned with incident response and hunting workflows are more likely to use these methods at first.

Growth Potential

The performance monitoring group is also in the transition phase of the AI emergence cycle, but a little further out than the endpoint group. Some of this technology is likely to be in product offerings now, but the majority of innovations are probably a year or two out. Given the potentially high impact of this group, this is a technology that should be considered by most security product leaders. It is likely to grow quickly as a checkbox item for RFPs.

Implications for Security Product Leaders

• EDR, XDR and NDR product leaders should consider this technology for roadmaps very soon. As all of these segments increasingly rely on broad context for detection, this is a significant perspective that should be capitalized for discovery and investigation of weak signals.
• This approach might also be helpful in environments where endpoints are not managed or an agent cannot be used, such as IoT and OT. These segments are more likely to already have provisions to store and analyze large sets of data, and success here may be accomplished using or adapting existing AI methods.
• Other security product leaders could partner with security vendors in other segments to get access to this technology, as visibility of these weak signals is not likely to be a strong differentiator for offerings that do not focus on incident response (IR) or hunting workflows. These other product leaders should track these capabilities of other vendors in the market for the next two years, looking to release their own capability in three or four years.

AI in Malware Detection Through Modeling

Description

This group of malware detection assumes that models, developed and refined by AI analysis, will determine the presence of malware. Currently, vendors use unsupervised and supervised machine learning (ML) for this task. Data in this research points to expansion and innovation on top of these current techniques. This group usually requires a massive amount of data to discover patterns that lead to actionable models, but this grouping is not limited to AI analysis that requires data to be labeled. The models should directly predict malware from stronger signals. It is also possible that models could indirectly predict malware as well, potentially picking up weaker signals. Models based on behavioral observations could be set up to predict normal behavior. Then, the weaker signal of a deviation from normal could be deemed suspicious and lead to the detection of malware.

Impact Potential

This group of malware detection will be valuable to almost any security offering that can inspect files, objects or payloads for malware. This includes all of the security segments outlined in the general malware detection description. Hence, the impact is high because this technology could be applied to most segments of the security market.

Several of the current security segments with the ability to analyze large sets of malware data today — EDR, XDR and NDR — may already use AI to create models for malware detection. For these segments, these innovations will seem a continued and natural growth of existing product direction. Product leaders of these offerings should expect to continue to invest in AI to remain competitive and relevant because this technology is likely to appear here first.

Other security segments should consider augmenting current malware detection capabilities with this kind of technology as it matures. Much like sandbox technology is used as a feature of these offerings, modeling can offer similar value to buyers. This will require collection and analysis of massive sets of data, so if those capabilities are not part of the current roadmap, working them in soon is advisable. This is likely to be a large investment and probably a departure from current investment trends.

Growth Potential

The technologies and innovations in the modeling group are core capabilities that security product leaders should include in their product offerings. This group is part of the acceleration phase, which means development is ongoing and three to five years out. However, most security offerings using AI analysis today already make use of modeling. This indicates that a second wave of AI modeling is on its way, three to five years out. Security product leaders, especially development leaders, should plan to develop new AI models, potentially using newer and more sophisticated AI techniques. Given the signal that a second wave is coming, security product leaders should expect this technology discipline to grow in the coming years. Also, while this group appears to be in the middle of the emergence cycle, this is one subgroup with a longer tail on both sides of its peak. In other words, several of these innovations will come earlier and some will require more development investment in later years.

Implications for Security Product Leaders

• If not already part of their product offerings, security product leaders should plan for large data stores that can be used for malware detection modeling because this will be a core capability for many security segments going forward. Considerations for extracting data efficiently and legally (due to privacy concerns) should be of paramount importance, as well as developing cloud-based storage facilities. This is likely to be a multiyear process for most security providers.
• Given the critical nature of modeling — it is the most popular use of AI in malware detection today — this is not a technology that is an ideal candidate for OEMs. As modeling should be a core, differentiated component of an offering’s detection platform, it should either be developed or acquired.

AI in Malware Detection When Encrypted

Description

Recognizing that encryption is relatively commoditized and easy to enact today, more malware is attempting to hide from detection by encrypting or compressing itself. Encrypted or compressed files often evade signature-matching styles of detection. This group of malware detection focuses on encrypted (or compressed) files, objects and payloads, determining whether or not they are malicious without decrypting (or decompressing) them. This group may borrow methods or techniques that would otherwise have been grouped with endpoint, performance monitoring, modeling or code analysis subgroups. The reason those filings and patents are grouped here is because their sole use case is with encrypted files, objects or payloads.

Impact Potential

Similar to modeling, this category has broad applicability across almost all of the security segments mentioned. However, products that detect files and objects as payloads in network traffic are more likely to require these capabilities sooner. Much of the decryption and decompression is already complete by the time endpoint security offerings examine files. The security segments likely to benefit more from this technology sooner include CASB, IPS, NDR, network firewall, SEG, SWG and WAF.

Growth Potential

As the percentage of traffic that is encrypted continues to grow quickly on networks, we can expect that the percentage of encrypted files and objects is also growing. This also implies that malware will increasingly be obfuscated with techniques such as encryption. TLS 1.3 complicates some of the traditional, man-in-the-middle methods for decrypting traffic, further encouraging growth and maturity of technologies that can detect malware where the payloads are encrypted. This subgroup is poised to grow and is not in search of a reason to grow. This growth should be particularly strong in security segments where malware is detected directly from network flows.

Positioned in the acceleration phase of the AI emergence cycle, technologies that will help detect malware in encrypted files should emerge in two to five years. Similar technology is already used to inspect encrypted traffic (without decrypting) in many NDR offerings. These vendors are well-positioned to extend these techniques and utilize their experience with malware detection. Following innovations in this space, such as fingerprinting techniques built off of JA3 metadata, is a good way for security product leaders to familiarize themselves with some of the possibilities.

Implications for Security Product Leaders

• Product leaders should have a response to how they will detect malware in encrypted files, given the current course of greater use of encryption. The market trend to utilize AI for detection and development of this technology may take a year or more to reach early majority adoption.
• Security offerings that are particularly sensitive to the performance degradation from decryption — such as IPS, network firewall and WAF — may gain additional benefits of performance relief from this technology group. Using AI to detect files that are encrypted means the processing power that would have previously been used for decryption can now be used elsewhere.
• Security product leaders should consider their own options and exposure to encrypted and compressed files, objects, and payloads, planning to release and continuing to invest in this area of AI analysis. The technology here is still very immature, so there will not be many opportunities to resell this technology for a couple of years.

AI in Malware Detection for Ransomware

Description

The impact of ransomware as its own category of malware has sparked its own group of innovations. This group of malware detection uses AI analysis to detect ransomware. There are characteristics, behaviors and risks to storage that are unique to ransomware, encouraging many organizations to innovate specifically for this category of malware. This group inevitably borrows methods or techniques that would otherwise have been grouped with endpoint, performance monitoring, modeling or code analysis groups.

Impact Potential

Most security offerings claim to offer some help for ransomware, so innovations in this subgroup are likely to have broad applicability across all security segments. However, security segments that directly protect devices (usually meaning they are located on the devices as agents) — such as EPP, EDR and XDR — should benefit more. This is due to the fact that when ransomware attacks are successful, these solutions are more likely to be blamed for a failure to protect.

The focused nature of ransomware (one use case or one type of malware) makes its impact sensitive to the amount of concern that buyers have for ransomware. Spikes in newsworthy ransomware attacks will increase the impact of this technology. Conversely, a lack of ransomware reports in the news will lower the impact of this technology.

Growth Potential

The ransomware group is unexpectedly positioned in the initiation phase of the AI emergence cycle. This phase generally indicates that release of this technology into security offerings is five or more years away. Ransomware was a huge buyer concern three to four years ago, but interest has now waned compared to other threats. It is unclear that there will be a massive resurgence of ransomware in the next five years. Nor is it logical to assume that because many developers have initiated long-term development projects for ransomware, some pending threat is on the way.

While ransomware is relevant to all of the security segments outlined in this document, it is unclear that the evidence supports a need for additional development. Instead, security product leaders should consider ransomware a weak development signal that should be reevaluated in the next couple of years. It is more likely that development and experience learned from working with AI on relatively well-understood ransomware threats today will unlock insights that can be used on future, currently unknown threats.

Implications for Security Product Leaders

• EPP, EDR and XDR product leaders will require this technology more than other security segments and should have provisions for it in their roadmaps. When ransomware is successful, these products are more likely to receive blame for missing the detection. Because of this, there is more at stake for these products to successfully detect ransomware, and this technology will help.
• Expect innovations in this area to be features of existing solutions, as opposed to new offerings on their own.
• Security product leaders should monitor the market for uses of AI-based ransomware detection for malware detection. The time is not right to invest in these use cases at present, but they should be reevaluated for investment in the next two to three years.

AI in Malware Detection for Code Analysis

Description

Rather than analyzing the behavior of files or objects, this group examines the actual code, scripts or memory calls of files and objects. AI analysis is used on this metadata from the files and objects to detect malware. This appears to primarily be a static approach; simpler and non-AI forms of this technique are seen in some sandbox offerings today as additional analysis engines. This new AI-powered innovation could also be a feature of other security offerings, especially where limited compute power is available for detection. This implies that much of the AI analysis will not be done locally on the detection point. Instead, the insights from AI analysis performed in a cloud are applied locally. Note that while scripts are not compiled, reading source code from compiled applications is not practical in most cases. But examining the memory call activity (fingerprints) can be a useful observation point for this subgroup of innovations.

Impact Potential

This subgroup of malware detection is not restricted or otherwise synonymous with sandboxes, but if your security offering uses a sandbox service, this group is probably relevant to you. Because sandbox services are used by most of the security segments discussed in this section, the impact of this subgroup is broad. Malware-detection code analysis is another engine that can be used in sandbox services. Most AI analysis is done on collected data, looking for patterns or fingerprints that can be used where files or objects are about to be run. This analysis is probably offline and done in the cloud, before analysis of a single file or object occurs. This fits well as one engine in a sandbox service, but may have potential in real-time or limited compute resource environments that are not suitable for sandbox service.

Growth Potential

Code analysis is the furthest group from the likely release into security offerings. It is in the initiation phase and is not likely to see much introduction for at least five years. Code analysis, though potentially broad in its applicability across security segments, is still very focused on a very specific vector. Extremely few security offerings today have the ability to directly examine code, scripts or memory calls. This severely limits the growth of this innovation.

Implications for Security Product Leaders

• Security product leaders with sandbox and similar services available in their portfolio today should use this weak signal as a source of ideas for long-term roadmap consideration.
• Given the weak-signal nature of this approach, this technology may not be as well-suited for real-time detection and may be better-positioned as an intelligence feed if applied outside of sandbox solutions.
• Security product leaders should monitor the market for uses of AI-facilitated code analysis for malware detection. The time is not right to invest in these use cases at present, but they should be reevaluated for investment in the next two to three years.

Source: Gartner Research Note G00735652, By Analyst(s): Nat Smith, Rustam Malik, 27 October 2020