March 22, 2023 by Paul G. | Blog, Features, Shield Pro

MAL{ai} – Bringing Artificial Intelligence To PHP Malware Scanning

ShieldPRO has provided adaptive malware scanning for WordPress for several years already. We designed and built the engine ourselves and use a variety of methods to detect and remove false positives from malware scan results, leaving only malware or ambiguous code that could be malware.

It’s complex and costly to maintain in terms of infrastructure, and for quite some time we’ve been working on ideas for designing a much better system to completely replace the older one.

You’d need to have been living under a rock to have missed the shift of Artificial Intelligence (AI) from background noise to the fore in the minds of the global population.

This shift is huge, and will change everything.

We decided to do some deep research into how we could leverage the power of Artificial Intelligence to better detect and eliminate PHP malware from our WordPress sites.

First, A Reminder Of The Malware Hype

Before we go any further, we must state that our position on PHP Malware on a WordPress site hasn’t changed.

There is a lot of hype around PHP Malware & WordPress and frankly we see it used to manipulate people’s emotions by scaring them. The ability to scan for malware is a critical component of any security strategy, but it is by no means a panacea.

Remember, malware detection doesn’t actually improve your security posture. Detecting malware simply means that you have areas you must address because you’re vulnerable to intrusion.

Anyway, back to the discussion on our malware AI engine…

What Is Machine Learning As It Relates To PHP Malware Detection?

First let’s look at Machine Learning (ML).

Machine Learning is the process by which a computer develops its “intelligence” that it then uses to “think” like a human.

AI is the process of thinking like a human (or as close as it’s possible to do so) based on the knowledge (learning) acquired during the ML process.

All of this is to say that ML is what a machine does as it learns to think for itself.

So how can we apply this to Malware scanning and detection?

Well, we basically want a machine to be able to look at PHP code and determine either:

  • this is clean PHP; or
  • this PHP contains malware

If we can do this, then, in theory, we can automate PHP malware detection within files that have never been seen before.

It opens a door to powerful PHP malware detection, not only for WordPress, but absolutely anywhere. Of course, detecting PHP malware on a WordPress site is our primary focus, but that’s not where the story has to end.

How Our New Malware AI Engine For WordPress Works

We’ve built our v2.0 malware scanning engine, which we’re calling MAL{ai}.

We can now train MAL{ai} on known, existing malware files along with clean WordPress files, and also include some PHP malware false positives for edge cases.

After the training, we’ve managed to achieve a scanning accuracy of between 80% and 90%.

This means that if you were to provide our MAL{ai} engine with 10 malware samples that it’s never seen before, it could correctly predict at least 8 of them were malware.

This is exciting stuff!

The wonderful thing about a malware scanner that has the capacity to learn is that each time we discover new malware, we can feed this back into MAL{ai} to train on, making it even smarter.

If you’ve ever played about with the various AI tools available online, you’ll know that they’re not perfect and have always got room to grow. That’s how we’re looking at MAL{ai} … it’s not perfect, but 8/10 isn’t bad!

The Difference Between Known and Unknown PHP Malware

There are several components to our new PHP malware scanner for WordPress. One of which we’ve already discussed – MAL{ai} adaptive learning.

The other major component is keeping track of known PHP malware. After all, if the same malware file has been detected in 1 WordPress site, then it would make sense to leverage that knowledge for all other WordPress sites.

So one part of MAL{ai} is learning and adapting, while another part is keeping track of all malware discovered. Those file signatures can then be looked up at any time to discover whether a file is a known infection, in which case it doesn’t even need to be fed through MAL{ai}’s prediction engine.

We plan to hold a library of all malware reports we ever receive. At some point in the future we’ll look to opening this up for wider access. There are several options available to us with this, but we’ll first see how MAL{ai} develops over the next few months.
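The lookup-then-predict flow described above can be sketched as follows. This is an added example, not ShieldPRO or MAL{ai} code: the SHA-256 signature scheme, the function names and the keyword-weight scorer standing in for a trained model are all assumptions, and the PHP samples are constructed and inert.

```python
import hashlib
import re

# Constructed, inert PHP strings used only as scanner input (not real malware).
KNOWN_BAD = b"<?php eval(base64_decode('PLACEHOLDER-A'));"
UNSEEN = b"<?php eval(gzinflate(base64_decode('PLACEHOLDER-B')));"
CLEAN = b"<?php function greet($name) { return 'Hello ' . esc_html($name); }"

def signature(data: bytes) -> str:
    """File signature: SHA-256 of the exact file bytes (assumed scheme)."""
    return hashlib.sha256(data).hexdigest()

# Stage 1 store: signatures of files already confirmed as malware.
known_malware = {signature(KNOWN_BAD)}

# Stage 2 stand-in for a trained model: weighted indicators, score out of 10.
INDICATORS = [
    (re.compile(rb"\beval\s*\("), 4),
    (re.compile(rb"\bbase64_decode\s*\("), 3),
    (re.compile(rb"\bgzinflate\s*\("), 3),
]

def predict_score(data: bytes) -> int:
    return min(10, sum(w for rx, w in INDICATORS if rx.search(data)))

def scan(data: bytes, threshold: int = 5) -> dict:
    """Look up the signature first; only unknown files reach the predictor."""
    if signature(data) in known_malware:
        return {"verdict": "malware", "stage": "known-signature"}
    score = predict_score(data)
    verdict = "suspect" if score >= threshold else "clean"
    return {"verdict": verdict, "stage": "prediction", "score": score}

def confirm_malware(data: bytes) -> None:
    """Feedback loop: a confirmed detection becomes a known signature."""
    known_malware.add(signature(data))

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD), ("unseen", UNSEEN), ("clean", CLEAN)]:
        print(name, scan(sample))
    # A one-byte change defeats the exact-match lookup, so the predictor decides.
    print("known+newline", scan(KNOWN_BAD + b"\n"))
    confirm_malware(UNSEEN)
    print("unseen after confirmation", scan(UNSEEN))
```

The appended-newline case shows why an exact-match signature store cannot stand alone: any byte change produces a new signature, so the prediction stage has to cover modified copies of known files.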

Beyond PHP Malware…

To date, ShieldPRO has only scanned for PHP malware. We’ve never tried to do the same for other types, such as JavaScript.

If we get early success with our MAL{ai} scanner for PHP, we’re definitely going to look towards applying the same technology to JavaScript.

How To Get Hold Of Our MAL{ai} PHP Malware Scanning Engine

We’re just adding the finishing touches to the 1st version of our new PHP malware scanner for WordPress.

We’re going to release it into ShieldPRO 17.1 very shortly and while it won’t have all the features we’ve discussed in this article, many elements will be in place so that we can gradually roll out various components over time, as we monitor and adapt the system to usage and demand.

Comments and Suggestions

AI is an exciting topic, and Malware within WordPress is an emotive one. We hope this article helps you see where we’re headed with the ShieldPRO malware scanner and how exciting it is to be able to scan for PHP Malware more accurately on your WordPress sites.

If you have any comments or questions, please do leave a comment below and we’ll get right back to you.
