We are happy to announce the release of the Nexus Embedded AI SDK as a GA version. Nexus SDK is an embeddable AI-based technology that uses SentinelOne’s predictive models to classify files as benign or malicious based on their static characteristics, without signatures or cloud lookups. It is extremely fast (classification completes within milliseconds) and simple to use. It can be useful, for example, in network appliances, file servers, email gateways, cloud services and more. Nexus SDK also reports the characteristics found in the analyzed file that are indicative of maliciousness. For example, an executable may be classified as malicious due to its high entropy and unusual binary format.
There are plenty of use cases for which Nexus SDK could be valuable:
- Email / Web / Next-Gen Firewall Gateways – Detect file-based attacks by conducting a static analysis at network ingress points
- File servers / Shared Folders – Detect malicious files residing on file servers
- USB Kiosks – Scan for threats at a USB Kiosk upon plugging a USB device
- Sandboxing – Pre-scan files prior to sandboxing for better prioritization and use the SDK indicators and verdict as an additional factor to consider
- Cloud Services – Scan for threats in files backed up by enterprise file synchronization and sharing products, and provide embedded scanning of cloud storage
How does the Nexus Embedded AI SDK work?
SentinelOne implements an AI technology to detect threats in Portable Executables (PE), PDFs and Office documents. We extract thousands of characteristics from each of the millions of samples in our repository. Using a supervised learning approach, we produce a statistical model that encapsulates the correlation of the various features with malicious or benign files.
Figure 1: Generating the Statistical Model
For classification, the SDK then extracts the same features from a given sample, and the model predicts from the learned statistics whether the file is a threat or not.
Figure 2: Classification of a Given Sample Based on the Model
For each scanned file, the SDK classification determines the following:
- Verdict – Whether the analyzed file is Malware, Suspicious or Benign.
  - Malware – Files that the AI engine considers very likely to be malware. We recommend that access to these files be blocked.
  - Suspicious – Files that are suspected of being malware. These are low-confidence detections and the files should be reviewed.
  - Benign – Files that the AI engine detects as benign.
- Score – Maliciousness score given to the analyzed file.
- Indicators – The scanned file characteristics that contributed to the AI verdict. Among these indicators are:
  - High file entropy
  - Existence of specific packers
  - File overlay
  - Improper file format
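To make the indicator list concrete, here is an added example (not code from the Nexus SDK or SentinelOne) of a toy static extractor that computes four of the indicators named above for a PE file: file entropy, a well-known packer's section names, bytes appended past the last section (overlay), and a malformed header (improper file format). The entropy cut-off, the UPX section-name heuristic and the constructed sample files are assumptions for illustration only; the SDK's actual features and thresholds are not given on this page.

```python
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cut-off for this example; the page does not give the SDK's thresholds

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())  # bits per byte, 0.0 to 8.0

def pe_sections(data: bytes) -> list:
    """Parse the PE section table into (name, raw_size, raw_offset); raises ValueError on a malformed file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    if nsections == 0 or table + nsections * 40 > len(data):
        raise ValueError("section table out of bounds")
    sections = []
    for off in range(table, table + nsections * 40, 40):
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        if raw_ptr + raw_size > len(data):
            raise ValueError("section data out of bounds")
        sections.append((data[off:off + 8].rstrip(b"\0"), raw_size, raw_ptr))
    return sections

def static_indicators(data: bytes) -> list:
    try:
        sections = pe_sections(data)
    except ValueError:
        return ["improper file format"]
    found = []
    if any(name.startswith(b"UPX") for name, _, _ in sections):  # one well-known packer's section names (assumed heuristic)
        found.append("existence of specific packers")
    if len(data) > max(ptr + size for _, size, ptr in sections):  # bytes appended past the last section
        found.append("file overlay")
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        found.append("high file entropy")
    return found

def build_sample_pe(section_data: bytes, overlay: bytes = b"", name: bytes = b".text") -> bytes:  # constructed toy PE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # 1 section, SizeOfOptionalHeader = 0
    raw_ptr = 0x40 + 4 + 20 + 40                                  # section data follows its header
    hdr = name.ljust(8, b"\0") + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + hdr + section_data + overlay
```

A real classifier would feed such features into the trained model rather than apply fixed thresholds; the point here is only what the listed indicators measure on the file itself.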
The SDK is a C library that also ships with a Python wrapper. It is now generally available.