New Sophos facial recognition technology uses webcams to stop hackers and virus writers in their tracks

Sophos appeals for computer users to send in pictures to increase accuracy of new system

Singapore. April 2, 2008 – IT security and control firm Sophos today announced its new RAPIL (Recognition and Analysis of Potentially Intruding Lifeforms) system which is able to produce a real-time forensic analysis of a PC or Mac user's facial features to determine if they exhibit any characteristics commonly associated with hackers. The new system uses webcams, now in widespread use on modern computers, to assess the facial characteristics of computer users, and cross-references them against features typically found in cybercriminals. Current tests show that with a clear background and provided the face is free of any obstructions, including hats, moustaches and sunglasses, the beta version of RAPIL has a success rate of 97.78 per cent.

As the amount of malware created each month continues to grow, Sophos experts note that most hackers are now working for organised criminal gangs intent on breaking into the PCs of innocent victims to steal sensitive and confidential information which can then be used for financial gain. Until today, most security companies have focused their efforts on preventing these attacks by detecting the malicious software and stopping it running. With RAPIL, Sophos can identity and stop the hacker before the malware is ever even written.

A video of the technology in action can be found at: www.youtube.com/SophosLabs

“Being able to stop the hackers before they even get a chance to write their malware, let alone spread it, is a breakthrough in the fight against cybercrime. Frankly this technology will put Sophos lightyears ahead of its competitors,” said Graham Cluley, senior technology consultant at Sophos. “With the amount of new cyberattacks we're discovering every month, it's increasingly difficult for computer users to ensure there are no holes in their security defences and that their PCs are fully defended. With our new solution that can identify key physical characteristics, we can literally see when someone has hacker written all over them.”

RAPIL samples the signal from the webcam 32 times a second. Using various new and existing machine learning techniques, such as K-Means clustering, SVM classifiers, decision trees, cross validation and genetic programming, thousands of facial characteristics including retinal patterns, shape of the philtrum, symmetry of the lips, size of the forehead and facial expression are tested to establish the probability of the user being a hacker. Once identified as a cybercriminal, the PC screen automatically goes blank, the keyboard freezes and the first 512 GB of the hard drive is encrypted with a user-defined key - many hard drives will therefore be encrypted in their entirety. The solution is fully protected against rootkits which hackers may attempt to use to disable it.

At present, advanced evasion techniques such as facial polymorphism and metamorphism can be used by hackers to evade the system. The face is polymorphic if it is randomly obstructed by an item such as hat, moustaches and glasses. Facial metamorphism, which occurs when the user changes their facial characteristics for every command run on the system, is even more difficult to detect. As part of the beta testing for RAPIL v0.401, Sophos is appealing for computer users to upload polymorphic pictures of themselves to help improve the accuracy of RAPIL still further. To add to the Sophos library of faces and help fight against cybercrime, please upload your photographs at: www.flickr.com/groups/ra-pil

To learn more about RAPIL, please visit the SophosLabs blog at: http://www.sophos.com/security/blog/2008/04/1246.html