The Endless Arms Race

Miles Wallace

Many people understand that AI systems can generate code. From that, it’s often assumed they could produce endless variations of the same program to evade antivirus detection. That assumption is not quite accurate.

A useful analogy helps clarify this. Imagine you run an art gallery that frequently experiences theft. You give your security guard a list of known thieves and descriptions of their typical clothing, instructing the guard to remove anyone matching those appearances. Naturally, thieves respond by changing their outfits. Relying on appearance alone proves ineffective. A better strategy is to focus on behavior: instead of identifying how thieves look, identify what they do, which is stealing paintings. Detecting suspicious actions is far more reliable than matching superficial traits. This shift mirrors how antivirus technology has evolved.

Earlier generations of antivirus software relied on “signatures”: specific patterns in code that identified known threats. These signatures acted like fingerprints, flagging programs that matched known malicious structures. However, there are effectively infinite ways to write code that performs the same function. Attackers exploited this by rewriting their programs to avoid matching known signatures.

This led to the development of polymorphic techniques, including mutation engines as early as the 1980s. These systems generated varied versions of the same underlying program by introducing randomness in implementation details. For example, a loop could be written in multiple ways: using for, while, recursion, or other constructs. By randomly selecting among many equivalent approaches for each task, attackers could produce countless distinct versions of the same program, rendering signature-based detection ineffective.

In response, security shifted toward behavioral detection. Instead of analyzing how code looks, modern systems focus on what it does. For instance, ransomware must still perform a limited set of actions: open files, read data, encrypt it, and write it back. While the code implementing these steps can vary infinitely, the underlying behavior is constrained by the operating system’s capabilities.
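The contrast between the two detection models can be shown on harmless data. The Python sketch below is an added example, not code from the original post: it hashes two equivalent, benign versions of one routine (a for loop and recursion) to show that a byte-level signature differs, then applies a simple behavioral rule to file-activity telemetry. The event format, PIDs, paths, and threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed, harmless stand-ins for "one program written two ways".
VARIANT_A = "def total(xs):\n    s = 0\n    for x in xs:\n        s += x\n    return s\n"
VARIANT_B = "def total(xs):\n    return xs[0] + total(xs[1:]) if xs else 0\n"

def signature(source):
    """Signature-style fingerprint: a hash of the exact bytes."""
    return hashlib.sha256(source.encode()).hexdigest()

def events_for(pid, paths, in_place):
    """Build constructed telemetry: each file is opened and read, then a write follows."""
    out = []
    for p in paths:
        out += [(pid, "open", p), (pid, "read", p)]
        out.append((pid, "write", p if in_place else "/backup/archive.tar"))
    return out

DOCS = [f"/home/u/doc{i}.txt" for i in range(6)]
EVENTS = (
    events_for(101, DOCS, in_place=True)        # bulk read-then-overwrite of many files
    + events_for(202, DOCS, in_place=False)     # backup tool: reads many, writes one archive
    + events_for(303, DOCS[:1], in_place=True)  # editor saving a single file
)

def flag_bulk_overwrite(events, threshold=5):
    """Return pids that read and then overwrite at least `threshold` distinct files."""
    read_seen = defaultdict(set)
    overwritten = defaultdict(set)
    for pid, op, path in events:
        if op == "read":
            read_seen[pid].add(path)
        elif op == "write" and path in read_seen[pid]:
            overwritten[pid].add(path)
    return sorted(pid for pid, files in overwritten.items() if len(files) >= threshold)

if __name__ == "__main__":
    # The rewritten source no longer matches the stored fingerprint.
    print("signatures match:", signature(VARIANT_A) == signature(VARIANT_B))
    # The rule keys on what the process did, not on how its code was written.
    print("flagged pids:", flag_bulk_overwrite(EVENTS))
```

The rule never inspects the code of the flagged process, so rewriting that code does not change the verdict.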

However, this approach is not a complete solution. The distinction between malicious and legitimate software often depends on intent, which can be ambiguous. For example, a password backup utility and an information-stealing tool may perform very similar actions. This creates a gray area where software can appear benign while serving malicious purposes.

As a result, modern attackers aim to mimic legitimate behavior closely enough to avoid detection. Instead of relying on code obfuscation alone, they attempt to blend in with normal system activity.

This brings us back to AI. While AI can generate code, its capabilities are limited by its training data. It learns patterns from existing, documented examples. In the context of malware, this means it primarily reproduces known techniques: methods that are already studied and often well-detected. Consequently, asking an AI system to produce “evasive” malware without deeper expertise will typically result in conventional approaches, not novel ones. The idea that AI can trivially bypass security through polymorphism is based on an outdated model of how antivirus systems work. Modern defenses have not relied solely on code signatures for over two decades. Polymorphism, as a standalone evasion technique, has already been addressed through behavioral analysis.

Therefore, concerns about AI-driven polymorphism often stem from a misunderstanding. The underlying problem was solved long before AI entered the picture. While AI may lower the barrier to entry in some areas, it does not fundamentally change the effectiveness of polymorphism as an evasion strategy.