Anti-Malware Before it’s a Threat

Tuesday, January 20, 2015 @ 12:01 PM gHale


One of the issues behind detecting malware is how can you discover the bad software if you don’t even know it is bad software.

That issue can soon go away as a cyber security technology created at the Department of Energy’s (DoE) Oak Ridge National Laboratory (ORNL), can recognize malicious software even if the specific program has not been identified as a threat.

RELATED STORIES
Breach: When Minutes Count
Data Breach Awareness on Rise
Malware Creation Skyrockets in Q3
ICS Targeted in Malware Campaign

By computing and analyzing program behaviors associated with harmful intent, ORNL’s Hyperion technology can look inside an executable program to determine the software’s behavior without using its source code or running the program, said one of its inventors, Stacy Prowell of ORNL’s Cyber Warfare Research team.

“These behaviors can be automatically checked for known malicious operations as well as domain-specific problems,” Prowell said. “This technology helps detect vulnerabilities and can uncover malicious content before it has a chance to execute.”

Hyperion, which has been under development for a decade, offers more comprehensive scanning capabilities than existing cyber security methods.

“This approach is better than signature detection, which only searches for patterns of bytes,” Prowell said. “It’s easy for somebody to hide that — they can break it up and scatter it about the program so it won’t match any signature.”

Washington, D.C.-based R&K Cyber Solutions LLC (R&K) licensed Hyperion and is looking to go to market with the program this month.

“Software behavior computation is an emerging science and technology that will have a profound effect on malware analysis and software assurance,” said R&K Cyber Solutions Chief Executive Joseph Carter. “Computed behavior based on deep functional semantics is a much-needed cyber security approach that has not been previously available. Unlike current methods, behavior computation does not look at surface structure. Rather, it looks at deeper behavioral patterns.”

Carter said technology’s malware analysis capabilities can apply to multiple related cyber security problems, including software assurance in the absence of source code, hardware and software data exploitation and forensics, supply chain security analysis, anti-tamper analysis and potential first intrusion detection systems based on behavior semantics.

The licensed intellectual property includes two patent-pending technologies invented by Kirk Sayre of the Computational Sciences and Engineering Division and Richard Willems and former ORNL employee Stephen Lindberg of the Electrical and Electronics Systems Research Division. Others contributing to the technology were David Heise, Kelly Huffer, Logan Lamb, Mark Pleszkoch and Joel Reed of the Computational Sciences and Engineering Division.

Hyperion strengthens the cyber security of critical energy infrastructure by providing evidence of the secure functioning of energy delivery control system devices without requiring disclosure of the source code. This can advance resilient energy delivery systems designed, installed, operated and maintained to survive a cyber incident while sustaining critical functions.



Leave a Reply

You must be logged in to post a comment.