Malicious software (“malware”) includes software that is designed to gain access to a computer, damage it, or subvert its functioning without the knowledge of the owner. Malware is a tremendous problem, and the number of computer security incidents continues to increase. Malware infections can have enormous direct and indirect costs for individuals, businesses and other organizations.
One type of malware is the Remote Access Trojan horse. Generally, a Trojan horse includes malware embedded in an application or system that performs or appears to perform a useful function but also is performing some form of unauthorized action. A Remote Access Trojan horse generally includes a back door for administrative access and/or control over a target computer.
Malware and Remote Access Trojan horse software placed on a computing device use network resources to connect back to the controller/attacker associated with the software. Such software is very typically required to transmit its network traffic through host-resident and network-resident firewalls. Such firewalls have stateful mechanisms which only permit traffic for a connection to be transmitted for a specific duration of time before the connection in question is considered no longer viable. As such, malware of this nature invariably exhibits a periodic traffic transmission behavior resembling a beacon: it must reconnect, or send keep-alive traffic, at regular intervals to remain reachable by its controller. In order to detect this behavior, traditional network defenses have focused on a content signature approach. In the content signature approach, a characterization of what is known to be malicious is used to determine whether particular software is malicious. This characterization or model may involve significant resources (including human resources), and additional signatures may be needed whenever new instances of malware are identified. Of course, the effectiveness of content signature-based malware detection methods depends upon characterizations that may not necessarily be accurate or complete.
A further problem with malware is that some malware has evolved and now may use the Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) protocols to encrypt its communications. Where SSL and/or TLS protocols are used to encrypt communications, content signature-based malware detection methods are ineffective because the payload that a signature would match is no longer visible on the network. Moreover, use of SSL and/or TLS protocols is further problematic because such protocols are widely used for web-based communications and firewalls usually allow such traffic. Allowing such traffic presents an opportunity for the malware to reach its command and control (C2) channels.
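The two preceding paragraphs together motivate a detection approach that relies on the timing regularity of connections rather than on their content, so that SSL/TLS encryption does not hide the beacon. The following is an added illustrative example, not code from the original document: it groups constructed flow metadata (client, server, connection start time) by client/server pair, measures how regular the gaps between connections are, and flags pairs whose interval jitter is small. The record format, the coefficient-of-variation score and the thresholds are assumptions chosen for illustration.

```python
"""Beacon-candidate detection from connection metadata only (no payload needed)."""
from collections import defaultdict
from statistics import mean, pstdev


def _series(client, server, start, intervals):
    """Build constructed flow records from a start time and a list of gaps (seconds)."""
    times, t = [start], start
    for gap in intervals:
        t += gap
        times.append(t)
    return [(client, server, ts) for ts in times]


# Constructed sample data using RFC 5737 documentation addresses (not real hosts).
# Pair 1: reconnects roughly every 60 s with a little jitter, as stateful-firewall
# timeouts force a beaconing implant to do. Pair 2: irregular, user-driven browsing.
# Pair 3: too few connections to judge.
FLOWS = (
    _series("10.0.0.5", "203.0.113.7:443", 1_000, [60, 61, 59, 60, 62, 58, 60, 60, 61, 59])
    + _series("10.0.0.9", "198.51.100.2:443", 1_000, [5, 300, 12, 900, 45, 2, 130, 700, 20, 60])
    + _series("10.0.0.12", "192.0.2.30:443", 1_000, [30, 30])
)


def beacon_scores(flows, min_connections=8):
    """Return {(client, server): (count, mean_gap, cv)} for pairs with enough flows.

    cv is the coefficient of variation (std / mean) of the inter-connection gaps;
    values near 0 mean the client contacts the server on a near-fixed period.
    Only timestamps are used, so TLS/SSL encryption of the payload is irrelevant.
    """
    by_pair = defaultdict(list)
    for client, server, ts in flows:
        by_pair[(client, server)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough evidence for a periodicity judgement
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[pair] = (len(times), avg, cv)
    return scores


def beacon_candidates(flows, min_connections=8, max_cv=0.1):
    """Pairs whose connection timing is regular enough to warrant analyst triage."""
    scores = beacon_scores(flows, min_connections)
    return sorted(pair for pair, (_, _, cv) in scores.items() if cv <= max_cv)
```

Legitimate software (update checkers, mail polling, monitoring agents) also beacons, so a low score is a triage signal to be combined with other context, not a verdict on its own.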
Therefore, problems remain with malware detection, especially when SSL and/or TLS protocols are used to encrypt communications. What is needed are improved methods of malware detection where SSL and/or TLS protocols are used to encrypt communications.