1. Field of Invention
This invention relates generally to cybersecurity and, more specifically, to the application of membership queries to software behavior to identify, among other things, unknown cybersecurity risks.
2. Description of Related Art
The global nature of today's computing world has evolved to a point where almost any transaction, whether economic, social, governmental, etc., requires the involvement of computer systems and the Internet. The execution of these transactions therefore depends upon the proper functioning of both computer systems and the Internet. In order to shield these transactions from malicious threats, it is critical to identify and deploy efficient and rapidly-performing peripheral tools capable of enhancing cyber situational awareness.
Today's cybersecurity technologies seek to detect known bad entities, e.g., malware, in the computing environment. As used herein, malware refers to any form of hostile or intrusive software including, but not limited to, viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. Malware can take the form of executable code, scripts, active content, and other software. Adversaries are generating malware and finding new vulnerabilities faster than security software companies can respond. The approach today is very much based on prevention: securing systems using best practices and using tools for the detection of known threats (referred to herein as "known bads"). A threat must first be observed and characterized in some capacity before today's cybersecurity detection tools can be deployed to search for it. These detection methods, therefore, are limited to searching only for known bad signatures. Conventional methods generally use a blacklist, i.e., a register of known malware or sources of malware (e.g., malicious websites). Google, for example, finds thousands of new malicious websites every day, and millions of pieces of malware are identified every month. Thus, blacklisting requires a significant amount of computer resources to store and process the enormous volume of known bads. Moreover, blacklisting cannot detect things that are bad but not yet known: zero-day threats are absent from the blacklist, so blacklisting lets them in as if they were good.
A whitelist is a register of known goods, e.g., executables known to be acceptable. In whitelisting, everything on the whitelist is allowed while everything else is prevented. However, maintaining a whitelist is difficult from an administrative perspective. For example, the problem arises when one must register or re-register every dynamic link library (DLL) every time a new or existing application patch is installed. Which bits of software can make changes to the whitelist and which cannot? Whitelisting may be fundamentally better than blacklisting because anything that is not on the list is stopped, including threats that have never been seen before. However, whitelisting suffers from the same scaling issue as blacklisting: eventually, a significant amount of computer resources is required to store and process the enormous volume of known goods.
Therefore, there exists a need for an efficient and rapidly-performing peripheral tool capable of enhancing cyber situational awareness by identifying known good entities and allowing those objects to proceed, identifying known bad entities and blocking those objects, and simultaneously identifying novel entities that are neither known good nor known bad and are therefore worthy of further analysis and characterization, all without requiring significant computer resources.