An advanced persistent threat (APT) is a network attack in which an unauthorized person(s) attempts to gain access to a network through a long-term pattern of sophisticated exploits. Persons behind APT attacks typically have a full spectrum of intelligence-gathering techniques at their disposal. The intention of an APT attack is often to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
An APT detection process is typically based on static (e.g., non-executing) file object scans. This process systematically scans a binary file object searching for exact byte-level sequences previously identified to be present in known malware-embedded files. These sequences, commonly referred to as malware signatures, are typically a calculated numerical value (hash) of a 16 byte or greater section of code found within a known malware application(s). Many APT and advanced malwares demonstrate a polymorphic feature. This feature allows the malware to constantly mutate, or change, thereby rendering a traditional hash-based malware signature approach ineffective.
APT attacks can also include zero-day (i.e., original, occurring for the first time) type threats that exploit computer application vulnerabilities unknown to others (e.g., commercial software application developers). Traditional malware signature-based detection is not effective against zero-day exploits as the opportunity to define the malware signature in advance is not available. APT malware detection software must address obfuscation techniques aimed at masking a file object's content; address the polymorphic nature of malware; also employ an advanced analysis technique to detect newly developed malware in software; etc.
Furthermore, current APT malware detection software typically detects a malware-embedded file after it is stored within an organization's infrastructure (e.g., email server, file server, file transfer protocol (FTP) server). It would be advantageous to detect and remove a malware-embedded filed before it is stored and accessible from within an organization.