Over the last decade, cybersecurity attacks have become a pervasive problem for internet users as many networked devices and other resources have been subjected to attack and compromised. The attack may involve the infiltration of malicious software onto a network device or concentration on an exploit residing within a network device to perpetrate the cybersecurity attack (generally referred to as “malware”). In most situations, malware is a program or file that is embedded within downloadable content and designed to allow or directly influence, undermine, disrupt, alter or otherwise attack normal operations of a network device. Examples of different types of malware may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device without permission by a user of the electronic device or a network administrator responsible for protecting an enterprise network with which the electronic device is in communication. In some cases, the attack is designed to exploit a previously unknown vulnerability within software executing on a targeted network device.
Malware may be distributed through a variety of different attack vectors. For example, malware may be installed on a network device through activation of a uniform resource locator (URL), which redirects the user to unknowingly download content from a malicious web site for installation on his or her computer. Similarly, malware may also be installed on a network device upon receipt or opening of an electronic mail (email) message or an attachment with embedded executable malware (e.g., an infected document such as a Portable Document Format “PDF” or word processing document, an infected image, etc.). As yet another example, malware may exist in files that are uploaded from an infected network device onto a networked storage device such as a file share. Also, malware may be imbedded as part of a data stream that are directed to multiple (two or more) network devices. Identifying an advanced malware attack at the network device, such as a zero-day attack or a polymorphic malware attack for example, has been challenging.
A zero-day attack typically poses the substantial threat to an enterprise network. as these types of attacks are designed to exploit a previously unknown vulnerability within software executing on one or more targeted network devices, and often constitutes a previously unseen type of malware or malware that has not been detected before. In either case, no known signature is available for that malware. As “zero day” malware, by definition, has not been detected before, there are no known signatures for detection of this malware type. Accordingly, signature-based solutions typically fail to detect zero-day malware.
Moreover, advanced malware may co-opt and use previously whitelisted domains, i.e., domains not previously known to be malicious. Accordingly, solutions relying on domain-blacklists fail to be sufficiently effective. Finally, advanced malware is often polymorphic, and thus has signatures that change over time while retaining their core malicious functions, and, once again, may escape detection by such solutions.
Known malware detection systems effectively deal with these problems by employing virtualized behavior detection systems, typically at the periphery of an enterprise network. Unfortunately, the overhead necessary to run a virtualized behavior detection system in user space of a network device interferes and significantly impacts the user experience normally offered by a laptop or other endpoint device.