The present invention is related to detection and prevention of malicious code execution, and more specifically to detection and prevention of malicious code execution using risk scoring.
Malicious software is a constant battle that security practitioners must deal with, especially in large enterprises. Currently, most corporations rely on several control mechanisms (such as spam filters, virus scanning on email, and Intrusion Detection/Prevention Systems) to look for signatures in flowing network traffic, and anti-virus software installed on host computers that look at each file and compare it against signatures stored in the anti-virus software's memory system. The drawback to each of these systems is the reliance on signatures, or known sequences or patterns, which can be used to identify bad software files.
Current methods to detect malicious software files typically include a combination of heuristic scanning and signature definitions based on reverse engineering each malware sample. Thus, the anti-virus solution is always behind the release of new variants of malware. This is because anti-virus (AV) solutions typically require a virus sample in order to help identify new definitions to detect the virus. This methodology ensures that malicious software will, for a period of time, be able to spread and infect machines with little to no detection or remediation until the virus is discovered, a sample obtained, and new definitions to detect and prevent the virus identified.
Heuristic scanning techniques rely on observable behavior of the execution of malicious software to accurately detect and identify software as malicious. The problem with this technique is that it relies on consistent execution techniques. Malware writers have introduced poly/meta-morphism and custom packing and encrypting into their malicious software, thus changing the observable execution characteristics making heuristic scanning much less reliable.
Another technique makes use of observable characteristics of the files themselves and not on the execution pattern. Furthermore, the observable characteristics make use of, and rely on, the obfuscation techniques themselves as this behavior is not present in most normal software. The malware obfuscation techniques are then turned against the malware writers. One version of this technique relies heavily on the entropy of the code sections themselves to detect the obfuscation and probable packing of malicious software. However, it has been determined that this is not completely reliable and prone to error in sophisticated malware trials.