1. Field of the Invention
The present invention generally relates to computer and network security and, more particularly, to detecting malware in an operational computing environment.
2. Description of the Related Art
The widespread adoption of networked Information and Communication Technologies (ICT) by all facets of society has made massive amounts of valuable information vulnerable to digital theft. As organizations and individuals embed ICT into their core operational processes, many have unwittingly exposed themselves to exploitation. The result is an extremely appealing target for competitors and a new wave of cyberspace criminals lured by easy profit and unlikely prosecution. More information is available today for surreptitious exploitation than ever before, while organizations continue to struggle with standard passive computer network defense (CND) practices and are only beginning to realize true attacker perceptions of their information's value.
Malware has become the cyberspace weapon system of choice, enabling attackers to conduct a wide gamut of offensive information operations, as evidenced by the now infamous Stuxnet worm. The Stuxnet worm payload causes a loss of data integrity for supervisory control and data acquisition (SCADA) systems, which run industrial control systems such as power grids. One of the most dangerous operations is data exfiltration, where attackers can increase their competitive edge by harvesting sensitive information from unsuspecting victims. Imagine the value and impact of obtaining blueprints for the most advanced jet fighter at no substantial cost, or of obtaining millions of sensitive customer records.
Malware detection has been an active computer security research area for decades. Advances in this area have not produced a “silver bullet” solution to this problem because it is ultimately a human enterprise. Consequently, a relatively small set of malware can hide amongst a million unique executables on large networks, making it difficult for humans to find without some form of automated assistance.
With attacker motivation at an all-time high, customized malware attacks are becoming more common and allow adversaries to sidestep the traditional front-line defense, signature-based antivirus software. These antivirus systems are passive and reactive by nature, because they require previous malware analysis and signature development. Contemporary antivirus products often fail to detect modified threat tools that use evasive methods such as no-operation instruction insertion, reordering of subroutines, register reassignment, and instruction substitution, among others.
Cyberspace adversaries are adaptable foes, and methods to detect them must also be capable of adaptation or risk becoming obsolete. This observation has produced unique research momentum for new detection technologies that do not require a continual stream of updated antivirus signatures. Generic detection technologies make extensive use of classic pattern recognition and machine learning techniques. If hackers can victimize governments and high-profile corporations by avoiding antivirus software, the risk to lesser-financed organizations is likely higher than perceived. Visibility into network activity is limited because of the immense volume of data and the difficulties associated with effective data reduction.
In order to understand the current state of a conventional network, individuals must have sufficient situation awareness (SA), or “the perception of elements in an environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future,” as defined in Endsley, M. R., “Design and evaluation for situation awareness enhancement,” Proceedings of the Human Factors Society 32nd Annual Meeting, Volume 1, pp. 97-100. With adequate situation awareness, organizations can perceive previously unknown threats, comprehend threat capability and ultimately project future threat activity. Sufficient situation awareness may assist in enabling organizations to short-circuit the impact of continuing threat activity.
Competitive threats can easily employ similar techniques to make unique malware samples that victims' defensive tools cannot detect. An advanced persistent threat (APT) is a nation-state or large corporate-sponsored competitive threat that is capable of, and determined to, accomplish its goals. While malware is not the only method of gaining information at the APT's disposal, it can satisfy the APT's operational needs for victim network access, data exfiltration and data corruption. Achieving cyberspace SA may assist in allowing organizations to discover and thwart APT operations. Major asymmetric advantages of the competitive threat may include unauthorized access to competitor sensitive data, low likelihood of discovery and prosecution, and low tool development cost, making cyberspace attacks attractive to attackers.
Accordingly, there is a need in the art for a method of increasing situational awareness to identify malware, predict its behavior, and halt any such cyberspace attacks.