The invention relates to computer security, and in particular to hardware-assisted detection of computer security threats such as malware.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.
In recent years, malware attacks are increasingly targeting corporate networks, for instance to extract sensitive corporate data. In one example known as a spear-phishing attack, an attacker sends an email to an employee of a particular corporation, the email containing an attached PDF file. The PDF file is carefully crafted to contain an exploit for a vulnerability of Adobe Acrobat® software, the exploit being able—once triggered—to download a backdoor service to the respective employee's computer. The backdoor service may allow the attacker to connect to the respective computer, and to use it as an entry point to the corporate network.
Modern computer security operations commonly include automated malware analysis. Computer security providers receive a large number (sometimes hundreds of thousands) of malware samples every day. To process such substantial amounts of data, the company may set up an automated analysis system comprising tens or hundreds of computing nodes configured to employing various detection technologies to process a continuous flux of samples. Such systems typically have databases to store samples and analysis results, one or more controller/scheduler systems, and a user interface allowing operators to control operations and to display results.
In another example of automated malware detection, a network appliance is used as a gateway device for perimeter defense of a corporate computer network. In typical configurations, the network appliance, which may be a physical machine or a virtual machine, may act as an interface between the corporate network and the Internet, so that a substantial fraction of data traffic between computers on the corporate network and the outside world is routed through the network appliance. An automated traffic analysis system may be installed on the network appliance, and configured to detect malware arriving at the appliance, for instance, as email attachments. Automated analysis may include opening and/or executing such attachments in a sandboxed environment and determining whether their behavior is indicative of malice.
Some advanced malicious agents are targeted towards specific companies, corporate networks or individuals. Such agents may be able to detect their environment, and only perform their malicious activity when executing within the targeted network or computer system. Other malware agents are designed to evade detection by conventional automated detection systems.
There is an increasing interest in developing computer security solutions which are capable of handling substantial amounts of samples, and are effective in detecting advanced forms of malware.