Profiling Your Best Behavior

Behavior recognition helps decrease malware and browser-based attacks as spyware becomes an epidemic

Web-borne threats are among the most serious security risks facing corporations today. An alarming trend shows that malware and browser-based attacks are increasing in frequency. A 2005 FBI Computer Crime survey reported that spyware has reached epidemic proportions, affecting 79 percent of the U.S. companies surveyed. According to a Sophos Security Threat Management Report published in November 2005, the number of new malware threats increased 48 percent during 2005 alone.

As malicious code becomes increasingly complex and pervasive, one proven technology -- behavior profiling and blocking -- is demonstrating its effectiveness in keeping corporate networks safe from unknown and new types of malicious code.

Detecting Malicious Behavior
In general terms, behavior profiling is a method that assesses how something or someone will behave in a given situation. Decision-makers use behavioral profiling methods in a wide range of situations to determine whether a behavior is acceptable.

A psychologist, for example, may review a patient's behavior profile to determine whether it deviates from what is defined as normal in a particular environment. In behavior profiling and blocking technology, the smart algorithm in the security engine carries out the same function as the psychologist.

Smart algorithms are used in security products to inspect applications and to review their respective execution/behavior profiles. Using an application profile, security engines can decide whether a given application is acceptable or malicious before allowing it to invade a user's computer. Other security products use behavior profiles to monitor running applications for deviations from an accepted behavior.

Market Trends Swinging Proactive
In global competition, there is no time to lose to ensure a competitive edge. That edge can be destroyed quickly through malicious code that results in the loss of intellectual assets and productivity. In order for companies to safeguard themselves from Web-based threats, they need to incorporate a behavior-based, proactive security technology that will work with traditional anti-virus, spyware and other technologies to provide a comprehensive, layered defense.

The major advantage of behavior profiling and blocking technology in the security industry is that it does not rely on known or previously identified malicious content to block it before it can do any damage. It does not need signatures or pre-defined patterns to decide whether an application is about to perform a prohibited operation. This enables the security engine to identify and block new and unknown malware attacks from a first-time strike. There is no waiting for patches to arrive.

Behavior profiling technology generates application profiles in real time. Simply by crawling the application's code and identifying its needed resources or trapping its events, this technology can create a behavior profile and make a determination of whether a particular code is malicious or not.

Smart algorithms identify operations, parameters, function calls, scripts and other resources used by the inspected code. In addition to these elements, the behavior profiling technology simulates on-the-fly possible uses of such elements by the written code, and the result is the application's behavior profile. Then, in accordance with an organization's security policy, the behavior profiling algorithm decides whether to allow the code to go through, block it or just eliminate the malicious code, and let the rest go through to users so they can see what has been removed.
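A minimal sketch of the profile-then-enforce flow described above, added here as an illustration and not taken from the article or from any vendor's engine. The behavior names, regular expressions, policy and sample scripts are constructed assumptions, and splitting on semicolons stands in for a real parser and the simulation step.

```python
import re

# Hypothetical map from calls/resources seen in script content to behaviors.
BEHAVIORS = {
    "file_write":   re.compile(r"\b(?:CreateTextFile|SaveToFile)\s*\("),
    "process_exec": re.compile(r"\bWScript\.Shell\b|\.(?:Run|Exec)\s*\("),
    "registry":     re.compile(r"\.Reg(?:Write|Delete)\s*\("),
    "dom_write":    re.compile(r"\bdocument\.write\s*\("),
}
# Hypothetical security policy; behaviors not listed are allowed.
POLICY = {"process_exec": "block", "registry": "block", "file_write": "strip"}

# Constructed sample inputs (not real-world captures).
SAMPLE_BENIGN = 'var t = document.title; document.write("<b>" + t + "</b>");'
SAMPLE_DROPPER = ('var fso = new ActiveXObject("Scripting.FileSystemObject"); '
                  'fso.CreateTextFile("note.txt", true); document.write("hi");')
SAMPLE_EXEC = 'var sh = new ActiveXObject("WScript.Shell"); sh.Run("notepad.exe");'

def split_statements(code):
    # Simplification: assumes no semicolons inside string literals.
    return [s.strip() for s in code.split(";") if s.strip()]

def profile(code):
    """Crawl the code and return {behavior: [statements that exhibit it]}."""
    prof = {}
    for stmt in split_statements(code):
        for name, pattern in BEHAVIORS.items():
            if pattern.search(stmt):
                prof.setdefault(name, []).append(stmt)
    return prof

def enforce(code, policy=POLICY):
    """Return (verdict, code delivered to the user, profile)."""
    prof = profile(code)
    actions = {policy.get(behavior, "allow") for behavior in prof}
    if "block" in actions:          # any prohibited behavior stops everything
        return "block", "", prof
    if "strip" in actions:          # remove offending statements, pass the rest
        bad = {s for b, stmts in prof.items() if policy.get(b) == "strip" for s in stmts}
        kept = [s for s in split_statements(code) if s not in bad]
        return "strip", "; ".join(kept) + ";", prof
    return "allow", code, prof
```

The decision depends only on what the code asks to do, so a script never seen before gets the same verdict as a known one with the same profile.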

Successfully Identifying the Unknown
Clearly, if a program can be inspected in a lab and manually profiled, it is relatively simple to create a security product that will stop it from doing bad things, such as actions we define as malicious. However, a major limitation for security vendors has traditionally been the inability to provide protection against a program or virus to which they have never previously been exposed. Companies wait for patches and then distribute them throughout the network. This is known as the window of vulnerability. Proactive, behavior-based technology closes that window by offering the needed protection in real time against the latest threats permeating the Web. This long-standing vulnerability is why behavior profiling technology is needed so critically today in the security industry.

History has shown that signature-based and heuristic-based security solutions fall short in their ability to identify an unknown or previously un-inspected piece of code to determine whether it is malicious. Traditional anti-virus is a classic example. As long as a signature is not available (i.e., a new virus did not reach the security vendor's lab for inspection and/or a signature update is not released), the anti-virus product is helpless in preventing such malicious code from executing, as it relies solely on previous knowledge.

In today's network-connected business world with real-time online needs, malicious applications often reach corporate PCs before they arrive at the security vendor's lab for inspection, and this is where the true value of behavior profiling and blocking technology is realized.

Unlike programs operating in a security vendor's lab, behavior profiling and blocking technology is used to inspect programs "in the wild." The goal is to analyze programs and applications that reach computers from an external, untrusted source. Such applications may include malicious code that can damage machines or data, violate privacy or compromise intellectual property.

By using behavior profiling in security products, on-the-fly profiles can be generated and enforced by the security engine based on a defined security policy. Unauthorized behaviors can be blocked instantly before execution and prior to reaching targeted machines.

Behavior profiling and blocking technology is in use by corporations today, enabling them to remain connected and receive data from both trusted and untrusted resources. Corporations know that proactive security measures are in place to ensure that malicious content will be blocked from entering the corporate network and systems environment. Moreover, application behavior profiling and blocking technology offers the only solution that provides real-time capabilities required to address today's influx of increasingly complex and varied malicious code.

This article originally appeared in the October 2006 issue of Security Products, pgs. 46-47.
