Profiling Your Best Behavior

Behavior recognition helps decrease malware and browser-based attacks as spyware becomes and epidemic

WEB-borne threats are among the most serious security risks facing corporations today. An alarming trend shows that malware and browser-based attacks are increasing in frequency. A 2005 FBI Computer Crime survey reported that spyware has reached epidemic proportions effecting 79 percent of the U.S. companies surveyed. According to a Sophos Security Threat Management Report published in November 2005, the number of new malware threats increased 48 percent during 2005 alone.

In today's network-connected business world with real-time online needs, malicious applications often reach corporate PCs before they arrive at the security vendor's lab for inspection, and this is where the true value of behavior profiling and blocking technology is realized.

As malicious code becomes increasingly complex and pervasive, one proven technology -- behavior profiling and blocking -- is demonstrating its effectiveness in keeping corporate networks safe from unknown and new types of malicious code.

Detecting Malicious Behavior
In general terms, behavior profiling is a method that assesses how something or someone will behave in a given situation. Decision-makers use behavioral profiling methods in a wide range of situations to determine whether a behavior is acceptable.

A psychologist, for example, may review a patient's behavior profile to determine whether it deviates from what is defined as normal in a particular environment. In behavior profiling and blocking technology, the smart algorithm in the security engine carries out the same function as the psychologist.

Smart algorithms are used in security products to inspect applications and to review their respective execution/behavior profiles. Using an application profile, security engines can decide whether a given application is acceptable or malicious before allowing it to invade a user's computer. Other security products use behavior profiles to monitor running applications for deviations from an accepted behavior.

Market Trends Swinging Proactive
In global competition, there is no time to lose to ensure a competitive edge. That edge can be destroyed quickly through malicious code that results in the loss of intellectual assets and productivity. In order for companies to safeguard themselves from Web-based threats, they need to incorporate a behavior-based, proactive security technology that will work with traditional anti-virus, spyware and other technologies to provide a comprehensive, layered defense.

The major advantage of behavior profiling and blocking technology in the security industry is that it does not rely on known or previously identified malicious content to block it before it can do any damage. It does not need signatures or pre-defined patterns to decide whether an application is about to perform a prohibited operation. This enables the security engine to identify and block new and unknown malware attacks from a first-time strike. There is no waiting for patches to arrive.

Behavior profiling technology generates application profiles in real time. Simply by crawling the application's code and identifying its needed resources or trapping its events, this technology can create a behavior profile and make a determination of whether a particular code is malicious or not.

Smart algorithms identify operations, parameters, function calls, scripts and other resources used by the inspected code. In addition to these elements, the behavior profiling technology simulates on-the-fly possible uses of such elements by the written code, and the result is the application's behavior profile. Then, in accordance with an organization's security policy, the behavior profiling algorithm decides whether to allow the code to go through, block it or just eliminate the malicious code, and let the rest go through to users so they can see what has been removed.

Successfully Identifying the Unknown
Clearly, if a program can be inspected in a lab and manually profiled, it is relatively simple to create a security product that will stop it from doing bad things, such as actions we define as malicious. However, what has traditionally been a major limitation for security vendors is the ability to provide protection against a program or virus which they never have been previously exposed to or experienced. Companies wait for patches and then distribute them throughout the network. this is known as the window of vulnerability. Proactive, behavior-based technology closes that window by offering the needed protection in real time against the latest threats permeating the Web. This long-standing vulnerability is why behavior profiling technology is needed so critically today in the security industry.

History has shown that signature-based and heuristic-based security solutions fall short in its ability to identify an unknown or previously un-inspected piece of code to determine whether it is malicious. Traditional anti-virus is a classic example. As long as a signature is not available (i.e., a new virus did not reach the security vendor's lab for inspection and/or a signature update is not released), the anti-virus product is helpless in preventing such malicious code from executing, as it relies solely on previous knowledge.

In today's network-connected business world with real-time online needs, malicious applications often reach corporate PCs before they arrive at the security vendor's lab for inspection, and this is where the true value of behavior profiling and blocking technology is realized.

Unlike programs operating in a security vendor's lab, behavior profiling and blocking technology is used to inspect programs "in the wild." The goal is to analyze programs and applications that reach computers from an external, untrusted source. Such applications may include malicious code that can damage machines or data, violate privacy or compromise intellectual property.

By using behavior profiling in security products, on-the-fly profiles can be generated and enforced by the security engine based on a defined security policy. Unauthorized behaviors can be blocked instantly before execution and prior to reaching targeted machines.

Behavior profiling and blocking technology is in use by corporations today, enabling them to remain connected and receive data from both trusted and untrusted resources. Corporations know that proactive security measures are in place to ensure that malicious content will be blocked from entering the corporate network and systems environment. Moreover, application behavior profiling and blocking technology offers the only solution that provides real-time capabilities required to address today's influx of increasingly complex and varied malicious code.

This article originally appeared in the October 2006 issue of Security Products, pgs. 46-47.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3