Profiling Your Best Behavior

Behavior recognition helps decrease malware and browser-based attacks as spyware becomes and epidemic

• By Yuval Ben-Itzhak
• Oct 01, 2006

WEB-borne threats are among the most serious security risks facing corporations today. An alarming trend shows that malware and browser-based attacks are increasing in frequency. A 2005 FBI Computer Crime survey reported that spyware has reached epidemic proportions effecting 79 percent of the U.S. companies surveyed. According to a Sophos Security Threat Management Report published in November 2005, the number of new malware threats increased 48 percent during 2005 alone.

In today's network-connected business world with real-time online needs, malicious applications often reach corporate PCs before they arrive at the security vendor's lab for inspection, and this is where the true value of behavior profiling and blocking technology is realized.

As malicious code becomes increasingly complex and pervasive, one proven technology -- behavior profiling and blocking -- is demonstrating its effectiveness in keeping corporate networks safe from unknown and new types of malicious code.

Detecting Malicious Behavior
In general terms, behavior profiling is a method that assesses how something or someone will behave in a given situation. Decision-makers use behavioral profiling methods in a wide range of situations to determine whether a behavior is acceptable.

A psychologist, for example, may review a patient's behavior profile to determine whether it deviates from what is defined as normal in a particular environment. In behavior profiling and blocking technology, the smart algorithm in the security engine carries out the same function as the psychologist.

Smart algorithms are used in security products to inspect applications and to review their respective execution/behavior profiles. Using an application profile, security engines can decide whether a given application is acceptable or malicious before allowing it to invade a user's computer. Other security products use behavior profiles to monitor running applications for deviations from an accepted behavior.

Market Trends Swinging Proactive
In global competition, there is no time to lose to ensure a competitive edge. That edge can be destroyed quickly through malicious code that results in the loss of intellectual assets and productivity. In order for companies to safeguard themselves from Web-based threats, they need to incorporate a behavior-based, proactive security technology that will work with traditional anti-virus, spyware and other technologies to provide a comprehensive, layered defense.

The major advantage of behavior profiling and blocking technology in the security industry is that it does not rely on known or previously identified malicious content to block it before it can do any damage. It does not need signatures or pre-defined patterns to decide whether an application is about to perform a prohibited operation. This enables the security engine to identify and block new and unknown malware attacks from a first-time strike. There is no waiting for patches to arrive.

Behavior profiling technology generates application profiles in real time. Simply by crawling the application's code and identifying its needed resources or trapping its events, this technology can create a behavior profile and make a determination of whether a particular code is malicious or not.

Smart algorithms identify operations, parameters, function calls, scripts and other resources used by the inspected code. In addition to these elements, the behavior profiling technology simulates on-the-fly possible uses of such elements by the written code, and the result is the application's behavior profile. Then, in accordance with an organization's security policy, the behavior profiling algorithm decides whether to allow the code to go through, block it or just eliminate the malicious code, and let the rest go through to users so they can see what has been removed.

Successfully Identifying the Unknown
Clearly, if a program can be inspected in a lab and manually profiled, it is relatively simple to create a security product that will stop it from doing bad things, such as actions we define as malicious. However, what has traditionally been a major limitation for security vendors is the ability to provide protection against a program or virus which they never have been previously exposed to or experienced. Companies wait for patches and then distribute them throughout the network. this is known as the window of vulnerability. Proactive, behavior-based technology closes that window by offering the needed protection in real time against the latest threats permeating the Web. This long-standing vulnerability is why behavior profiling technology is needed so critically today in the security industry.

History has shown that signature-based and heuristic-based security solutions fall short in its ability to identify an unknown or previously un-inspected piece of code to determine whether it is malicious. Traditional anti-virus is a classic example. As long as a signature is not available (i.e., a new virus did not reach the security vendor's lab for inspection and/or a signature update is not released), the anti-virus product is helpless in preventing such malicious code from executing, as it relies solely on previous knowledge.

In today's network-connected business world with real-time online needs, malicious applications often reach corporate PCs before they arrive at the security vendor's lab for inspection, and this is where the true value of behavior profiling and blocking technology is realized.

Unlike programs operating in a security vendor's lab, behavior profiling and blocking technology is used to inspect programs "in the wild." The goal is to analyze programs and applications that reach computers from an external, untrusted source. Such applications may include malicious code that can damage machines or data, violate privacy or compromise intellectual property.

By using behavior profiling in security products, on-the-fly profiles can be generated and enforced by the security engine based on a defined security policy. Unauthorized behaviors can be blocked instantly before execution and prior to reaching targeted machines.

Behavior profiling and blocking technology is in use by corporations today, enabling them to remain connected and receive data from both trusted and untrusted resources. Corporations know that proactive security measures are in place to ensure that malicious content will be blocked from entering the corporate network and systems environment. Moreover, application behavior profiling and blocking technology offers the only solution that provides real-time capabilities required to address today's influx of increasingly complex and varied malicious code.