G DATA is using a technology called BEAST to break new ground in behavioural analysis. BEAST records the activity of suspicious processes in a graph database and traces the relationships between them, which also lets it recognise complex cyber attacks: even malware that spreads its individual activities over separate processes can be identified. In this interview, developer Arnas Staude explains the requirements the new technology has to meet and how the fight against cyber attacks has changed.
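To make the point of that paragraph concrete, here is an added example (not G DATA's code, and not how BEAST is implemented): a constructed process-event log in which each process performs only one step of a ransomware run, evaluated first process by process with an assumed weight-and-threshold score, and then matched with a rule that walks the process tree as a graph. The event schema, the process images, the weights and the rule itself are all assumptions made for this illustration.

```python
"""Correlating behaviour across a process tree instead of per process.

Added illustration, not G DATA's BEAST code: the event schema, the process
images, the score weights and the rule are assumptions made for this example,
and the event log is constructed, not captured from a real machine.
"""
from collections import defaultdict

# Constructed log: a Word process spawns a script host, which drops and runs
# an executable; that executable delegates the damaging steps to two further
# children (shadow-copy deletion and file encryption). No process does more
# than one step.
EVENTS = [
    {"pid": 200, "ppid": 100, "image": "winword.exe", "action": "process_create",
     "target": "wscript.exe"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe", "action": "file_write",
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe", "action": "process_create",
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"pid": 400, "ppid": 300, "image": "upd.exe", "action": "process_create",
     "target": "vssadmin.exe"},
    {"pid": 400, "ppid": 300, "image": "upd.exe", "action": "process_create",
     "target": "enc.exe"},
    {"pid": 500, "ppid": 400, "image": "vssadmin.exe", "action": "shadow_delete",
     "target": "all"},
] + [
    {"pid": 600, "ppid": 400, "image": "enc.exe", "action": "file_rename",
     "target": rf"C:\Users\alice\Documents\report{i}.docx -> report{i}.docx.locked"}
    for i in range(12)
]

# Assumed per-process scoring: each action adds a weight, the sum is capped at
# 1.0 and compared against a fixed threshold (the score-based style of check).
WEIGHTS = {"process_create": 0.1, "file_write": 0.1, "shadow_delete": 0.4,
           "file_rename": 0.05}
THRESHOLD = 0.7

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def build_graph(events):
    """Process tree (parent -> children) plus the actions of each node."""
    procs, children, actions = {}, defaultdict(set), defaultdict(list)
    for e in events:
        procs[e["pid"]] = e["image"].lower()
        children[e["ppid"]].add(e["pid"])
        actions[e["pid"]].append((e["action"], e["target"].lower()))
    return procs, children, actions


def per_process_verdicts(events):
    """Score every process in isolation; True means 'malicious'."""
    procs, _, actions = build_graph(events)
    return {pid: min(1.0, sum(WEIGHTS.get(a, 0.0) for a, _ in actions[pid])) >= THRESHOLD
            for pid in procs}


def descendants(pid, children):
    """All processes below pid in the tree, depth first, in pid order per level."""
    found, stack = [], [pid]
    while stack:
        for child in sorted(children[stack.pop()]):
            if child not in found:
                found.append(child)
                stack.append(child)
    return found


def find_split_chains(events, min_renames=10):
    """Graph rule: an Office process whose subtree contains a script host that
    writes and launches an .exe, a shadow-copy deletion, and a process that
    renames many user files to a ransom extension. The steps may sit in
    different processes; the rule only requires them to share one subtree."""
    procs, children, actions = build_graph(events)
    hits = []
    for root in procs:
        if procs[root] not in OFFICE:
            continue
        if not any(procs[c] in SCRIPT_HOSTS for c in children[root]):
            continue
        subtree = descendants(root, children)
        written = {t for p in subtree for a, t in actions[p]
                   if a == "file_write" and t.endswith(".exe")}
        launched = {t for p in subtree for a, t in actions[p] if a == "process_create"}
        dropped = sorted(written & launched)          # written here, then executed
        shadow = [p for p in subtree if any(a == "shadow_delete" for a, _ in actions[p])]
        encrypt = [p for p in subtree
                   if sum(a == "file_rename" and t.endswith(".locked")
                          for a, t in actions[p]) >= min_renames]
        if dropped and shadow and encrypt:
            hits.append({"root": root, "dropper": dropped, "shadow_delete": shadow,
                         "encryptor": encrypt, "chain": [root] + subtree})
    return hits


if __name__ == "__main__":
    print("per-process verdicts:", per_process_verdicts(EVENTS))   # all False
    for hit in find_split_chains(EVENTS):
        print("graph rule hit: root pid", hit["root"], "chain", hit["chain"])
```

Run with `python3`. The per-process score flags nothing, because no single process accumulates enough weight on its own, while the tree rule fires once and returns the exact processes that contributed each step. That second property is what makes a verdict explainable when a false positive has to be investigated: the result is a concrete chain of events rather than a number that crossed a threshold.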
What role does behaviour analysis play in the fight against malware?
We use static and dynamic analysis methods as a matter of principle in the fight against malware. Static methods analyse the properties of suspicious files such as the hash, character strings, code fragments, file size and header properties. The good thing about this is that we do not have to execute the malware during the analysis. With dynamic methods, however, we execute the potentially harmful file and observe its behaviour. The difference between the two methods is that, in static analysis, we block the malware before we execute it. With dynamic methods, we detect the malicious behaviour downstream and then stop the malware. With static methods, we have to create a separate detection rule for each malware family. With behaviour-based rules, we can define what is harmful in a more general and long-lasting way.
However, the static properties of malware can be changed very easily. For example, cyber criminals often use packers to change the size and appearance of files, so antivirus programs can no longer detect them immediately. With DeepRay, we are already using a technology that reliably detects such malware by scanning the unpacked data.
The behaviour of malware, on the other hand, is much more difficult to change than the program code. The cyber criminals cannot and do not want to do away with the malicious behaviour. If they did, they would no longer be able to use the operating system to read passwords or encrypt important data, for example. In short, they could no longer cause any damage.
Why was it necessary to develop new procedures?
Behavioural analysis has been an integral part of G DATA’s security solutions for years. Our Behaviour Blocker has done some sound work in this respect. This involves very stable behavioural analysis, which has matured over the years with very good results. Nevertheless, we have noticed that the potential for behaviour-based recognition is far from exhausted. The previous approach did not offer the potential to expand this further. In addition, it was sometimes difficult to understand how individual results came about. This is because the previous approach is score-based and therefore calculates a numerical value between zero and one for each program. If a pre-defined threshold value is exceeded, the program is then considered malicious. This value is calculated using a lengthy mathematical formula. However, this also means that the outcome is not always immediately comprehensible to us, or which aspect led to a file being classified as malicious. This makes case-by-case consideration complex. Dealing with false positive detections is therefore particularly difficult and requires a different approach. But it is difficult to adapt the formula. Unfortunately, we cannot always foresee how a small change in the calculation may have a