Malware detection technology identifies malware without examining source code

January 19, 2015

Cybersecurity is one of the top emerging and standing issues facing the electric sector over the next 10 years (credit: 2009 NERC Long Term Reliability Assessment, October 2009)

Hyperion, new malware detection software that can quickly recognize malicious software even if the specific program has not been previously identified as a threat, has been licensed by Oak Ridge National Laboratory (ORNL) to R&K Cyber Solutions LLC (R&K).

Hyperion, which has been under development for a decade, offers more comprehensive scanning capabilities than existing cyber security methods, said one of its inventors, Stacy Prowell of the ORNL Cyber Warfare Research team. By computing and analyzing program behaviors associated with harmful intent, Hyperion can determine the software’s behavior without using its source code or even running the program.

“These behaviors can be automatically checked for known malicious operations as well as domain-specific problems,” Prowell said. “This technology helps detect vulnerabilities and can uncover malicious content before it has a chance to execute.”

Trumps signature detection

“This approach is better than signature detection, which only searches for patterns of bytes,” Prowell said. “It’s easy for somebody to hide that — they can break it up and scatter it about the program so it won’t match any signature.”
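As an added illustration of the contrast Prowell draws (this is example code written for this page, not ORNL’s or R&K’s Hyperion), the toy below decodes a constructed three-byte instruction set and derives each program’s net effect symbolically, without executing it; the instruction encoding, register names and sample programs are all invented here.

```python
"""Byte-signature matching versus computed behaviour on a constructed toy ISA."""
from typing import Dict, List, Tuple

# Constructed encoding: every instruction is (opcode, operand_a, operand_b).
# LOAD ra, imm ; ADD ra, rb ; MOV ra, rb ; NOP
OPS = {0x01: "LOAD", 0x02: "ADD", 0x03: "MOV", 0x00: "NOP"}


def decode(code: bytes) -> List[Tuple[str, int, int]]:
    """Split the byte string into (mnemonic, operand_a, operand_b) triples."""
    if len(code) % 3:
        raise ValueError("truncated instruction stream")
    return [(OPS[code[i]], code[i + 1], code[i + 2]) for i in range(0, len(code), 3)]


def compute_behavior(code: bytes) -> Dict[str, str]:
    """Derive the program's net function as one symbolic expression per register
    by forward substitution over the straight-line code (nothing is run).
    Instruction order and padding that do not change the function do not
    change this result."""
    regs = {r: r for r in ("r0", "r1", "r2")}  # each register starts as itself
    for op, a, b in decode(code):
        if op == "LOAD":
            regs[f"r{a}"] = str(b)
        elif op == "ADD":
            regs[f"r{a}"] = f"({regs[f'r{a}']} + {regs[f'r{b}']})"
        elif op == "MOV":
            regs[f"r{a}"] = regs[f"r{b}"]
    return regs


def signature_hit(code: bytes, signature: bytes) -> bool:
    """Classic signature detection: flags only an exact contiguous byte pattern."""
    return signature in code


def behavior_hit(code: bytes, bad_effect: Dict[str, str]) -> bool:
    """Flag a program whose computed behaviour contains the listed effects,
    however its bytes happen to be arranged."""
    regs = compute_behavior(code)
    return all(regs.get(r) == v for r, v in bad_effect.items())


# Constructed samples: KNOWN_BAD leaves r2 = 3 + 4; VARIANT has the same net
# effect but reorders the independent loads and inserts NOPs.
KNOWN_BAD = bytes([0x01, 0, 3, 0x01, 1, 4, 0x03, 2, 0, 0x02, 2, 1])
VARIANT = bytes([0x01, 1, 4, 0x00, 0, 0, 0x01, 0, 3, 0x00, 0, 0, 0x03, 2, 0, 0x02, 2, 1])
SIG = KNOWN_BAD[:9]                # a byte signature derived from the original
BAD_EFFECT = {"r2": "(3 + 4)"}     # the behaviour the analyst actually cares about
```

The signature matches only `KNOWN_BAD`, while `behavior_hit` flags both programs because their computed functions are identical.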

“Software behavior computation is an emerging science and technology that will have a profound effect on malware analysis and software assurance,” said R&K Cyber Solutions CEO Joseph Carter. “Computed behavior based on deep functional semantics is a much-needed cyber security approach that has not been previously available. Unlike current methods, behavior computation does not look at surface structure. Rather, it looks at deeper behavioral patterns.”

Carter adds that the technology’s malware analysis capabilities can be applied to multiple related cyber security problems, including software assurance in the absence of source code, hardware and software data exploitation and forensics, supply chain security analysis, anti-tamper analysis, and potential first intrusion detection systems based on behavior semantics.

R&K Cyber Solutions plans to release the software this month. The company specializes in information assurance services and certified security processes for federal government and selected commercial customers.

According to ORNL, Hyperion also further strengthens the cybersecurity of critical energy infrastructure by providing evidence of the secure functioning of energy delivery control system devices without requiring disclosure of the source code. This advances the vision of resilient energy delivery systems designed, installed, operated and maintained to survive a cyber incident while sustaining critical functions, as articulated in the energy sector’s Roadmap to Achieve Energy Delivery Systems Cybersecurity.

DOE’s Cybersecurity for Energy Delivery Systems program within the Office of Electricity Delivery and Energy Reliability funded portions of this technology.