Week 9. Improving Threat Detection



Antivirus companies have tried different methods to detect and stop threats.  Unfortunately, they seem to be one step behind the malware makers.  There are many various types of malware detections; all can be summarized into three groups:  pattern matching, instruction matching, and behavioral detection.  

Pattern matching is usually referred to as signature or fingerprint matching.  It searches the files for known patterns.  Once a match or close match is found, the file is flagged as a threat and is classified according to the pattern's threat class.  With that said, the pattern was found and studied from one of the infected machines.  By the time the pattern gets extracted from the malware and updated to the installed detection software, the malware already infected many more.

Instruction matching is similar to pattern matching technique.  However, instead of look for known fingerprints, it looks for known instructions or commands.  This method usually keeps track and monitor system and other important files.  When detecting a suspected operation such as delete or modify is being done on the files, the malware is either deleted or blocked and wait for user action.  The instruction matching method requires permission at OS level.

The behavioral detection method takes a completely different approach than the other two categories.  This method monitors all programs on the system for abnormal behaviors.  When detected, the system can either delete the program or suspend the operation and notify the user.  This mechanism is better at detecting new threats before they can spread.  

With all the improvement, malware still manages to get in computer systems.  So what is the missing links?  I don't know the answer.  I do however believe that the suspicious behavior method should be able to contain the threat.  If that does not work, there must be constraints that limit the capabilities of the approach.  I think one of the limitations is the inability to reach low-level control.  Let's assume the OS can to distinguish between user actions versus system, remote, or scripting actions.  Suppose the detection programs can communicate with each other within the same network.  The detection mechanism can make a better prediction about the potential threats.  When detected, it then can notify other systems to prevent the threat from spreading.

Comments

Post a Comment

Popular posts from this blog

Week 4 - STRIDE: Spoofing

Image
On week one, I briefly mentioned STRIDE as a method for threat identification. From this week, I want to go into a little more detail on each of its Mnemonic.  First, let's talk a little more about STRIDE.  In security , there are three fundamental aspects of the asset when speaking of security.  They are Confidentiality, Integrity, and Availability, which are referred to as the CIA triad.  To protect the asset means to protect its confidentiality, integrity, and availability.  STRIDE provides six ways to identify threats that would target the three areas. Spoofing: pretend to be someone or something that has legitimate permission to access the asset.  It is one of the ways to break the confidentiality . Tampering: ways to change the integrity of the asset. Repudiation: ways to obtain proves of violation Information Disclosure: access restricted information without permission (confidentiality) Denial of Service: ca...
Read more

Week 12 - The Final Words

Finally, I get to take a week of break.   This is the busiest Term so far.   Lots of demands from work plus things keep breaking at home made it tough.   I am glad it over.   With that said, I learned much from this class. In the first four weeks, I got to understand the threat modeling process and different threat modeling tools.   In a nutshell , threat modeling is about understanding your current state of the network; find all vulnerabilities, threats, and risks; formulate action plan and priority.   The process is carried out in a systematic way .   Initially, I thought the threat modeling is a process for finding the threats.   The name sounds small, but it also covers asset identification and action planning, as I realized after the comment on my assignment.  I spent the following weeks working on a security project where I apply the threat modeling process.   The first phase in threat modeling is the asset assessmen...
Read more

Week 7 - STRIDE: Repudiation

Image
In 2000, couple individuals at Signal Lake were sued for $25 million by a man named Suni Munshani.   He alleged that Signal Lake’s officers promised him a large amount of asset.     Munshani provided an email that purportedly sent from the dependents as the proof for his allegation.   The court ordered security professional to investigate and concluded that the plaintiff altered one of the emails the dependent sent to him.   Although this does not relate to repudiation, it brings an important aspect of non-repudiation.   (memecrunch.com) Repudiation, in short, is the denial of any wrongdoing , which is the very first thing anyone would do when they get caught doing something illegal.   Professional hackers learn to cover their track very well.   Likewise, security professionals learn to track.   For the email tampering case I mentioned, the defendant would not win the lawsuit if old emails weren’t available for invest...
Read more