The landscape of software attacks is both evolving and growing, as an ever wider variety and quantity of advanced malware is developed and released. It’s no longer enough for security solutions to track the signatures of known malware and their derivatives. Today, they must identify previously unrecognized vulnerabilities – so-called zero-days – and proactively protect against the malware that exploits them, without ever having encountered that malware before.
In HP’s Bristol-based Security Lab, the team is using statistical and behavioral analysis techniques to study and detect malware.
“By doing advanced analytics and detection research, we can find malware that can’t be identified through conventional methodologies,” says Jonathan Griffin, senior researcher in the Lab.
To inform their strategies, HP’s researchers need to keep abreast of the state of the art in malware, and have therefore created a dedicated malware lab to support that approach.
“Malware labs are isolated, protected environments that let us investigate how a particular piece of malicious software carries out its attack,” explains Simon Shiu, Head of Security Research for HP Labs. “They let us capture and experiment with the malicious software with no danger of accidentally infecting our own network or anyone else.”
HP’s malware lab helps its researchers both understand their adversaries and test techniques for detecting, mitigating, and recovering from real-world attacks. “Having a lab like this allows us to test how robust what we are doing really is from an overall, architectural point of view,” Shiu explains.
There’s a useful analogy here with laboratories that help us understand infectious diseases, adds Griffin. “We can’t just do forensic analysis on dead samples,” he says. “We have to watch how they behave live to know what they’re doing.”
As a complement to their malware lab, the HP Labs security team is also developing techniques to simulate malware and the behaviors it typically exhibits.
“Simulating a piece of malware allows us to easily tweak its behaviors and to mimic its evolution over time,” Shiu says. “We predict how the malware will change, and then test possible behavioral evolutions against our security techniques and see if they are still able to mitigate the danger.”
The overall process moves us towards a truly evidence-based method for assessing how useful any malware detection technique will actually be in a real-world environment, Shiu argues.
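The simulate-then-test loop described above can be reduced to a small, constructed experiment. The Python below is an added illustration written for this page, not HP Labs’ code: the behavior labels, the benign and malicious traces, the mutation operators and the three detectors are all invented here. It “evolves” an abstract behavior profile over several generations (inserting unrelated events, reordering neighbours, swapping one behavior for an equivalent one) and records how often each detector still fires, next to its false-positive rate on a few constructed benign traces. The point it makes is the one Shiu raises: a detector’s robustness depends on the assumptions baked into it, and those assumptions only become visible when you measure against plausible evolutions rather than a fixed sample.

```python
"""Constructed example: how a behavioral detector's hit rate decays as a
simulated malware behavior profile is evolved.  All event names are invented
abstract labels; nothing here is real malware."""
import random
from typing import Callable, List

Trace = List[str]

# Constructed vocabulary (assumption: these abstract labels stand in for the
# event stream a sandbox would record).
CORE_BEHAVIOR: Trace = ["spawn_child", "write_autorun", "net_connect", "encrypt_files"]
NOISE_EVENTS = ["sleep", "read_file", "render", "write_log", "http_get"]
BENIGN_TRACES: List[Trace] = [
    ["open_doc", "read_file", "render", "save_file"],
    ["net_connect", "http_get", "write_cache", "render"],
    ["spawn_child", "read_file", "write_log"],
]
# Behaviorally equivalent alternatives a future variant might switch to.
EQUIVALENT = {
    "spawn_child": "inject_thread",
    "write_autorun": "write_scheduled_task",
    "net_connect": "dns_query",
    "encrypt_files": "overwrite_files",
}
# Canonical behavior class for every known event (original and alternative).
BEHAVIOR_CLASS = {e: e for e in CORE_BEHAVIOR}
BEHAVIOR_CLASS.update({alt: orig for orig, alt in EQUIVALENT.items()})


# --- detectors: each returns True when the trace looks malicious ------------
def exact_sequence_detector(trace: Trace) -> bool:
    """Signature-like rule: the core behaviors must appear contiguously, in order."""
    n = len(CORE_BEHAVIOR)
    return any(trace[i:i + n] == CORE_BEHAVIOR for i in range(len(trace) - n + 1))


def threshold_detector(trace: Trace, min_hits: int = 3) -> bool:
    """Order-insensitive rule: enough distinct core behaviors anywhere in the trace."""
    return len(set(trace) & set(CORE_BEHAVIOR)) >= min_hits


def normalized_threshold_detector(trace: Trace, min_hits: int = 3) -> bool:
    """As threshold_detector, but events are first mapped to behavior classes,
    so the rule's assumption (which events are equivalent) is explicit."""
    classes = {BEHAVIOR_CLASS.get(e, e) for e in trace}
    return len(classes & set(CORE_BEHAVIOR)) >= min_hits


# --- simulated evolution ---------------------------------------------------
def insert_noise(trace: Trace, rng: random.Random) -> Trace:
    """Insert one unrelated event strictly inside the trace."""
    pos = rng.randrange(1, len(trace))
    return trace[:pos] + [rng.choice(NOISE_EVENTS)] + trace[pos:]


def reorder(trace: Trace, rng: random.Random) -> Trace:
    """Swap two neighbouring events."""
    i = rng.randrange(len(trace) - 1)
    out = list(trace)
    out[i], out[i + 1] = out[i + 1], out[i]
    return out


def substitute(trace: Trace, rng: random.Random) -> Trace:
    """Replace one still-original core behavior with its equivalent."""
    candidates = [e for e in trace if e in EQUIVALENT]
    if not candidates:
        return list(trace)
    victim = rng.choice(candidates)
    return [EQUIVALENT[e] if e == victim else e for e in trace]


def evolve(trace: Trace, generations: int, rng: random.Random) -> Trace:
    """Each generation adds noise and then applies one further random change."""
    for _ in range(generations):
        trace = insert_noise(trace, rng)
        trace = rng.choice([reorder, substitute])(trace, rng)
    return trace


# --- evaluation ------------------------------------------------------------
def detection_rate(detector: Callable[[Trace], bool], generations: int,
                   trials: int = 200, seed: int = 1) -> float:
    """Fraction of evolved variants the detector still flags."""
    rng = random.Random(seed)
    hits = sum(detector(evolve(CORE_BEHAVIOR, generations, rng)) for _ in range(trials))
    return hits / trials


def false_positive_rate(detector: Callable[[Trace], bool]) -> float:
    return sum(detector(t) for t in BENIGN_TRACES) / len(BENIGN_TRACES)


DETECTORS = {
    "exact_sequence": exact_sequence_detector,
    "threshold(3/4)": threshold_detector,
    "normalized_threshold(3/4)": normalized_threshold_detector,
}

if __name__ == "__main__":
    print(f"{'detector':28} FPR   " + " ".join(f"gen{g}" for g in range(4)))
    for name, det in DETECTORS.items():
        rates = [detection_rate(det, g) for g in range(4)]
        print(f"{name:28} {false_positive_rate(det):.2f}  " + " ".join(f"{r:4.2f}" for r in rates))
```

Running it prints one row per detector. The exact-sequence rule collapses after a single generation, the unordered threshold rule survives one substitution but not two, and the class-normalized rule holds up for as long as its equivalence table remains correct, which is exactly the assumption a researcher would want to state and test.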
It’s essential to improve how we test the efficacy of our malware detection approaches, he believes. “For any idea that we have, we need to answer: how future-proof is it? How robust is it? What assumptions do we need to make to be confident that it will be effective? That’s what our research is pushing towards.”