
Behavior-Based Protection

May 6, 2012

Millions of end users are tricked into running malware that masquerades as a video player or codec, or as a rogue antivirus application that does nothing except infect the machine and social-engineer the user into paying for software that provides no protection. Drive-by downloads and web-attack toolkits silently infect users who visit mainstream websites by the hundreds of millions. Some malware installs rootkits or injects malicious code into running programs and system processes. Because malware today can be generated dynamically, file-based detection alone is insufficient to protect end users' systems.

Why Behavior-based security?

In 2010, Symantec saw more than 286 million variants of malware and blocked more than 3 billion attacks. With the continued growth in malware threats and variants, Symantec saw the need for innovative approaches that prevent malware infections and protect users silently and automatically, no matter what the end user does or how the malware gets onto the system. Symantec's Insight reputation technology and Symantec Online Network for Advanced Response (SONAR) behavior-based security are two of those approaches.

Behavior-based security technologies are best positioned to scale to this rate of growth because behaviors generalize across a vast population of malicious and good files far better than file-based heuristics do. A file's hash or byte pattern can be changed trivially by repacking, but the behaviors malware must perform to reach its goal (drop files, persist, communicate) change rarely and cannot be changed easily without effort that undermines the malware's propagation and creation strategies.

Behavior-based protection technology provides effective, non-invasive protection against previously unseen zero-day threats. SONAR protects against threats based on what an application does rather than what it looks like. SONAR is the main engine of Symantec's behavior-based technology and comprises three components: a classification engine based on artificial intelligence, human-authored behavioral signatures, and a behavioral policy lockdown engine. Together these components provide protection against threats that are most often delivered through social engineering and targeted attacks.

Top Threat Vectors Symantec’s Behavior-Based technology protects against:
  • Targeted attacks, including Advanced Persistent Threats (APTs), Trojans, spyware, keyloggers and general malware
  • Social Engineering Attacks – FakeAV, Rogue Key Generators and Fake Codecs
  • Bots and Botnets
  • Non-Process and Injected Threats (NPT)
  • Zero-day threats
  • Malware as the result of drive-by downloads that bypassed other layers of protection
  • Malware using rootkit techniques to hide

When does the Symantec Behavior Based technology layer provide protection?

Whether the user executes the malicious application on purpose (tricked by social engineering) or malware attempts to install itself automatically and silently through a web-based attack such as a drive-by download, SONAR stops the malware in real time once it is executed, started, or tries to inject itself into running processes (NPTs). Zero-day protection against Hydraq/Aurora, Stuxnet, and malware that embeds rootkits such as Tidserv and ZeroAccess has shown SONAR to be an essential technology for endpoint protection.

How does it work?

Classification Engine Based on Artificial Intelligence

Symantec has built one of the world's largest databases of behavioral profiles, covering nearly 1.2 billion application instances. By using machine learning to analyze the attributes of what good and bad applications do, Symantec can build behavioral profiles that generalize to applications that have not yet been created. Drawing on almost 1,400 behavioral attributes and on rich context gathered from Symantec's other endpoint components (Insight, IPS and the AV engine), the SONAR classification engine can quickly spot malicious behavior and remove bad applications before they do damage. In 2011, SONAR analyzed more than 586 million executables, DLLs and applications for Norton and Symantec customers.

Non-process Based Threat Protection

Today's threats are not always standalone malware executables. They try to hide as soon as possible by injecting into commonly running processes or applications, or by registering components with extensible applications, so that their malicious activity is carried out by trusted OS processes or trusted applications. For example, when malware runs it can inject malicious code into running processes such as explorer.exe (the desktop shell) or iexplore.exe (the Internet Explorer browser), or register malicious components as extensions to such applications. Thereafter the malicious activity is exhibited by well-known, trusted OS components. SONAR prevents the code from being injected into the target process by classifying the source process that attempts the injection. It also classifies, and if necessary blocks, malicious code that is loaded or executed inside the target (trusted) process.

Behavioral Policy Lockdown

Drive-by downloads work by exploiting vulnerabilities in browser plugins such as Adobe Reader, Oracle (Sun) Java and Adobe Flash. Once a vulnerability has been exploited, the drive-by download can make the vulnerable application silently launch any program the attacker wants. By creating a behavioral policy lockdown definition, Symantec can block such behaviors with rules like "Adobe Acrobat should not create other executables" or "DLLs should not be injected into the explorer.exe process", thereby protecting the system. This can be described as locking down a behavior based on a policy or rule. These SONAR definitions are created by the Symantec STAR team, deployed automatically in blocking mode, and require no management by the customer. They prevent suspicious behaviors from otherwise legitimate applications and protect users automatically. Because a lockdown rule keys on what a trusted application does, it fires even when that application's reputation is good; that is the point, since the process has been subverted by the exploit.

Behavioral Policy Enforcement (BPE) Signatures

Being able to evolve with the continually changing threat landscape is an essential part of SONAR, and Symantec's protection can be expanded to target tomorrow's threats as well. When a new family of threats is seen, such as a new rootkit, Trojan, FakeAV or other type of malware, Symantec can create new behavioral signatures to detect the family and release them without code updates to the product. These are called SONAR Behavioral Policy Enforcement (BPE) signatures. They are fast to write, test and deploy, and they give SONAR the flexibility to respond to certain classes of emerging threats with a very low false-positive rate. Symantec has many SONAR BPE signatures, ranging from FakeAV misleading applications to specific malware threats and rootkits such as Graybird, Tidserv, ZeroAccess and Gammima.

So how do the BPE Signatures work?

Let’s take a look at an application that gets executed.
  • It drops certain components in the windows temp directory
  • It adds a bunch of registry entries
  • It changes the hosts file
  • It doesn’t have a user interface
  • And it opens up communications on high ports

Any one of these behaviors alone may not be "bad", but taken as a whole the behavioral profile is bad. A Symantec STAR analyst creates a rule that says: if Symantec sees this sequence of behaviors from an executable with certain Insight reputation characteristics (for example, a file that is new and has been seen on very few machines), stop the process and roll back its changes. SONAR can implement a virtual sandbox around an infected but otherwise legitimate application and so prevent it from taking malicious actions that might harm the user's computer. This is a new paradigm in endpoint protection: it leverages what the application does and how it behaves rather than what it looks like.
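The rule the analyst writes above, together with the lockdown rules from the Behavioral Policy Lockdown section, as an added Python example that is not Symantec's code (SONAR's implementation is not shown on this page): a toy engine that evaluates a constructed record of a process's activity against lockdown rules, which fire regardless of reputation, and a composite BPE-style signature, which is gated on reputation and prevalence. Process names, event kinds, reputation labels, the temp-directory and hosts-file paths, and every threshold are assumptions made for illustration.

```python
"""Toy behavioral policy engine (added example; not Symantec's SONAR code).

Two rule kinds from the post, run over a constructed record of what a process
did: lockdown rules ("process X must never do Y"), applied regardless of
reputation to catch a trusted application that has been subverted, and a
BPE-style signature of individually benign behaviors that together form a bad
profile, gated on reputation. Event kinds, names and thresholds are assumed.
"""
from dataclasses import dataclass, field

@dataclass
class ProcessProfile:
    image: str        # executable image name of the observed process
    parent: str       # image name of the process that started it
    reputation: str   # assumed labels: "trusted", "unknown", "bad"
    prevalence: int   # assumed: number of endpoints that have seen this hash
    has_ui: bool      # did the process ever show a window?
    events: list = field(default_factory=list)  # (kind, target) tuples

def _targets(p, kind):
    return [t for k, t in p.events if k == kind]

# Behavioral predicates; each is common in legitimate software on its own.
def drops_into_temp(p):
    return any(t.lower().startswith("c:\\windows\\temp\\") for t in _targets(p, "file_drop"))

def many_registry_writes(p, threshold=5):
    return len(_targets(p, "reg_set")) >= threshold

def modifies_hosts_file(p):
    return any(t.lower().endswith("\\drivers\\etc\\hosts") for t in _targets(p, "file_modify"))

def no_user_interface(p):
    return not p.has_ui

def listens_on_high_port(p):
    return any(port > 1024 for port in _targets(p, "net_listen"))

def spawns_executable(p):
    return any(t.lower().endswith((".exe", ".dll", ".scr")) for t in _targets(p, "proc_create"))

def injects_into(p, target):
    return any(t.lower() == target for t in _targets(p, "inject"))

# Lockdown rules: (name, predicate) keyed on what a specific application did.
LOCKDOWN_RULES = [
    ("lockdown: Adobe Reader must not create executables",
     lambda p: p.image.lower() in ("acrord32.exe", "acrobat.exe") and spawns_executable(p)),
    ("lockdown: nothing may inject into explorer.exe",
     lambda p: injects_into(p, "explorer.exe")),
]

# BPE-style signatures: (name, predicates, minimum number that must match).
BPE_SIGNATURES = [
    ("bpe: silent dropper profile",
     [drops_into_temp, many_registry_writes, modifies_hosts_file,
      no_user_interface, listens_on_high_port], 4),
]

def bpe_hits(p, predicates):
    return [f.__name__ for f in predicates if f(p)]

def reputation_permits_block(p, prevalence_floor=1000):
    # A widely seen, trusted binary showing the same profile is left alone;
    # the signature only convicts untrusted, low-prevalence files.
    return p.reputation != "trusted" and p.prevalence < prevalence_floor

def evaluate(p):
    """Return ("block" | "allow", [reasons])."""
    reasons = [name for name, fires in LOCKDOWN_RULES if fires(p)]
    for name, predicates, minimum in BPE_SIGNATURES:
        hits = bpe_hits(p, predicates)
        if len(hits) >= minimum and reputation_permits_block(p):
            reasons.append(f"{name} ({', '.join(hits)})")
    return ("block" if reasons else "allow"), reasons

def rollback_plan(p):
    """Reversible system changes recorded for a convicted process."""
    undo = {"file_drop": "delete {}", "reg_set": "remove registry value {}",
            "file_modify": "restore {} from pre-change copy"}
    return [undo[k].format(t) for k, t in p.events if k in undo]

# Constructed sample activity, not real telemetry.
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\entry"
FAKE_CODEC = ProcessProfile(
    "flash_player_update.exe", "iexplore.exe", "unknown", 3, False,
    [("file_drop", r"C:\Windows\Temp\svchost32.dll"), ("file_drop", r"C:\Windows\Temp\run.bat"),
     ("file_modify", HOSTS), ("net_listen", 4433), ("inject", "explorer.exe")]
    + [("reg_set", RUN_KEY + str(i)) for i in range(6)])
# Same five behaviors from a trusted, widely deployed management agent.
DEPLOY_AGENT = ProcessProfile(
    "deploy_agent.exe", "services.exe", "trusted", 250000, False,
    [("file_drop", r"C:\Windows\Temp\agent.tmp"), ("file_modify", HOSTS), ("net_listen", 8443)]
    + [("reg_set", r"HKLM\Software\ExampleCorp\Agent\key" + str(i)) for i in range(6)])
# A trusted reader that has been exploited and spawns a payload.
EXPLOITED_READER = ProcessProfile(
    "AcroRd32.exe", "iexplore.exe", "trusted", 5000000, True,
    [("proc_create", r"C:\Users\Public\a.exe")])

if __name__ == "__main__":
    for p in (FAKE_CODEC, DEPLOY_AGENT, EXPLOITED_READER):
        verdict, why = evaluate(p)
        print(f"{p.image}: {verdict} {why}")
        if verdict == "block":
            print("  rollback:", rollback_plan(p))
```

Running it blocks the unknown, low-prevalence dropper on both the explorer.exe injection lockdown and the composite signature, lets the trusted deployment agent through even though it exhibits all five behaviors (the reputation gate is what keeps the false-positive rate low), and blocks the exploited Reader process on the lockdown rule despite its good reputation. The rollback plan lists only the changes the engine recorded; the spawned payload process and anything already sent over the network are outside it.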

Automated Remediation of malicious files with sandboxing

The real-time behavioral protection engine monitors and sandboxes applications, processes and events as they happen, rather than inspecting files statically. System changes made by a process judged malicious can be rolled back so that the activity does not impact the system. Roll-back covers the changes the engine recorded (files dropped, registry entries written, files modified); anything that has already left the machine, such as data sent over the network, cannot be undone.

Real-time application and process monitoring

SONAR monitors over 1,400 aspects of all running applications, DLLs and processes, delivering real-time protection against threats as they execute.

STAR Intelligence Communication Bus

SONAR does not work in isolation. The engine shares intelligence with Symantec's other protection technologies over the STAR Intelligence Communication Bus (STAR ICB). SONAR communicates with the network IPS, the AV engine and the Insight reputation engine, allowing for more informed and accurate protection decisions than any single engine could make on its own.
