Navy Rear Admiral William E. Leigher, one of the nation's top military experts on cyber security, is reflected in a computer screen displaying a numerical code. AP

Researchers Develop Program That Can Read Malware’s Mind

The future of malware detection is analyzers that compute a program’s “intent.” By Patrick Tucker

After a decade in development, researchers from the Oak Ridge National Laboratory, or ORNL, have unveiled a new type of malware detection program that points to the future of cybersecurity tools. It’s called Hyperion, after the Greek titan who first came to understand the movement of the sun and the moon. The product can predict whether or not a program is going to cause problems before the program actually executes. That’s significant, because for cybersecurity professionals it’s often hard to tell if a piece of malware is present and what it will do.

The innovation rests on a simple fact: malware code must execute on a target computer, and what that code intends to do, its net functional effect, can be computed from the code itself. As ORNL cybersecurity and information intelligence researcher Rick Linger, the inventor of the technology, explains in this presentation, Hyperion computes behavior using deep functional semantics, not just syntax. Every computer language, Java or Python for instance, uses syntax the same way English or any other language does. Syntax is just the basic set of rules for putting symbols together in that language to make sentences. But syntax alone isn’t what allows a sentence to make sense. “Brown cows are purple on Thursday” is syntactically valid, just not actually true. Computer language syntax refers to the rules for how symbols must be arranged to form a program. Just as in English, the symbols can be combined in ways that are syntactically correct but don’t make sense, or that have hidden meanings.

The difference between what’s grammatically valid and what’s actually true is the distinction between syntax and semantics in programmer speak. Semantics is concerned with the code’s meaning, not just with whether it adheres to the rules of the language.

“It doesn’t look for things in code…we don’t look for anything. We just compute all the behavior,” Linger explained to Defense One. He cautioned that while Hyperion doesn’t provide “a silver bullet” for all malware problems, it’s an essential improvement over the way a lot of computer security programs work today, by looking primarily at syntactic features such as byte patterns.

Hyperion is an example of what’s called software behavior computation. It analyzes the code or program it’s looking at not by searching for known malware signatures, pieces of code already known to cause harm, but by computing all of its behavior, both legitimate and malicious.

So-called spaghetti code, code whose branching is so convoluted that it borders on nonsense, is one example. A large number of “write_file” commands can also indicate a program that, upon execution, will overwrite and destroy existing data, à la the Sony hack. Spaghetti code by itself isn’t malware. Hanging around a bank lobby for hours looking up at the cameras doesn’t constitute a bank robbery. But whereas human bank guards can spot strange behavior patterns and make inferences, this sort of thing has been harder for software, until now.

Hyperion users can define very general Behavior Specification Units, or BSUs, that describe behaviors the user wants to catch, such as keylogging, other forms of surveillance, or other malicious acts, even ones that aren’t tied to a specific piece of malware. It’s the difference between a bank guard on the lookout for anyone who may be casing the joint and a guard looking only for people in the act of robbing the bank at that moment.

“This approach is better than signature detection, which only searches for patterns of bytes,” Stacy Prowell of ORNL’s Cyber Warfare Research team said in a statement.

“It’s easy for somebody to hide that—they can break it up and scatter it about the program [in spaghetti code] so it won’t match any signature.”
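The contrast Prowell and Linger draw, between matching bytes and computing what a program does, is easy to see on a toy machine. The example below is added for illustration and is not ORNL’s or R&K’s Hyperion code: the instruction set, the byte encoding, the three sample programs (a file wiper, the same wiper scattered behind jumps with dead code appended, and a benign counter) and the “destructive overwrite” behavior specification unit are all constructed here. The point it demonstrates is that a byte signature taken from the wiper fails on the scattered copy, while the computed net effect of both programs is identical, and the benign counter, which also writes a file, is not flagged because its output still depends on the file’s prior contents.

```python
"""Constructed example: byte-signature matching versus computing a
program's net functional effect on a toy register machine."""

# Toy instruction set (tuples):
#   ("mov", reg, int)        reg = constant
#   ("add"|"sub", reg, reg)  reg = reg op reg2
#   ("read", reg, path)      reg = current contents of path
#   ("write", path, reg)     contents of path = reg
#   ("label", name)          jump target, no effect
#   ("jmp", name)            unconditional jump
#   ("halt",)                stop


class Val:
    """A known constant, or a symbolic expression over the initial
    contents of files (the only inputs a program here can depend on)."""

    def __init__(self, text, num=None, deps=frozenset()):
        self.text, self.num, self.deps = text, num, deps

    def __str__(self):
        return self.text

    __repr__ = __str__


def const(n):
    return Val(str(n), n)


def initial(path):
    return Val(f"init({path})", None, frozenset({path}))


def binop(op, a, b):
    if a.num is not None and b.num is not None:  # fold constants
        return const(a.num + b.num if op == "add" else a.num - b.num)
    sym = "+" if op == "add" else "-"
    return Val(f"({a} {sym} {b})", None, a.deps | b.deps)


def encode(program):
    """Serialize a program to bytes, the form a signature scanner sees."""
    return b";".join(" ".join(map(str, ins)).encode() for ins in program)


def signature_match(program, signature):
    """Signature detection: search for a fixed byte pattern in the code."""
    return signature in encode(program)


def compute_behavior(program, max_steps=1000):
    """Follow control flow to termination and return the net effect:
    final contents of every written file as expressions over the files'
    initial contents. Overwritten intermediates and dead code drop out."""
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    regs, files, pc = {}, {}, 0
    for _ in range(max_steps):
        op, *args = program[pc]
        pc += 1
        if op == "halt":
            return files
        if op == "mov":
            regs[args[0]] = const(args[1])
        elif op in ("add", "sub"):
            regs[args[0]] = binop(op, regs[args[0]], regs[args[1]])
        elif op == "read":
            regs[args[0]] = files[args[1]] if args[1] in files else initial(args[1])
        elif op == "write":
            files[args[0]] = regs[args[1]]
        elif op == "jmp":
            pc = labels[args[0]]
        elif op != "label":
            raise ValueError(f"unknown instruction {op}")
    raise RuntimeError("program did not halt within the step budget")


def bsu_destructive_overwrite(behavior):
    """Constructed behavior specification unit: files whose final contents
    do not depend on what was in them before the program ran."""
    return {path for path, val in behavior.items() if path not in val.deps}


# Constructed sample programs.
WIPER = [
    ("mov", "r0", 0),
    ("write", "/data/db.bin", "r0"),
    ("write", "/data/log.txt", "r0"),
    ("halt",),
]
SPAGHETTI_WIPER = [  # same net effect, instructions scattered behind jumps
    ("jmp", "L2"),
    ("label", "L1"), ("write", "/data/db.bin", "r0"), ("jmp", "L3"),
    ("label", "L2"), ("mov", "r0", 7), ("mov", "r1", 7),
    ("sub", "r0", "r1"), ("jmp", "L1"),
    ("label", "L3"), ("write", "/data/log.txt", "r0"), ("halt",),
    ("mov", "r0", 99),  # dead code, never reached
]
COUNTER = [  # benign: reads a file, adds one, writes it back
    ("read", "r0", "/data/counter"), ("mov", "r1", 1),
    ("add", "r0", "r1"), ("write", "/data/counter", "r0"), ("halt",),
]
SIGNATURE = encode(WIPER[:2])  # b"mov r0 0;write /data/db.bin r0"

if __name__ == "__main__":
    for name, prog in [("wiper", WIPER), ("spaghetti", SPAGHETTI_WIPER), ("counter", COUNTER)]:
        b = compute_behavior(prog)
        print(f"{name:10} signature={signature_match(prog, SIGNATURE)!s:5} "
              f"behavior={b} BSU={sorted(bsu_destructive_overwrite(b))}")
```

The signature is a byte string taken from the straight-line wiper, so it matches that program and nothing else; the scattered copy never contains the two instructions adjacently, and never even contains “mov r0 0”, yet its computed behavior, zero written to both files regardless of their prior contents, is exactly the wiper’s. The counter writes a file too, but its final contents are init(/data/counter) + 1, so the overwrite BSU, which asks about the effect rather than the presence of a write instruction, leaves it alone.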

Hyperion has been licensed to R&K Cyber Solutions, which will make it available in January.

“Software behavior computation is an emerging science and technology that will have a profound effect on malware analysis and software assurance…Computed behavior based on deep functional semantics is a much-needed cyber security approach that has not been previously available,” R&K Cyber Solutions CEO Joseph Carter said.

The Cyber Warfare Research team developed the program as part of the Roadmap to Achieve Energy Delivery Systems Cybersecurity, in other words, with a clear focus on protecting the nation’s infrastructure from attack. That’s an issue that concerns the military as well, since the Defense Department plays a role in critical infrastructure protection under Presidential Decision Directive 63. In November, Admiral Michael Rogers, commander of U.S. Cyber Command, said that China and perhaps “one or two others” could cause huge blackouts across the United States via a well-executed cyber attack. Chinese and North Korean hackers rely heavily on malware as an attack tactic.

This may be one tool to counter that threat.