In a new article by Hal Hodson of the New Scientist, he suggests treating the difficult task of classifying different kinds of malware as a biology problem. By treating computer viruses as biological puzzles we could help cyber security specialists better understand the wide world of malware.
An example of this methodology was recently conducted by Ajit Narayanan and Yi Chen at the Auckland University of Technology, New Zealand. In their work, they converted the signatures of 120 worms and viruses into an amino acid representation. Malware signatures are typically presented in hexadecimal format - a base-16 numbering system which uses the digits 0 to 9 as well as the letters a to f. According to Narayanan and Chen, they believe the amino acid "alphabet" is better suited to machine-learning techniques, enabling these machines to analyze a piece of code and determine whether it matches a known malware signature.
"Generally, malware experts identify and calculate the signatures of new malware, but it can be hard for them keep up. While machine learning can help, it is limited because the hexadecimal signatures can be different lengths: Narayanan's team found that using machine learning to help classify the hexadecimal malware signatures resulted in accuracy no better than flipping a coin", said Hodson.
However, some techniques used by bioinformatics for comparing amino acid sequences take differing lengths into account in their methodology. Using this same methodology but applying it to malware, Narayanan and Chen were able to achieve average accuracy of 85% for classifying the signatures automatically using machine learning.
Classification is just one we may be able to utilize amino acid methodologies to fight malware. Narayanan and Chen note that further studies of malware using this framework may show that malware evolution follows some of the same rules as amino acids and proteins.
Malware threats continue to grow in volume and sophistication. Proactive methodologies, like those proposed by Narayana and Chen, are directly in line with our thinking here at ThreatSTOP. Providing IT departments with greater understanding and control of their networks leads to increased security. The IT security industry could learn another lesson from bioinformatics. That is, disseminating information around pathogens, diseases, or in this case amino acids, to the community rather than holding it in a silo, leads to breakthroughs and cures. Our world of IT security often operates in different silos, despite the fact that we are all dealing with the same threats. We created ThreatSTOP for this very reason: to develop a product that leveraged the community and turned it against the attackers, while simultaneously learning from the collective knowledge of these attacks and disseminating that information back out to the community.