Catching malware red-handed: Behavioral threat fingerprinting


Thread author
Mar 16, 2019

As defenders, one of the challenges today in cybersecurity detection is our ability to determine whether a multitude of observations on network communications, setting changes, website downloads, and so on represent malicious artifacts leading to fraud, ransomware, and other attacks impacting our customers.

Bad actors continuously work on methods to hide those artifacts, which are also known as tactics, techniques, and procedures (TTPs) used while attacking our customers. If they are successful in hiding their TTPs, then it’s more likely that they will succeed in their objective. This challenge results in an arms race of sorts in which bad actors continue to develop more sophisticated techniques to hide and defenders look for new ways to detect them.

At Avast, we continuously invest in new ways to detect malicious activities, even if they employ hidden techniques. One such analysis technique is generally known as behavioral threat analysis. This post outlines some of the key aspects of how Avast performs such analysis.

Behavioral threat analytics enables the detection of threats that would otherwise fall under the radar of threat analysis techniques that are focused on static analysis of individual elements such as processes, network connections, or executables. A key element of threat analysis underpinning the behavioral approach is a graph-based representation of the dynamics unfolding on the client (such as a PC or mobile phone).

Each event, such as an execution of a file or network communication, is represented in a graph as a node connected by edges representing the relationships between the events. For example, an executed file creates a process which can then download some data from a particular IP or hostname, which is subsequently executed and thus another process is created and so on, as illustrated by the figure below. The graph thus represents a snapshot of behavior observable during a particular period of time.


As malware authors often employ so-called “living off the land” strategies.....................
Read the full blog post here
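As an added illustration of the graph representation described in the excerpt (example code written for this thread, not code from the Avast post or from any vendor product), the Python below builds an event graph from a few constructed telemetry records and searches it for one behavioral chain that a per-object static view would not connect: a process that contacts a host, then writes a file, and that file later runs as a new process. The event fields, process ids, hostnames and paths are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per observed event,
# ordered by the time field "t".
EVENTS = [
    {"t": 1, "type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"t": 2, "type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Users\u\invoice.exe"},
    {"t": 3, "type": "network_connect", "pid": 200, "host": "cdn.example.invalid"},
    {"t": 4, "type": "file_write", "pid": 200, "path": r"C:\Users\u\AppData\stage2.exe"},
    {"t": 5, "type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\stage2.exe"},
    {"t": 6, "type": "process_create", "pid": 400, "ppid": 100, "image": r"C:\Program Files\editor.exe"},
    {"t": 7, "type": "network_connect", "pid": 400, "host": "updates.example.invalid"},
]

def build_graph(events):
    """Nodes are processes, hosts and file paths; edges are typed, timestamped relations."""
    edges = defaultdict(list)  # node -> [(relation, neighbour, time)]
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "process_create":
            edges[("proc", e["ppid"])].append(("spawned", ("proc", e["pid"]), e["t"]))
            # Link the on-disk image to the process it became, so a file written
            # earlier can be joined to its later execution.
            edges[("file", e["image"])].append(("executed_as", ("proc", e["pid"]), e["t"]))
        elif e["type"] == "network_connect":
            edges[("proc", e["pid"])].append(("connected", ("host", e["host"]), e["t"]))
        elif e["type"] == "file_write":
            edges[("proc", e["pid"])].append(("wrote", ("file", e["path"]), e["t"]))
    return edges

def find_download_and_execute(edges):
    """Return (pid, host, path, child_pid) for every process that connected to a host,
    afterwards wrote a file, and whose written file later ran as a new process.
    The time checks matter: the same three events in another order are benign."""
    hits = []
    for node, out in edges.items():
        if node[0] != "proc":
            continue
        conns = [(dst[1], t) for rel, dst, t in out if rel == "connected"]
        writes = [(dst[1], t) for rel, dst, t in out if rel == "wrote"]
        for host, t_conn in conns:
            for path, t_write in writes:
                if t_write < t_conn:
                    continue
                for rel, dst, t_exec in edges.get(("file", path), []):
                    if rel == "executed_as" and t_exec > t_write:
                        hits.append((node[1], host, path, dst[1]))
    return hits
```

In the sample, pid 400 also talks to a host but writes and executes nothing, so only the invoice.exe chain is reported; in practice the same graph would be enriched with hashes, signer data and reputation of the host before any verdict.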

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
Graph Neural Networks (and similar methods) are in the arsenal of several AV vendors - that is why many AVs get similar scorings in the malware tests. The only requirement is having access to the big telemetry data from the customers' computers.

Here are the articles related to Microsoft:

Nice video:

Other vendors can use slightly different naming.(y)
