- Mar 16, 2019
Read the full blog post hereAVAST AI RESEARCH LAB 23 DEC 2021
As defenders, one of the challenges today in cybersecurity detection is our ability to determine whether a multitude of observations on network communications, setting changes, website downloads, and so on represent malicious artifacts leading to fraud, ransomware, and other attacks impacting our customers.
Bad actors continuously work on methods to hide those artifacts, which are also known as tactics, techniques, and procedures (TTPs) used while attacking our customers. If they are successful in hiding their TTPs, then it’s more likely that they will succeed in their objective. This challenge results in an arms race of sorts in which bad actors continue to develop more sophisticated techniques to hide and defenders look for new ways to detect them.
At Avast, we continuously invest in new ways to detect malicious activities, even if they employ hidden techniques. One such analysis technique is generally known as behavioral threat analysis. This post outlines some of the key aspects of how Avast performs such analysis.
Behavioral threat analytics enables the detection of threats that would otherwise fall under the radar of threat analysis techniques that are focused on static analysis of individual elements such as processes, network connections, or executables. A key element of threat analysis underpinning the behavioral approach is a graph-based representation of the dynamics unfolding on the client (such as a PC or mobile phone).
Each event, such as an execution of a file or network communication, is represented in a graph as a node connected by edges representing the relationships between the events. For example, an executed file creates a process which can then download some data from a particular IP or hostname, which is subsequently executed and thus another process is created and so on, as illustrated by the figure below. The graph thus represents a snapshot of behavior observable during a particular period of time.
As malware authors often employ so-called “living off the land” strategies.....................