Remediation and Malware Detection Overview

The SRX Series devices use intelligence provided by Sky Advanced Threat Prevention to remediate malicious content through the use of security policies. If configured, security policies block that content before it is delivered to the destination address.

For inbound traffic, security policies on the SRX Series device look for specific types of files, like .exe files, to inspect. When one is encountered, the security policy sends the file to the Sky Advanced Threat Prevention cloud for inspection. The SRX Series device holds the last few kilobytes of the file from the destination client until Sky Advanced Threat Prevention provides a verdict. If Sky Advanced Threat Prevention returns a bad verdict, the SRX Series device drops the connection and the file is blocked.

For outbound traffic, the SRX Series device monitors traffic that matches the C&C feeds it receives, blocks these C&C requests, and reports them to Sky Advanced Threat Prevention. A list of compromised hosts is available so that the SRX Series device can block inbound and outbound traffic.

How Malware Is Analyzed and Detected

Sky Advanced Threat Prevention uses a pipeline approach to analyzing and detecting malware. If an analysis reveals that the file is absolutely malware, it is not necessary to continue the pipeline to further examine the malware.

Each analysis technique creates a verdict number, which is combined to create a final verdict number from 1 through 10. A verdict number is a score or threat level. The higher the number, the higher the malware threat. The SRX Series device compares this verdict number to the policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets are dropped from the server.

Cache Lookup

When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database. When a file is uploaded to the Sky Advanced Threat Prevention cloud, the first step is to check whether this file has been looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no need to re-analyze the file. In addition to files scanned by Sky Advanced Threat Prevention, information about common malware files is also stored to provide faster response.

Cache lookup is performed in real time. All other techniques are done offline. This means that if the cache lookup does not return a verdict, the file is sent to the client system while the Sky Advanced Threat Prevention cloud continues to examine the file using the remaining pipeline techniques. If a later analysis returns a malware verdict, then the file and host are flagged.

Antivirus Scan

The advantage of antivirus software is its protection against a large number of potential threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at defending familiar threats and known malware than zero-day threats.

Sky Advanced Threat Prevention utilizes multiple antivirus software packages, not just one, to analyze a file. The results are then fed into the machine learning algorithm to overcome false positives and false negatives.

Static Analysis

• Metadata information—Name of the file, the vendor or creator of this file, and the original data on which the file was compiled.
• Categories of instructions used—Is the file modifying the Windows registry? Is it touching disk I/O APIs?
• File entropy—How random is the file? A common technique for malware is to encrypt portions of the code and then decrypt it during runtime. A lot of encryption is a strong indication that the file is malware.

The output of the static analysis is fed into the machine learning algorithm to improve the verdict accuracy.

Dynamic Analysis

The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating system environment is set up, typically in a virtual machine, and tools are started to monitor all activity. The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time has passed, the record of activity is downloaded and passed to the machine learning algorithm to generate a verdict.

• Generate a realistic pattern of user interaction such as mouse movement, simulating keystrokes, and installing and launching common software packages.
• Create fake high-value targets in the client, such as stored credentials, user files, and a realistic network with Internet access.
• Create vulnerable areas in the operating system.

Deception techniques by themselves greatly boost the detection rate while reducing false positives. They also boost the detection rate of the sandbox the file is running in because they get the malware to perform more activity. The more the file runs, the more data is obtained to detect whether the file is malware.

Machine Learning Algorithm

Sky Advanced Threat Prevention uses its own proprietary implementation of machine learning to assist in analysis. Machine learning recognizes patterns and correlates information for improved file analysis. The machine learning algorithm is programmed with features from thousands of malware samples and thousands of goodware samples. It learns what malware looks like, and is regularly reprogrammed to get smarter as threats evolve.