Anti-Malware , Technology

DHS Eyes Malware Provenance to Identify Malicious Code Seen as a Complement to Signature-Based Einstein Intrusion Detection System
DHS Eyes Malware Provenance to Identify Malicious Code
DHS Deputy Undersecretary for Cybersecurity Phyllis Schneck

The U.S. federal government designed Einstein, the Department of Homeland Security's intrusion detection and prevention system, to use signatures - or patterns of malicious data - to identify cyber incursions. However, Einstein cannot detect intrusions employing methods such as analyzing anomalous behaviors in an IT system.

But DHS is working on new ways to detect intrusions that would either be incorporated into Einstein or operate separately as a complementary system. One area is malware provenance, the art and science of attributing elements of one object to another, similar to genetics. Simply, malware provenance examines malicious code to identify attributes that could be shared by other malware.

A team of IT security experts at DHS will host a session March 3 at the RSA Conference 2016 in San Francisco titled Understanding Malware Provenance: A Federal View, moderated by Peter Fonash, DHS chief technology officer for cybersecurity and communications, and including Phyllis Schneck, DHS deputy undersecretary for cybersecurity.

In an audio report (click player beneath image to listen):

  • Schneck compares malware provenance to genetic drug therapy as an approach to battle a cyber virus. She has been a longtime advocate of developing information security systems that mimic the human immune system (see Spotting Abnormal Behavior Automatically Without Need for Signatures).
  • Gregory Wilshusen, the Government Accountability Office information security issues director, discusses the weaknesses in Einstein.
  • Hear about a pilot conducted at the U.S. Air Force Academy's Center for Innovation that rapidly detected previously unidentified relationships between families of malware by employing malware provenance.

Before becoming DHS deputy undersecretary for cybersecurity in 2013, Schneck served as chief technology officer for the public sector for McAfee, now part of Intel security, as well as the company's vice president of threat intelligence. She has a strong academic and research background, having earned a Ph.D. in computer science from Georgia Tech. Schneck holds three patents in high-performance and adaptive information security and has six research publications in the areas of information security, real-time systems, telecom and software engineering.

As a director at GAO, Wilshusen leads cybersecurity and privacy-related studies and audits of the federal government and critical infrastructure. He has more than 30 years of auditing, financial management and information systems experience. Prior to joining GAO in 1997, Wilshusen held a variety of public- and private-sector positions. He was a senior systems analyst at the Department of Education, controller for the North Carolina Department of Environment, Health and Natural Resources and held several senior auditing positions at Irving Burton Associates and the U.S. Army Audit Agency.




Around the Network