Oak Ridge Cyber Security Technology Hyperion Offers More Powerful Malware Detection
R&K Cyber Solutions has licensed Hyperion, a cyber security technology from the Department of Energy’s Oak Ridge National Laboratory (ORNL), which can detect malware by looking inside an executable program to determine the software’s behavior without using its source code or running the program. The Hyperion technology, which has been under development for a decade, offers more comprehensive scanning capabilities than existing cyber security methods.
Computer programs are mathematical artifacts, subject to mathematical analysis. The Hyperion system is built on function extraction (FX) algorithms for program structuring, behavior computation, and stepwise computation; FX was first developed by IBM and Carnegie Mellon University and then refined using the high performance computing facility at ORNL.
Uncovering Malicious Content Before Execution
Hyperion developer Stacy Prowell of ORNL’s Cyber Warfare Research team said:
These behaviors can be automatically checked for known malicious operations as well as domain-specific problems. This technology helps detect vulnerabilities and can uncover malicious content before it has a chance to execute. This approach is better than signature detection, which only searches for patterns of bytes. It’s easy for somebody to hide that – they can break it up and scatter it about the program so it won’t match any signature.
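The contrast Prowell draws (and the behavior computation named earlier in the article) can be made concrete with a small toy. The following is an added example, not Hyperion's code or ORNL's algorithms: it defines a hypothetical four-register mini instruction set with only MOV, ADD, SUB and NOP (a constructed ISA, not x86 or IBM/370), scans the encoded bytes for a fixed signature, and separately composes the semantics of each instruction into the net function the program applies to the register file. Loading the constant 0x1337 into r0 stands in for the "known malicious operation". The straight-line program that does it directly matches the signature; the same effect broken up across several instructions and scattered among no-ops and unrelated work does not, yet its computed behavior is identical. Real FX handles branches, loops and full instruction semantics; this toy is straight-line only and its register abstraction ("constant" or "initial value plus offset") is exact only because the ISA has no other operations.

```python
"""Toy contrast between byte-signature matching and computed behavior.

Constructed, hypothetical 4-register mini instruction set (not Hyperion's
semantics and not a real ISA):
  0x01 MOV r, imm32   0x02 ADD r, imm32   0x03 SUB r, imm32   0x90 NOP
Each instruction is encoded as opcode (1 byte), register index (1 byte) and a
little-endian 32-bit immediate (4 bytes, zero for NOP).
"""
import struct
from typing import Dict, List, Tuple

MOV, ADD, SUB, NOP = 0x01, 0x02, 0x03, 0x90
NREGS = 4
MASK = 0xFFFFFFFF

Insn = Tuple[int, int, int]  # (opcode, register, immediate)
# Net effect on one register: ("const", v) means the register ends holding the
# constant v regardless of input; ("init", k) means it ends as its own initial
# value plus k (mod 2**32).
Value = Tuple[str, int]
Behavior = Dict[int, Value]


def assemble(program: List[Insn]) -> bytes:
    return b"".join(struct.pack("<BBI", op, reg, imm & MASK)
                    for op, reg, imm in program)


def disassemble(code: bytes) -> List[Insn]:
    if len(code) % 6:
        raise ValueError("code length is not a whole number of instructions")
    return [struct.unpack("<BBI", code[i:i + 6]) for i in range(0, len(code), 6)]


def signature_match(code: bytes, signature: bytes) -> bool:
    """Classic signature detection: a fixed byte pattern must appear verbatim."""
    return signature in code


def compute_behavior(program: List[Insn]) -> Behavior:
    """Compose the semantics of each instruction, in order, into the net
    function the whole program applies to the register file."""
    state: Behavior = {r: ("init", 0) for r in range(NREGS)}
    for op, reg, imm in program:
        if op == NOP:
            continue
        if reg >= NREGS:
            raise ValueError(f"bad register {reg}")
        kind, k = state[reg]
        if op == MOV:
            state[reg] = ("const", imm & MASK)
        elif op == ADD:
            state[reg] = (kind, (k + imm) & MASK)
        elif op == SUB:
            state[reg] = (kind, (k - imm) & MASK)
        else:
            raise ValueError(f"unknown opcode {op:#x}")
    return state


def loads_constant(behavior: Behavior, reg: int, value: int) -> bool:
    """Behavioral check: does the program leave `reg` holding `value`,
    however that value was assembled along the way?"""
    return behavior[reg] == ("const", value & MASK)


# Constructed sample: the "known bad" operation is loading 0x1337 into r0.
PLAIN = [(MOV, 0, 0x1337)]
# Same net effect, broken up and scattered among no-ops and unrelated work on r1.
SCATTERED = [(MOV, 0, 0x1000), (NOP, 0, 0), (ADD, 1, 7),
             (ADD, 0, 0x0300), (NOP, 0, 0), (ADD, 0, 0x37), (SUB, 1, 7)]
SIGNATURE = assemble(PLAIN)  # the byte pattern a signature scanner would carry


def compare(program: List[Insn]) -> Tuple[bool, bool]:
    """Return (signature hit, behavior hit) for one program."""
    code = assemble(program)
    beh = compute_behavior(disassemble(code))
    return signature_match(code, SIGNATURE), loads_constant(beh, 0, 0x1337)


if __name__ == "__main__":
    for name, prog in (("plain", PLAIN), ("scattered", SCATTERED)):
        sig, beh = compare(prog)
        print(f"{name:10s} signature={sig!s:5} behavior={beh}")
```

Running the block reports a signature hit only for the plain program, while the behavioral check fires for both; `compute_behavior` also returns identical register functions for the two programs, which is the equivalence a byte pattern cannot see.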
ORNL developed the Hyperion system to compute the behavior of software as a means to gain understanding of software functionality and security properties. Computation of functionality is critical to revealing security attributes, which are, in fact, specialized functional behaviors of software. ORNL collaborated with MITRE Corporation on a demonstration project to compute the behavior of legacy IBM Assembly code for a federal agency. The ultimate goal is to understand functionality and security vulnerabilities for code modernization. The paper “Computing legacy software behavior to understand functionality and security properties: an IBM/370 demonstration” reports on the first phase of that work, which defined functional semantics for the IBM instructions and carried out behavior computation experiments.
An open access presentation by Rick Linger of ORNL Cyber Security and Information Intelligence Research Group, titled “The Hyperion System: Computing Software Behavior with Function Extraction Technology,” provides in-depth information about the Hyperion system. The presentation includes examples of behavior computation for computer viruses and embedded systems. The last slide states the long-term vision of the project: Computed behavior available for all common software and behavior computation available for one-off software.
Hyperion further strengthens the cyber security of critical energy infrastructure by providing evidence of the secure functioning of energy delivery control system devices without requiring disclosure of the source code. This advances the vision of resilient energy delivery systems designed, installed, operated and maintained to survive a cyber incident while sustaining critical functions, as articulated in the Department of Energy’s Roadmap to Achieve Energy Delivery Systems Cybersecurity.
R&K Cyber Solutions specializes in information assurance services and certified security processes for the federal government and selected commercial customers. They expect to make the Hyperion technology available in January. CEO Joseph Carter said:
Software behavior computation is an emerging science and technology that will have a profound effect on malware analysis and software assurance. Computed behavior based on deep functional semantics is a much-needed cyber security approach that has not been previously available. Unlike current methods, behavior computation does not look at surface structure. Rather, it looks at deeper behavioral patterns.