Cybersecurity: Zero-Day Vulnerability and Heuristic Analysis

Ahmed Banafa 04/06/2021

What is a Zero-Day Vulnerability?

A zero-day vulnerability is a flaw in software that is unknown to the vendor (or known to the vendor but not yet fixed). Attackers exploit the flaw before the vendor becomes aware of it and patches it. Zero-day attacks are used to plant malware or spyware, or to gain unauthorized access to user data.

The term “zero day” (also written 0-day) refers to the fact that the developers have had zero days to fix the flaw, because until the attack nobody outside the attackers knew it existed. Once the vulnerability becomes known, a race begins: the developer must release a fix before the exploit spreads, and users must install it.

Zero-Day Exploit

A zero-day exploit is one that takes advantage of a security vulnerability on or before the day the vulnerability becomes generally known. There are zero days between the disclosure of the vulnerability and the first attack, so the vendor has had no time to prepare a patch.

Ordinarily, when someone detects that a software program contains a potential security issue, that person or company notifies the vendor (and sometimes the world at large) so that action can be taken. Given time, the vendor can fix the code and distribute a patch or software update.

Zero-Day Threat

Zero-day attacks occur within a time frame known as the vulnerability window. It extends from the first exploitation of the flaw to the point at which the threat is countered, either by a deployed patch or by detection and mitigation. Attackers engineer malicious software (malware) that abuses common file types (documents, media files, archives) to compromise the targeted systems and steal valuable data. The attack itself is planned for maximum damage in as little time as possible, before defenders notice; the vulnerability window, by contrast, can range from a few hours to multiple years.


Defending Against Zero-Day Threats 

There is no method of detecting zero-day exploits that is 100% reliable; however, two things greatly help an administrator:

The first is patch management. On its own its effect is limited, since the flaw is still unknown and no patch exists for it. However, if all systems are otherwise up to date, the attacker cannot chain the zero-day with older, already-fixed flaws, the scope of the attack is limited, and the damage is contained.

Furthermore, with a robust patch management and vulnerability scanning system in place, the administrator is notified as soon as the attack is made public and security companies add vulnerability checks for it. This allows the administrator to take proactive action (workarounds, configuration changes, extra monitoring) until a patch for the flaw is released. The administrator is also notified when the patch is made public, which minimises the window of opportunity for an attack to take place.
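As an added example (not part of the original article), the following Python script does the bookkeeping a patch-management and vulnerability-scanning system performs for the administrator: it checks a host inventory against a list of advisories, reports which hosts still run an affected version, says whether a fix exists yet (otherwise the flaw is still a zero-day for that host), and counts the days since disclosure. The hosts, package names, versions, advisory identifiers and dates are all constructed for illustration, not real products or CVEs.

```python
"""Added example (not from the article): check a host inventory against a
list of security advisories. All hosts, packages, versions, advisory IDs and
dates below are constructed sample data, not real products or CVEs."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                 # hypothetical identifier
    package: str
    fixed_in: str                    # versions strictly below this are affected
    disclosed: date                  # when the flaw became public
    patch_released: Optional[date]   # None while no fix exists (still a zero-day)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). Numeric tuple compare, so 1.2.10 > 1.2.9.
    Assumes dotted numeric versions; vendor-specific schemes need their own parser."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, advisory: Advisory) -> bool:
    return parse_version(installed) < parse_version(advisory.fixed_in)


def exposure_report(inventory: Dict[str, Dict[str, str]],
                    advisories: List[Advisory],
                    today: date) -> List[Tuple[str, str, str, str, int]]:
    """One row per (host, advisory) where the installed version is affected:
    (host, package, advisory_id, status, days_since_disclosure)."""
    rows = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None or not is_affected(installed, adv):
                continue
            if adv.patch_released is None:
                status = "ZERO-DAY: no patch yet, mitigate and monitor"
            else:
                status = "PATCH AVAILABLE since %s: apply now" % adv.patch_released
            rows.append((host, adv.package, adv.advisory_id, status,
                         (today - adv.disclosed).days))
    return rows


# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web-01": {"libexample": "1.2.9", "remoted": "8.4"},
    "web-02": {"libexample": "1.3.0", "remoted": "8.4"},
    "db-01":  {"libexample": "1.2.3", "remoted": "8.2"},
}

# Constructed advisories: one with a patch out, one still a zero-day.
ADVISORIES = [
    Advisory("ADV-2021-0001", "libexample", "1.3.0",
             disclosed=date(2021, 3, 1), patch_released=date(2021, 3, 4)),
    Advisory("ADV-2021-0002", "remoted", "8.4",
             disclosed=date(2021, 4, 1), patch_released=None),
]

REPORT_DATE = date(2021, 4, 6)   # the "today" used for the sample run

if __name__ == "__main__":
    for row in exposure_report(INVENTORY, ADVISORIES, REPORT_DATE):
        print("%-7s %-11s %-14s %3d days  %s" % (row[0], row[1], row[2], row[4], row[3]))
```

On the sample data, web-02 is fully patched and does not appear; web-01 and db-01 run an old libexample for which a fix has been out for a month, and db-01 additionally runs a remoted version covered by an advisory that has no patch yet, which is exactly the host the administrator should mitigate and watch first.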

The second option is a good antivirus solution. A zero-day attack does not become public knowledge for some time, and during that period an antivirus program cannot detect files carrying the exploit by standard pattern (signature) matching, because no signature for it exists yet.

However, effective antivirus solutions do not rely solely on signature definitions to detect threats. A good antivirus also uses a technique called heuristic analysis. This technique does not just look for known patterns in a file; it also analyses what the file actually does when it executes. Depending on the file’s behaviour, the AV (antivirus) product may classify it as malicious if suspicious behaviour is detected. This can catch a zero-day threat even though nobody yet knows of the vulnerability’s existence.

While antivirus solutions that use heuristic analysis can be a great weapon against zero-day malware, there is no guarantee that the malware’s behaviour will always be classified as malicious. However, when AV is coupled with a strong patch management strategy, the administrator has a much stronger defence against infection by zero-day threats.

Other techniques that help with early detection and containment:

  • Use VPNs to protect the contents of individual transmissions from interception on untrusted networks.
  • Deploy an intrusion detection system (IDS) that inspects traffic for anomalous or known-malicious patterns; a stateful firewall complements an IDS but is not one.
  • Introduce network access control (NAC) to keep rogue or unpatched machines off the network, and apply least-privilege access so that a compromised account or host can reach only what it needs.
  • Lock down wireless access points and use a security scheme such as WPA2 or WPA3 for maximum protection against wireless-based attacks.

What are Heuristics?

It is generally well understood that anti-malware (including antivirus) programs work by scanning files for signatures they already hold. A signature can be as simple as a byte string (like using the "find" command in a word processor to locate a particular piece of text) or as complex as a small macro or subroutine that tells the scanning engine what to look for and where to find it.

Signature scanning works very well for detecting threats that have already been identified, but how do anti-malware programs detect new, previously unseen threats? One of the methods used is heuristics.

Heuristic (from the Greek heuriskein, "to find" or "discover"; the usual pronunciation is “hyoo-RIS-tik”) is an adjective for experience-based techniques that help in problem solving, learning and discovery.

In computer science, a heuristic is an algorithm that consistently performs quickly and/or gives good (if not provably optimal) results. For anti-malware software the word has a more specialised meaning: a set of rules, as opposed to a signature for one specific program, used to detect malicious behaviour without having to uniquely identify the program responsible for it. A classic signature-based "virus scanner" does the opposite, identifying the specific computer virus or other program.

The heuristic engine used by an anti-malware program includes rules for behaviours such as the following:

·        a program which tries to copy itself into other programs (in other words, a classic computer virus)

·        a program which tries to write directly to the disk, bypassing the file system

·        a program which tries to remain resident in memory after its visible work has finished

·        a program which decrypts or unpacks itself when run (a method often used by malware to evade signature scanners)

·        a program which binds to a TCP/IP port and listens for instructions over a network connection (which is essentially what a bot, also called a drone or zombie, does)

·        a program which attempts to manipulate (copy, delete, modify, rename, replace and so forth) files that the operating system requires

·        a program which is similar to programs already known to be malicious

Some heuristic rules carry a heavier weight (and thus score higher) than others, meaning that a match on that particular rule is more likely to indicate the presence of malicious software; so are multiple matches across different rules. The engine sums the weights of the matched rules and convicts the file only when the total passes a threshold.

Even more advanced heuristics may trace through a program’s instructions before passing them to the computer’s processor, or let the program run in a virtual environment or "sandbox" to examine the behaviour it performs and the changes it makes there. In effect, anti-malware software contains specialised emulators that "trick" a program into thinking it is actually running on the computer, when it is really being examined for potential threats.

A heuristic engine may also examine processes and structures in memory, the data portion (payload) of packets travelling over a network, and so forth.

The advantage of heuristic analysis of code is that it can detect not just variants (modified forms) of existing malicious programs but new, previously unknown malicious programs as well. Combined with other ways of looking for malware, such as signature detection, behavioural monitoring and reputation analysis, heuristics can offer impressive accuracy: correctly detecting a high proportion of real malware while keeping the false positive rate low, since misdiagnosing innocent files as malicious (quarantining a business application or a system file) can cause severe problems.
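The following is an added example, not code from the article or from any antivirus vendor: a small weighted heuristic engine in the spirit of the rule list and the weighting paragraph above. The rules, weights, thresholds and the sandbox "observations" are constructed for illustration; a real engine would obtain the observations from emulation or an actual sandbox run. It combines one static check (Shannon entropy of the code section, a standard way to flag a self-decrypting or packed program) with behavioural rules, sums the weights of the matched rules, and keeps a suspicious band between clean and malicious so that a single heavy match (a legitimate installer writing a DLL into a system directory) does not by itself become a false positive.

```python
"""Added example (not from the article or any AV vendor): a weighted
heuristic engine over constructed sandbox observations. Rules, weights,
thresholds and samples are illustrative only."""
import math
from collections import Counter
from typing import Callable, Dict, List, Tuple

Observation = Dict[str, object]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or packed code approaches 8.0; ordinary
    machine code and text sit well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _touches_os_files(o: Observation) -> bool:
    os_prefixes = ("c:\\windows\\system32", "/etc/", "/boot/")
    paths = list(o["files_written"]) + list(o["files_deleted"])
    return any(p.lower().startswith(os_prefixes) for p in paths)


# (rule name, weight, predicate). Each mirrors one bullet in the list above.
RULES: List[Tuple[str, int, Callable[[Observation], bool]]] = [
    ("writes_executable_image", 5,
     lambda o: any(p.lower().endswith((".exe", ".dll")) for p in o["files_written"])),
    ("raw_disk_write", 4, lambda o: bool(o["raw_disk_write"])),
    ("stays_resident_after_exit", 3, lambda o: bool(o["stays_resident"])),
    ("self_decrypting_code", 4, lambda o: shannon_entropy(o["code_section"]) > 7.0),
    ("listens_on_tcp_port", 4, lambda o: len(o["listen_ports"]) > 0),
    ("modifies_os_files", 3, _touches_os_files),
]
MALICIOUS_AT = 10   # total weight at or above which the sample is convicted
SUSPICIOUS_AT = 6   # in-between band: send to a deeper sandbox or reputation check


def score(o: Observation) -> Tuple[int, List[str]]:
    """Sum the weights of all matched rules; also return which rules matched."""
    matched = [name for name, _w, pred in RULES if pred(o)]
    total = sum(w for name, w, _p in RULES if name in matched)
    return total, matched


def classify(o: Observation) -> str:
    total, _ = score(o)
    if total >= MALICIOUS_AT:
        return "malicious"
    if total >= SUSPICIOUS_AT:
        return "suspicious"
    return "clean"


def observation(**fields) -> Observation:
    """Build a constructed sandbox record with safe defaults."""
    base: Observation = {"files_written": [], "files_deleted": [],
                         "raw_disk_write": False, "stays_resident": False,
                         "code_section": b"", "listen_ports": []}
    base.update(fields)
    return base


PLAIN_CODE = b"MZ\x90\x00" + b"push ebp\nmov ebp, esp\nsub esp, 0x40\n" * 20
PACKED_CODE = bytes(range(256)) * 8        # uniform bytes: entropy exactly 8.0

# Constructed observations of four samples (hypothetical paths and ports).
SAMPLES: Dict[str, Observation] = {
    "bot_dropper": observation(
        files_written=["C:\\Users\\u\\AppData\\Roaming\\svchost32.exe"],
        stays_resident=True, code_section=PACKED_CODE, listen_ports=[4444]),
    "vendor_installer": observation(   # legitimate, but drops a DLL into system32
        files_written=["C:\\Program Files\\Vendor\\app.exe",
                       "C:\\Windows\\System32\\vendorhelper.dll"],
        code_section=PLAIN_CODE),
    "packed_game": observation(        # packed (high entropy) but otherwise quiet
        files_written=["C:\\Users\\u\\Saved Games\\slot1.sav"],
        code_section=PACKED_CODE),
    "text_editor": observation(files_written=["C:\\Users\\u\\notes.txt"],
                               code_section=PLAIN_CODE),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        total, matched = score(obs)
        print("%-17s %-10s score=%2d %s" % (name, classify(obs), total, matched))
```

On the constructed samples the bot dropper trips four rules (packed code, writes an executable, stays resident, listens on a port) and is convicted outright; the installer trips two heavy rules and lands in the suspicious band, where reputation analysis or a deeper sandbox run would normally settle it; the packed game matches only the entropy rule and stays clean, which is the point of weighting and thresholds rather than alerting on any single behaviour.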
