UPDATED 07:45 EDT / SEPTEMBER 02 2015

NEWS

HP’s new security technology looks for malware phoning home

Reflecting the growing realization that traditional signature-based approaches to malware detection aren’t working any more, Hewlett-Packard Co. today is rolling out an analytics-based tool that identifies infected hosts by inspecting an enterprise’s Domain Name System (DNS) traffic.

The HP DNS Malware Analytics (DMA) service inspects all of an organization’s DNS query traffic and applies a Big Data approach to detecting malware according to its behavior, rather than characteristics of its code. HP says its approach, which the company has been using internally for several months, reduces false positives by a factor of 20 compared to other malware detection systems.

The technology was originally developed by ArcSight, Inc., a security information and event management (SIEM) company that HP acquired in 2010. By combining the ArcSight SIEM engine with HP’s Vertica database, the company says it can store petabytes of DNS data to analyze for patterns of malicious behavior.

DNS is the service that maps Internet domain names to the IP addresses of the servers behind them. By analyzing DNS queries and responses rather than URLs, the HP service can more accurately detect abnormal activity, said Frank Mong, vice president and general manager of solutions in HP’s Enterprise Security Products group.

The approach is intended to attack a type of behavior that is common to nearly every form of malware: “They always call home to get instructions,” Mong said. “We’re looking for that call home.”

The new breed of malware HP is targeting typically installs as seemingly benign agents which are then activated by a command and control center that instructs them on what malicious activity to initiate. This type of attack is specifically designed to evade today’s most advanced detection systems and to settle in for the long term, according to McAfee, Inc.’s latest Threat Report. McAfee says attacks are increasingly designed for corporate espionage, evading detection while intercepting corporate data over a period of weeks or months.

One of the characteristics of this insidious malware is that the command and control points may only exist for a few hours, Mong said. That makes the task of identifying specific URLs pointless. However, the connection process itself generates a large number of seemingly random connection requests. “If we see that every week on Thursday a device calls out to thousands of random addresses, that’s a problem,” Mong said.
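The pattern Mong describes, one host querying many random-looking names in a short window with most of them failing to resolve, is what domain-generation-algorithm (DGA) beaconing looks like in a resolver’s query log. The Python below is an added example written for this page; it is not HP’s code and does not describe how DNS Malware Analytics actually scores traffic. It builds a small constructed log with three synthetic hosts (a normal workstation, a busy but benign proxy, and a DGA-infected machine), then profiles each host by distinct-domain fan-out, NXDOMAIN ratio and the entropy of the queried labels. The log format, the host addresses and the thresholds are all assumptions.

```python
import math
import random
from collections import defaultdict

# Constructed DNS query log (not real traffic, not HP's input format):
# "timestamp client qname rcode". Three synthetic hosts: a workstation,
# a busy benign proxy, and a host running a domain-generation algorithm.
def build_sample_log(seed=7):
    rng = random.Random(seed)
    lines = []
    for i, name in enumerate(["mail.example.com", "www.example.com",
                              "cdn.example.net", "time.example.org"]):
        lines.append(f"2015-09-03T09:00:0{i} 10.1.4.22 {name} NOERROR")
    # Proxy: high fan-out, but real words and successful resolutions.
    words = ["news", "shop", "mail", "cloud", "bank",
             "photo", "video", "store", "travel", "weather"]
    for a in words:
        for b in words:
            lines.append(f"2015-09-03T09:05:00 10.1.4.9 {a}{b}.com NOERROR")
    # DGA host: random labels, most unregistered; a few resolve (live C2).
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(200):
        label = "".join(rng.choice(alphabet) for _ in range(rng.randint(14, 18)))
        tld = rng.choice(["com", "net", "org", "info"])
        rcode = "NOERROR" if i % 25 == 0 else "NXDOMAIN"
        lines.append(f"2015-09-03T09:10:{i % 60:02d} 10.1.4.57 {label}.{tld} {rcode}")
    return "\n".join(lines)


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return ts[:10], client, qname.lower().rstrip("."), rcode


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Naive: last two labels. Production code should use the Public Suffix List
    # so that names under co.uk and similar are grouped correctly.
    return ".".join(qname.split(".")[-2:])


def profile_hosts(log_text):
    """Per (day, client): query count, distinct registered domains,
    NXDOMAIN ratio, and mean entropy of the second-level label."""
    stats = defaultdict(lambda: {"queries": 0, "domains": set(), "nx": 0, "ent": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, client, qname, rcode = parse_line(line)
        s = stats[(day, client)]
        s["queries"] += 1
        dom = registered_domain(qname)
        if dom not in s["domains"]:
            s["domains"].add(dom)
            s["ent"].append(shannon_entropy(dom.split(".")[0]))
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    return {
        key: {
            "queries": s["queries"],
            "distinct_domains": len(s["domains"]),
            "nxdomain_ratio": s["nx"] / s["queries"],
            "mean_entropy": sum(s["ent"]) / len(s["ent"]),
        }
        for key, s in stats.items()
    }


def flag_callhome(profiles, min_distinct=50, nx_threshold=0.5, entropy_threshold=3.5):
    """Flag hosts whose fan-out is high AND whose names look machine-generated,
    either because most fail to resolve or because the labels are high-entropy.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = {}
    for key, p in profiles.items():
        fanout = p["distinct_domains"] >= min_distinct
        randomish = (p["nxdomain_ratio"] >= nx_threshold
                     or p["mean_entropy"] >= entropy_threshold)
        if fanout and randomish:
            flagged[key] = p
    return flagged


if __name__ == "__main__":
    profiles = profile_hosts(build_sample_log())
    for (day, client), p in sorted(profiles.items()):
        print(day, client, p)
    for day, client in flag_callhome(profiles):
        print("suspect call-home behaviour:", client, "on", day)
```

Neither signal is sufficient on its own: the proxy host in the sample has more fan-out than the infected machine but resolves everything and uses dictionary words, while an attacker who registers most of the generated names will drive the NXDOMAIN ratio down and leave only the entropy signal. Grouping by calendar day is the simplest version of the weekly periodicity Mong mentions; a real deployment would keep per-host baselines across weeks so that a Thursday burst stands out against that host’s own history.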

HP cited a recent Ponemon Institute study that found that organizations get an average of 17,000 malware alerts per week, and spend an average of $1.27 million annually in time and resources responding to inaccurate and erroneous threat intelligence.

The new HP service integrates with the existing ArcSight SIEM platform. HP also introduced a cloud-based version of its machine-learning-based HP Fortify scan analytics, which mines historical application scan data to reduce the number of findings that require manual review. Intended primarily for organizations that develop software, the cloud-based service “takes what we’ve learned from all the scans we’ve done in the past and identifies patterns we’ve seen,” Mong said. He noted that most commercial software today is assembled from existing code, which may have known vulnerabilities that tend to show up again and again as the code is reused.

HP DNS Malware Analytics will be available on September 15 with one-year subscriptions starting at $80,000 for analysis of up to five million DNS packets per day. A run-time version of the Vertica database is included. The package will initially be available only in an on-premises version, but Mong said cloud options are being investigated. HP Fortify scan analytics is currently available as part of HP Fortify on Demand.

Photo by John Starnes
