Malware often generates random file names when writing Trojans to the system directory. When I perform light forensic analysis on a Windows machine, my first clue that it's been compromised is one or more very strange-looking file names, such as vx3kjngq.exe or bb9[qamz.exe, in the Windows/System32 folder. Many malware programs use nonrandom names, but enough use randomly generated names that high-entropy filenames are a fairly good -- if only rudimentary -- indicator of something bad. (If you want to perform an experiment on your system, look for high-entropy file names in unexpected places, such as Windows/System32 or a root folder. Not every extremely weird name is a sign of maliciousness -- but it's a consistent characteristic.)
Vigilant has figured out that the average domain name has from 2.5 to 3.9 bits of entropy per byte. The company's analysis algorithms flag DNS domains with more than 4.0 bits of entropy per byte; it also looks for less frequently occurring top-level domains, such as .biz and .info, with less entropy.
Vigilant's services also looks for high-entropy file names and network connections to unexpected locations. But perhaps my favorite Vigilant check is for high entropy within HTTP content. Most HTTP content is close to the English language (or whatever native language is used) and should have low entropy. Encryption, on the other hand, has -- or should have -- high entropy. In fact, good crypto should have such high entropy that its encrypted ciphertext is indistinguishable from "noise." Vigilant knows that advanced persistent threats often send out victims' data in encrypted form using HTTP versus the normally expected encrypted HTTPS. If Vigilant's service sees an outbound data stream using HTTP with high entropy, it raises a red flag.
Again, Vigilant isn't the first company to use randomness in its anomaly detection, but it's the first company of which I am aware that looks for, measures, and alerts of entropy characteristics. Sure, the company does all the traditional anomaly detection, but I like the fact that Vigilant uses mathematics and expected probabilities to add in another type of measurement.
This story, "Defeating hackers and malware with disorder," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.