What is dynamic analysis

COMBINED DEFENSE: Why You Need Static Analysis, Dynamic Analysis, and Machine Learning

This post is also available in: Français (French) Español (Spanish)

Security point solutions are exactly what their name suggests: They focus on a single point of intervention throughout the life cycle of an attack. Even if the security solution promises a 90 percent success rate, there is still a likelihood that one in ten cases will not prevent an attack at this point. Companies cannot rely on point solutions to increase the chances of preventing successful cyber attacks. Rather, they need different levels of defense and must be able to act at several points. The combination of several effective methods increases the overall effectiveness of the security solutions and offers companies the opportunity to interrupt the life cycle of an attack at various points.

The following describes the three threat detection methods that, when combined, can prevent successful cyberattacks:


Dynamic analysis

The only tool that detects zero-day threats

As part of dynamic analysis, a suspicious file is detonated on a virtual machine such as a malware analysis environment. It then analyzes how the file behaves. The file is classified based on how it behaves when it is executed, rather than just relying on signatures to identify threats. This enables the dynamic analysis to identify threats that are completely different from those previously known.

For particularly accurate results, the file should have access to the Internet, as would be the case at an average endpoint in a corporate network, since threats often require commands and control from outside in order to develop their potential. As a prevention mechanism, malware analysis can prevent Internet access and simulate external reactions so that the threat can be identified. However, this can be unreliable and is therefore not a real alternative to Internet access.

Malware analysis environments are detectable and the process is time consuming

In order to remain undetected, the attackers try to use network profiling to find out whether their attack is taking place in a malware analysis environment. They look for signs that the malware is in a virtual environment, such as whether the file is always detonated at similar times or from the same IP addresses, whether there is valid user activity such as keyboard input or mouse movements, or other factors such as an unusually high disk space indicates virtualization technology. If an attacker can identify that he is dealing with a malware analysis environment, he will terminate his attack. As a result, the results are prone to analytical errors. If, for example, the malware contacts the attacker during the detonation, but the attacker does not react because he has seen through the malware analysis, the file does not behave maliciously and is therefore not recognized as a threat by the analysis. Similarly, if the threat requires the execution of a specific version of a certain piece of software. In this case, there is nothing recognizably suspicious about the malware in the malware analysis environment.

It can take several minutes to create a virtual machine, place the file in it, observe it, and then delete the machine and analyze the results. While dynamic analysis is the most expensive and time-consuming method, it is the only tool that can effectively identify unknown or zero-day threats.


Static analysis

Fast results and no special requirements

Unlike dynamic analysis, static analysis deals with the contents of a specific file on a hard drive and not with its behavior in the event of a detonation. It analyzes data, extracts patterns, attributes and artifacts and reports irregularities.

For static analysis, the problems of dynamic analysis are insignificant. It's extremely efficient - it only takes a fraction of a second - and significantly cheaper. Static analysis can also be applied to any file because it does not require any specific requirements, environments to set up, or outbound communications to analyze the file.

Compressed files result in less visibility

However, static analysis reaches its limits relatively quickly when the suspicious file is compressed. While compressed files are not a problem for dynamic analysis, static analysis loses the visibility of the actual file because recompression renders the entire file unusable. What can be extracted statically tends towards zero.


Machine learning

Behavior-based correlation of new versions of threats with known threats

Instead of comparing specific patterns or detonating a file, machine learning extracts and analyzes thousands of features from the file. These characteristics are subjected to a classification, also known as a feature vector, in order to determine whether the file is benign or malicious based on known identifiers. Instead of looking for specifics, the system assigns the file to a previously evaluated file cluster if one of its characteristics behaves similarly to this cluster. Good machine learning requires training sets with positive and negative examples, and new data or characteristics will improve the process and reduce the number of false positives.

Machine learning makes up for what is missing from dynamic and static analysis. A file that is inactive, not detonated, paralyzed by compression, not receiving commands, not being controlled, or otherwise unreliable can still be identified as malicious using machine learning. If numerous versions of a particular threat have been observed and bundled into a cluster, and a suspicious file has characteristics like those in the cluster, the machine will assume a connection to the cluster and mark the file as malicious within seconds.

Finds only more of what is already known

Like the other two methods, machine learning should be viewed as a tool with many advantages, but also some disadvantages. Because with machine learning, the model is only trained on the basis of known identifiers. In contrast to dynamic analysis, machine learning does not find anything new or unknown. A threat that does not have any of the learned characteristics will not be flagged as harmful, as the machine will only find more of the material it was trained with.

Combined processes on one platform

To thwart the plans of savvy opponents, you need more than one piece of the puzzle. You need a combined process - a concept that unites the solutions of several providers. While defense-in-depth is still appropriate and relevant, it needs to evolve from a point solution of multi-vendor products to a platform that integrates static analysis, dynamic analysis, and machine learning. All three in combination create a real defense in depth through multiple layers of integrated solutions.


The Palo Alto Networks Security Operating Platform can be integrated with the cloud-based threat analysis service WildFire in order to provide the individual components with context-related, practical threat data and thus enable secure use in the network, at the endpoint and in the cloud. WildFire combines a specially developed dynamic analysis engine with static analysis, machine learning and bare metal analysis for even more effective defense against threats. While many malware analysis environments rely on open source technology, WildFire has replaced all open source virtualization within the dynamic analysis engine with a completely redesigned virtual environment. As a result, attackers must develop completely different strategies than those used against other cybersecurity providers in order to escape detection by WildFire. Of the few attacks that manage to bypass WildFire's three layers of defense - dynamic analysis, static analysis, and machine learning - all files with evasive behavior are redirected to a bare metal environment for hardware execution.

These processes work together non-linearly within the platform. If one of the processes detects a file as malicious, this is recognized by the entire platform, which increases the security of all other functions.