Biosequence-based approach to analyzing binaries (MLSTONES)

Battelle Number: 30751 | N/A

Technology Overview

Protecting against malicious malware is an everyday problem for consumers, enterprises, industrial control systems, and government agencies. In response to these threats, PNNL developed a biosequecing approach to analyzing binaries, also known as Machine Learning String Tools for Operational and Network Security (MLSTONES). This technology is designed to protect national infrastructures and defend against large-scale attacks that have the potential to debilitate a nation. This one-of-a-kind detection tool identifies never-before-seen malware—something other commercially available detection tools can’t do.

Leveraging protein structures to identify malware

MLSTONES detects malware in a way in which other products cannot—by identifying cyber threats through similarities in coding patterns. Like the evolution of DNA passed down through generations, software is frequently built from reused pieces of code. When adversaries create zero-day attacks, it is often by modifying existing malware to bypass traditional detection tools. A zero-day attack takes place when hackers exploit the flaw before it can be addressed. By applying tools and concepts developed in biology, MLSTONES converts software to something that looks like DNA and identifies code that contains similarities to known malware.

This building-block approach makes it difficult for attackers to evolve malware that evades detection and gives cyber analysts a head start in understanding the intent of the malware. MLSTONES offers a new level of protection for critical infrastructures and defense against large-scale, debilitating cyberattacks.

Available detection products typically require prior knowledge of the specific malware at hand. Many tools require a signature match for detection. This means an incoming software’s code must duplicate known malicious code for it to be identified and flagged as potentially harmful. Further, not all tools can detect true zero-day exploits. While some products can catch malware that is largely identical to previously seen malware, adversaries can simply modify existing malware to bypass traditional detection tools. MLSTONES addresses this problem by creating families of malware. By doing this, MLSTONES reduces the number of comparisons needed by orders of magnitude. Rather than comparing each piece of software to a list containing hundreds of millions of pieces of known malware, MLSTONES must only compare software to a far more manageable number of malware families. This enables detection in near real time and with increased accuracy because nothing ever gets “aged off” of the list.

MLSTONES has already been deployed in government spaces and is supporting defense missions across the nation. While other tools are often sold only as a full suite or platform of cybersecurity products, this is not what government agencies need. They need a stand-alone component that can easily integrate with their current systems to not only detect malware but also provide analysis that can feed threat intelligence efforts. This is exactly what MLSTONES achieves. Government agencies and industry partners alike have recognized the truly unique and efficient method by which MLSTONES detects malware and protects national infrastructures and nation states.

Benefit a variety of industries

Available for licensing, MLSTONES would benefit a variety of industries, including critical infrastructures for utilities, most businesses, and banking institutions, and could also be incorporated by current cyber defense solutions.


  • Unlike other malware detection tools, MLSTONES can identify true zero-day exploits—malware that has never been seen before—prior to a system becoming infected.
  • MLSTONES’ configurability allows users to establish their own unique definition of malware or determine the appropriate level of permissibility or restriction needed to minimize false positives and maintain secure networks.
  • MLSTONES does not require a particular platform to run and can therefore be deployed independently or easily built into existing platforms, including those not connected to the internet or in secure spaces.

State of Development

MLSTONES is available for licensing in all fields of use.


Available for licensing in all fields


Data Sciences
Electricity Infrastructure
Sensor Systems

Market Sectors

Data Sciences