Orthogonal Approach to Malware Detection and Classification
Navy SBIR 2015.1 - Topic N151-067
ONR - Ms. Lore-Anne Ponirakis - [email protected]
Opens: January 15, 2015 - Closes: February 25, 2015 6:00am ET
N151-067 TITLE: Orthogonal Approach to Malware Detection and Classification
TECHNOLOGY AREAS: Information Systems
OBJECTIVE: Develop technologies and tools for detecting and classifying malwares using methods and techniques which are orthogonal to existing methods of binary/code analysis, binary and behavioral signatures.
DESCRIPTION: Today�s networked computer systems are continuously under attack. Large and complex systems of software are difficult to completely verify and secure. These systems are vulnerable to compromises which take advantage of their weaknesses and flaws. Adversaries use these flaws and force access into our systems. Exacerbating the problem is the brittleness of current computing systems as initial penetration may quickly escalate to complete system control/compromise, rendering a computing system non-operational or worse, leading to corrupted, leaky and misleading information systems.
Current state-of-the-art practice for defending the system is mostly based on scan and patch processes. To protect against exploits and attacks, the system often employs a perimeter defense which scan files and executables as they enter the system to detect (and sometime classify) potential exploits. The detection process relies on binary as well as behavioral signature filtering and heuristics which are slow to react to new threats and unable to keep up with novel attack vectors. The polymorphic and metamorphic obfuscation techniques for malware and exploits, along with availability of toolkits for generating the exploits, make malware/exploit production relatively inexpensive. The adversary can use the same obfuscation techniques and toolkits to continually produce seemingly new exploits and continually evade detections. A battle is being fought between cyber defender and attacker in the code analysis or binary and behavioral signature front.
PHASE I: Investigate and develop a novel technique and tools for reliably detecting and classifying malware, orthogonal to current generation of malware detection techniques. Develop proof of concept prototype and identify the metrics that determine the prototype�s efficacy.
PHASE II: Develop and enhance the prototype into a fully functioning tool. Demonstrate and evaluate the capability of the tool on a large number of actual malware, constructed new malware variants and benign programs. Address potential deficiencies and enhance the performance and robustness of the technique and tool.
PHASE III: Upon successful completion of phase II, the small business will provide support in transitioning the technology for Navy use. The small business will develop a plan for integrating the product into the Navy�s information infrastructure and to determine the effectiveness of the novel orthogonal malware detection techniques in an operationally relevant environment. The small business will support the Navy with certifying and qualifying the system for Navy use.
PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: A novel orthogonal exploit detection tool can be independently marketed or integrated into current computer security product offerings, providing defense in malware detection area. If successful, the tool developed within this SBIR should find its market in the commercial sector as well as military sector.
2. L. Nataraj, S. Kartikeyan, G. Jacob, and B.S. Manjunath, "Malware images: visualization and automatic classification", Proc. the ACM 8th International Symposium on Visualization for Cyber Security (VizSec �11), pp. 4:1�4:7.
3. D. Kirat, L. Nataraj, G. Vigna, and B.S. Manjunath, "SigMal: A Static Signal Processing Based Malware Triage", Proc. the 29th Annual Computer Security Applications Conference (ACSAC�13), pp. 89-98.
4. J. Hoffmann, S. Neumann, T. Holz, "Mobile Malware Detection Based on Energy Fingerprints�A Dead End?", Proc. Research in Attacks, Intrusions and Defenses symposium (RAID �13), pp. 348-368.
KEYWORDS: malware similarity, malware detection, malware classification, malware signature, defense-in-depth, multi-vantage-point detection
Offical DoD SBIR FY-2015.1 Solicitation Site: