SBIR Phase II: SAFE: Behavior-based Malware Detection and Prevention

SBIR 第二阶段：SAFE：基于行为的恶意软件检测和预防

• 批准号: 0750299
• 负责人: Hao Wang
• 金额: --
• 依托单位: NOVASHIELD, Inc.
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-03-01 至 2011-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0750299&HistoricalAwards=false
• 关键词: SBIR; Phase; II; SAFE; Behavior

This SBIR Phase II project has the objective of implementing a commercially-competitive, host-based, malware detection and prevention system. During Phase I, a host-based malware detection system that demonstrated the practicality of detecting a malicious process by dynamically monitoring its system events was developed. The prototype called SAFE (Secure Activity Filtering Engine) filters system events using a stateful policy engine whose policies specify malicious behavior and the appropriate response. Because the technology does not rely upon the detection of "signatures" (i.e. patterns of bytes), it can detect previously unseen malware. During Phase II a number of significant enhancements to the policy engine including a checkpoint/rollback capability will be developed. The proposed functionality removes file system and registry changes associated with a process when a policy violation is detected. The ability to delay detection of malicious behavior until detailed system events are observed provides a just-in-time detection capability that increases the accuracy of the detection process while reducing false positives. The SAFE technology has the potential to demonstrate an effective approach to combating at least two of the dominant trends in the threat landscape. One such trend is the crafting of blended threats which use multiple infections vectors like email readers, web browsers, and messaging software to infect a host computer. Another trend is the popularity of "malware toolkits" which can be used by malware writers to quickly generate multiple variants of the same virus. The rapid proliferation of obfuscated variants is a potent threat to traditional signature-based solutions on two fronts: the rate of malware infection may overwhelm efforts to produce signatures to detect these variants and the logarithmic increase in the size of signatures databases reduces the performance of signature scanning. The SAFE technology addresses both of these trends. The stateful policy engine can correlate non simultaneous events across multiple sub systems and processes and thus detect and block blended threats. If successful, the architecture of the proposed system will have the potential to address a myriad of security threats and make a commercially-significant impact.

SBIR二期项目的目标是实现一个具有商业竞争力的、基于主机的恶意软件检测和预防系统。在第一阶段，开发了一个基于主机的恶意软件检测系统，该系统展示了通过动态监控其系统事件来检测恶意进程的实用性。称为SAFE（安全活动过滤引擎）的原型使用有状态策略引擎过滤系统事件，该引擎的策略指定恶意行为和适当的响应。由于该技术不依赖于检测“签名”（即字节模式），因此它可以检测到以前未见过的恶意软件。在第二阶段，将开发对策略引擎的许多重要增强，包括检查点/回滚功能。当检测到策略违反时，建议的功能将删除与进程相关的文件系统和注册表更改。在观察到详细的系统事件之前延迟检测恶意行为的能力提供了实时检测功能，提高了检测过程的准确性，同时减少了误报。SAFE技术有潜力展示一种有效的方法，至少可以对抗威胁领域的两种主要趋势。其中一个趋势是混合威胁，它使用多种感染媒介，如电子邮件阅读器、网络浏览器和消息软件来感染主机。另一个趋势是“恶意软件工具包”的流行，恶意软件编写者可以使用它来快速生成同一病毒的多个变体。混淆变体的快速扩散在两个方面对传统的基于签名的解决方案构成了严重威胁：恶意软件感染的速度可能会超过生成检测这些变体的签名的努力；签名数据库大小的对数增长降低了签名扫描的性能。SAFE技术解决了这两种趋势。有状态策略引擎可以跨多个子系统和进程关联非同步事件，从而检测和阻止混合威胁。如果成功，所提议的系统架构将有可能解决无数的安全威胁，并产生重大的商业影响。