SBIR Phase II: SAFE: Behavior-based Malware Detection and Prevention

SBIR 第二阶段：SAFE：基于行为的恶意软件检测和预防

• 批准号: 0750299
• 负责人: Hao Wang
• 金额: --
• 依托单位: NOVASHIELD, Inc.
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-03-01 至 2011-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0750299&HistoricalAwards=false
• 关键词: SBIR; Phase; II; SAFE; Behavior

This SBIR Phase II project has the objective of implementing a commercially-competitive, host-based, malware detection and prevention system. During Phase I, a host-based malware detection system that demonstrated the practicality of detecting a malicious process by dynamically monitoring its system events was developed. The prototype called SAFE (Secure Activity Filtering Engine) filters system events using a stateful policy engine whose policies specify malicious behavior and the appropriate response. Because the technology does not rely upon the detection of "signatures" (i.e. patterns of bytes), it can detect previously unseen malware. During Phase II a number of significant enhancements to the policy engine including a checkpoint/rollback capability will be developed. The proposed functionality removes file system and registry changes associated with a process when a policy violation is detected. The ability to delay detection of malicious behavior until detailed system events are observed provides a just-in-time detection capability that increases the accuracy of the detection process while reducing false positives. The SAFE technology has the potential to demonstrate an effective approach to combating at least two of the dominant trends in the threat landscape. One such trend is the crafting of blended threats which use multiple infections vectors like email readers, web browsers, and messaging software to infect a host computer. Another trend is the popularity of "malware toolkits" which can be used by malware writers to quickly generate multiple variants of the same virus. The rapid proliferation of obfuscated variants is a potent threat to traditional signature-based solutions on two fronts: the rate of malware infection may overwhelm efforts to produce signatures to detect these variants and the logarithmic increase in the size of signatures databases reduces the performance of signature scanning. The SAFE technology addresses both of these trends. The stateful policy engine can correlate non simultaneous events across multiple sub systems and processes and thus detect and block blended threats. If successful, the architecture of the proposed system will have the potential to address a myriad of security threats and make a commercially-significant impact.

这个SBIR II期项目的目的是实施商业竞争，基于主机的恶意软件检测和预防系统。在第一阶段，开发了一种基于主机的恶意软件检测系统，该系统证明了通过动态监控其系统事件来检测恶意过程的实用性。原型称为安全（安全活动过滤引擎）使用状态策略引擎过滤系统事件，其策略指定了恶意行为和适当的响应。由于该技术不依赖于“签名”的检测（即字节模式），因此它可以检测到以前看不见的恶意软件。在II阶段期间，将开发对策略引擎的许多重大增强功能，包括检查点/回滚功能。当检测到违反策略的情况时，所提出的功能将删除文件系统和注册表更改与过程相关联。延迟检测恶意行为直到观察到详细的系统事件的能力提供了一种即时检测能力，可以提高检测过程的准确性，同时降低误报。安全技术有可能证明一种有效的方法来打击威胁格局中至少两种主要趋势。 这样的趋势之一是制作混合威胁，这些威胁使用多种感染向量，例如电子邮件读取器，网络浏览器和消息传递软件来感染主机计算机。另一个趋势是“恶意软件工具包”的受欢迎程度，恶意软件作者可以将其快速生成同一病毒的多种变体。混淆变体的快速扩散是对两个方面的传统基于签名的解决方案的有效威胁：恶意软件感染的发生率可能不堪重负，努力产生签名来检测这些变体，并且签名数据库规模的对数增加会降低标志性扫描的性能。安全技术解决了这两种趋势。国家政策引擎可以将多个子系统和流程之间的非同时事件相关联，从而检测并阻止混合威胁。 如果成功的话，拟议的系统的架构将有可能应对无数的安全威胁并产生商业上的影响。