
SBIR Phase II: SAFE: Behavior-based Malware Detection and Prevention

Award Information

Agency:
National Science Foundation
Branch:
N/A
Award ID:
84675
Program Year/Program:
2008 / SBIR
Agency Tracking Number:
0638170
Solicitation Year:
N/A
Solicitation Topic Code:
N/A
Solicitation Number:
N/A
Small Business Information
NOVASHIELD, Inc.
918 Deming Way Floor 3 Madison, WI 53717-1945
Woman-Owned: No
Minority-Owned: No
HUBZone-Owned: No
 
Phase 2
Fiscal Year: 2008
Title: SBIR Phase II: SAFE: Behavior-based Malware Detection and Prevention
Agency: NSF
Contract: 0750299
Award Amount: $500,000.00
 

Abstract:

This SBIR Phase II project has the objective of implementing a commercially competitive, host-based malware detection and prevention system. During Phase I, a host-based malware detection system was developed that demonstrated the practicality of detecting a malicious process by dynamically monitoring its system events. The prototype, called SAFE (Secure Activity Filtering Engine), filters system events using a stateful policy engine whose policies specify malicious behavior and the appropriate response. Because the technology does not rely on the detection of signatures (i.e. patterns of bytes), it can detect previously unseen malware.

During Phase II, a number of significant enhancements to the policy engine will be developed, including a checkpoint/rollback capability. The proposed functionality removes the file system and registry changes associated with a process when a policy violation is detected. The ability to delay detection of malicious behavior until detailed system events are observed provides a just-in-time detection capability that increases the accuracy of the detection process while reducing false positives.

The SAFE technology has the potential to demonstrate an effective approach to combating at least two of the dominant trends in the threat landscape. One such trend is the crafting of blended threats, which use multiple infection vectors such as email readers, web browsers, and messaging software to infect a host computer. Another trend is the popularity of malware toolkits, which malware writers can use to quickly generate multiple variants of the same virus. The rapid proliferation of obfuscated variants is a potent threat to traditional signature-based solutions on two fronts: the rate of malware infection may overwhelm efforts to produce signatures that detect these variants, and the logarithmic increase in the size of signature databases reduces the performance of signature scanning. The SAFE technology addresses both of these trends. The stateful policy engine can correlate non-simultaneous events across multiple subsystems and processes and thus detect and block blended threats. If successful, the architecture of the proposed system will have the potential to address a myriad of security threats and make a commercially significant impact.

Principal Investigator:

Hao Wang
DSc
6088332610
hwang@novashield.com

Business Contact:

Hao Wang
DSc
6088332610
hwang@novashield.com
Small Business Information at Submission:

NOVASHIELD, Inc.
1200 John Q Hammons Dr 5th Floor Madison, WI 53717

EIN/Tax ID: 203771937
DUNS: N/A
Number of Employees:
Woman-Owned: No
Minority-Owned: No
HUBZone-Owned: No