TECHNOLOGY AREA(S): Sensors
OBJECTIVE: Endpoint/host protection based on automated, signature-less (artificial-intelligence-based) malware detection algorithms that run locally on hosts.
DESCRIPTION: A solution is desired that autonomously detects and prevents zero-day and other exploits of Air Force hosts in real time, using a passive, self-learning system that draws on telemetry from different sources (mail servers, boundary devices and other hosts). It should also be able to contain any exploitation it finds, with the capability to remove and quarantine malicious code. The solution should be based on self-learning artificial-intelligence algorithms rather than primarily on signatures. It must be capable of analyzing static non-executable content, including interpreted documents and scripts, in at minimum Microsoft Office documents, PDFs, bash scripts and PowerShell scripts.

The solution must report findings to the existing SIEM (ArcSight) within 45 minutes of detection. When malicious activity is detected, it must notify existing SIEM systems and host-based agents of the attempted activity, and it shall notify all other host-based agents of newly discovered malware threats. It must integrate with the current AF enterprise Host Intrusion Protection Systems/Host Based Security Systems.

The solution should be capable of running autonomously if connectivity to its server is interrupted, and must be able to detect malicious activity that has not been previously seen regardless of network connectivity. It should have a high degree of fault tolerance and reliability during abnormal host events and/or disconnection, and if it fails it must fail into a known safe state. It should perform static analysis of malware executables while minimizing degradation of host performance, and should provide the capability to inject customized instruction checks and perform behavior analysis on web requests and network traffic. The solution must protect itself (tamper resistance) even when the host is subject to unauthorized manipulation or control.
The capability must support an out-of-band management connection, including but not limited to mutual (bi-directional) authentication, authorization and accounting over an encrypted command, control and data channel, and support for virtual LANs. It must be interoperable with virtualized environments.
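Concretely, the reporting path into ArcSight can use its Common Event Format (CEF), a single-line syslog payload. The Python below is an added example, not code from this solicitation or from any AF program: it formats a hypothetical detector finding as a CEF event with the header and extension escaping CEF requires, and parses the line back to confirm the round trip. The vendor and product names, the signature ID ML-STATIC-001, the finding fields, the sample file path and the severity-from-score convention are all constructed for illustration.

```python
"""
Format endpoint-detection findings as ArcSight CEF (Common Event Format) lines.

Added example (not from the solicitation). CEF layout:
    CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ...
Header fields escape '|' and '\\'; extension values escape '=' and '\\' and
encode line breaks as '\\n' / '\\r'. Severity is an integer 0..10.
"""
import re
import time

# Constructed sample finding from a hypothetical static-analysis model.
SAMPLE_FINDING = {
    "host": "af-ws-0421",
    "path": r"C:\Users\a.user\Downloads\q3 report.docm",
    "sha256": "d2f6" + "0" * 56,          # placeholder digest, not a real sample
    "file_type": "office-macro",
    "score": 0.97,                        # model confidence that the file is malicious
    "action": "quarantined",
    "reason": "macro=AutoOpen|Shell",     # contains '=' and '|' to exercise escaping
}


def _esc_header(value) -> str:
    """Escape a CEF header field: backslash first, then the '|' separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    """Escape a CEF extension value: backslash, '=', then CR/LF."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_event(signature_id, name, severity, extension,
              vendor="ExampleVendor", product="EndpointAI", version="0.1"):
    """Build one CEF line from header fields and an extension dict."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be in 0..10")
    header = "|".join(_esc_header(f) for f in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def detection_to_cef(finding, now_ms=None):
    """Map a detector finding onto standard CEF extension keys (rt, dvchost, ...)."""
    ext = {
        "rt": now_ms if now_ms is not None else int(time.time() * 1000),
        "dvchost": finding["host"],
        "filePath": finding["path"],
        "fileHash": finding["sha256"],
        "fileType": finding["file_type"],
        "act": finding["action"],
        "cs1Label": "modelScore",
        "cs1": f"{finding['score']:.3f}",
        "msg": finding["reason"],
    }
    # Convention chosen for this example: severity scales linearly with confidence.
    severity = min(10, int(round(finding["score"] * 10)))
    return cef_event("ML-STATIC-001", "Signature-less static detection",
                     severity, ext)


_FIELD = r"((?:\\.|[^\\|])*)"             # one header field, honouring \| and \\
_CEF_RE = re.compile(r"^CEF:(\d+)\|" + r"\|".join([_FIELD] * 6) + r"\|(.*)$",
                     re.DOTALL)
# key=value pairs; a new key starts only after whitespace, since '=' in values is escaped
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", re.DOTALL)


def _unesc_ext(value: str) -> str:
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value, flags=re.DOTALL)


def parse_cef(line: str) -> dict:
    """Parse a CEF line back into its header fields and extension dict."""
    m = _CEF_RE.match(line)
    if m is None:
        raise ValueError("not a CEF line")
    cef_version, *header, ext = m.groups()
    keys = ("vendor", "product", "version", "signature_id", "name", "severity")
    out = {k: re.sub(r"\\(.)", r"\1", v, flags=re.DOTALL)
           for k, v in zip(keys, header)}
    out["cef_version"] = int(cef_version)
    out["extension"] = {k: _unesc_ext(v) for k, v in _EXT_RE.findall(ext)}
    return out


def example_line() -> str:
    """The sample finding as a CEF line with a fixed timestamp."""
    return detection_to_cef(SAMPLE_FINDING, now_ms=1700000000000)


if __name__ == "__main__":
    line = example_line()
    print(line)
    print(parse_cef(line))
```

The round trip matters because a finding's file path or macro text is attacker-controlled: an unescaped `|` in a header field or `=` in an extension value would shift every later field when the SIEM parses the line, which is exactly the kind of reporting-path corruption a tamper-resistant agent has to rule out.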
PHASE I: Provide a design for a laboratory-scale version to demonstrate proof of concept. Determine a method for verifying that the design can detect and block malicious activity, and demonstrate the results.
PHASE II: Continuation of Phase I. Adapt the laboratory version into a full version that can be installed and run on actual or simulated hardware. Verify that it can be trained to detect and potentially block malicious activity, with the goal of a false-alarm (false-positive) rate below 10%. The Phase II solution need only interface with a subset of existing AF SIEM products.
PHASE III: Create a final version that runs autonomously on actual AF hardware and detects and blocks malicious activity, with the goal of a false-alarm rate below 2%. It must interface with all existing AF SIEM products.
REFERENCES:
1: Tamar Shafler. "Protecting the Endpoint Against Advanced Malware and Zero-Day Threats" IBM. March 10, 2015. https://securityintelligence.com/protecting-the-endpoint-against-advanced-malware-and-zero-day-threats/
2: George Tubin. "Blocking zero-day application exploits: A new approach for APT prevention" HelpNetSecurity. April 3, 2013. https://www.helpnetsecurity.com/2013/04/03/blocking-zero-day-application-exploits-a-new-approach-for-apt-prevention/
KEYWORDS: Zero Day, Endpoint, Malware, Detection, Malicious