SBIR Phase II: SAFE: Behavior-based Malware Detection and Prevention

Award Information
Agency:
National Science Foundation
Branch:
n/a
Amount:
$500,000.00
Award Year:
2008
Program:
SBIR
Phase:
Phase II
Contract:
0750299
Award Id:
84675
Agency Tracking Number:
0638170
Solicitation Year:
n/a
Solicitation Topic Code:
n/a
Solicitation Number:
n/a
Small Business Information
1200 John Q Hammons Dr, 5th Floor, Madison, WI, 53717
Hubzone Owned:
N
Minority Owned:
N
Woman Owned:
N
Duns:
621641252
Principal Investigator:
Hao Wang
DSc
(608) 833-2610
hwang@novashield.com
Business Contact:
Hao Wang
DSc
(608) 833-2610
hwang@novashield.com
Research Institute:
n/a
Abstract
This SBIR Phase II project has the objective of implementing a commercially competitive, host-based malware detection and prevention system. During Phase I, a host-based malware detection system was developed that demonstrated the practicality of detecting a malicious process by dynamically monitoring its system events. The prototype, called SAFE (Secure Activity Filtering Engine), filters system events using a stateful policy engine whose policies specify malicious behavior and the appropriate response. Because the technology does not rely upon the detection of signatures (i.e., patterns of bytes), it can detect previously unseen malware. During Phase II, a number of significant enhancements to the policy engine, including a checkpoint/rollback capability, will be developed. The proposed functionality removes the file system and registry changes associated with a process when a policy violation is detected. The ability to delay detection of malicious behavior until detailed system events are observed provides a just-in-time detection capability that increases the accuracy of the detection process while reducing false positives. The SAFE technology has the potential to demonstrate an effective approach to combating at least two of the dominant trends in the threat landscape. One such trend is the crafting of blended threats, which use multiple infection vectors such as email readers, web browsers, and messaging software to infect a host computer. Another trend is the popularity of malware toolkits, which malware writers can use to quickly generate multiple variants of the same virus. The rapid proliferation of obfuscated variants is a potent threat to traditional signature-based solutions on two fronts: the rate of malware infection may overwhelm efforts to produce signatures that detect these variants, and the continual growth of signature databases reduces the performance of signature scanning. The SAFE technology addresses both of these trends.
The stateful policy engine can correlate non-simultaneous events across multiple subsystems and processes and thus detect and block blended threats. If successful, the architecture of the proposed system will have the potential to address a myriad of security threats and make a commercially significant impact.
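The abstract describes three mechanisms without showing how they fit together: a stateful policy whose stages are observed at different times and in different processes, a decision that is deliberately delayed until the whole chain is seen, and a checkpoint/rollback of file system and registry changes once a violation fires. The following toy engine, written for this page as an illustration and not NovaShield's SAFE code or its policy language, replays a constructed event trace against a hypothetical "dropper" policy. The event tuple format, the policy stages, the simulated host (dicts standing in for the file system and registry) and both traces are assumptions made for the example; a real engine would collect these events from kernel hooks rather than a list.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """Simulated host state the engine protects (constructed for this example)."""
    files: dict = field(default_factory=dict)      # path -> contents
    registry: dict = field(default_factory=dict)   # key -> value
    killed: set = field(default_factory=set)       # pids terminated by the engine


@dataclass
class ProcState:
    pid: int
    ppid: int
    image: str = ""
    stages: set = field(default_factory=set)       # policy stages observed so far
    journal: list = field(default_factory=list)    # (kind, key, previous_value) for rollback


# Hypothetical policy: a process whose image was written to disk by another process,
# which then installs a Run-key persistence entry and opens an outbound connection.
# Each stage alone is common in benign software; only the complete chain fires.
DROPPER_POLICY = ("dropped_by_parent", "persist_runkey", "outbound_connect")


class PolicyEngine:
    def __init__(self, host):
        self.host = host
        self.procs = {}
        self.dropped_files = {}   # executable path -> pid that wrote it
        self.violations = []      # (pid, image) for every policy hit

    def _proc(self, pid, ppid):
        if pid not in self.procs:
            self.procs[pid] = ProcState(pid, ppid)
        return self.procs[pid]

    def _store(self, kind):
        return self.host.files if kind == "file" else self.host.registry

    def _journal(self, p, kind, key):
        # Checkpoint the previous value before the change is applied.
        p.journal.append((kind, key, self._store(kind).get(key)))

    def _undo(self, kind, key, prev):
        store = self._store(kind)
        if prev is None:
            store.pop(key, None)
        else:
            store[key] = prev

    def handle(self, pid, ppid, etype, target):
        """Consume one system event; events may arrive far apart in time."""
        p = self._proc(pid, ppid)
        if etype == "exec":
            p.image = target
            writer = self.dropped_files.get(target)
            if writer is not None and writer != pid:
                p.stages.add("dropped_by_parent")
        elif etype == "file_write":
            self._journal(p, "file", target)
            self.host.files[target] = f"written by pid {pid}"
            if target.lower().endswith((".exe", ".dll")):
                self.dropped_files[target] = pid
        elif etype == "reg_write":
            self._journal(p, "reg", target)
            self.host.registry[target] = p.image
            if "\\currentversion\\run\\" in target.lower():
                p.stages.add("persist_runkey")
        elif etype == "net_connect":
            p.stages.add("outbound_connect")
        # Just-in-time decision: act only once the complete chain has been observed.
        if pid not in self.host.killed and all(s in p.stages for s in DROPPER_POLICY):
            self._respond(p)

    def _respond(self, p):
        self.host.killed.add(p.pid)
        self.violations.append((p.pid, p.image))
        # Roll back the offending process's own changes, newest first.
        for kind, key, prev in reversed(p.journal):
            self._undo(kind, key, prev)
        p.journal.clear()
        # The dropped image itself was written by the parent: undo that entry too.
        writer = self.procs.get(self.dropped_files.get(p.image))
        if writer is not None:
            for entry in [e for e in writer.journal if e[:2] == ("file", p.image)]:
                self._undo(*entry)
                writer.journal.remove(entry)


def run_trace(events):
    """Replay a (pid, ppid, event_type, target) trace; return (host, engine)."""
    host = Host()
    engine = PolicyEngine(host)
    for ev in events:
        engine.handle(*ev)
    return host, engine


# Constructed traces. In MALICIOUS_TRACE a mail client drops an executable whose child
# persists and beacons out. In BENIGN_TRACE an installer that nobody dropped performs
# the same last two steps and must not be flagged.
MALICIOUS_TRACE = [
    (100, 1,   "exec",        r"C:\Program Files\Mail\mail.exe"),
    (100, 1,   "file_write",  r"C:\Users\u\AppData\Local\Temp\invoice.exe"),
    (200, 100, "exec",        r"C:\Users\u\AppData\Local\Temp\invoice.exe"),
    (200, 100, "reg_write",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    (200, 100, "file_write",  r"C:\Users\u\AppData\Local\Temp\helper.dll"),
    (200, 100, "net_connect", "203.0.113.7:4444"),
]
BENIGN_TRACE = [
    (300, 1,   "exec",        r"C:\Users\u\Downloads\setup.exe"),
    (300, 1,   "reg_write",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\setup"),
    (300, 1,   "net_connect", "198.51.100.20:443"),
]
```

Replaying MALICIOUS_TRACE with `run_trace` terminates pid 200, removes its Run key and dropped DLL, and also removes `invoice.exe` even though a different process (the mail client) wrote it, which is the cross-process rollback the abstract alludes to. BENIGN_TRACE leaves the installer's Run key in place and reports no violation: the Run-key write and the outbound connection are each individually unremarkable, and waiting for the full chain is what keeps the false-positive rate down. The cost of that delay is that the engine only acts after the network connection has been attempted, so a production design would pair the rollback with blocking of the triggering event itself.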

* information listed above is at the time of submission.
