You are here

Malicious Behavior Detection for High Risk Data Types (DetChambr)

Award Information
Agency: Department of Defense
Branch: Air Force
Contract: FA8750-15-C-0195
Agency Tracking Number: F151-031-1621
Amount: $148,300.00
Phase: Phase I
Program: SBIR
Solicitation Topic Code: AF151-031
Solicitation Number: 2015.1
Solicitation Year: 2015
Award Year: 2015
Award Start Date (Proposal Award Date): 2015-09-02
Award End Date (Contract End Date): 2016-06-01
Small Business Information
3220 1st Ave South, Suite 100
Seattle, WA 98134
United States
DUNS: 787942528
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Falcon Darkstar Momot
 Security Consultant
 (206) 486-6879
Business Contact
 Chad Thunberg
Phone: (866) 452-6997
Research Institution

ABSTRACT: Leviathan Security Group (LSG) has previously created a system called Major Myer, under the DARPA CINDER program, which is capable of detecting exploitation attempts in images of application memory using emulation. It has focused on crashdumps, but is theoretically not limited to this purpose. LSG has since commercialized the technology developed under that project into a product called Lotan, which is currently offered for sale as a detector for exploit code in crashdumps collected through existing error reporting facilities. However, the solution is fundamentally reactive in nature, since it can only detect exploits after they have reached the target system. LSG now proposes to extend this methodology to filter files, at the point of network ingress and any other point designated by network administrators, in order to apply this technology in a proactive manner and shift the asymmetry further in favour of the defender. Like Major Myer and Lotan, the technology will rely on behavioural heuristics and inactive emulation, rather than the traditional technique of explicit signatures and sandboxes. Research work on the project will include generalization of the Lotan technology, construction of exploitation context required for detection, result presentation, and domain-specific security hardening.; BENEFIT: The chief benefit of this project will be the ability to detect malicious files per se, without a need for signatures, at the point of network ingress. For example, email attachments and file downloads could be filtered. Later stages of the project will improve the filtering speed and harden the security of the filter. The method used is capable of detecting previously unknown (0-day) remote code execution exploits, provided they use at least some known technique. As a modular addition to a commercial project, the commercialization potential of the results of this project are clear and strong; products with similar use cases have been successful in the marketplace and file scanners in general are viewed as a critical component in network defense.

* Information listed above is at the time of submission. *

US Flag An Official Website of the United States Government