SBIR-STTR Award

SAFE: Behavior-based Malware Detection and Prevention
Award last edited on: 4/8/2008

Sponsored Program
SBIR
Awarding Agency
NSF
Total Award Amount
$649,994
Award Phase
2
Solicitation Topic Code
-----

Principal Investigator
Hao Wang

Company Information

NovaShield Inc (AKA: Securitas Technologies Inc)

918 Deming Way, Suite 300
Madison, WI 53717
   (608) 833-2610
   info@novashield.com
   www.novashield.com
Location: Single
Congr. District: 02
County: Dane

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2006
Phase I Amount
$149,994
This Small Business Innovation Research Phase I project aims to design and develop a novel solution that addresses the spyware problem, one of the fastest-growing security threats today. To address the growing spyware epidemic, this effort proposes a solution that can: (1) detect previously unseen spyware, and (2) automatically generate signatures for newly detected spyware so that all other computers within the same network (e.g., a corporate network) can automatically gain protection from the new spyware. Two key challenges that must be addressed include: how to efficiently detect spyware behavior, and how to automatically generate succinct spyware signatures and propagate the information to other computers. Recent studies have suggested that the anti-spyware market is expected to expand from $12 million in 2003 to more than $300 million in 2008, with significant growth potential in the future. As part of the commercialization strategy, this effort plans to leverage the capability of the proposed system with two existing open-source-based products: ClamAV and Snort.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2007
Phase II Amount
$500,000
This SBIR Phase II project has the objective of implementing a commercially competitive, host-based malware detection and prevention system. During Phase I, a host-based malware detection system was developed that demonstrated the practicality of detecting a malicious process by dynamically monitoring its system events. The prototype, called SAFE (Secure Activity Filtering Engine), filters system events using a stateful policy engine whose policies specify malicious behavior and the appropriate response. Because the technology does not rely upon the detection of "signatures" (i.e., patterns of bytes), it can detect previously unseen malware. During Phase II, a number of significant enhancements to the policy engine, including a checkpoint/rollback capability, will be developed. The proposed functionality removes file system and registry changes associated with a process when a policy violation is detected. The ability to delay detection of malicious behavior until detailed system events are observed provides a just-in-time detection capability that increases the accuracy of the detection process while reducing false positives. The SAFE technology has the potential to demonstrate an effective approach to combating at least two of the dominant trends in the threat landscape. One such trend is the crafting of blended threats, which use multiple infection vectors such as email readers, web browsers, and messaging software to infect a host computer. Another trend is the popularity of "malware toolkits," which can be used by malware writers to quickly generate multiple variants of the same virus. The rapid proliferation of obfuscated variants is a potent threat to traditional signature-based solutions on two fronts: the rate of malware infection may overwhelm efforts to produce signatures to detect these variants, and the logarithmic increase in the size of signature databases reduces the performance of signature scanning. The SAFE technology addresses both of these trends. The stateful policy engine can correlate non-simultaneous events across multiple subsystems and processes and thus detect and block blended threats. If successful, the architecture of the proposed system will have the potential to address a myriad of security threats and make a commercially significant impact.