Orthogonal Approach to Malware Detection and Classification
Navy SBIR 2015.1 - Topic N151-067
ONR - Ms. Lore-Anne Ponirakis - [email protected]
Opens: January 15, 2015 - Closes: February 25, 2015 6:00am ET

N151-067 TITLE: Orthogonal Approach to Malware Detection and Classification

TECHNOLOGY AREAS: Information Systems

OBJECTIVE: Develop technologies and tools for detecting and classifying malware using methods and techniques that are orthogonal to existing methods of binary/code analysis and binary and behavioral signatures.

DESCRIPTION: Today's networked computer systems are continuously under attack. Large and complex software systems are difficult to verify and secure completely. These systems are vulnerable to compromises that take advantage of their weaknesses and flaws, and adversaries exploit these flaws to force access into our systems. Exacerbating the problem is the brittleness of current computing systems: an initial penetration may quickly escalate to complete system control/compromise, rendering a computing system non-operational or, worse, leaving information systems corrupted, leaky and misleading.

Current state-of-the-art practice for defending the system is mostly based on scan-and-patch processes. To protect against exploits and attacks, the system often employs a perimeter defense that scans files and executables as they enter the system to detect (and sometimes classify) potential exploits. The detection process relies on binary and behavioral signature filtering and heuristics, which are slow to react to new threats and unable to keep up with novel attack vectors. Polymorphic and metamorphic obfuscation techniques for malware and exploits, along with the availability of toolkits for generating exploits, make malware/exploit production relatively inexpensive. The adversary can use the same obfuscation techniques and toolkits to continually produce seemingly new exploits and continually evade detection. A battle is being fought between cyber defender and attacker on the code-analysis and binary/behavioral-signature front.

PHASE I: Investigate and develop a novel technique and tools for reliably detecting and classifying malware, orthogonal to the current generation of malware detection techniques. Develop a proof-of-concept prototype and identify the metrics that determine the prototype's efficacy.

PHASE II: Develop and enhance the prototype into a fully functioning tool. Demonstrate and evaluate the capability of the tool on a large number of real malware samples, newly constructed malware variants and benign programs. Address potential deficiencies and enhance the performance and robustness of the technique and tool.

PHASE III: Upon successful completion of Phase II, the small business will provide support in transitioning the technology for Navy use. The small business will develop a plan for integrating the product into the Navy's information infrastructure and for determining the effectiveness of the novel orthogonal malware detection techniques in an operationally relevant environment. The small business will support the Navy in certifying and qualifying the system for Navy use.

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: A novel orthogonal exploit detection tool can be independently marketed or integrated into current computer security product offerings, providing additional defense in the malware detection area. If successful, the tool developed within this SBIR should find its market in the commercial sector as well as the military sector.

REFERENCES:
2. L. Nataraj, S. Karthikeyan, G. Jacob, and B.S. Manjunath, "Malware Images: Visualization and Automatic Classification", Proc. 8th International Symposium on Visualization for Cyber Security (VizSec '11), pp. 4:1-4:7.
3. D. Kirat, L. Nataraj, G. Vigna, and B.S. Manjunath, "SigMal: A Static Signal Processing Based Malware Triage", Proc. 29th Annual Computer Security Applications Conference (ACSAC '13), pp. 89-98.
4. J. Hoffmann, S. Neumann, and T. Holz, "Mobile Malware Detection Based on Energy Fingerprints - A Dead End?", Proc. Research in Attacks, Intrusions and Defenses Symposium (RAID '13), pp. 348-368.

KEYWORDS: malware similarity, malware detection, malware classification, malware signature, defense-in-depth, multi-vantage-point detection
Official DoD SBIR FY-2015.1 Solicitation Site