Acquisition Program:

Objective: Advance the security, effectiveness, and automation of the malicious code and information leakage detection process for physical media entering or leaving classified or controlled facilities.

Description: Daily operations within DoD research laboratories require particular care when introducing new software packages or data into a controlled environment. Typically, media entering or leaving a research facility are expected to be scanned for viruses and other malicious content and to be properly inventoried for reference and control purposes. This process does not include inspection for data leakage, deep file inspection for malware, or the risk that malicious code on the media exploits the scanning host itself. Although network-based guards have established an effective process for safely analyzing files that traverse security domains, not all organizations or facilities have access to these devices. Additionally, the analysis techniques used by existing network guard solutions cannot be employed in a research environment where file types, formats, and data are as dynamic as the research at hand. Adversaries employ advanced techniques to evade detection by traditional software, including obfuscation, packing, and multi-tiered encoding. These key factors drive the need for more in-depth file analysis for malicious code and data leakage. The focus of this effort is to develop a mechanism to detect potential malicious code or hidden data in unknown or complex files and data types entering or leaving controlled research facilities. These mechanisms will be expected to operate in controlled and classified environments, processing unknown data types autonomously with no access to external resources, administrative control channels, or a human-in-the-loop review process.

PHASE I: 1) Investigate and propose a mechanism capable of autonomously performing deep file inspection, virus scanning, malware detection, and content analysis on unknown data types. 2) Provide architecture and design documents for a prototype that demonstrates the feasibility of the concept. 3) Provide a minimal software prototype demonstrating the feasibility of the concept.

PHASE II: 1) Based on the results from Phase I, refine and extend the prototype into a fully functioning inspection system. 2) Provide an analysis demonstrating the effectiveness of malicious code and hidden data detection. 3) Provide an analysis demonstrating the robustness of the system in withstanding an attack via malicious code. 4) Provide a risk/impact analysis of false positive results, inbound or outbound.

PHASE III -- DUAL-USE COMMERCIALIZATION: Government and commercial entities are required to ensure absolute security of research facilities from malicious code and data leakage. Therefore, an effective, secure means of providing controlled inbound and outbound data inspection would be marketable to both kinds of organization.

References: ONE

Keywords: malicious code, data leakage, malware detection, deep file inspection, malicious content inspection, hidden data detection
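The Description asks for deep file inspection that peels multi-tiered encoding off unknown data types, and Phase II asks that the inspector itself withstand hostile input. The following is an added illustration written for this page, not code from the solicitation or from any offeror's prototype. It assumes a short magic-byte table for type identification, treats base64 and zlib as the encoding layers to unwrap, and uses budget values (MAX_DEPTH, MAX_OUTPUT, MAX_RATIO) chosen for illustration rather than taken from any standard. The three sample inputs at the bottom are constructed for the example.

```python
import base64
import binascii
import zlib

# Illustrative budgets (assumed values, not from the solicitation or any standard).
MAX_DEPTH = 8                 # encoding layers to peel before giving up
MAX_OUTPUT = 4 * 1024 * 1024  # bytes a single decoded layer may expand to
MAX_RATIO = 100               # decompressed/compressed size ratio tolerated

# Deliberately short magic-byte table (constructed for the example).
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
}

B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n"
)


class ResourceLimit(Exception):
    """Raised when a layer would exceed the inspector's size or ratio budget."""


def identify(data):
    """Classify a blob by leading magic bytes; 'unknown' if nothing matches."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def try_base64(data):
    """Return decoded bytes if data looks like a base64 layer, else None."""
    stripped = data.strip()
    if len(stripped) < 16 or not set(stripped) <= B64_ALPHABET:
        return None
    try:
        decoded = base64.b64decode(stripped)
    except (binascii.Error, ValueError):
        return None
    return decoded or None


def try_zlib(data):
    """Return inflated bytes if data is a complete zlib stream, else None.

    Inflation is capped so a decompression bomb cannot exhaust the scanning host.
    """
    if len(data) < 2 or data[0] != 0x78 or ((data[0] << 8) | data[1]) % 31 != 0:
        return None
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, MAX_OUTPUT + 1)
    except zlib.error:
        return None
    if len(out) > MAX_OUTPUT or d.unconsumed_tail:
        raise ResourceLimit("zlib layer exceeds MAX_OUTPUT")
    if len(out) > MAX_RATIO * len(data):
        raise ResourceLimit("zlib layer exceeds MAX_RATIO")
    if not d.eof:
        return None  # truncated stream: treat as opaque data, not a layer
    return out


LAYER_DECODERS = (("base64", try_base64), ("zlib", try_zlib))


def peel(data, depth=0):
    """Recursively unwrap encoding layers, recording one finding per layer."""
    finding = {"depth": depth, "type": identify(data), "size": len(data)}
    if finding["type"] != "unknown":
        return [finding]  # recognised format; hand off to format-specific parsers
    if depth >= MAX_DEPTH:
        finding["type"] = "limit"
        return [finding]
    for name, decoder in LAYER_DECODERS:
        inner = decoder(data)
        if inner is not None:
            finding["layer"] = name
            return [finding] + peel(inner, depth + 1)
    return [finding]


def analyze(data):
    """Run the layered inspection and map the findings to a coarse verdict."""
    try:
        findings = peel(data)
    except ResourceLimit as exc:
        return {"verdict": "resource_limit", "reason": str(exc), "findings": []}
    depth, final = findings[-1]["depth"], findings[-1]["type"]
    if final in ("pe", "elf"):
        verdict = "executable_hidden" if depth > 0 else "executable"
    elif final == "limit":
        verdict = "limit_reached"
    elif depth >= 2:
        verdict = "suspicious_layering"
    elif depth == 1:
        verdict = "single_layer"
    else:
        verdict = "unlayered"
    return {"verdict": verdict, "findings": findings}


# Constructed samples: a fake PE header under zlib then base64, a zlib bomb, plain text.
SAMPLE_LAYERED = base64.b64encode(zlib.compress(b"MZ" + b"\x90" * 256))
SAMPLE_BOMB = zlib.compress(bytes(2_000_000))
SAMPLE_TEXT = b"Hello, this is a plain text file."

if __name__ == "__main__":
    for label, sample in (("layered", SAMPLE_LAYERED), ("bomb", SAMPLE_BOMB), ("text", SAMPLE_TEXT)):
        print(label, analyze(sample)["verdict"])
```

The two budget checks in `try_zlib` are the part that answers the Phase II robustness item: the decompressor is asked for at most MAX_OUTPUT + 1 bytes, and anything left in `unconsumed_tail` or exceeding the ratio is reported as a resource-limit finding rather than inflated further, so a hostile file yields a verdict instead of exhausting the isolated scanning host.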