|Acquisition Program: || Objective: ||Research and development of real-time, automatic identification and mitigation techniques to detect and stop unauthorized information leaking as well as unwanted and malicious traffic emanating from a computer at all time and locations. New techniques and implementations are needed to monitor applications and user activities on a computer to detect and stop outgoing data and traffic that is not intended or authorized by the user or security policies.
|| Description: ||Malicious software on compromised computers, e.g., spyware, botnets, Remote Administration Trojans, key loggers, peer-to-peer file sharing, remote monitoring and control software constitute serious threats to DoD systems because they run inside DoD networks collecting information, and then surreptitiously send information out. Network security appliances (such as a network intrusion detection system) that focus on traffic analysis provide limited help to detect and stop information leaking and malicious traffic from compromised computers. Distinguishing human- vs. malware- generated data from a network traffic analysis perspective is extremely challenging. Current anti-spyware and anti-virus systems have a large capability gap in finding and stopping spyware and other malicious software running on computers, especially when malware can get into the operating system kernel and disable these on-host security systems. Robust, accurate, and efficient monitoring of applications and user activities on a computer, particularly actions that relate to outgoing data and traffic, is a promising approach to ensure that data and traffic leaving a computer is indeed authorized by security policies. The general task of identifying and stopping unintended and unauthorized traffic is challenging for several reasons. First, for the monitoring system to be effective and practical, it must be robust and efficient, cannot be disabled by malware, and with no/low noticeable performance overhead. Second, current virtual machine technologies are “heavyweight” thus a light weight approach is desired. Third, precisely identifying applications and user events related to outgoing data and traffic and ensuring that the observations are not forgeable require accurate understanding of application semantics, memory analysis, and handling of hardware events in a very efficient manner. To address these challenges, new architecture that can combine the benefits of both out-of-VM and in-VM monitoring approaches, systems that comes with lightweight, transparent hypervisor, and techniques that can precisely and securely identify user actions and application activities and data are highly desired.
|| ||PHASE I: 1) Research and develop an architecture that can combine the benefits of both out-of-VM and in-VM monitoring approaches and new techniques for accurate and efficient understanding of application semantics, memory analysis, and handling of hardware events. 2) Demonstrate the proposed architecture and techniques with a typical computer (e.g., Intel/AMD hardware) and software configurations (e.g., commodity operating systems and applications).
|| ||PHASE II: 1) Develop a working system that can in real-time automatically stop unintended or unauthorized outgoing data and traffic, while producing no false alarms, when tested live with a user/computer. 2) Carry out comprehensive benchmarking experiments using representative usage scenarios of varying application programs and malicious software and demonstrate the advantages of this approach by comparing against existing tools and techniques.
|| ||PHASE III/|| ||DUAL USE COMMERCIALIZATION: Effective (host) computer security, in particular, information leaking mitigation is a critical capability for both the military and commercial sectors. The developed technology will secure both military and civilian computers. The new monitoring system should be marketed as a standalone product or can be licensed to a third party.
|| References: |