This SBIR Phase II project has the objective of implementing a commercially-competitive, host-based, malware detection and prevention system. During Phase I, a host-based malware detection system that demonstrated the practicality of detecting a malicious process by dynamically monitoring its system events was developed. The prototype called SAFE (Secure Activity Filtering Engine) filters system events using a stateful policy engine whose policies specify malicious behavior and the appropriate response. Because the technology does not rely upon the detection of "signatures" (i.e. patterns of bytes), it can detect previously unseen malware. During Phase II a number of significant enhancements to the policy engine including a checkpoint/rollback capability will be developed. The proposed functionality removes file system and registry changes associated with a process when a policy violation is detected. The ability to delay detection of malicious behavior until detailed system events are observed provides a just-in-time detection capability that increases the accuracy of the detection process while reducing false positives.
The SAFE technology has the potential to demonstrate an effective approach to combating at least two of the dominant trends in the threat landscape. One such trend is the crafting of blended threats which use multiple infections vectors like email readers, web browsers, and messaging software to infect a host computer. Another trend is the popularity of "malware toolkits" which can be used by malware writers to quickly generate multiple variants of the same virus. The rapid proliferation of obfuscated variants is a potent threat to traditional signature-based solutions on two fronts: the rate of malware infection may overwhelm efforts to produce signatures to detect these variants and the logarithmic increase in the size of signatures databases reduces the performance of signature scanning. The SAFE technology addresses both of these trends. The stateful policy engine can correlate non simultaneous events across multiple sub systems and processes and thus detect and block blended threats. If successful, the architecture of the proposed system will have the potential to address a myriad of security threats and make a commercially-significant impact.
As computers and Internet become an indispensable part of our life, millions of computer users are affected annually by malicious software (malware) such as viruses, worms, and Trojans that causes havoc ranging from stolen personal information to damaged computers. With the support of National Science Foundation (NSF)'s Small Business Innovation Research (SBIR) program, NovaShield Inc. was able to make significant progress in developing and improving a novel anti-malware technology that is capable of preventing malware from infecting users' computer and hence providing enhanced security to users. NovaShield Inc.'s patent-pending behavior-based anti-malware technology tracks real-time activities of every running process on a user's computer and uses this knowledge to identify suspicious activities that may come from malware. As a result, NovaShield Inc.'s behavior technology fundamentally differs from existing signature-based anti-malware technology which relies on using signature patterns that can only detect known malware. As a result, NovaShield Inc.'s anti-malware engine is capable of detecting and stopping both known malware and new malware that cannot be detected or stopped by existing anti-malware products. This has a broad impact on millions of computer users because our technology can guard users against new security threats that might be missed by other anti-malware products. To this end, NovaShield Inc. has made following significant progress towards our goal: NovaShield Anti-Malware Product: NovaShield Inc. has successfully developed and released NovaShield Anti-Malware 3.0 to the pulic in July 2010. The Best In Dynamic Malware Detection: Tests done by a third-party independent testing agency have shown that NovaShield Inc.'s behavior-based malware detection technology is among the best in terms of detecting and stopping new malware from the wild. Successful Commercialization Effort: NovaShield Inc. was not only able to develop the new anti-malware technology but also was able to successfully commercialize the technology. Shortly after the release of NovaShield Anti-Malware Product, NovaShield Inc. signed its first major licensing agreement with another anti-malware provider that wanted to integrate NovaShield's behavior-based malware detection technology.
