The Department of Homeland Security is publicizing eight new cybersecurity technologies developed under federal grants, for which it is seeking private businesses to turn them into commercial products.
In its fourth “Cyber Security Division Transition to Practice Technology Guide”, DHS outlines the eight technologies that range from malware analysis tools to behavior analysis platforms to randomization software that protects Windows applications.
The DHS’s Transition to Practice program identifies cybersecurity research that is ready for pilot testing or for development into commercial products. In the four years of the program, four of 24 technologies have been licensed by commercial entities and one has been open-sourced.
The TTP program attempts to put unclassified cyber research into practical use. “The federal government spends more than $1 billion on unclassified cybersecurity research every year,” the report says. “However, very little of that research is ever integrated into the marketplace.”
Here is a description of the eight new technologies in this year’s report:
REnigma
This software runs malware within a virtual machine and records what it does so it can be played back and analyzed in detail. The idea is to give researchers the chance to view malware at their leisure so they can understand in detail what it does and how.
It lets researchers avoid manual reverse engineering.
The key technology advance is the Johns Hopkins Applied Physics Laboratory’s virtual machine record and replay. With it, researchers can use analysis tools on the malware while it is running, and the malware’s anti-analysis technology is unable to detect it. “For example,” the report says, “if a malicious code sample outputs encrypted data on the network, an analyst can use REnigma to backtrack to the plaintext data in memory or recover the encryption key used for exfiltration.”
Socrates
This software platform automatically seeks patterns in data sets, and can tease out those that represent cyber threats. It tries to provide both analysis and computer science capabilities, a pairing that human analysts often lack.
The platform can perform unsupervised analysis of data – seeking patterns that may reveal future outcomes. Socrates has been used to study travel patterns of large groups to discover unknown associates of persons of interest, for example.
PcapDB
This is a software database system that captures packets to analyze network traffic by first organizing packet traffic into flows.
Its creators liken its function to that of the black box flight recorders on airplanes. “Pcap allows reconstruction of malware transfers, downloads, command and control messages, and exfiltrated data,” they say.
The platform optimizes the data captured so it can be stored on less disk space and accessed more quickly for analysis. By stripping away unnecessary features, PcapDB can store months of traffic data on commodity Serial Attached SCSI (SAS) disks, a plus when investigating intrusions. “The longest history possible is key when investigating a cyber incident,” its creators write.
REDUCE
This is a software analysis tool to reveal relationships between malware samples and to develop signatures that can be used to identify threats.
The software performs static analysis on malware samples to identify similar code sections that link the samples to previously analyzed malware groups. This enables rapid inferences about who wrote the new malware and what its technical characteristics might be.
Unlike some commercial tools that compare two malware samples at a time, REDUCE can compare multiple samples simultaneously. When it discovers similarities in code patterns it displays them along with existing knowledge about those patterns.
The tool is designed for use by security practitioners who don’t have a lot of reverse engineering background.
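The multi-sample comparison described above can be illustrated with byte n-gram shingling and Jaccard overlap, a standard static-similarity technique. This is an added example in the spirit of REDUCE's approach, not the tool's own code: the byte strings are constructed stand-ins for disassembled code sections, and the family labels, function names and the 0.5 attribution threshold are assumptions.

```python
"""Multi-sample code similarity by byte n-gram shingling and Jaccard overlap.
Added example, not REDUCE's code; all samples below are constructed."""
from itertools import combinations

# Constructed "code sections": two unrelated base sequences and variants of one.
BASE_A = bytes(range(0x10, 0x40))   # 48 distinct bytes
BASE_B = bytes(range(0x80, 0xB0))   # 48 distinct, unrelated bytes
KNOWN = {                           # previously analysed samples with family labels
    "alpha-1": ("alpha", BASE_A),
    "alpha-2": ("alpha", BASE_A[:20] + b"\x90\x90" + BASE_A[20:]),  # padded variant
    "beta-1":  ("beta",  BASE_B),
}
NEW_SAMPLE = BASE_A[:30] + b"\xcc" + BASE_A[30:]   # alpha with one inserted byte


def shingles(code, n=4):
    """Set of overlapping n-byte windows; an insertion only disturbs windows crossing it."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def jaccard(a, b):
    union = len(a | b)
    return len(a & b) / union if union else 0.0


def pairwise(samples, n=4):
    """Compare every sample against every other in one pass, not two at a time."""
    sh = {name: shingles(code, n) for name, code in samples.items()}
    return {frozenset((x, y)): jaccard(sh[x], sh[y]) for x, y in combinations(sh, 2)}


def pairwise_known(known=KNOWN, n=4):
    return pairwise({name: code for name, (_, code) in known.items()}, n)


def attribute(code, known=KNOWN, threshold=0.5, n=4):
    """Best-matching family for an unknown sample, its score, and the shared windows
    (the 'existing knowledge' to show next to the match). None below threshold."""
    target = shingles(code, n)
    best = (None, 0.0, set())
    for _name, (family, kcode) in known.items():
        ks = shingles(kcode, n)
        score = jaccard(target, ks)
        if score > best[1]:
            best = (family, score, target & ks)
    family, score, shared = best
    return (family if score >= threshold else None), score, shared


if __name__ == "__main__":
    for pair, score in sorted(pairwise_known().items(), key=lambda kv: -kv[1]):
        print(sorted(pair), round(score, 3))
    fam, score, shared = attribute(NEW_SAMPLE)
    print("new sample ->", fam, round(score, 3), "shared windows:", len(shared))
```

Shingling is what makes the comparison tolerant of padding and small edits: the two alpha variants still share 42 of their windows, while the unrelated beta sample shares none, so an unknown sample can be placed against all known families in one pass and the shared windows shown alongside the verdict.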
Dynamic Flow Isolation
DFI leverages software defined networking to apply security policies on-demand based on current operational state or business needs.
This is done by enabling, disabling or rate limiting communications between individual users and network services. This can be done either automatically or manually.
The software gains awareness of the network’s operational state by integrating with devices such as authentication servers and intrusion detection systems. It also integrates with SDN controllers to change allowable network connections in response to changing network state. This enables quarantining of individual machines or groups and blocking active attacks from reaching critical assets.
The software includes a policy enforcement kernel implemented within SDN controllers to update access rules for switches in the network. It works with existing SDN hardware and is portable across SDN controllers.
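The policy-enforcement idea described above (operational state from authentication servers and intrusion detection feeding per-host, per-service allow/deny/rate-limit decisions that a controller pushes to switches) can be modelled in a few dozen lines. This is an added example, not DFI's own code: the service catalogue, event format, the abstract rule dictionaries standing in for controller flow rules, and the quarantine-before-role-before-throttle ordering are all assumptions.

```python
"""Policy kernel turning operational state (auth sessions, IDS alerts) into
per-host/per-service flow decisions for an SDN controller.
Added example modelled on the DFI description; not DFI's code. Constructed data."""

SERVICES = {  # constructed service catalogue: critical services require a role
    "erp":         {"critical": True,  "roles": {"finance"}},
    "wiki":        {"critical": False, "roles": set()},
    "remediation": {"critical": False, "roles": set()},
}


class PolicyKernel:
    def __init__(self, services):
        self.services = services
        self.sessions = {}        # host -> role, learned from the authentication server
        self.quarantined = set()  # hosts isolated after a high-severity IDS alert
        self.throttled = set()    # hosts rate-limited after a medium-severity alert

    def on_event(self, ev):
        """Update operational state from an integrated device (auth server or IDS)."""
        src, kind, host = ev["source"], ev["type"], ev["host"]
        if src == "auth" and kind == "login":
            self.sessions[host] = ev["role"]
        elif src == "auth" and kind == "logout":
            self.sessions.pop(host, None)
        elif src == "ids" and kind == "alert":
            if ev["severity"] == "high":
                self.quarantined.add(host)
            elif ev["severity"] == "medium":
                self.throttled.add(host)
        elif src == "ids" and kind == "cleared":
            self.quarantined.discard(host)
            self.throttled.discard(host)

    def decision(self, host, service):
        """Quarantine first, then least privilege on critical services, then throttling."""
        svc = self.services[service]
        if host in self.quarantined:
            return "allow" if service == "remediation" else "drop"
        if svc["critical"] and self.sessions.get(host) not in svc["roles"]:
            return "drop"
        if host in self.throttled:
            return "rate-limit"
        return "allow"

    def compile_rules(self, hosts):
        """Flatten current state into abstract rules a controller would push to switches
        (assumed format, not OpenFlow)."""
        return [{"match": {"src": h, "service": s}, "action": self.decision(h, s)}
                for h in sorted(hosts) for s in sorted(self.services)]


EVENTS = [  # constructed event stream
    {"source": "auth", "type": "login", "host": "10.0.0.5", "user": "alice", "role": "finance"},
    {"source": "auth", "type": "login", "host": "10.0.0.7", "user": "bob", "role": "staff"},
    {"source": "ids", "type": "alert", "host": "10.0.0.7", "severity": "medium"},
    {"source": "ids", "type": "alert", "host": "10.0.0.9", "severity": "high"},
]


def run_scenario(events=EVENTS):
    kernel = PolicyKernel(SERVICES)
    for ev in events:
        kernel.on_event(ev)
    return kernel


if __name__ == "__main__":
    for rule in run_scenario().compile_rules({"10.0.0.5", "10.0.0.7", "10.0.0.9"}):
        print(rule)
```

The ordering inside decision is the security-relevant part: a quarantined host loses everything except the remediation service regardless of who is logged in, and a critical asset stays unreachable by default until the authentication server reports a session with an authorised role. Every state change is recomputed into rules, so a cleared alert restores access without manual switch edits.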
TRACER
Timely Randomization Applied to Commodity Executables at Runtime (TRACER) is a means to alter the internal layout and data of closed-source Windows applications such as Adobe Reader, Internet Explorer, Java and Flash.
Because these applications are closed and have static data and internal layout, adversaries can craft attacks that can be effective on a large scale.
Because the sensitive internal data and layout are randomized every time the application produces output, attackers cannot prepare effective attacks against them. Even if information about the data and layout leaks during one output, the arrangement will be different the next time.
In this way TRACER can thwart control-hijacking attacks against these Windows applications. It is installed on each machine and doesn’t interfere with normal operation. The downside is it increases execution time by 12% on average.
Other randomization schemes such as Address Space Layout Randomization, compiler-based code randomization and instruction set randomization perform one-time randomization. Patient attackers can wait for data leakage from the applications to create effective attacks.
FLOWER
Network FLOW AnalyzER inspects IP packet headers to gather data about bi-directional flows that can be used to identify baseline traffic and abnormal flows as a way to spot potential breaches and insider threats.
The data, collected via small appliances throughout the network and at its perimeter, can also be used as a resource for forensic investigations into incidents.
FLOWER has been deployed in more than 100 government and business networks since 2010. It has detected and mitigated coordinated attacks and has been used to create attack signatures.
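Both PcapDB (organizing captured packets into flows before storing them) and FLOWER (bidirectional flow records built from IP headers, compared against a baseline) rest on the same first step: folding packets from both directions into one flow record. The following added example shows that aggregation and a simple baseline check over constructed packet headers; it is not code from either project, and the header tuple format, the median-ratio baseline and the "one-sided" and "outbound-heavy" labels are assumptions.

```python
"""Bidirectional flow aggregation over packet headers plus a baseline check.
Added example in the spirit of PcapDB's flow organisation and FLOWER's
header-only flow records; not code from either project. Packets are constructed."""
from statistics import median

# Constructed packet headers: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (0.00, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 120),
    (0.02, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1400),
    (0.03, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1400),
    (0.04, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 80),
    (1.00, "10.0.0.7", 52000, "93.184.216.34", 443, "tcp", 100),
    (1.02, "93.184.216.34", 443, "10.0.0.7", 52000, "tcp", 1200),
    (5.00, "10.0.0.9", 53000, "198.51.100.20", 443, "tcp", 20000),
    (5.01, "10.0.0.9", 53000, "198.51.100.20", 443, "tcp", 20000),
    (5.02, "10.0.0.9", 53000, "198.51.100.20", 443, "tcp", 20000),
    (5.03, "198.51.100.20", 443, "10.0.0.9", 53000, "tcp", 60),
    (6.00, "10.0.0.9", 53001, "198.51.100.20", 22, "tcp", 60),
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key so both halves of a conversation land in one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto, a, b) if a <= b else (proto, b, a)


def aggregate_flows(packets):
    """Fold packet headers into bidirectional flow records (first packet = initiator)."""
    flows = {}
    for ts, sip, sport, dip, dport, proto, nbytes in packets:
        key = flow_key(sip, sport, dip, dport, proto)
        f = flows.get(key)
        if f is None:
            f = {"initiator": (sip, sport), "responder": (dip, dport), "proto": proto,
                 "first": ts, "last": ts,
                 "pkts_fwd": 0, "pkts_rev": 0, "bytes_fwd": 0, "bytes_rev": 0}
            flows[key] = f
        f["last"] = max(f["last"], ts)
        if (sip, sport) == f["initiator"]:
            f["pkts_fwd"] += 1
            f["bytes_fwd"] += nbytes
        else:
            f["pkts_rev"] += 1
            f["bytes_rev"] += nbytes
    return flows


def abnormal_flows(flows, ratio_factor=20.0):
    """Flag flows that never got a reply, or whose outbound/inbound byte ratio is far
    above the median ratio of the bidirectional flows (the baseline)."""
    bidir = [f for f in flows.values() if f["pkts_rev"] > 0]
    baseline = median(f["bytes_fwd"] / max(f["bytes_rev"], 1) for f in bidir) if bidir else None
    result = {}
    for key, f in flows.items():
        if f["pkts_rev"] == 0:
            result[key] = "one-sided"
        elif baseline and f["bytes_fwd"] / max(f["bytes_rev"], 1) > ratio_factor * baseline:
            result[key] = "outbound-heavy"
    return result


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for key, f in flows.items():
        print(f["initiator"], "->", f["responder"], f["pkts_fwd"], f["pkts_rev"],
              f["bytes_fwd"], f["bytes_rev"])
    print(abnormal_flows(flows))
```

Keeping only header-derived counters per flow is what lets a store hold months of history cheaply, and it is still enough to single out the upload-heavy flow to port 443 and the unanswered probe to port 22 among otherwise ordinary browsing.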
SilentAlarm
This platform analyzes network behaviors to identify likely malicious behavior to stop attacks including zero-days for which there are no signatures.
Network events are fed to its analysis engine from existing sensors. The engine includes knowledge nodes, analysis segments tuned to certain types of network behaviors such as failed or successful SMTP attempts or failed Internet connections. Based on historical behavior, each new event is characterized as normal or abnormal.
These characterizations are fed to hypothesis nodes that conclude whether observed behavior indicates malicious activity. If malicious activity is spotted SilentAlarm can send an alert or intervene.
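The two-stage structure described above (knowledge nodes that characterize a behaviour as normal or abnormal against its own history, and hypothesis nodes that combine those characterizations into a conclusion) can be sketched over a window of sensor events. This is an added example, not SilentAlarm's code: the history table, the key=value log lines, the mean-plus-three-sigma threshold with a minimum margin, and the two hypothesis rules are all constructed assumptions.

```python
"""Knowledge nodes and hypothesis nodes over a window of network events, in the
spirit of the SilentAlarm description. Added example, not the platform's code;
the history table and the log lines are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

HISTORY = {  # constructed per-(host, behaviour) counts from eight earlier windows
    ("10.0.0.5", "smtp_fail"): [0, 1, 0, 2, 1, 0, 1, 0],
    ("10.0.0.5", "conn_fail"): [3, 2, 4, 3, 2, 3, 4, 3],
    ("10.0.0.7", "smtp_fail"): [0, 0, 1, 0, 0, 0, 0, 0],
    ("10.0.0.7", "conn_fail"): [1, 0, 1, 1, 0, 1, 0, 1],
}


def _line(minute, host, ev, result, dst):
    return f"2016-04-12T10:{minute:02d}:00 host={host} ev={ev} result={result} dst={dst}"


WINDOW = (  # constructed sensor events for the current window
    [_line(i, "10.0.0.5", "smtp", "fail", "203.0.113.7") for i in range(6)]
    + [_line(10 + i, "10.0.0.5", "conn", "fail", ("198.51.100.9", "198.51.100.10")[i % 2])
       for i in range(7)]
    + [_line(20, "10.0.0.7", "smtp", "fail", "203.0.113.7")]
    + [_line(21 + i, "10.0.0.7", "conn", "fail", f"198.51.100.{20 + i}") for i in range(3)]
    + [_line(30, "10.0.0.5", "smtp", "ok", "203.0.113.8")]
)


def parse(line):
    ts, rest = line.split(" ", 1)
    return ts, dict(kv.split("=", 1) for kv in rest.split())


def knowledge_node(history, observed, k=3.0, min_margin=2):
    """Characterise one count as normal/abnormal against that behaviour's own history."""
    mu, sigma = mean(history), pstdev(history)
    threshold = max(mu + k * sigma, mu + min_margin)  # margin guards zero-variance baselines
    return "abnormal" if observed > threshold else "normal"


def characterize(window, history, window_count=8):
    """Run a knowledge node for every (host, behaviour) seen in the window."""
    counts, dsts = defaultdict(int), defaultdict(set)
    for line in window:
        _, f = parse(line)
        key = (f["host"], f"{f['ev']}_{f['result']}")
        counts[key] += 1
        dsts[key].add(f["dst"])
    return {key: {"count": n, "dsts": len(dsts[key]),
                  "state": knowledge_node(history.get(key, [0] * window_count), n)}
            for key, n in counts.items()}


def hypothesis_nodes(chars, scan_dsts=5):
    """Combine per-host characterisations into conclusions worth an alert."""
    alerts = []
    for host in sorted({h for h, _ in chars}):
        def abnormal(behaviour):
            return chars.get((host, behaviour), {}).get("state") == "abnormal"
        if abnormal("smtp_fail") and abnormal("conn_fail"):
            alerts.append((host, "spam-bot-like: abnormal SMTP failures with abnormal "
                                 "failed outbound connections"))
        elif abnormal("conn_fail") and chars[(host, "conn_fail")]["dsts"] >= scan_dsts:
            alerts.append((host, "scan-like: abnormal failed connections across many destinations"))
    return alerts


def analyze(window=WINDOW, history=HISTORY):
    chars = characterize(window, history)
    return chars, hypothesis_nodes(chars)


if __name__ == "__main__":
    chars, alerts = analyze()
    for key, c in sorted(chars.items()):
        print(key, c)
    print(alerts)
```

Note what the split buys: host 10.0.0.7 also trips one knowledge node (three failed connections against a near-zero baseline) but no hypothesis, so it produces no alert, while 10.0.0.5 trips two related nodes and does. The baseline is per host and per behaviour, so a mail server's ordinary SMTP failures do not set the threshold for a workstation, and no signature for the specific activity is needed.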