Existing security technologies fail, or have a significant capability gap, in detecting and stopping malicious traffic. Based on the new insight that traffic generated by malware is not directly initiated by user activity on the computer, Security Axioms has developed a new solution called Gyrus. Built on virtual machine monitoring techniques, Gyrus uses hardware events combined with memory analysis to authorize outgoing application traffic only if it was intended by the user. The Phase I project studied and demonstrated the feasibility of Gyrus with a demo system in which Gyrus ensures that a CAC card can only be used by the user to connect to the intended web sites. The main objective of Phase II is to develop a prototype host-based security product. Security Axioms will tackle several technical challenges. First, to make Gyrus more useful, we will add and improve support for email, web browsing, and messaging applications, and develop techniques that make it easier to add support for new applications. Second, to make Gyrus more usable, we will develop a dynamic virtualization architecture in which the degree of virtualization is adjusted to the current need for security monitoring, so that performance overhead is incurred in proportion to the level of security provided.
Keywords: Data Exfiltration, Malicious Traffic, Virtual Machine Introspection, Secure-In-VM Monitoring, Semantic Gap