SBIR-STTR Award

Malicious Behavior Detection for High Risk Data Types (DetChambr)
Award last edited on: 8/10/2016

Sponsored Program
SBIR
Awarding Agency
DOD : AF
Total Award Amount
$148,300
Award Phase
1
Solicitation Topic Code
AF151-031
Principal Investigator
Falcon Darkstar Momot

Company Information

Leviathan Security Group Inc

3223 3rd Avenue South Suite 100
Seattle, WA 98134
(866) 452-6997
contact@leviathansecurity.com
www.leviathansecurity.com
Location: Single
Congr. District: 07
County: King

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2015
Phase I Amount
$148,300
Leviathan Security Group (LSG) has previously created a system called Major Myer, under the DARPA CINDER program, which is capable of detecting exploitation attempts in images of application memory using emulation. It has focused on crashdumps, but is theoretically not limited to this purpose. LSG has since commercialized the technology developed under that project into a product called Lotan, which is currently offered for sale as a detector for exploit code in crashdumps collected through existing error reporting facilities. However, the solution is fundamentally reactive in nature, since it can only detect exploits after they have reached the target system. LSG now proposes to extend this methodology to filter files, at the point of network ingress and any other point designated by network administrators, in order to apply this technology in a proactive manner and shift the asymmetry further in favour of the defender. Like Major Myer and Lotan, the technology will rely on behavioural heuristics and inactive emulation, rather than the traditional technique of explicit signatures and sandboxes. Research work on the project will include generalization of the Lotan technology, construction of exploitation context required for detection, result presentation, and domain-specific security hardening.

Benefits:
The chief benefit of this project will be the ability to detect malicious files per se, without a need for signatures, at the point of network ingress. For example, email attachments and file downloads could be filtered. Later stages of the project will improve the filtering speed and harden the security of the filter. The method used is capable of detecting previously unknown (0-day) remote code execution exploits, provided they use at least some known technique. As a modular addition to a commercial product, the commercialization potential of the results of this project is clear and strong; products with similar use cases have been successful in the marketplace, and file scanners in general are viewed as a critical component in network defense.

Keywords:
signatureless, behavioral, malicious files, emulation, 0day

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
----
Phase II Amount
----