SBIR-STTR Award

CLAIM: Corpus- and Logic-based Automated Identification of Malware
Award last edited on: 1/17/2018

Sponsored Program
SBIR
Awarding Agency
DOD : DARPA
Total Award Amount
$1,300,374
Award Phase
2
Solicitation Topic Code
SB161-004
Principal Investigator
Eric Smith

Company Information

Kestrel Technology LLC (AKA: Kestrel Development Corporation; KTS; KT)

3260 Hillview Avenue
Palo Alto, CA 94304
(650) 320-8474
info@kestreltechnology.com
www.kestreltechnology.com
Location: Single
Congr. District: 16
County: Santa Clara

Phase I

Contract Number: N/A
Start Date: 00/00/00    Completed: 00/00/00
Phase I year
2015
Phase I Amount
$100,000
No abstract available.

Phase II

Contract Number: D16PC00178
Start Date: 00/00/00    Completed: 00/00/00
Phase II year
2016
Phase II Amount
$1,200,374
Kestrel Technology will develop CLAIM (Corpus- and Logic-based Automated Identification of Malware), which will pioneer a novel approach to malware detection and identification using a Big Code corpus of known malicious programs. CLAIM will work by performing a logical match (based on semantics and functionality, not signatures) between unknown, possibly malicious programs and known malicious programs from the corpus. The match will be performed by applying our technique of lifting-into-logic to both programs (x86 binaries), using a model of the x86 instruction semantics, and then applying our equivalence checking techniques to detect equivalent malicious functionality. When malice is detected, CLAIM will produce a certificate of malicious behavior, showing in detail how the new program's functionality corresponds to known malicious code in the corpus. All of this is enabled by the Big Code corpus of known malware: the corpus allows the difficult problem of malware detection to be reduced to the more tractable problem of equivalence checking. In turn, this equivalence checking problem is made tractable by our advanced techniques, including lifting into logic and the strategies used in the Axe Equivalence Checker (suitably adapted to handle x86 malware).