8 cyber security technologies DHS is trying to commercialize

Agency hopes to put $1 billion investment to practical use

The Department of Homeland Security is publicizing eight new cyber security technologies developed under federal grants that are looking for private businesses to turn them into commercial products.

In its fourth “Cyber Security Division Transition to Practice Technology Guide”, DHS outlines the eight technologies that range from malware analysis tools to behavior analysis platforms to randomization software that protects Windows applications.


The DHS’s Transition to Practice program identifies cybersecurity research that is ready for pilot testing or for development into commercial products. In the four years of the program, four of 24 technologies have been licensed by commercial entities and one has been open-sourced.

The TTP program attempts to put unclassified cyber research into practical use. “The federal government spends more than $1 billion on unclassified cybersecurity research every year,” the report says. “However, very little of that research is ever integrated into the marketplace.”

Here is a description of the eight new technologies in this year’s report:

REnigma

This software runs malware within a virtual machine and records what it does so it can be played back and analyzed in detail. The idea is to give researchers the chance to view malware at their leisure so they can understand in detail what it does and how.

It lets researchers avoid manual reverse engineering.

The key technology advance is the Johns Hopkins Applied Physics Laboratory’s virtual machine record and replay. With it researchers can use analysis tools on the malware while it is running, and the malware’s anti-analysis technology is unable to detect it. “For example,” the report says, “if a malicious code sample outputs encrypted data on the network, an analyst can use REnigma to backtrack to the plaintext data in memory or recover the encryption key used for exfiltration.”

Socrates

This software platform automatically seeks patterns in data sets, and can tease out those that represent cyber threats. It tries to provide both analysis and computer science capabilities, a pairing that human analysts often lack.

The platform can perform unsupervised analysis of data – seeking patterns that may reveal future outcomes. Socrates has been used to study travel patterns of large groups to discover unknown associates of persons of interest, for example.

PcapDB

This is a software database system that captures packets to analyze network traffic by first organizing packet traffic into flows.

Its creators liken its function to that of the black box flight recorders on airplanes. “Pcap allows reconstruction of malware transfers, downloads, command and control messages, and exfiltrated data,” they say.

The platform optimizes the data captured so it can be stored on less disk space and accessed more quickly for analysis. By stripping away unnecessary features, PcapDB can store months of traffic data on commodity Serial Attached SCSI (SAS) disks, a plus when investigating intrusions. “The longest history possible is key when investigating a cyber incident,” its creators write.

REDUCE

This is a software analysis tool to reveal relationships between malware samples and to develop signatures that can be used to identify threats.

The software performs static analysis on malware samples to identify similar code sections that link the samples to previously analyzed malware groups. This enables rapid inferences about who wrote the new malware and what its technical characteristics might be.

Unlike some commercial tools that compare two malware samples at a time, REDUCE can compare multiple samples simultaneously. When it discovers similarities in code patterns it displays them along with existing knowledge about those patterns.

The tool is designed for use by security practitioners who don’t have a lot of reverse engineering background.
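The multi-sample comparison described above, as an added illustration that is not REDUCE's own code: every sample's code chunks are indexed once so any number of samples are compared in a single pass, and a new sample is linked to previously analysed groups by the chunks it shares with them. The bracketed byte strings, the 8-byte window and the group names are all constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

WINDOW = 8  # bytes per chunk; a constructed stand-in for the code sections a real tool extracts

def chunks(data, window=WINDOW):
    """Set of overlapping byte windows taken from one sample (empty if it is too short)."""
    return {data[i:i + window] for i in range(len(data) - window + 1)}

def shared_chunks(samples):
    """samples: {name: bytes}. Index every chunk once, then keep those seen in 2+ samples,
    so an arbitrary number of samples is compared in one pass rather than pairwise."""
    index = defaultdict(set)
    for name, data in samples.items():
        for c in chunks(data):
            index[c].add(name)
    return {c: names for c, names in index.items() if len(names) > 1}

def jaccard(a, b):
    """Overlap of two chunk sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def similarity_matrix(samples):
    """Pairwise Jaccard similarity over chunk sets for every pair of samples."""
    sets = {n: chunks(d) for n, d in samples.items()}
    return {(x, y): jaccard(sets[x], sets[y]) for x, y in combinations(sorted(samples), 2)}

def link_to_groups(sample, known):
    """known: {group: bytes of a previously analysed member}. Return {group: shared chunk
    count} so a match is reported together with what is already known about that group."""
    s = chunks(sample)
    hits = {g: len(s & chunks(d)) for g, d in known.items()}
    return {g: n for g, n in hits.items() if n}

# Constructed samples: bracketed tokens stand in for code sections; real inputs would be
# raw or disassembled section bytes.
KNOWN = {"GroupAlpha": b"[init][xor-loop-v1][beacon-http]",
         "GroupBeta": b"[init][rc4-keysched][beacon-dns]"}
NEW = {"sample1": b"[init][xor-loop-v1][persist-reg]",
       "sample2": b"[init][xor-loop-v1][beacon-http][persist-reg]",
       "sample3": b"[init][zip-payload][beacon-dns]"}

def best_group(sample, known=KNOWN):
    """Group sharing the most chunks with the sample, or None if nothing matches."""
    hits = link_to_groups(sample, known)
    return max(hits, key=hits.get) if hits else None
```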

Dynamic Flow Isolation

DFI leverages software defined networking to apply security policies on-demand based on current operational state or business needs.

This is done by enabling, disabling or rate limiting communications between individual users and network services. This can be done either automatically or manually.

The software gains awareness of the network’s operational state by integrating with devices such as authentication servers and intrusion detection systems. It also integrates with SDN controllers to change allowable network connections in response to changing network state. This enables quarantining of individual machines or groups and blocking active attacks from reaching critical assets.

The software includes a policy enforcement kernel implemented within SDN controllers to update access rules for switches in the network. It works with existing SDN hardware and is portable across SDN controllers.

TRACER

Timely Randomization Applied to Commodity Executables at Runtime (TRACER) is a means to alter the internal layout and data of closed-source Windows applications such as Adobe Reader, Internet Explorer, Java and Flash.

Because these applications are closed and have static data and internal layout, adversaries can craft attacks that can be effective on a large scale.

By randomizing the sensitive internal data and layout every time the application produces output, attackers can’t prepare effective attacks against it. Even if information about the data and layout leaks during one output, the arrangement will be different the next time.

In this way TRACER can thwart control-hijacking attacks against these Windows applications. It is installed on each machine and doesn’t interfere with normal operation. The downside is it increases execution time by 12% on average.

Other randomization schemes such as Address Space Layout Randomization, compiler-based code randomization and instruction set randomization perform one-time randomization. Patient attackers can wait for data leakage from the applications to create effective attacks.

FLOWER

Network FLOW AnalyzER inspects IP packet headers to gather data about bi-directional flows that can be used to identify baseline traffic and abnormal flows as a way to spot potential breaches and insider threats.

The data, collected via small appliances throughout the network and at its perimeter, can also be used as a resource for forensic investigations into incidents.

FLOWER has been deployed in more than 100 government and business networks since 2010. It has detected and mitigated coordinated attacks and has been used to create attack signatures.
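The flow-level approach that PcapDB (organizing packets into flows) and FLOWER (baselining bi-directional flows from headers to spot abnormal ones) describe, as an added example that is neither tool's code: packet header records are folded into bi-directional flows, a per-service baseline is built from history, and new flows are flagged when they go to an unseen service or carry far more bytes than the baseline. The IP addresses, ports, byte counts and the "server is on the lower port" heuristic are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def flow_key(src, sport, dst, dport, proto):
    """Canonical bi-directional key (proto, ip1, port1, ip2, port2): both directions share it."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def aggregate_flows(packets):
    """packets: (src, sport, dst, dport, proto, nbytes) header records -> {flow key: bytes}."""
    flows = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in packets:
        flows[flow_key(src, sport, dst, dport, proto)] += nbytes
    return dict(flows)

def service_of(key):
    """Service = (proto, lower port); assumed heuristic that the server sits on the low port."""
    proto, _, p1, _, p2 = key
    return (proto, min(p1, p2))

def build_baseline(flows):
    """Mean and std-dev of bytes per flow for every service seen in the history."""
    per_service = defaultdict(list)
    for key, nbytes in flows.items():
        per_service[service_of(key)].append(nbytes)
    return {svc: (mean(v), pstdev(v)) for svc, v in per_service.items()}

def flag_abnormal(flows, baseline, k=3.0):
    """{flow key: reason} for flows to an unseen service or carrying more than mean + k*sd bytes."""
    alerts = {}
    for key, nbytes in flows.items():
        mu, sd = baseline.get(service_of(key), (None, None))
        if mu is None:
            alerts[key] = "unseen service %s/%d" % service_of(key)
        elif nbytes > mu + k * max(sd, 1.0):  # floor sd so a perfectly flat baseline still alerts
            alerts[key] = "volume %d bytes vs baseline %.0f" % (nbytes, mu)
    return alerts

# Constructed history: five ordinary HTTPS flows, both directions, to 203.0.113.10.
HISTORY = [("10.0.0.%d" % i, 50000 + i, "203.0.113.10", 443, "tcp", b)
           for i, b in enumerate([1800, 2100, 1950, 2300, 2000], start=1)]
HISTORY += [("203.0.113.10", 443, "10.0.0.%d" % i, 50000 + i, "tcp", 900) for i in range(1, 6)]
# Constructed new traffic: one normal flow, one oversized upload, one to an unseen port.
NEW = [("10.0.0.7", 50100, "203.0.113.10", 443, "tcp", 2050),
       ("10.0.0.8", 50101, "203.0.113.10", 443, "tcp", 90000),
       ("10.0.0.9", 50102, "198.51.100.5", 4444, "tcp", 300)]

def run(history=HISTORY, new=NEW):
    """Build the baseline from history, then judge the new flows against it."""
    return flag_abnormal(aggregate_flows(new), build_baseline(aggregate_flows(history)))
```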

SilentAlarm

This platform analyzes network behaviors to identify likely malicious behavior to stop attacks including zero-days for which there are no signatures.

Network events are fed to its analysis engine from existing sensors. The engine includes knowledge nodes, analysis segments tuned to certain types of network behaviors such as failed or successful SMTP attempts or failed Internet connections. Based on historical behavior, each new event is characterized as normal or abnormal.

These characterizations are fed to hypothesis nodes that conclude whether observed behavior indicates malicious activity. If malicious activity is spotted SilentAlarm can send an alert or intervene.


Stories by Tim Greene