The U.S. Department of Homeland Security (DHS) has publicly released its latest set of eight federally funded network security technologies. Having put roughly $1 billion into this research, the federal government is now seeking help from the private sector to turn the results into practical commercial products.
In the fourth edition of the DHS Cyber Security Division Transition to Practice Technology Guide (http://t.im/13f40), DHS lists eight technologies, including malware analysis, behavior analysis, and randomization software that protects Windows applications.
The DHS Transition to Practice program mainly publishes technologies that are ready for pilot testing or commercial development. Over the program's four years, 24 technologies have been released; four of them have been licensed to commercial organizations and another has been released as open source.
The program's purpose is to find practical applications for unclassified network security research. The report says: "The federal government invests more than $1 billion, yet these technologies rarely reach the market."
Here is a brief introduction to the eight new technologies in the report:
1. REnigma
The software runs malware inside a virtual machine and records its behavior for later analysis. This lets security researchers understand a sample's behavior and mechanism in detail without having to reverse engineer it themselves.
The key advance is the virtual machine recording and replay technology developed by Johns Hopkins University's Applied Physics Laboratory. With it, researchers can apply analysis tools to the malware as it runs while remaining invisible to the malware's anti-analysis techniques.
The report notes: "For example, if a malware sample sends a string of encrypted data over the network, an analyst can use REnigma to trace back to the plaintext in memory and recover the encryption key used for the data exfiltration."
2. Socrates
The software platform looks for patterns in data sets and can draw out those that may indicate security threats. It combines analytical and computer science capabilities, a combination that human analysts often lack.
It has been used to detect anomalous activity in networks of two million links.
The platform analyzes data without supervision, looking for patterns that lead to results. Socrates has been used to learn the travel patterns of large numbers of people in order to find the individuals connected to a target person.
3. PcapDB
PcapDB is a software database system that captures and analyzes network traffic by organizing packet data into flows.
The developers compare it to an aircraft's black box: "PcapDB can reconstruct malware transmission, downloads, command and control traffic, and data extraction."
The platform optimizes the captured data to reduce its storage footprint and speed up reads during analysis. By trimming unnecessary features, PcapDB can store several months of traffic on ordinary Serial Attached SCSI (SAS) disks, which is a major help to intrusion investigations. The developers wrote: "When investigating a cyber security incident, the most important metric is how far back you can look."
4. REDUCE
REDUCE is a software analysis tool that discovers connections between malware samples and creates signatures that can be used to identify threats.
It performs static analysis on malware samples, looking for code segments shared between new samples and historical ones. This lets researchers quickly infer the author of new malware and determine its technical characteristics.
Unlike some commercial tools that can only compare two malware samples at a time, REDUCE compares many samples simultaneously. When it finds similarity between code segments, it also compares them against every record in its history.
The technology is suited to network security staff without a strong reverse engineering background.
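The multi-sample comparison REDUCE is described as doing can be sketched in a few dozen lines. The following is an added example, not REDUCE's code: each listing is normalized to opcode mnemonics (so register and address differences between builds do not hide shared code), turned into a set of k-gram shingles, scored pairwise with Jaccard similarity across all samples at once, and the shingles common to a cluster are extracted as a candidate signature. The three disassembly listings are constructed; the shingle size and family threshold are assumptions.

```python
from itertools import combinations

# Constructed disassembly listings for three samples. sample_a and sample_b
# share a byte-wise XOR decryption loop (lodsb / xor / stosb / loop) behind
# different prologues; sample_c is unrelated.
SAMPLE_A = """
push ebp
mov ebp, esp
mov esi, [ebp+8]
mov ecx, [ebp+12]
decrypt:
lodsb
xor al, 0x5a
stosb
loop decrypt
pop ebp
ret
"""

SAMPLE_B = """
sub esp, 0x10
mov esi, [esp+0x14]
mov ecx, [esp+0x18]
decrypt:
lodsb
xor al, 0x37
stosb
loop decrypt
add esp, 0x10
ret
"""

SAMPLE_C = """
push ebp
mov ebp, esp
call GetTickCount
cmp eax, [ebp+8]
jne done
call ExitProcess
done:
pop ebp
ret
"""

SAMPLES = {"sample_a": SAMPLE_A, "sample_b": SAMPLE_B, "sample_c": SAMPLE_C}


def normalize(listing):
    """Reduce an assembly listing to its opcode mnemonics. Operands and
    labels are dropped so that register renaming, different stack offsets
    or a changed XOR key do not hide shared code."""
    ops = []
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        ops.append(line.split()[0].lower())
    return ops


def shingles(ops, k=3):
    """Set of k consecutive mnemonics; k=3 is an assumed shingle size."""
    return {tuple(ops[i:i + k]) for i in range(len(ops) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def compare_all(samples, k=3):
    """Pairwise similarity for every pair of samples, most similar first."""
    sets = {name: shingles(normalize(src), k) for name, src in samples.items()}
    scores = [(x, y, jaccard(sets[x], sets[y])) for x, y in combinations(sorted(sets), 2)]
    return sorted(scores, key=lambda t: -t[2])


def shared_signature(samples, names, k=3):
    """Shingles present in every named sample: a candidate family signature."""
    return set.intersection(*(shingles(normalize(samples[n]), k) for n in names))


def find_families(samples, threshold=0.3, k=3):
    """Union-find over every pair scoring at or above the (assumed) threshold."""
    parent = {n: n for n in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for x, y, score in compare_all(samples, k):
        if score >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for n in samples:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: sorted(g))


if __name__ == "__main__":
    for x, y, score in compare_all(SAMPLES):
        print(f"{x} vs {y}: {score:.2f}")
    print(find_families(SAMPLES))
    print(shared_signature(SAMPLES, ["sample_a", "sample_b"]))
```

With these inputs sample_a and sample_b score 4/11 and fall into one family; the four shared shingles around the decryption loop are what a signature for that family would be built from. Shingling over mnemonics is deliberately crude: a real tool would work on basic blocks or normalized instruction semantics, but the all-pairs comparison and cluster-wide intersection are the same shape.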
5. Dynamic Flow Isolation (DFI)
Dynamic Flow Isolation (DFI) uses software-defined networking to deploy security policies on demand, based on the enterprise's required operating state.
Whether driven manually or automatically, it works by enabling, disabling, or rate-limiting communication between individual users and network services.
By integrating with authentication servers and intrusion detection systems, the software builds situational awareness of the network's operating state. When that state changes, it works with the software-defined network controller to change which network connections are currently allowed. This makes it possible to isolate specific devices or groups and to cut off attackers who are trying to reach key assets.
The software includes a policy enforcement kernel, deployed alongside the software-defined network controller, that can update the access rules on the network's switches. It integrates with the enterprise's existing software-defined networking hardware and can be moved easily between different software-defined network controllers.
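The policy enforcement kernel described above can be modelled as a pure function from network state to switch rules, with a sync step that emits only the delta the controller needs to push. The following is an added example, not DFI's code: login and logout events from an authentication server and alerts from an IDS update the state, and the kernel derives allow, rate-limit, quarantine and default-deny rules from it. The service table, role names, addresses, remediation server and rule format are all assumptions; pushing rules to a real SDN controller is left out.

```python
# Services the kernel knows about: name -> (ip, port, roles allowed to use it).
# Addresses, roles and the remediation server are assumptions for the example.
SERVICES = {
    "payroll": ("10.1.0.10", 443, {"finance"}),
    "wiki": ("10.1.0.11", 443, {"staff", "finance"}),
}
REMEDIATION = ("10.1.0.99", 8443)   # the only host a quarantined device may reach
ANY = "*"


class PolicyKernel:
    """Policy enforcement kernel: turns network state (who is logged in where,
    which hosts the IDS has flagged) into switch rules.
    A rule is (priority, src_ip, dst_ip, dst_port, action); a higher priority
    wins. sync() returns the (add, remove) delta for the controller."""

    def __init__(self, services, remediation):
        self.services = services
        self.remediation = remediation
        self.sessions = {}        # host ip -> roles of the user authenticated there
        self.limited = set()      # hosts whose traffic is rate limited
        self.quarantined = set()  # hosts isolated after a high-severity alert
        self.installed = set()    # rules currently on the switches

    # --- events from the authentication server ---
    def on_login(self, host, roles):
        self.sessions[host] = set(roles)

    def on_logout(self, host):
        self.sessions.pop(host, None)

    # --- events from the intrusion detection system ---
    def on_ids_alert(self, host, severity):
        if severity in ("high", "critical"):
            self.quarantined.add(host)
        elif severity == "medium":
            self.limited.add(host)

    def on_remediated(self, host):
        self.quarantined.discard(host)
        self.limited.discard(host)

    # --- policy computation ---
    def desired_rules(self):
        rules = {(0, ANY, ANY, ANY, "drop")}   # default deny
        for host in self.quarantined:
            # Quarantine: drop everything except the remediation server.
            rules.add((300, host, self.remediation[0], self.remediation[1], "allow"))
            rules.add((200, host, ANY, ANY, "drop"))
        for host, roles in self.sessions.items():
            if host in self.quarantined:
                continue
            action = "limit" if host in self.limited else "allow"
            for ip, port, allowed in self.services.values():
                if roles & allowed:
                    rules.add((100, host, ip, port, action))
        return rules

    def sync(self):
        """Diff desired rules against what is installed; return (add, remove)
        and record the new state. A real kernel would hand the delta to the
        SDN controller here."""
        desired = self.desired_rules()
        to_add, to_remove = desired - self.installed, self.installed - desired
        self.installed = desired
        return to_add, to_remove


if __name__ == "__main__":
    kernel = PolicyKernel(SERVICES, REMEDIATION)
    kernel.on_login("10.0.0.6", {"finance"})
    print(kernel.sync())
    kernel.on_ids_alert("10.0.0.6", "high")
    print(kernel.sync())            # payroll/wiki allows removed, quarantine rules added
```

Because the rule set is recomputed from state rather than patched incrementally, an IDS alert and a logout converge on the same switch configuration regardless of the order in which they arrive, which is what makes the enforcement safe to move between controllers.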
6. TRACER
TRACER is short for Timely Randomization Applied to Commodity Executables at Runtime. It changes the internal layout and data of closed-source Windows applications such as Adobe Reader, Internet Explorer, Java, and Flash.
Because such applications are closed source, their data and internal layout are static, which gives an attacker a large advantage.
If the application's sensitive internal data and layout are randomized every time it produces output, an attacker can no longer mount an effective attack against it: even if layout information leaks during one output, the structure will be completely different by the time of the next output.
TRACER can therefore defeat control-hijacking attacks against these Windows applications. The software can be installed on every device without interfering with normal operation; the drawback is an average runtime overhead of 12%.
Address Space Layout Randomization (ASLR), compiler-based code randomization, instruction set randomization, and other randomization schemes are all one-time: a patient attacker can simply wait, collect more information leaked by the application, and attack afterwards.
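The difference between one-time and timely randomization is easiest to see in a model of the attack sequence. The following is an added toy model, not TRACER's code and not a real exploit: the application has a randomized base address, an output routine that leaks a pointer into it, and a control hijack that only succeeds with the exact current gadget address. With `rerandomize=False` the layout is fixed for the process lifetime, as with ASLR; with `rerandomize=True` the layout changes on every output, which is the property the text attributes to TRACER. The entropy, offsets and the "layout always changes" rule are assumptions.

```python
import random

PAGE = 0x1000
ENTROPY_BITS = 20        # assumed: 2^20 possible page-aligned base addresses
GADGET_OFFSET = 0x1234   # assumed offset of the attacker's target inside the image


class Application:
    """Toy model of a closed-source application. The only thing an attacker
    needs is `base`; output() leaks it, hijack() needs it to be current."""

    def __init__(self, rng, rerandomize):
        self.rng = rng
        self.rerandomize = rerandomize
        self.base = self._fresh_base()

    def _fresh_base(self):
        # Pick a new page-aligned base that differs from the current one, so a
        # re-randomization is guaranteed to invalidate what has already leaked.
        current = getattr(self, "base", None)
        new = self.rng.randrange(1 << ENTROPY_BITS) * PAGE
        while new == current:
            new = self.rng.randrange(1 << ENTROPY_BITS) * PAGE
        return new

    def output(self):
        """An output that discloses an internal pointer (an information leak).
        With timely randomization the layout is replaced as soon as the
        output has been produced."""
        leaked = self.base + GADGET_OFFSET
        if self.rerandomize:
            self.base = self._fresh_base()
        return leaked

    def hijack(self, target):
        """A control-flow hijack only lands if the attacker's address matches
        the gadget in the layout that is current at that moment."""
        return target == self.base + GADGET_OFFSET


def leak_then_attack(app):
    """The patient attacker: wait for a leak, compute the target, then strike."""
    return app.hijack(app.output())


def success_rate(rerandomize, trials=1000, seed=7):
    """Fraction of fresh processes the leak-then-attack sequence hijacks."""
    rng = random.Random(seed)
    wins = sum(leak_then_attack(Application(rng, rerandomize)) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("one-time randomization (ASLR-like):", success_rate(rerandomize=False))
    print("re-randomize on every output (TRACER-like):", success_rate(rerandomize=True))
```

The one-time case succeeds every time because the leak and the attack see the same layout; the timely case fails every time because the leaked pointer describes a layout that no longer exists. The model ignores what real tools have to solve, namely finding and rewriting every pointer in a running process at each output, which is where the 12% overhead comes from.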
7. FLOWER
The Network FLOW AnalyzER (FLOWER) analyzes IP packet headers, collecting bidirectional flow information and using it to distinguish normal from abnormal flows and to look for potential data leaks and insider threats.
The data is collected by small appliances deployed throughout the network and along its perimeter, and the collected data also serves as a resource for incident investigations.
Since 2010, FLOWER has been deployed in more than 100 government and business networks. In real-world use it has detected and stopped coordinated attacks and generated signatures for them.
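Both PcapDB (organizing packet data into flows) and FLOWER (bidirectional flow records from IP headers, with abnormal flows singled out) build on the same primitive: a canonical, direction-independent flow key. The following is an added example covering both passages, not code from either project: packets are collapsed into flow records that keep per-direction byte counts and first/last timestamps, and a simple heuristic over those records flags outbound-heavy flows from internal hosts to external ones as exfiltration candidates. The packets, the 10.0.0.0/8 internal range, and the thresholds are constructed assumptions; a real flow analyzer would compare against a learned baseline rather than fixed numbers.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto size")

# Constructed packets: a normal HTTPS fetch by 10.0.0.5, an internal SMB
# transfer, and an outbound-heavy HTTPS session from 10.0.0.7 to an external
# host that looks like exfiltration.
PACKETS = [
    Packet(1.0, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 100),
    Packet(1.1, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1500),
    Packet(1.2, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1500),
    Packet(1.3, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 200),
    Packet(3.0, "10.0.0.5", 49152, "10.0.0.20", 445, "tcp", 9000),
] + [
    Packet(2.0 + i * 0.1, "10.0.0.7", 52000, "203.0.113.9", 443, "tcp", 1400)
    for i in range(6)
] + [Packet(2.6, "203.0.113.9", 443, "10.0.0.7", 52000, "tcp", 200)]


def flow_key(p):
    """Canonical bidirectional key: both directions of a conversation map to
    the same record no matter which side sent the packet."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto, min(a, b), max(a, b))


def build_flows(packets):
    """Organize packets into flow records (the PcapDB idea): one record per
    conversation with per-direction byte counts and first/last seen. The
    first packet observed for a key defines the initiator."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            f = flows[key] = {
                "proto": p.proto,
                "initiator": (p.src, p.sport),
                "responder": (p.dst, p.dport),
                "first": p.ts, "last": p.ts,
                "packets": 0, "bytes_out": 0, "bytes_in": 0,
            }
        f["last"] = p.ts
        f["packets"] += 1
        if (p.src, p.sport) == f["initiator"]:
            f["bytes_out"] += p.size   # initiator -> responder
        else:
            f["bytes_in"] += p.size    # responder -> initiator
    return list(flows.values())


def is_internal(ip):
    # Assumed: the monitored enterprise uses 10.0.0.0/8 internally.
    return ip.startswith("10.")


def exfil_candidates(flows, min_out=5000, ratio=5.0):
    """FLOWER-style heuristic over the flow records: an internal initiator
    talking to an external responder and sending far more than it receives.
    min_out and ratio are assumed thresholds."""
    hits = []
    for f in flows:
        if not is_internal(f["initiator"][0]) or is_internal(f["responder"][0]):
            continue   # only internal -> external conversations are candidates
        if f["bytes_out"] >= min_out and f["bytes_out"] > ratio * max(f["bytes_in"], 1):
            hits.append(f)
    return hits


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f["initiator"], "->", f["responder"], f["bytes_out"], "out /", f["bytes_in"], "in")
    for f in exfil_candidates(flows):
        print("exfil candidate:", f["initiator"], "->", f["responder"])
```

The internal SMB transfer moves more bytes than the suspicious session but is not flagged, because the check is scoped to conversations that cross the perimeter; that scoping is what the small appliances "along its boundary" in the text provide. A flow record is also far smaller than the packets it summarizes, which is the storage trade-off PcapDB makes to extend how far back an investigation can look.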
8. SilentAlarm
The platform analyzes network behavior to identify likely malicious activity, stopping zero-day attacks without signatures.
Sensors send network event information to the analysis engine. The engine contains knowledge nodes, analysis modules tuned to different kinds of network behavior such as successful and failed SMTP attempts and failed Internet connections. Based on historical behavior, each new event is marked as normal or abnormal.
This feature information is then passed to hypothesis nodes, which decide whether the observed behavior indicates malicious activity. If it does, SilentAlarm can raise an alert or intervene directly.
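The knowledge-node / hypothesis-node pipeline described above can be demonstrated on a handful of constructed events. The following is an added example, not SilentAlarm's code: each knowledge node compares one behavior count (failed connections, failed SMTP attempts) for a host against that host's own history and marks it normal or abnormal; the hypothesis node then combines the flags into a named hypothesis such as a scan or a spam relay. The history, the events, the feature names and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

FEATURES = ("connect_fail", "smtp_fail")

# Constructed history: per host and feature, the event count seen in each of
# the last seven windows. This is the "historical behavior" baseline.
HISTORY = {
    "10.0.0.5": {"connect_fail": [0, 1, 0, 2, 1, 0, 1], "smtp_fail": [0] * 7},
    "10.0.0.7": {"connect_fail": [1, 0, 2, 1, 1, 0, 1], "smtp_fail": [0] * 7},
    "10.0.0.9": {"connect_fail": [0, 0, 1, 0, 0, 0, 0], "smtp_fail": [0] * 7},
}

# Constructed sensor events for the current window: (host, event, target).
EVENTS = (
    [("10.0.0.5", "connect_fail", f"10.0.1.{i}") for i in range(12)]   # sweep of 12 hosts
    + [("10.0.0.7", "connect_fail", "10.0.1.3"), ("10.0.0.7", "connect_fail", "10.0.1.4")]
    + [("10.0.0.9", "smtp_fail", "mail.example.net")] * 15              # burst of mail failures
)


def knowledge_node(count, baseline, z=3.0, floor=2):
    """One knowledge node: compare this window's count for a feature with the
    host's own history. Abnormal when it exceeds mean + z*stddev, with a small
    absolute floor so a host that has never done something is not flagged for
    a single occurrence. z and floor are assumed thresholds."""
    if not baseline:
        return "no-baseline"
    limit = mean(baseline) + max(z * pstdev(baseline), floor)
    return "abnormal" if count > limit else "normal"


def hypothesis_node(flags, distinct_targets):
    """Combine flagged features into hypotheses about intent. Many failed
    connections to many distinct targets reads as a scan; a burst of failed
    SMTP attempts from a host that never sends mail reads as a spam relay."""
    hypotheses = []
    if flags.get("connect_fail") == "abnormal" and distinct_targets >= 10:
        hypotheses.append("scan")
    if flags.get("smtp_fail") == "abnormal":
        hypotheses.append("spam_relay")
    return hypotheses


def analyze(events, history):
    """Count events per host, run each feature through its knowledge node,
    then hand the flags to the hypothesis node."""
    counts = defaultdict(Counter)
    targets = defaultdict(set)
    for host, event, target in events:
        counts[host][event] += 1
        targets[host].add(target)
    result = {}
    for host in sorted(counts):
        flags = {f: knowledge_node(counts[host][f], history.get(host, {}).get(f, []))
                 for f in FEATURES}
        result[host] = {
            "features": dict(counts[host]),
            "flags": flags,
            "hypotheses": hypothesis_node(flags, len(targets[host])),
        }
    return result


def alerts(events, history):
    """Flat (host, hypothesis) list that an engine would alert on or act on."""
    return [(host, h) for host, r in analyze(events, history).items() for h in r["hypotheses"]]


if __name__ == "__main__":
    for host, r in analyze(EVENTS, HISTORY).items():
        print(host, r["flags"], r["hypotheses"])
    print(alerts(EVENTS, HISTORY))
```

The host with two failed connections stays quiet because two is within its own history, while twelve failures to twelve distinct hosts is not; no signature of any particular scanner is involved, which is the point of behavior-based detection. A host with no history returns "no-baseline" rather than a guess, so the caller can decide whether to escalate or wait for data.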
The report closes by introducing and listing three further new network security technologies from fiscal years 2013 to 2015.