The Department of Homeland Security is publicizing eight new cybersecurity technologies developed under federal grants, and is seeking private businesses to turn them into commercial products.
In its fourth “Cyber Security Division Transition to Practice Technology Guide”, DHS outlines the eight technologies that range from malware analysis tools to behavior analysis platforms to randomization software that protects Windows applications.
The DHS’s Transition to Practice program identifies cybersecurity research that is ready for pilot testing or for development into commercial products. In the four years of the program, four of 24 technologies have been licensed by commercial entities and one has been open-sourced.
The TTP program attempts to put unclassified cyber research into practical use. “The federal government spends more than $1 billion on unclassified cybersecurity research every year,” the report says. “However, very little of that research is ever integrated into the marketplace.”
Here is a description of the eight new technologies in this year’s report:
This software, REnigma, runs malware within a virtual machine and records what it does so that the execution can be played back and analyzed in detail. The idea is to let researchers view the malware at their leisure and understand in detail what it does and how, avoiding manual reverse engineering.
The key technology advance is the Johns Hopkins Applied Physics Laboratory’s virtual machine record and replay. With it, researchers can use analysis tools on the malware while it is running, and the malware’s anti-analysis technology is unable to detect them. “For example,” the report says, “if a malicious code sample outputs encrypted data on the network, an analyst can use REnigma to backtrack to the plaintext data in memory or recover the encryption key used for exfiltration.”
This software platform, Socrates, automatically seeks patterns in data sets and can tease out those that represent cyber threats. It tries to combine analytical and computer science capabilities, a pairing that human analysts often lack.
The platform can perform unsupervised analysis of data – seeking patterns that may reveal future outcomes. Socrates has been used to study travel patterns of large groups to discover unknown associates of persons of interest, for example.
This is a software database system, PcapDB, that captures packets and analyzes network traffic by first organizing the packet traffic into flows.
Its creators liken its function to that of the black box flight recorders on airplanes. “Pcap allows reconstruction of malware transfers, downloads, command and control messages, and exfiltrated data,” they say.
The platform optimizes the captured data so that it takes up less disk space and can be accessed more quickly for analysis. By stripping away unnecessary features, PcapDB can store months of traffic data on commodity Serial Attached SCSI (SAS) disks, a plus when investigating intrusions. “The longest history possible is key when investigating a cyber incident,” its creators write.
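To illustrate what “organizing packet traffic into flows” means in practice, here is an added Python example (not PcapDB’s own code, which the article does not show): constructed packet headers are folded into direction-independent flow records that keep only timestamps, counts and capture offsets, so an investigator can find every conversation a host had in a time window and then go back to the raw capture for reconstruction. The field names, addresses and ports are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FlowRecord:
    """Index entry for one conversation; packet payloads stay in the raw capture."""
    first_ts: float
    last_ts: float
    packets: int = 0
    nbytes: int = 0
    offsets: list = field(default_factory=list)  # positions of the packets in the capture

def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a conversation share one record."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])

def index_flows(packets):
    """Fold a sequence of packet headers into flow records keyed by flow_key()."""
    flows = {}
    for offset, pkt in enumerate(packets):
        key = flow_key(pkt)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(first_ts=pkt["ts"], last_ts=pkt["ts"])
        rec.last_ts = max(rec.last_ts, pkt["ts"])
        rec.packets += 1
        rec.nbytes += pkt["len"]
        rec.offsets.append(offset)
    return flows

def flows_for_host(flows, host, since=0.0):
    """Incident-response query: every flow touching `host` still active at or after `since`."""
    return {k: v for k, v in flows.items()
            if host in (k[1][0], k[2][0]) and v.last_ts >= since}

# Constructed sample headers (hypothetical addresses and ports). A real deployment
# would read these from a pcap stream and keep the index on disk.
SAMPLE_PACKETS = [
    {"ts": 100.0, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.7", "dport": 443, "len": 74},
    {"ts": 100.1, "proto": "tcp", "src": "203.0.113.7", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "len": 74},
    {"ts": 100.2, "proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.7", "dport": 443, "len": 1500},
    {"ts": 160.0, "proto": "udp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.53", "dport": 53, "len": 80},
    {"ts": 160.0, "proto": "udp", "src": "10.0.0.53", "sport": 53, "dst": "10.0.0.5", "dport": 40000, "len": 120},
]

if __name__ == "__main__":
    for key, rec in index_flows(SAMPLE_PACKETS).items():
        print(key, rec.packets, "pkts", rec.nbytes, "bytes", "offsets", rec.offsets)
```

The five packets collapse into two flow records; the offsets are what let a tool re-read the original packets when reconstructing a transfer or command-and-control exchange.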