REDUCE is a software analysis tool that reveals relationships between malware samples and helps develop signatures that can be used to identify threats.
The software performs static analysis on malware samples to identify similar code sections that link the samples to previously analyzed malware groups. This enables rapid inferences about who wrote the new malware and what its technical characteristics might be.
Unlike some commercial tools that compare two malware samples at a time, REDUCE can compare multiple samples simultaneously. When it discovers similarities in code patterns, it displays them along with existing knowledge about those patterns.
The tool is designed for use by security practitioners who don’t have a lot of reverse engineering background.
Dynamic Flow Isolation
DFI leverages software-defined networking (SDN) to apply security policies on demand, based on current operational state or business needs.
It does this by enabling, disabling or rate-limiting communications between individual users and network services, either automatically or manually.
The software gains awareness of the network’s operational state by integrating with devices such as authentication servers and intrusion detection systems. It also integrates with SDN controllers to change allowable network connections in response to changing network state. This enables quarantining of individual machines or groups and blocking active attacks from reaching critical assets.
The software includes a policy enforcement kernel implemented within SDN controllers to update access rules for switches in the network. It works with existing SDN hardware and is portable across SDN controllers.
Timely Randomization Applied to Commodity Executables at Runtime (TRACER) is a means to alter the internal layout and data of closed-source Windows applications such as Adobe Reader, Internet Explorer, Java and Flash.
Because these applications are closed-source and their data and internal layout are static, adversaries can craft attacks that are effective at large scale.
TRACER re-randomizes the sensitive internal data and layout every time the application produces an output, so attackers can’t prepare effective attacks against it. Even if information about the data and layout leaks during one output, the arrangement will be different the next time.
In this way TRACER can thwart control-hijacking attacks against these Windows applications. It is installed on each machine and doesn’t interfere with normal operation. The downside is that it increases execution time by 12% on average.
Other randomization schemes, such as Address Space Layout Randomization, compiler-based code randomization and instruction set randomization, perform one-time randomization. Patient attackers can wait for data to leak from the application and then craft an effective attack.
Network FLOW AnalyzER (FLOWER) inspects IP packet headers to gather data about bi-directional flows. That data can be used to establish baseline traffic and identify abnormal flows, as a way to spot potential breaches and insider threats.
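As an added illustration (example code written for this page, not FLOWER's own implementation), the script below shows the kind of analysis the paragraph describes: it aggregates packet headers into bi-directional flows, learns a per-service baseline of bytes per flow, and flags flows that fall outside it. The header records, hosts, ports and the lower-port-is-the-server heuristic are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed packet-header records: (src_ip, src_port, dst_ip, dst_port, proto, length).
# BASELINE stands in for normal traffic; OBSERVED adds one oversized flow and one never-seen service.
BASELINE = [("10.0.0.1", 50001, "10.0.1.5", 443, "tcp", 1500), ("10.0.1.5", 443, "10.0.0.1", 50001, "tcp", 900),
            ("10.0.0.2", 50002, "10.0.1.5", 443, "tcp", 1400), ("10.0.1.5", 443, "10.0.0.2", 50002, "tcp", 1100),
            ("10.0.0.3", 50003, "10.0.1.5", 443, "tcp", 1600), ("10.0.1.5", 443, "10.0.0.3", 50003, "tcp", 800),
            ("10.0.0.1", 50004, "10.0.1.6", 53, "udp", 70), ("10.0.1.6", 53, "10.0.0.1", 50004, "udp", 130),
            ("10.0.0.2", 50005, "10.0.1.6", 53, "udp", 60), ("10.0.1.6", 53, "10.0.0.2", 50005, "udp", 150)]
OBSERVED = ([("10.0.0.4", 50010, "10.0.1.5", 443, "tcp", 1500), ("10.0.1.5", 443, "10.0.0.4", 50010, "tcp", 1000)]
            + [("10.0.0.7", 50011, "10.0.1.5", 443, "tcp", 1500)] * 4
            + [("10.0.0.7", 50012, "10.0.1.9", 8081, "tcp", 200)])

def flow_key(src, sport, dst, dport, proto):
    """Canonical key (client_ip, client_port, server_ip, server_port, proto) so both directions of a
    conversation share one record. Assumed heuristic, not FLOWER's rule: the lower port is the service side."""
    if (sport, src) < (dport, dst):
        return (dst, dport, src, sport, proto)
    return (src, sport, dst, dport, proto)

def build_flows(headers):
    """Aggregate headers into bi-directional flows: key -> [packets, bytes client->server, bytes server->client]."""
    flows = {}
    for src, sport, dst, dport, proto, length in headers:
        key = flow_key(src, sport, dst, dport, proto)
        rec = flows.setdefault(key, [0, 0, 0])
        rec[0] += 1
        rec[1 if (src, sport) == key[:2] else 2] += length
    return flows

def build_baseline(flows):
    """Per service (server_port, proto): mean and population stddev of total bytes per flow."""
    per_service = defaultdict(list)
    for key, rec in flows.items():
        per_service[key[3:]].append(rec[1] + rec[2])
    return {svc: (mean(v), pstdev(v)) for svc, v in per_service.items()}

def find_abnormal(flows, base, z=3.0):
    """Flag flows to services absent from the baseline, or whose volume exceeds mean + z * stddev."""
    findings = []
    for key, rec in flows.items():
        svc, total = key[3:], rec[1] + rec[2]
        if svc not in base:
            findings.append((key, "service not in baseline"))
        elif total > base[svc][0] + z * max(base[svc][1], 1.0):  # floor stddev so a flat baseline keeps a margin
            findings.append((key, "volume above baseline"))
    return findings

if __name__ == "__main__":
    base = build_baseline(build_flows(BASELINE))
    for key, reason in find_abnormal(build_flows(OBSERVED), base):
        print(f"{reason}: {key}")
```

Both directions of a conversation collapse into a single record, so the client-to-server and server-to-client byte counts can be compared separately when a baseline is built on real captures.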