Needle in a Haystack: Finding Malware
U.S. Military Funds Research on New Ways to Fight APTs
Researchers at the Georgia Institute of Technology are attempting to develop new processes and technologies to more easily detect malware hiding in the millions of lines of code found in software.
The four-year project, funded by a $4.2 million grant from the Defense Advanced Research Projects Agency and Air Force Research Laboratory, will focus on how data moves as it's routed around computers and networks.
The principal investigator on the project, Georgia Tech College of Computing Professor Wenke Lee, explains in an interview with Information Security Media Group that state-of-the-art information flow tracking generally applies only to a single layer, such as the program level. The approach Georgia Tech researchers hope to create would instead track three layers: user interaction with a program, program processing of data input, and program and network interactions with an operating system.
Tracking all three levels would be critical in detecting advanced persistent threats. "Our ultimate goal is to provide complete transparency, or full visibility, into host events and data so that APT activities cannot evade detection," Lee says. He characterizes the project as representing "what could be a significant advance over state-of-the-art approaches, which typically are forced to make arbitrary trade-offs between verifying accuracy and maintaining total computational efficiency."
In the interview, Lee:
- Describes how recording and replaying nearly every instruction made in the computer could lead to the detection of malware;
- Describes the challenges involved in detecting malware in systems containing hundreds of millions of lines of code; and
- Explains how tracking and analyzing keystrokes or mouse movements could identify changes to text in email messages or website links made by hackers employing malware.
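The three-layer tracking described above, and the third bullet's idea of using keystroke and mouse records to spot text or links that malware changed after the user typed them, come down to one check: does the same piece of data look the same at the user layer, the program layer and the network layer? The script below is an added illustration written for this article, not code from the Georgia Tech project or from Lee's lab. It assumes a simplified model in which each user action is already tagged into a session trace with three views (a keystroke list, the text the application committed, and the body that left the host); all traces are constructed, and exact text equality stands in for the real system's instruction-level information flow tracking.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Very small URL matcher for the link-rewriting case; good enough for the constructed samples.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class SessionTrace:
    """One user action followed through the three layers (all fields are constructed samples)."""
    session: str
    user_keys: List[str]            # user layer: keystrokes, "<BS>" = backspace, "<ENTER>" = submit
    program_buffer: str             # program layer: text the application committed
    network_body: Optional[str]     # network layer: body observed leaving the host, None if nothing sent


def reconstruct_typed_text(keys: List[str]) -> str:
    """Rebuild what the user actually typed from the keystroke record, honouring backspaces."""
    buf: List[str] = []
    for k in keys:
        if k == "<BS>":
            if buf:
                buf.pop()
        elif k == "<ENTER>":
            break                   # submission: everything after it is not part of this message
        else:
            buf.append(k)
    return "".join(buf)


def urls_in(text: Optional[str]) -> set:
    return set(URL_RE.findall(text or ""))


def check_trace(t: SessionTrace) -> List[str]:
    """Compare the three layers and return finding tags (empty list means consistent)."""
    typed = reconstruct_typed_text(t.user_keys)
    findings: List[str] = []

    # Data left the host although the user never submitted anything: unattributed send.
    if t.network_body is not None and "<ENTER>" not in t.user_keys:
        findings.append("network_send_without_user_action")

    # User layer vs program layer: something inside the application changed the text.
    if t.program_buffer != typed:
        findings.append("program_layer_mismatch")
        if urls_in(t.program_buffer) != urls_in(typed):
            findings.append("url_rewritten_in_program")

    # Program layer vs network layer: something below the application changed the text.
    if t.network_body is not None and t.network_body != t.program_buffer:
        findings.append("network_layer_mismatch")
        if urls_in(t.network_body) != urls_in(t.program_buffer):
            findings.append("url_rewritten_below_program")

    return findings


def run_examples() -> Dict[str, List[str]]:
    """Constructed traces covering the clean case and three failure modes."""
    good = "see https://intranet.example/notes"
    swapped = "see https://lookalike.example/notes"
    # The user typed "sea", backspaced, then finished the message and hit Enter.
    keys = list("sea") + ["<BS>"] + list("e https://intranet.example/notes") + ["<ENTER>"]
    traces = {
        "clean": SessionTrace("s1", keys, good, good),
        "swapped_in_program": SessionTrace("s2", keys, swapped, swapped),
        "swapped_below_program": SessionTrace("s3", keys, good, swapped),
        "beacon_without_user": SessionTrace("s4", [], "", "GET /beacon"),
    }
    return {name: check_trace(t) for name, t in traces.items()}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result or 'consistent'}")
```

The tags tell an analyst which layer to look at: a mismatch between the keystroke record and the program buffer points at the application or something loaded into it, a mismatch between the buffer and the wire points below the application, and a send with no user action at all is the pattern the article's "full visibility into host events" aims to expose.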
Lee is co-director of Georgia Tech's Institute for Information Security and Privacy and has conducted cybersecurity research since 2001. His research interests include systems and network security, applied cryptography and data mining. Most recently, he has focused on botnet detection and malware analysis, security of mobile systems and apps, and detection and mitigation of information manipulation on the Internet. He's co-founder of Damballa, a spin-off from his lab that focuses on botnet detection and mitigation.