Section II. Summary of Proposal
II.A Innovative Claims for the Proposed Research
Our HBGary Federal Team comprises some of the most capable companies and research organizations in the
field of malware analysis and visualization. Together, we offer a revolutionary approach to addressing
Technical Area Three, Cyber Physiology, that builds on our depth and breadth of experience. From research to
product to operations, we are all documented leaders in our fields, with demonstrated capabilities to provide
cyber defense and investigatory technologies in support of defense, law enforcement, intelligence, and counter

Our approach is to combine the inherent strengths of dynamic and static analyses into one integrated
framework, while overcoming their weaknesses with new technologies. The framework combines runtime
analysis, physical memory reconstruction and dataflow tracing to collect low-level binary and contextual data,
which provides the raw data to generate a universal set of rule-based trait and pattern libraries that describe
malware genomes. For each binary under test the framework automatically develops a physiology profile that
mathematically, visually, and descriptively represents the binary's aggregate functions, behaviors, and intent.
Physiology profile reports are generated through the analysis and visualization interface to show a variety of
graphical representations of the specimen for the human analyst's interaction and understanding. Once mature
data sets exist, a reasoning engine will process the low-level data outputs and behavioral genomes to make
probability decisions on functions and behaviors, even for previously undefined traits and patterns. Since the
framework relies on executing binaries to collect low-level runtime and memory-based data, some binaries will
require preprocessing and runtime environment setup to ensure proper and more complete execution. We will
demonstrate the success of our framework with prototypes and trait and genome libraries.
Using this capability, tens of thousands of malware samples can be analyzed in a day, versus maybe 40 per week
by a good analyst using existing technologies. Analyzing malware for behaviors, functions, and intent no longer
requires reverse engineering or malware analysis skills, and the time to react to new malware events drops
from days to minutes.
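The trait-library and physiology-profile idea described above, as an added Python illustration that is not HBGary's framework or code: hypothetical rule-based traits are matched against constructed runtime observations (API calls, registry paths, strings) and the matched traits are combined into per-behavior-category scores. The observation format, trait names, categories and weights are all assumptions made for this example.

```python
"""Toy trait-library matcher and physiology-profile aggregator (added illustration)."""
import re

# Constructed runtime observations, in the shape a sandbox or memory-reconstruction
# step might emit: "<kind>:<value>". Hypothetical sample, not captured data.
SAMPLE_OBSERVATIONS = [
    "api:CreateRemoteThread",
    "api:WriteProcessMemory",
    "api:RegSetValueExA",
    "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "api:InternetOpenUrlA",
    "str:http://example.invalid/beacon",
]

# Hypothetical trait rules: (trait name, behavior category, evidence weight,
# regexes that must each hit at least one observation for the trait to match).
TRAIT_RULES = [
    ("remote_thread_injection", "injection", 0.9,
     [r"^api:CreateRemoteThread$", r"^api:WriteProcessMemory$"]),
    ("run_key_persistence", "persistence", 0.7,
     [r"^api:RegSetValueEx", r"^reg:.*\\CurrentVersion\\Run$"]),
    ("http_beacon", "network", 0.5,
     [r"^api:InternetOpenUrl", r"^str:https?://"]),
    ("keylogging", "surveillance", 0.8,
     [r"^api:SetWindowsHookEx", r"^api:GetAsyncKeyState$"]),
]


def match_traits(observations, rules=TRAIT_RULES):
    """Return names of traits whose every pattern matches some observation."""
    hits = []
    for name, _cat, _weight, patterns in rules:
        if all(any(re.search(p, o) for o in observations) for p in patterns):
            hits.append(name)
    return hits


def physiology_profile(observations, rules=TRAIT_RULES):
    """Aggregate matched traits into one score per behavior category in [0, 1].

    Each matched trait contributes its weight as independent evidence, combined
    noisy-OR style: score = 1 - prod(1 - w). Categories with no match score 0.0.
    """
    matched = set(match_traits(observations, rules))
    miss = {cat: 1.0 for _n, cat, _w, _p in rules}  # probability of "no evidence"
    for name, cat, weight, _patterns in rules:
        if name in matched:
            miss[cat] *= 1.0 - weight
    return {cat: round(1.0 - m, 3) for cat, m in miss.items()}
```

Running `physiology_profile(SAMPLE_OBSERVATIONS)` gives the per-category scores a report could render; the noisy-OR combination means two weak traits in one category raise its score above either alone.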

HBGary Federal, LLC. Proprietary
Use or disclosure of data contained on this sheet is subject to the
restriction on the title page of this proposal.

Volume 1, Technical and Management Volume
Page – 4