NSF-funded Anti-Malware Vendor Launches

By Matthew Hines  |  Posted 2008-11-12 Print this article Print

I don't tend to cover much vendor activity here in the blog, but an interesting new anti-malware applications provider officially brought its initial product to market this week, and it does seem worthy of a mention.

NovaShield, which is pitching a new brand of behavioral analysis technology to help solve issues with today's cutting-edge malware attacks, launched its first commercial solution this week.

The Madison, Wisconsin-based company -- which was cooked up in the labs of the University of Wisconsin by Dr. Somesh Jha, an associate professor at the school and the company's co-founder and chief scientist -- was the winner of a Small Business Innovation Research (SBIR) grant from the National Science Foundation earlier this year, and has been distributing beta versions of its tools for the last six months.

Dubbed NovaShield Anti-Malware version 2.5 and aimed primarily at consumers and SMBs, the product promises to "detect, block, and remove sophisticated and rapidly morphing malware," including drive-by-downloads, Trojans, keyloggers and rootkits, as well as traditional threats such as viruses and worms.

Unlike traditional signature-based AV systems, NovaShield attempts to focus on identifying malware behaviors -- without generating all the false positives typically produced by existing behavior-based tools.

Using a technique invented at UW and labeled as "specification-based monitoring," the technology utilizes fewer than a dozen generalized policies to attempt to identify malicious programs in real-time. Earlier behavior-based solutions have leveraged many layers of such policies, making them complex to tune and leading to many of the false positives that they have become infamous for producing.

The technology is specifically being pitched as an ideal compliment to signature-based AV.

"Specification-based monitoring leverages a tiered architecture to simplify the malware identification process by a factor of ten while maintaining a better rate of detection and fewer false positives than current commercially available anomaly-based approaches to behavior-based detection," the company claims in its literature.

In an interview in March, Jha told me that the key to the NovaShield technology's higher levels of efficacy in identifying attacks is found in its ability to examine behavior playing out between applications processes and a computer's operating system.

By looking at an applications' behavior in real-time and any events that a program generates for the OS, at the kernel layer, the technology can look at certain sequences and identify anything unusual, he said.

"The actual interface between a program and the Windows OS is very noisy, you may open a file and see a lot of things that correspond with events at a Windows level and miss attacks because of this," said Jha. "We have a reverse mapping layer that recreates high-level semantics of this activity, such as why was the registry altered; we only look only at high-level events; that allows us to defeat the detection rates of other products using very few policies, usually less than a dozen."

Why is the company worth mentioning?

Well, for one thing it has a unique new approach to stopping malware that could prove helpful and will likely be bought or copied by its larger rivals, many of whom are struggling to find new ways to offset the issue that their traditional sig-based AV products can't prevent many of today's most aggressive attack methods.

For another thing, I just happen to think that it's really cool when technologies invented by college students and their professors can inject some new thinking into a space that's dominated by large corporations, and Jha struck me as a very smart and well-intentioned individual when I spoke to him.

So, there you have it, a blog about a consumer technology here in our enterprise security forum.

Just don't be surprised when one of the big guys moves to buy NovaShield, or at the least license its technology, and then it ends up inside of your business; because, as we know, that's how the security industry usually works.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel