March 03, 2008
Start-up wins NSF grant, pitches new AV
NovaShield, a new anti-virus startup that is pitching its own brand of behavioral analysis as a stronger salve against cutting-edge malware attacks, has won a significant grant from the National Science Foundation.
The Madison, Wisconsin-based company -- which was cooked up in the labs of the University of Wisconsin by Dr. Somesh Jha, an associate professor at the school and the company's co-founder and chief scientist -- won out over other competitors for a Small Business Innovation Research (SBIR) grant from the NSF.
The Phase II grant arms the nine-person company with $500,000 in additional funding, adding to the $150,000 Phase I SBIR grant awarded to NovaShield in January 2007 by NSF. According to the firm's marketeers, fewer than five percent of applicants are awarded the Phase II SBIR grant each year and NovaShield won out for its unique approach to malware detection.
Company officials said that the influx of funding will help NovaShield create a commercial product positioned for sale to consumers sometime before the end of the first half of 2008. Once that product is finished, the firm may begin work on a version of its technology aimed specifically at business users if it appears there is a market for such a product, company officials said.
NovaShield's technology -- which claims to outdo existing AV programs in finding and blocking more intelligent types of malware including botnets, Trojans, keyloggers and rootkits -- is based on a technique it has labeled as "specification-based monitoring," developed at UW.
The tools claim to "extend" behavior-based malware detection by using "policy specification."
"Specification-based monitoring leverages a tiered architecture to simplify the malware identification process by a factor of ten while maintaining a better rate of detection and fewer false positives than current commercially available anomaly-based approaches to behavior-based detection," the company claims in its literature.
In an interview, Jha told me that the key to the NovaShield technology's higher levels of efficacy in identifying attacks is found in its ability to examine behavior playing out between application processes and a computer's operating system. (The first version of the product will be aimed at Windows users, of course.)
By looking at an application's behavior in real time and any events that a program generates for the OS, at the kernel layer, the technology can look at certain sequences and identify anything unusual, he said.
"The actual interface between a program and the Windows OS is very noisy, you may open a file and see a lot of things that correspond with events at a Windows level and miss attacks because of this," said Jha. "We have a reverse mapping layer that recreates high-level semantics of this activity, such as why was the registry altered; we look only at high-level events; that allows us to defeat the detection rates of other products using very few policies, usually less than a dozen."
Many other behavioral monitoring technologies fail at similar efforts because they take too many policies to work and then create too many false positives as a result, the inventor maintains.
However, along with its technology, users will also want to continue to use traditional signature-based AV to catch anything that doesn't fall into its range of coverage, Jha said.
NovaShield leaders understand that the road is long for security companies that attempt to tackle one aspect of AV on their own, but they point to the continued success of anti-spyware specialist Webroot as proof that they can survive on high-end anti-malware alone (in terms of going after the truly gnarly stuff).
Of course, maybe they'll just get bought out by Symantec someday.
In the meantime, NovaShield has impressed at least one academic beyond the NSF grant givers.
John Mitchell, a professor of computer science at Stanford University and co-director of the Stanford Computer Security Lab who has also signed on to NovaShield's board of technical advisors, endorsed the technology in a quote offered in the company's grant announcement:
"Current technologies are slow to adapt, making it hard to catch newer threats and malware variants," he said. "NovaShield's advanced and powerful specification framework, and the founding team's experience with developing efficient algorithms for building effective specifications give the company a competitive advantage at a time when computer users need first-rate protection."
Posted by Matt Hines on March 3, 2008 10:01 AM