Cyber Physiology Analysis Framework Concept II.F Summary Slides Vision: Create an operational framework for automated identification of malware behavior, function, and intent, even those with previously unseen capabilities. Innovative Claims: A malware trait library that describes the discrete functions and behaviors of malware through mathematical representations, rule sets, and descriptions. A library that codifies complex patterns within malware that indicates aggregate functions and behaviors. This is the heart of what is missing today. Runtime behavior tracing, physical memory reconstruction and dataflow tracing for automated, and more efficient code execution and analysis. Visual representations of malware that allow for easy interaction and understanding of the malware behaviors, functions, and intent. Through analyst views and the Cyber Physiology Profile Reasoning models that automatically identify unknown traits and patterns and can determine malwares behavior, function, and intent of previously unseen specimens. Advanced and automated static analysis techniques to normalize binary logic extracted from various sources that will enable trigger and logic dependency analyses to drive a new form of statically-informed dynamic path exploration. Sources include packed binaries, memory dumps, or embedded within data content

Cyber Physiology Analysis Framework Contract/Proposal Specifics Intellectual Property – No proprietary claim on proposed deliverables Data Rights Summary – Unlimited government data rights. Deliverables: Specimen Collection Harvesters for Windows and Linux Malware Traits Library for Windows and Linux Malware Genomes Library for Windows and Linux Prototype Static Memory and Runtime Tracer for Data Flow analysis and increased code branch execution Prototype Belief Engine for automated analysis of malware (even of unknown types)

Cyber Physiology Analysis Framework Schedule/Cost Phase 1 Period 1a (base) $2,601,202M Period 1b (Option 1) $2,659,929M Total Phase 1 $5,261,131M Phase 2 Period 2a (Option 2) $2,251,993M Period 2b (Option 3) $1,806,061M Total Phase 2 $4,058,054M Program Totals $9,319,185M Proposed Contract Type: Cost Plus Fixed Fee

Cyber Physiology Analysis Framework Complete Automated Malware Enumeration Malware analysis is very Manual, Difficult, and Slow Main Achievement: Automatically Determine Malware Behavior, Function, and Intent through: -Traits Library – mathematical representations of function and behavior -Genomes Library – Complex patterns of traits that connote aggregate behavior and functions -Data Flow Resolution – through integrating static memory and runtime tracing -Probability Models – Define new traits and patterns automatically based on data models How it Works: Combination of static memory and runtime tracing captures malware low-level data, compared against traits and patterns libraries, automated over time using maturing data-sets and probability reasoning Assumptions and Limitations: Highly modular malware limits analysis Analysis systems could be corrupted Malware analysis of 40 per week by a good analyst to 10,000+ per day Discern intent in minutes rather than days. Malware understanding requires no skill in reverse engineering or malware analysis STATUS QUO QUANTITATIVE IMPACT Need mathematical representations Of behavior and function Traits Library – mathematical Representations of code function Genomes Library – patterns of traits that connote complex behavior and Function Automated Analysis using probability Models Data Flow Resolution Malware Physiology Profiles NEW INSIGHTS Complex patterns can represent behavior END-OF-PHASE GOAL Malware analysis not just about code but data flow Automation likely requires probability Net Defense and Mission Assurance are not achievable without a scalable and insightful malware analysis capability