A new form of malware detection software that analyzes computer code to predict malicious behavior — but without actually running it — has been exclusively licensed to a Virginia startup from the Oak Ridge National Laboratory under a Department of Homeland Security program that helps get federally developed technology to the marketplace.
Hyperion, as the software is called, was one of the first technologies selected for DHS’s Transition to Practice, or TTP, program — back in 2012 when it was launched. It was licensed to Manassas, Virginia-based Lenvio this month after the company was spun off from R&K Cyber last year. Hyperion had previously been non-exclusively licensed to R&K.
“Obtaining an exclusive technology license … helps us secure a more competitive position to commercialize Hyperion as we grow our company,” said B.K. Gogia, Lenvio’s chief executive officer, in a statement.
Conventional malware consists of a file that a user is tricked into downloading and running on their computer. Such files are called “executables” because they run like regular programs, but with malicious intent.
Traditional methods of malware detection rely on so-called software signatures — sections of code that are identical from one version of the malware to another. But signature-based detection can be defeated by tiny changes to the code — tweaks that can even be made automatically as each copy of the malware executable is compiled for download by the unwary victim.
“Current methods are increasingly overwhelmed by the sophistication of attacks often precipitated by stealthy zero-day or sleeper code vulnerabilities,” added Gogia. He said Hyperion offers “a new class of cyber protection.”
Instead of signatures, Hyperion uses algorithms to analyze executable code and identify potentially malicious software behavior, according to Oak Ridge’s Chief Cybersecurity Research Scientist, Stacy Prowell. “These behaviors can be automatically checked for known malicious operations,” Prowell said. “Hyperion helps detect vulnerabilities and can uncover malicious content before it has a chance to execute.”
“The commercialization of Hyperion builds on TTP’s previous successes in transitioning technologies to the marketplace and shows that the TTP program is making a direct impact on improving cybersecurity in the public and private sectors,” said DHS acting Undersecretary for Science and Technology Robert Griffin.
TTP is one of a handful of programs run by the Cyber Security Division, part of the Homeland Security Advanced Research Projects Agency in DHS’ Science and Technology Directorate.
Each year, TTP conducts “tech foraging” at federally funded institutions — like the national labs, Department of Defense labs, Federally Funded Research and Development Centers and universities — and selects about eight mature cybersecurity technologies a year for the 36-month program, according to its website. The selection focuses on gaps that DHS sees in the commercial marketplace. TTP is designed to help technologies get across the so-called “valley of death” between development and commercial adoption via the marketplace.
The program includes training for the technology’s inventors, marketing, testing and evaluation, pilot deployment, and outreach. The technologies are “introduced to potential partners, investors, and integrators,” at a nationwide series of demonstration days, according to the website. It supports several different paths to the marketplace “including open source, licensing, startups, adoption by cyber operators, and government use.”
TTP Program Manager Nadia Carlsten urged technology investors to “take note of the success of Hyperion” because it showed that federally developed technologies could be commercially viable. “The TTP process is critical in bridging the gap between the lab and market for mature technologies,” she said in a statement.
TTP currently has a total of 40 technologies in its program portfolio, and showcased a dozen of them at RSA. Eight TTP technologies — Quantum Secured Communications, Hyperion, Hone, NeMS, PathScan, PACRAT, LOCKMA and ZeroPoint — have successfully transitioned to the marketplace.