Thursday, April 30, 2015
The University of Georgia’s computer network has a new “friend” to help guard against malicious software attacks in an anti-malware program developed by University researchers.
Roberto Perdisci, an assistant professor of computer science at UGA, and his students developed AMICO, which stands for Accurate Malware Identification by Classification of live network traffic Observations. The name also means “friend” in Italian and is a subtle nod to Perdisci’s Italian roots.
Traditional anti-malware software works by scanning files for signatures in the code that match with a list of known malware. AMICO is behavior-based, and detects potential malware downloads based on their origin features. This makes it more effective in catching “zero-day threats,” malicious software that traditional anti-malware companies have not developed signatures for yet.
“Specifically, AMICO automatically learns how to detect malware downloads by observing the ‘download behavior’ of the machines in the monitored network,” said Perdisci. “It collects aggregate statistics about what machine is downloading what files and from where. It then leverages these statistics to detect future malware downloads in real time.”
AMICO does not store any personal information about individual users, instead creating an anonymous tag for machines that download potential malware.
The software is also open-source, Perdisci said, and anyone can contribute to its improvement by visiting the source code at https://github.com/perdisci/amico.
The University’s Office of Information Security helped Perdisci and his students when they were developing the software by allowing them to use real-time anonymous traffic to tune the system. Now, the office is using AMICO along with other commercially available malware detection programs to help keep the campus network, which includes about 100,000 devices, more secure.
“We have seen it catch things that other malware detection tools we use have not found,” said Christopher Workman, associate director of information security. “Since there is no silver bullet that can catch everything, we use a ‘defense in depth’ approach that employs multiple layers – each one a different technology that uses different methods to detect malware.”
AMICO assigns every download on the campus network a “maliciousness score,” Perdisci said, which indicates whether the software is suspected to be malicious or benign.
Logs of the scores, as well as download reports, are sent to a Security Information and Event Management System run by the Office of Information Security. The system keeps track of all the logs it receives and sends out alerts for high-risk detections to network liaisons. If a single system receives three high-risk alerts, that system is blocked from the network until the malware is removed.
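To make the two mechanisms described above concrete, here is an added illustration (not AMICO's own code, and the log format is assumed, not AMICO's real output): it parses constructed download logs carrying an anonymous machine tag, the download origin and a maliciousness score, builds the kind of per-origin aggregate statistics a behavior-based detector learns from, and applies the SIEM-style rule that blocks a machine after three high-risk alerts. The 0.8 high-risk threshold is an assumed value.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample log (format assumed, not AMICO's real output):
# timestamp, anonymous machine tag, download origin, maliciousness score.
SAMPLE_LOG = """\
timestamp,host_tag,origin,score
2015-04-30T09:01:00,h-7f3a,files.example-cdn.test,0.05
2015-04-30T09:04:10,h-7f3a,dl.suspicious.test,0.91
2015-04-30T09:10:42,h-2c11,dl.suspicious.test,0.88
2015-04-30T09:15:03,h-7f3a,mirror.example.test,0.12
2015-04-30T09:20:55,h-7f3a,dl.suspicious.test,0.95
2015-04-30T09:31:17,h-7f3a,another-bad.test,0.83
"""

HIGH_RISK = 0.8   # assumed score threshold for a "high-risk" alert
BLOCK_AFTER = 3   # alerts before a machine is blocked, as the article describes

def parse_log(text):
    """Parse the CSV log into dicts with a numeric score."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["score"] = float(r["score"])
    return rows

def high_risk_alerts(rows, threshold=HIGH_RISK):
    """Count high-risk detections per anonymous machine tag (no user identity)."""
    return Counter(r["host_tag"] for r in rows if r["score"] >= threshold)

def machines_to_block(rows, threshold=HIGH_RISK, limit=BLOCK_AFTER):
    """Machine tags that reached the alert limit and should be quarantined."""
    alerts = high_risk_alerts(rows, threshold)
    return sorted(tag for tag, n in alerts.items() if n >= limit)

def origin_stats(rows, threshold=HIGH_RISK):
    """Per-origin aggregates: distinct machines downloading from the origin,
    total downloads, and the fraction of those downloads scored high-risk."""
    hosts, total, bad = defaultdict(set), Counter(), Counter()
    for r in rows:
        hosts[r["origin"]].add(r["host_tag"])
        total[r["origin"]] += 1
        if r["score"] >= threshold:
            bad[r["origin"]] += 1
    return {o: {"machines": len(hosts[o]), "downloads": total[o],
                "high_risk_ratio": bad[o] / total[o]} for o in total}
```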
Workman said anti-malware software is important to the campus network in order to protect sensitive data and critical systems. “Once a machine inside our network is compromised, it may be able to be used as a pivot-point and allow unauthorized users access to those sensitive or critical systems,” he said.
Users of the campus computer network can guard against malware on their own devices by regularly running scans with anti-malware software, such as Malwarebytes. For more information on how to stay secure while on the university’s network, visit infosec.uga.edu.
The AMICO project has been funded by the National Science Foundation and was a collaborative effort between Perdisci; Kang Li, a professor of computer science; and their doctoral students, Phani Vadrevu and Babak Rahbarinia. The project also received funding from the U.S. Department of Homeland Security to transition the system to market.
“Our hope is that one day AMICO will be widely deployed in many university campuses and enterprise networks around the U.S. and beyond,” Perdisci said.