Sites Inria

Version française


Jean-Michel Prima - 30/11/2017

Inria and Cisco Team Up in Malware Research

Cubes du jeu Datagramme : données et malware © Inria / Photo G. Scagnelli

A security research team based at Inria center, in Rennes, Brittany, France, Tamis recently partnered with American networking hardware giant Cisco Systems in a move meant to design an innovative method for uncovering malware at code execution.

To this day, checking a file for viruses boils down to ploughing through the code and looking for signatures that are indicative of the presence of a malevolant program. So in essence, we are talking here about pattern matching. For doing so, all antiviruses rely on signature databases. However, if the virus has been slightly rewritten, if it has mutated, if it has gone through a virtualization or an obfuscation process, then the usual signature is gone and the maleware is likely to remain undetected. The research that we are in the process of starting together with Cisco Systems aims precisely at grappling with this enduring problem, ” sums up Axel Legay , head of the Tamis research team at Inria.
The partnership was put on track two years ago when Cisco representatives came to Inria's headquarters in Paris in view of meeting several of the Institute's teams specializing in the field of security. Among those, Tamis was the one the company eventually decided to work with. “Two reasons prevailed. First of all, our team specifically focuses its research on malware analysis. Secondly, we are part of the PEC, the cyber excellence cluster launched by the French DoD and the Regional Council of Brittany. And indeed, Cisco was interested in joining this ecosystem as well.

Advanced Malware Protection

Our company's strategy for the acceleration of the digital transformation is a long-term commitment with governments, industries and universities , says Cisco's spokewoman Laetitia Raphalen . It aims at stepping up the pace of this digital transformation nationwide through a set of investments in education, innovative startups, national infrastructures, smart cities and cybersecurity. In this context, Cisco is committed to invest $200M in France in order to foster the emergence of new innovative companies and support their growth.
Financed by the company to the tune of €700,000 for the next three years, the new research will explore an innovative method for sniffing out well-concealed malware. “In contrast with classic strategies, our approach relies on semantic analysis during file execution, Legay points out. Instead of solely scrutinizing the program code, we execute the software in a sandbox in view of extracting as much information as possible and ultimately forcing the maleware to unveil itself. For instance, we could pick up suspicious system calls that wouldn't have been detected otherwise. Our machine learning algorithms will spot such telltale signatures and enrich our database.
All of this actually occurs during a preliminary offline step which, incidentally, calls for a hefty cluster infrastructure both in terms of computing power and storage. Then comes phase two. “When users start running a software on their computers, our algorithms check the execution and match it against the signature database that we have built. At this juncture, velocity is paramount. Avoiding false positives is another concern.
Inria scientists will collaborate with several research units of Cisco throughout the US. “One of them is Talos, the company's Washington-based threat intelligence organization. Others are located in Atlanta, San Francisco, etc.”
At scientific level, this cooperation will actually work both ways. “We will bring them our theoretical contributions in the field of symbolic execution. In return, we will benefit from their thorough experience. Being in the router business, Cisco has encountered and listed a large number of real-world malware over the years. They know the way those work inside out. This hands-on expertise enables them to pronounce whether or not one given file symbolic execution is truly indicative of a malware. In this particular field, we are very complementary indeed.

Keywords: CISCO Malware INRIA Rennes - Bretagne Atlantique TAMIS Cybersécurité