
Symantec Research Labs



Presentation Transcript


  1. Symantec Research Labs Investing in Symantec’s Future Stephen Trilling, VP Research; Carey Nachenberg, Symantec Fellow

  2. Agenda • Innovation across Symantec • SRL Overview • Research Projects and Processes • Government Research • Advanced Concepts • Detail on Past Transfers • Demo Introduction

  3. Innovation Across Symantec • Over 3700 engineers at over 30 engineering sites across the world: • Mountain View, CA • Santa Monica, CA • Roseville, MN • Waltham, MA • Reading, UK • Warsaw, Poland • Or-Yehuda, Israel • Beijing, China • Pune, India • Sydney, Australia • Tokyo, Japan • Etc.

  4. Innovation Across Symantec: Patents • Over the past three years, Symantec has drastically increased its filing of patents to the US Patent Office • Addressing innovative technologies from all of Symantec’s businesses • Addressing emerging technologies in key strategic areas • Symantec currently has over 200 granted US patents, with nearly a thousand more in the pipeline

  5. Symantec Research Labs Mission “Our mission is to ensure Symantec’s long-term leadership by fostering innovation, generating new ideas, and developing next-generation technologies across all of our businesses.”

  6. Symantec Research Labs Organization • Internal Research • Short, medium, and long-term applied research and tech transfer to product groups • Longer-term basic research in key strategic areas • Government Research • Longer-term, speculative government funded cyber-security research • University Research • Create a pipeline of advanced degree employees and interns • Coordinate university research to support Symantec’s needs • Collaborate on government research proposals • Advanced Concepts • “Startup-type” group develops lightweight products in emerging technology areas and ships to small set of pilot customers • Goal is to transfer releases into product group for full commercialization

  7. Past Transfers from Symantec Research Labs Include… • Host and Network Security • Generic exploit blocking • Behavior blocking • SCADA security • Antispam • Symantec’s first antispam technology • New “header-only” spam detection • Advanced Algorithms Research • Antivirus engine performance speedup of 30% • High-speed, data-driven malware unpacking system • Bandwidth • Novel incremental updating algorithms to reduce download size by 50% • Bandwidth reduction tools • Backup • Technology to improve backup throughput • Clustering • Disaster recovery workflow system • Management • Security correlation engine improvements • Sales and Public Relations • Graphical worm simulator

  8. Internal Research Processes/Projects • Technology Transfer • Current Pipeline • Research Metrics

  9. Formalizing Technology Transfer Achieving a high rate of technology transfer is arguably one of the most difficult tasks in research. We have reviewed our own technology transfer efforts and spoken with others in the research community to help define a formalized tech transfer process. We have developed a formal technology transfer process to facilitate commercialization of our research efforts.

  10. Technology Transfer Categories We have divided new technologies into two categories: • Small-scale Inventions are incremental innovations that can be integrated by an existing product team. • Large-scale Inventions are major new products or high-impact components which may require deployment of an entirely new product team and possibly new SKUs.

  11. The Technology Transfer Lifecycle • VALIDATION: SRL validates research ideas through meetings with representatives from the target product team. • IN-RESEARCH: Formal research phase; continued validation with the target organization. • DELIVERY: SRL provides research deliverables to the target organization and resolves open issues. • APPRAISAL: The target organization does final ROI and technical due diligence. • ROADMAP: The new technology is formally added to the roadmap by the target team.

  12. Current Areas of Investigation Include… • Application Security • Database protection • VoIP protection • Availability • Application failover and recovery • Virtualization • Market-based resource allocation • Backup • Automating the disaster recovery process • Malicious Code Protection • Anti-spyware • Detecting day-zero worms • Network Security • Network intrusion prevention • Storage • Distributed modular storage systems • Wireless Security • Securing wireless devices

  13. Technology Transfer Pipeline (chart: projects placed by stage, Validation, In-research, Delivery, Appraisal and Roadmap, and by area, Security; Storage, Backup and Availability; Emerging). Projects shown include: JavaThreats, StarFS, Day Zero, SFT, Esperanto, DataUnpak, Evasion, HypnoToad, NPI, Logo, Vanderpool, SPACE, VRM, Trans Obj, vNUMA, RawScan, SCADA, Drona, WAAV, Home Networking, AssetID, Machete, HoneyB, AutoMap, SpyCat, Cookie Crawl, VOIP, SDAS, Longhorn, SpyMatrix, ClusterStore.

  14. Internal Research Metrics • Company-wide Technology Initiatives Metric: Support for cross-company initiatives, presentations, business due diligence, etc. • External Visibility Metric: # of conference talks, publications, external high-profile meetings, PR, etc. • Team Patents Metric: Patents from SRL accepted by the Symantec Patent Committee • Technology Transfer Metric: Transfer of large-scale and small-scale innovations to product teams

  15. Government Research

  16. Government Research Goals • Create Disruptive Technology from Long-term, High-risk Research • Create “proof-of-concept” prototypes to redefine the space of the possible • …by Leveraging National (and International) Scale Investments • DARPA, DHS, AFRL, NSF, etc. • Government sponsors have a higher research-investment risk tolerance than shareholders • While increasing visibility of Symantec across the US Government • Create new technology focused on needs of the government • Thought leadership in government circles

  17. Government Research Efforts • Current US Research Sponsors include: • Department of Homeland Security • National Science Foundation • Also negotiating new research sponsorships with other government orgs inside and outside the US • Areas of Focus Include: • Antiphishing • Intrusion Prevention • Behavior Blocking • Software Assurance • Wireless Security and Availability

  18. Advanced Concepts

  19. The New Product Conundrum All companies face the challenge of maintaining a predictable near-term revenue stream while not losing sight of the next big idea. The Conundrum: How does a company balance resources between the near-term sure thing and the next billion dollar product? Question: Why do startups seem to produce new products so rapidly, yet large corporations with much greater resources can’t keep pace?

  20. The Problem Shipping a new product in a large company often requires: • Shipping on multiple hardware and software platforms • Support for multiple languages • Complex user interface • Complex management integration and support • Extensive documentation • Marketing • Sales training • Etc. It can be difficult to justify the financial risk of these expenses on a new product that has no history in the marketplace.

  21. Addressing the Issue: Advanced Concepts (diagram of the “New Product Chasm”). Symantec Research Labs: research and prototyping, feeding tech transfer. Advanced Concepts: 1st generation products and seeding of new markets, delivered to pilot customers. Product Groups: full product releases and incremental improvements, delivered to all customers. Acquisitions are shown as another path into the product groups.

  22. Advanced Concepts Parameters of Operation • High level of customer involvement • Tight Advanced Concepts interaction with pilot customers • AC provides regular builds to customer for testing/feedback throughout delivery cycle • Limited-scope releases • English-only, localizable, limited platform releases, primary focus on North America • Simple user interfaces, with limited central management • Limited reliance on outside teams • Documentation, customer installs, product support done by Advanced Concepts • No formal marketing support, no formal reliance on technical support • Post-ship support • Field support from Advanced Concepts and SE organization • Enhancements/bug fixes provided by Advanced Concepts

  23. Details on Selected Research Projects • Past Transfers/in-transfer • Generic Exploit Blocking (NVIS) • Antivirus performance improvements • Logo Detection for Antiphishing • Network Connection Manager • Disaster Recovery System • Today’s Demos

  24. Stopping the Bullet Question: How do you stop a bullet that has already been fired?

  25. Stopping the Bullet (chart: horizontal axis Time, 1990 to 2005; vertical axis months, days, hrs, mins, secs; threat classes Program Viruses, Macro Viruses, E-mail Worms, Network Worms, Flash Worms; curves for Contagion Period and Signature Response Period, with pre-automation and post-automation phases) • We’ve reached an inflection point where the latest threats now spread orders of magnitude faster than our ability to respond • If we’re going to win this battle, we’ve got to change our strategy

  26. An Analogy Idea: Just as only properly shaped keys can open a lock, only properly “shaped” worms can exploit a vulnerability. Step 1: Characterize the “shape” of a new vulnerability. Step 2: Use this shape as a signature, scan network traffic and block anything that matches it. Entirely new worms can be blocked immediately, without specific fingerprints.
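To make the lock-and-key idea concrete, here is an added example that is not from the slides or from NVIS: a constructed toy line protocol in which (hypothetically) the receiving service copies the name field into a 64-byte buffer. A vulnerability-shape rule keys on that parsed condition, while a per-sample fingerprint keys on the bytes of one captured message; the protocol, limit and sample messages are all assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed toy protocol: "HELLO <name>\r\n". Assumed (hypothetical) bug: the
# receiver copies <name> into a 64-byte buffer. The vulnerability's "shape" is
# therefore: a HELLO whose name field exceeds 64 bytes, whatever the bytes are.
NAME_LIMIT = 64
LINE = re.compile(rb"([A-Z]+) ([^\r\n]*)\r\n")


@dataclass
class Verdict:
    blocked: bool
    reason: str


def shape_signature(msg: bytes) -> Verdict:
    """Generic exploit blocking: decide on the parsed field that triggers the
    bug, so every message shaped like the vulnerability is stopped, including
    ones never seen before. Messages outside the signature's scope pass."""
    m = LINE.fullmatch(msg)
    if m is None:
        return Verdict(False, "not a well-formed command line; out of scope")
    cmd, name = m.group(1), m.group(2)
    if cmd == b"HELLO" and len(name) > NAME_LIMIT:
        return Verdict(True, f"HELLO name is {len(name)} bytes, limit {NAME_LIMIT}")
    return Verdict(False, "field within limits")


def fingerprint_signature(msg: bytes, fingerprint: bytes) -> Verdict:
    """Classic per-sample fingerprint: matches only the exact bytes captured
    from one sample, so a differently encoded copy of the same attack passes."""
    hit = fingerprint in msg
    return Verdict(hit, "fingerprint present" if hit else "fingerprint absent")


# Constructed samples: one captured overlong message, a variant with different
# bytes but the same shape, and a benign message.
CAPTURED = b"HELLO " + b"A" * 100 + b"\r\n"
VARIANT = b"HELLO " + b"B" * 200 + b"\r\n"
BENIGN = b"HELLO alice\r\n"
FINGERPRINT = b"A" * 100  # what a per-sample signature would key on

if __name__ == "__main__":
    for label, msg in (("captured", CAPTURED), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, "shape:", shape_signature(msg).blocked,
              "fingerprint:", fingerprint_signature(msg, FINGERPRINT).blocked)
```

The fingerprint blocks only the captured sample; the shape rule blocks both overlong messages and still passes the benign one and long fields in other commands.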

  27. Old Paradigm … Microsoft announces a new vulnerability in all versions of Windows XP. Microsoft ships a patch to fix the vulnerability. Most customers delay widespread deployment because of cost. Virus writer creates a new worm (e.g. Blaster) that takes advantage of the vulnerability and infects millions. Security vendors create fingerprints and tools to clean up the mess. Customers remove infections and may deploy patches to critical systems, but the damage is already done.

  28. A New Paradigm … Microsoft announces a new vulnerability in all versions of Windows XP. Response creates a new vulnerability signature to plug the hole and distributes it to customers via LiveUpdate. Customers deploy this signature, just like virus definitions, to all desktops, servers and SGS devices. Virus writer creates a new worm (e.g. Blaster) that takes advantage of the vulnerability. But every time the worm attempts to pass through a Symantec IPS product, it is blocked immediately. Customers can deploy patches at their leisure, without having to worry about the next big threat. No clean up. No panic. No patching in the middle of the night.

  29. Generic Exploit Blocking Implementation: NVIS • The Network Vulnerability Interception System (NVIS) is a new network scanning engine from SRL • Benefits • Enables Generic Exploit Blocking (powerful signature language) • Multi-gigabit operation • Data-driven for fast updates • Common engine across all platforms • NVIS is already shipping in: • Symantec Network Security • ManHunt • Symantec Client Security • Norton Internet Security • Norton Antivirus • This technology will soon be shipping in: • Symantec Gateway Security • This approach can generically stop threats such as: • Blaster, Slammer, Code Red, Sasser, Zotob, etc.

  30. Antivirus Speedup • Classic signature scanning is a key part of malware detection • Nearly half our AV engine’s scan time is spent in our core signature scanning engine • Our AV products scan for tens of thousands of signatures with this technology • We have leveraged our NVIS research to drastically improve the performance of our AV signature scanning • 50% improvement to the signature scanning component • 30% increase in overall engine performance • The antivirus engine team has shipped this improvement to all of Symantec’s AV customers

  31. Logo Identification (AntiPhishing) • Background: Phishing emails often contain a company logo to add credibility • Goal: Develop an effective algorithm for recognizing logo images embedded in emails and web pages • Challenges: • Logo image scaling • Logo image salting (i.e. modification of isolated pixels) • Embedding the logo within a larger bitmap • Target teams: • Brightmail Antispam team • Client security teams

  32. Logo Detection Example

  33. Proposed Logo Identification Algorithm • Phase #1: Training with desired logo(s) • Normalize logo bitmap to remove dithering • Compute run-length-encoding information for each row of the image • Identify foreground and background sections of each RLE sequence • Add the RLE information to a definition file (Logo Defs) • Phase #2: Scanning for the desired logo(s) • Normalize the suspect bitmap • Compute RLE sequences across the entire bitmap, row-by-row • Compare each RLE against the trained RLE, accounting for possible scaling of foreground regions (Figure: a trained logo row encodes as 40 R, 3 W, 8 B, 120 W, 8 B and is stored in the Logo Defs with its background runs wildcarded, 40 R, 3 ?, 8 B, 120 ?, 8 B; a copy of the row at roughly half scale encodes as 20 R, 1 W, 4 B, 60 W, 4 B and is matched through the scale factor of its foreground runs, with X2/X3 annotations marking the scaling applied to foreground regions; a row of different shape, such as 6 R, 8 W, 8 R, 9 W, 5 R, …, is also shown for comparison.)

  34. Test Logos • Logos of the most phished institutions were used for testing • Logos were obtained from company home pages • Each logo was scaled to factors ranging from 10% to 200% to test scanner effectiveness • Also tested with salted images • Selected both Positive and Negative samples
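The two phases of the logo algorithm, plus the scaling and salting cases the test logos exercise, as an added example that is not the slides' or Symantec's code. It works on one bitmap row at a time, with rows written as strings of colour classes (R, W, B; '.' for background) so it runs without image libraries; the salting filter and the 15% scale tolerance are assumptions of this example.

```python
from typing import List, Optional, Tuple

Run = Tuple[str, int]  # (colour class, run length)


def normalize(row: str) -> str:
    """Map '.' to background 'W' and remove salting: an isolated pixel whose two
    neighbours agree with each other takes their colour. (Assumes genuine logo
    features are at least two pixels wide; that is this example's choice.)"""
    px = ["W" if p == "." else p for p in row]
    out = px[:]
    for i in range(1, len(px) - 1):
        if px[i - 1] == px[i + 1] != px[i]:
            out[i] = px[i - 1]
    return "".join(out)


def rle(row: str) -> List[Run]:
    """Run-length encode one normalised row: 'RRRWW' -> [('R', 3), ('W', 2)]."""
    runs: List[Run] = []
    for p in row:
        if runs and runs[-1][0] == p:
            runs[-1] = (p, runs[-1][1] + 1)
        else:
            runs.append((p, 1))
    return runs


def train(logo_row: str) -> List[Run]:
    """Phase 1: RLE of the logo row with background runs wildcarded as '?',
    which lets the logo sit anywhere inside a larger bitmap at scan time."""
    return [("?" if c == "W" else c, n) for c, n in rle(normalize(logo_row))]


def foreground(runs: List[Run]) -> List[Run]:
    return [(c, n) for c, n in runs if c not in ("W", "?")]


def match_row(definition: List[Run], suspect_row: str, tolerance: float = 0.15) -> Optional[float]:
    """Phase 2: the uniform scale factor at which the trained foreground runs
    occur, in order and in the same colours, somewhere in the suspect row, or
    None. Wildcarded background runs are not measured."""
    want = foreground(definition)
    have = foreground(rle(normalize(suspect_row)))
    k = len(want)
    if k == 0:
        return None
    for start in range(len(have) - k + 1):
        window = have[start:start + k]
        scale = window[0][1] / want[0][1]
        if all(wc == hc and abs(hn / wn - scale) <= tolerance * scale
               for (wc, wn), (hc, hn) in zip(want, window)):
            return scale
    return None


# Constructed sample: the slide's example row, 40 R, 3 W, 8 B, 120 W, 8 B.
LOGO_ROW = "R" * 40 + "W" * 3 + "B" * 8 + "W" * 120 + "B" * 8
LOGO_DEF = train(LOGO_ROW)  # [('R', 40), ('?', 3), ('B', 8), ('?', 120), ('B', 8)]
```

A half-scale copy of the row embedded in a wider bitmap and salted with one stray pixel still matches at scale 0.5, while the 6 R, 8 W, 8 R, 9 W, 5 R row from the slide does not match.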

  35. Cumulative Results: ROC • By combining our logo detection algorithms with Bayesian networks, we can substantially improve our detection and false positive rates • We are currently working with product teams to improve and transfer this technology

  36. Network Connection Manager • Network loss/misconfiguration is quite common, impacting backup efficiency • Major percentage of NetBackup support calls are network related • NCM identifies and diagnoses such conditions, enabling peak performance: • Concept is based on analyzing patterns of packet timing (sonar for network) • Can detect bad cabling, duplex mismatches, and congestion while jobs are running • Negligible impact on the network (not a saturation test) • Benefits • Enables users to quickly determine the root-cause of backup problems • Helps improve backup performance • Reduces support calls • Now shipping as part of our NetBackup product

  37. Disaster Recovery • Today, disaster recovery is a manual process where IT employees literally use printed DR play-books • The goal of this project was to provide a user-friendly framework for complete Disaster Operations Management. • Features include: • Automated DR workflow system that guides IT administrators through the recovery process • Solution is customizable since each organization has its own DR policies • Focused on simplifying failover to shared standby systems • Platform is capable of integrating with a variety of Symantec and 3rd party products. • This project is now in-transfer to the clustering team

  38. Today’s Demos • Symantec Database Audit and Security (SDAS) • Audit and secure critical databases from hacking and insider attacks • Software Fault Tolerance (SFT) • Real-time “to-the-dot” application failover and recovery • StarFS • Distributed modular storage system, using inexpensive off-the-shelf components • Symantec Threat Simulator • Highly-customizable simulation program shows how today’s ultra-fast computer worms spread across the Internet

  39. Symantec Research Labs Investing in Symantec’s Future

  40. Thank You!
