Eunomia

Vulnerability and Malware Detection

Eunomia[1] applies machine learning and statistical analysis to a unified vulnerability and malware verification process. Its capabilities are founded on a novel combination of static analysis, "Big Code" (machine learning and statistical analysis over large corpora of source code and binaries), and dynamic symbolic analysis. The goal of this work is an identification and verification framework that packages complex mining techniques for the rapid collection, processing, and understanding of large data stores.

Prototyped as a software-as-a-service (SaaS) tool, Eunomia enables code developers to rapidly analyze source or binary code for the presence of vulnerabilities and/or malware. The SaaS architectural model supports deployment of the Eunomia concept in public cloud environments (for commercialization), private cloud environments (for sensitive and classified requirements), and device-specific environments (for commercialization as a standalone product).

Future enhancements to Eunomia include the implementation of a two-phase process developed during the SBIR Phase I project to 1) identify vulnerable code patterns through Big Data techniques, and 2) verify the vulnerabilities through functional equivalence analysis. As part of the prototype, static and dynamic techniques may be combined to further reduce false-positive rates. An operator of the Eunomia SaaS prototype will be able to use one or both analysis approaches, in any order, so that the code developer or operator can trade analysis speed against accuracy according to their needs.

First, the Identification phase applies a classifier generated through machine learning to locate candidate exploitable code segments within the software. In this phase, Eunomia identifies semantic vulnerability and malware patterns in the MUSE software corpus through machine learning. The outputs of this process are software objects that include a malfeasance detector deployed as a classifier.

The Verification phase adapts a novel technique of static and dynamic functional equivalence comparison to confirm the classifier's results and/or identify exploitable code segments. In this phase, Eunomia compares the targeted software against a vulnerability exemplar for functional equivalence, so an analyst can test a source or binary program and identify either malware or a potential vulnerability class. The analyst can then use the integrated dynamic analysis capabilities to test whether one or more input values actually trigger that vulnerability. Because the vulnerabilities and malware, along with their associated malfeasance detectors, were classified in the Identification phase, organizations can use Eunomia to identify threat patterns in their software and receive remediation guidance. Eunomia will also verify remediation soundness once patches are implemented, checking that the patch repaired the vulnerability without injecting new vulnerabilities.
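The verification phase described above, as an added example that is not Eunomia's code and not from this page: a constructed vulnerability exemplar (an unchecked copy into a fixed-size buffer), a syntactically different target that is compared against it by dynamic functional-equivalence testing, a bounded concrete input search that stands in for the symbolic analysis a real tool would use to find a triggering value, and a remediation-soundness check that requires the trigger to stop crashing while behaviour on benign input stays unchanged. Every function name, the probe inputs, and the use of a Python IndexError as the stand-in for a memory-safety crash are assumptions made for illustration.

```python
"""Added illustration of a verification phase (not Eunomia's code).
Functions, inputs and the 'crash' model are constructed for this example."""
from typing import Any, Callable, List, Optional, Sequence, Tuple

# Observable behaviour of one run: ("ok", result) or ("crash", exception name).
Behaviour = Tuple[str, Any]
Probe = Tuple[int, bytes]  # (buffer length, data to copy)


def observe(fn: Callable[..., Any], *args: Any) -> Behaviour:
    """Run fn and record what an analyst would see: a result or a crash type."""
    try:
        return ("ok", fn(*args))
    except Exception as exc:  # IndexError here models a memory-safety failure
        return ("crash", type(exc).__name__)


# Constructed vulnerability exemplar: copies data into a fixed buffer
# with no length check (the classic unchecked-copy pattern).
def exemplar_copy(buf_len: int, data: bytes) -> List[int]:
    buf = [0] * buf_len
    for i, b in enumerate(data):
        buf[i] = b  # overruns when len(data) > buf_len
    return buf


# Constructed target under analysis: different shape, same semantics.
def target_copy(buf_len: int, data: bytes) -> List[int]:
    buf = [0] * buf_len
    i = 0
    while i < len(data):
        buf[i] = data[i]
        i += 1
    return buf


# Constructed correct patch: truncate the input to the buffer.
def target_copy_patched(buf_len: int, data: bytes) -> List[int]:
    buf = [0] * buf_len
    for i, b in enumerate(data[:buf_len]):
        buf[i] = b
    return buf


# Constructed bad patch: no longer overruns, but silently drops the last byte.
def target_copy_off_by_one(buf_len: int, data: bytes) -> List[int]:
    buf = [0] * buf_len
    for i, b in enumerate(data[: buf_len - 1]):
        buf[i] = b
    return buf


# Constructed probe set: an 8-byte buffer fed 0..16 bytes of input.
PROBES: List[Probe] = [(8, b"A" * n) for n in range(17)]


def functionally_equivalent(f: Callable[..., Any], g: Callable[..., Any],
                            probes: Sequence[Probe]) -> bool:
    """Dynamic functional-equivalence check: identical behaviour on every probe,
    including crashing in the same way. A match against the exemplar is the
    signal that the target carries the exemplar's vulnerability class."""
    return all(observe(f, *p) == observe(g, *p) for p in probes)


def find_trigger(fn: Callable[..., Any], buf_len: int,
                 max_len: int = 64) -> Optional[bytes]:
    """Search for a value that triggers the crash. A bounded concrete search
    stands in here for the symbolic analysis a real tool would use."""
    for n in range(max_len + 1):
        data = b"A" * n
        if observe(fn, buf_len, data)[0] == "crash":
            return data
    return None


def benign_probes(fn: Callable[..., Any], probes: Sequence[Probe]) -> List[Probe]:
    """Probes on which the unpatched function behaves normally; these define
    the behaviour a patch must preserve."""
    return [p for p in probes if observe(fn, *p)[0] == "ok"]


def patch_is_sound(original: Callable[..., Any], patched: Callable[..., Any],
                   trigger: Probe, probes: Sequence[Probe]) -> bool:
    """Remediation check: the trigger must no longer crash, and the patched
    code must stay functionally equivalent to the original on benign input."""
    fixed = observe(patched, *trigger)[0] == "ok"
    no_regression = functionally_equivalent(original, patched,
                                            benign_probes(original, probes))
    return fixed and no_regression


if __name__ == "__main__":
    print("target matches exemplar:",
          functionally_equivalent(exemplar_copy, target_copy, PROBES))
    trigger = find_trigger(target_copy, 8)
    print("triggering input:", trigger)
    print("good patch sound:",
          patch_is_sound(target_copy, target_copy_patched, (8, trigger), PROBES))
    print("off-by-one patch sound:",
          patch_is_sound(target_copy, target_copy_off_by_one, (8, trigger), PROBES))
```

The off-by-one patch is the case the page's last sentence is about: it does make the triggering input stop crashing, so a check that looks only at the original finding would accept it, but it changes behaviour on an input the unpatched code handled correctly (a full 8-byte copy), and the equivalence check against the benign probes rejects it.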

[1] Eunomia is a minor Greek goddess whose name can be translated as "good order" or "governance according to good laws"; she was also the spring-time goddess of green pastures.
