Symantec Research Labs - PowerPoint PPT Presentation


Transcript and Presenter's Notes


1
Symantec Research Labs
Investing in Symantec's Future
Stephen Trilling, VP Research; Carey Nachenberg, Symantec Fellow
2
Agenda
  • Innovation across Symantec
  • SRL Overview
  • Research Projects and Processes
  • Government Research
  • Advanced Concepts
  • Detail on Past Transfers
  • Demo Introduction

3
Innovation Across Symantec
  • Over 3700 engineers at over 30 engineering sites
    across the world
    • Mountain View, CA
    • Santa Monica, CA
    • Roseville, MN
    • Waltham, MA
    • Reading, UK
    • Warsaw, Poland
    • Or-Yehuda, Israel
    • Beijing, China
    • Pune, India
    • Sydney, Australia
    • Tokyo, Japan
    • Etc.

4
Innovation Across Symantec Patents
  • Over the past three years, Symantec has
    drastically increased its filing of patents to
    the US Patent Office
  • Addressing innovative technologies from all of
    Symantec's businesses
  • Addressing emerging technologies in key strategic
    areas
  • Symantec currently has over 200 granted US
    patents, with nearly a thousand more in the
    pipeline

5
Symantec Research Labs Mission

Our mission is to ensure Symantec's long-term
leadership by fostering innovation, generating
new ideas, and developing next-generation
technologies across all of our businesses.
6
Symantec Research Labs Organization
  • Internal Research
    • Short, medium, and long-term applied research and
      tech transfer to product groups
    • Longer-term basic research in key strategic areas
  • Government Research
    • Longer-term, speculative government-funded
      cyber-security research
  • University Research
    • Create a pipeline of advanced-degree employees
      and interns
    • Coordinate university research to support
      Symantec's needs
    • Collaborate on government research proposals
  • Advanced Concepts
    • Startup-type group develops lightweight
      products in emerging technology areas and ships
      to a small set of pilot customers
    • Goal is to transfer releases into a product group
      for full commercialization

7
Past Transfers from Symantec Research Labs
Include
  • Host and Network Security
    • Generic exploit blocking
    • Behavior blocking
    • SCADA security
  • Antispam
    • Symantec's first antispam technology
    • New header-only spam detection
  • Advanced Algorithms Research
    • Antivirus engine performance speedup of 30%
    • High-speed, data-driven malware unpacking system
  • Bandwidth
    • Novel incremental updating algorithms to reduce
      download size by 50%
    • Bandwidth reduction tools
  • Backup
    • Technology to improve backup throughput
  • Clustering
    • Disaster recovery workflow system
  • Management
    • Security correlation engine improvements

8
Internal Research Processes/Projects
  • Technology Transfer
  • Current Pipeline
  • Research Metrics

9
Formalizing Technology Transfer
Achieving a high rate of technology transfer is
arguably one of the most difficult tasks in
research.
We have reviewed our own technology transfer
efforts and spoken with others in the research
community to help define a formalized tech
transfer process.
We have developed a formal technology transfer
process to facilitate commercialization of our
research efforts.
10
Technology Transfer Categories
We have divided new technologies into two
categories
  • Small-scale Inventions are incremental
    innovations that can be integrated by an
    existing product team.
  • Large-scale Inventions are major new products or
    high-impact components which may require
    deployment of an entirely new product team and
    possibly new SKUs.

11
The Technology Transfer Lifecycle
VALIDATION: SRL validates research ideas through
meetings with representatives from the target product
team.
IN-RESEARCH: Formal research phase; continued
validation with the target organization.
DELIVERY: SRL provides research deliverables to the
target organization and resolves open issues.
APPRAISAL: Target organization does final ROI and
technical due diligence.
ROADMAP: New technology formally added to the roadmap
by the target team.
12
Current Areas of Investigation Include
  • Application Security
    • Database protection
    • VoIP protection
  • Availability
    • Application failover and recovery
  • Virtualization
    • Market-based resource allocation
  • Backup
    • Automating the disaster recovery process
  • Malicious Code Protection
    • Anti-spyware
    • Detecting day-zero worms
  • Network Security
    • Network intrusion prevention
  • Storage
    • Distributed modular storage systems
  • Wireless Security
    • Securing wireless devices

13
Technology Transfer Pipeline


Security
Storage, Backup and Availability
Emerging
Validation
In-research
Delivery
Appraisal
Roadmap
14
Internal Research Metrics
Company-wide Technology Initiatives Metric: Support
for cross-company initiatives, presentations,
business due diligence, etc.
External Visibility Metric: Conference talks,
publications, external high-profile meetings, PR,
etc.
Team Patents Metric: Patents from SRL accepted
by the Symantec Patent Committee
Technology Transfer Metric: Transfer of
large-scale and small-scale innovations to
product teams
15
Government Research
16
Government Research Goals
  • Create Disruptive Technology from Long-term,
    High-risk Research
    • Create proof-of-concept prototypes to redefine
      the space of the possible
  • by Leveraging National (and International) Scale
    Investments
    • DARPA, DHS, AFRL, NSF, etc.
    • Government sponsors have higher
      research-investment risk tolerance than
      shareholders
  • While increasing visibility of Symantec across
    the US Government
    • Create new technology focused on needs of the
      government
    • Thought leadership in government circles

17
Government Research Efforts
  • Current US Research Sponsors include
    • Department of Homeland Security
    • National Science Foundation
  • Also negotiating new research sponsorships with
    other government orgs inside and outside the US
  • Areas of Focus Include
    • Antiphishing
    • Intrusion Prevention
    • Behavior Blocking
    • Software Assurance
    • Wireless Security and Availability

18
Advanced Concepts
19
The New Product Conundrum
All companies face the challenge of maintaining a
predictable near-term revenue stream while not
losing sight of the next big idea.
The Conundrum: How does a company balance
resources between the near-term sure thing and
the next billion-dollar product?
Question: Why do startups seem to produce new
products so rapidly, yet large corporations with
much greater resources can't keep pace?
20
The Problem
Shipping a new product in a large company often
requires
  • Shipping on multiple hardware and software
    platforms
  • Support for multiple languages
  • Complex user interface
  • Complex management integration and support
  • Extensive documentation
  • Marketing
  • Sales training
  • Etc.

It can be difficult to justify the financial risk
on these expenses on a new product that has no
history in the marketplace.
21
Addressing the Issue: Advanced Concepts
[Diagram on slide; labels: Tech Transfer, All Customers]
22
Advanced Concepts Parameters of Operation
  • High level of customer involvement
    • Tight Advanced Concepts interaction with pilot
      customers
    • AC provides regular builds to customers for
      testing/feedback throughout the delivery cycle
  • Limited-scope releases
    • English-only, localizable, limited-platform
      releases, primary focus on North America
    • Simple user interfaces, with limited central
      management
  • Limited reliance on outside teams
    • Documentation, customer installs, product support
      done by Advanced Concepts
    • No formal marketing support, no formal reliance
      on technical support
  • Post-ship support
    • Field support from Advanced Concepts and SE
      organization
    • Enhancements/bug fixes provided by Advanced
      Concepts

23
Details on Selected Research Projects
  • Past Transfers/in-transfer
    • Generic Exploit Blocking (NVIS)
    • Antivirus performance improvements
    • Logo Detection for Antiphishing
    • Network Connection Manager
    • Disaster Recovery System
  • Today's Demos

24
Stopping the Bullet
  • Question: How do you stop a bullet that has
    already been fired?

25
Stopping the Bullet
  • We've reached an inflection point where the
    latest threats now spread orders of magnitude
    faster than our ability to respond
  • If we're going to win this battle, we've got to
    change our strategy

[Chart on slide: Signature Response Period vs. Contagion Period over time, 1990 to 2005; vertical axis in months, days, hrs, mins, secs]
26
An Analogy
  • Idea: Just as only properly shaped keys can open
    a lock, only properly shaped worms can exploit
    a vulnerability.

Step 1: Characterize the shape of a new
vulnerability
Step 2: Use this shape as a signature, scan
network traffic and block anything that matches it
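The two steps above, worked through as an added Python example (written for this page, not Symantec's NVIS engine or its signature language). It models a hypothetical length-prefixed message format whose receiver is assumed to copy a name field into a fixed 64-byte buffer without checking the length field; the "shape" of that flaw is simply "declared length exceeds 64", so the vulnerability signature is a predicate on the parsed field rather than on payload bytes. A byte signature for one known sample is kept beside it for contrast. The format, the 64-byte limit, the function names and the sample messages are all constructed assumptions.

```python
import struct

# Hypothetical message format, constructed for this example (not NVIS or any
# real protocol): a 2-byte big-endian length field followed by that many bytes
# of "name". The hypothetical receiver copies the name into a fixed 64-byte
# buffer without checking the length field, so every message that declares a
# name longer than 64 bytes has the "shape" the flaw requires, whatever the
# bytes inside it are.
MAX_NAME_LEN = 64

def build_message(name: bytes) -> bytes:
    """Encode a name into the constructed length-prefixed format."""
    return struct.pack(">H", len(name)) + name

# Step 1: characterize the vulnerability as a predicate on the parsed field.
def vulnerability_signature(msg: bytes) -> bool:
    """True if the declared name length exceeds what the receiver can hold."""
    if len(msg) < 2:
        return False
    declared_len = struct.unpack(">H", msg[:2])[0]
    return declared_len > MAX_NAME_LEN

# For contrast, the old paradigm: a byte signature taken from one known sample.
KNOWN_SAMPLE_BYTES = b"X" * 8 + b"SAMPLE-A"

def exploit_signature(msg: bytes) -> bool:
    """True only if the bytes of the one known sample appear in the message."""
    return KNOWN_SAMPLE_BYTES in msg

# Step 2: scan traffic and block anything whose shape matches.
def filter_traffic(messages):
    """Return (passed, blocked) lists using the vulnerability-shaped signature."""
    passed = [m for m in messages if not vulnerability_signature(m)]
    blocked = [m for m in messages if vulnerability_signature(m)]
    return passed, blocked

def compare_signatures(messages):
    """Per-message verdicts: (shape signature hit, byte signature hit)."""
    return [(vulnerability_signature(m), exploit_signature(m)) for m in messages]

# Constructed traffic: one benign message and three oversize variants that
# differ only in filler bytes, the part a worm author can vary freely.
BENIGN = build_message(b"printer-07")
VARIANT_A = build_message(b"X" * 8 + b"SAMPLE-A" + b"A" * 100)
VARIANT_B = build_message(b"Y" * 8 + b"SAMPLE-B" + b"B" * 100)
VARIANT_C = build_message(b"Z" * 200)
TRAFFIC = [BENIGN, VARIANT_A, VARIANT_B, VARIANT_C]

if __name__ == "__main__":
    for label, verdict in zip(["benign", "A", "B", "C"], compare_signatures(TRAFFIC)):
        print(label, "shape:", verdict[0], "bytes:", verdict[1])
```

The byte signature catches only the one variant it was written from, while the shape signature blocks all three oversize messages and passes the benign one. The flip side is that the shape must be characterized precisely: if the receiver in fact tolerates some longer names, a predicate this coarse would block legitimate traffic, so the bound in the signature has to come from the real limit in the vulnerable code.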
27
Old Paradigm

28
A New Paradigm
Customers can deploy patches at their leisure,
without having to worry about the next big
threat. No clean up. No panic. No patching in
the middle of the night.

But every time the worm attempts to pass through
a Symantec IPS product, it is blocked immediately.
29
Generic Exploit Blocking Implementation: NVIS
  • The Network Vulnerability Interception System
    (NVIS) is a new network scanning engine from SRL
  • Benefits
    • Enables Generic Exploit Blocking (powerful
      signature language)
    • Multi-gigabit operation
    • Data-driven for fast updates
    • Common engine across all platforms
  • NVIS is already shipping in
    • Symantec Network Security
    • ManHunt
    • Symantec Client Security
    • Norton Internet Security
    • Norton Antivirus
  • This technology will soon be shipping in
    • Symantec Gateway Security
  • This approach can generically stop threats such
    as
    • Blaster, Slammer, Code Red, Sasser, Zotob, etc.

30
Antivirus Speedup
  • Classic signature scanning is a key part of
    malware detection
  • Nearly half our AV engine's scan time is spent in
    our core signature scanning engine
  • Our AV products scan for tens of thousands of
    signatures with this technology
  • We have leveraged our NVIS research to
    drastically improve the performance of our AV
    signature scanning
    • 50% improvement to the signature scanning
      component
    • 30% increase in overall engine performance
  • The antivirus engine team has shipped this
    improvement to all of Symantec's AV customers

31
Logo Identification (AntiPhishing)
  • Background: Phishing emails often contain a
    company logo to add credibility
  • Goal: Develop an effective algorithm for
    recognizing logo images embedded in emails and
    web pages
  • Challenges
    • Logo image scaling
    • Logo image salting (i.e. modification of isolated
      pixels)
    • Embedding the logo within a larger bitmap
  • Target teams
    • Brightmail Antispam team
    • Client security teams

32
Logo Detection Example
33
Proposed Logo Identification Algorithm
  • Phase 1: Training with desired logo(s)
    • Normalize logo bitmap to remove dithering
    • Compute run-length-encoding information for each
      row of the image
    • Identify foreground and background sections of
      each RLE sequence
    • Add the RLE information to a definition file
  • Phase 2: Scanning for the desired logo(s)
    • Normalize the suspect bitmap
    • Compute RLE sequences across the entire bitmap,
      row-by-row
    • Compare each RLE against the trained RLE,
      accounting for possible scaling of foreground
      regions

[Slide figure, RLE matching example. Trained row: 40 R, 3 W, 8 B, 120 W, 8 B; the same row with background runs wildcarded: 40 R, 3 ?, 8 B, 120 ?, 8 B. Suspect rows shown: 6 R, 8 W, 8 R, 9 W, 5 R, and 20 R, 1 W, 4 B, 60 W, 4 B, the latter labelled with per-run ratios X2 X3 X2 X2 X2 against the trained row]
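The two phases of the algorithm, carried through in Python as an added example (written for this page, not Symantec's implementation). The bitmap encoding, the palette, the pixel tolerance and the detection threshold are constructed assumptions: rows are strings of colour codes, lower-case letters stand for dithered or salted pixels that normalization folds back onto the base colour, background runs become wildcards during training, and the comparison fixes a scale factor from the first foreground run of a row and requires the remaining foreground runs to agree with it, as in the ×2 ratios between the 40 R / 20 R and 8 B / 4 B runs on the slide. It also strips leading and trailing background so a logo embedded in a larger bitmap still lines up.

```python
from itertools import groupby

BACKGROUND = "W"
# Normalisation palette (constructed): lower-case letters stand for dithered
# or salted variants of a colour and collapse onto the base colour; anything
# unknown is treated as background.
PALETTE = {"R": "R", "r": "R", "B": "B", "b": "B", "W": "W", "w": "W"}

def normalize(row):
    return "".join(PALETTE.get(p, BACKGROUND) for p in row)

def rle(row):
    """Run-length encode a row after normalisation: [(count, colour), ...]."""
    return [(len(list(g)), c) for c, g in groupby(normalize(row))]

def strip_background(runs):
    """Drop leading/trailing background runs so a logo embedded in a larger
    bitmap lines up with the trained rows."""
    while runs and runs[0][1] == BACKGROUND:
        runs = runs[1:]
    while runs and runs[-1][1] == BACKGROUND:
        runs = runs[:-1]
    return runs

def train(logo_rows):
    """Phase 1: one RLE signature per distinct row; background runs become '?'."""
    sigs = []
    for r in logo_rows:
        runs = strip_background(rle(r))
        sig = [(n, "?" if c == BACKGROUND else c) for n, c in runs]
        if sig and sig not in sigs:
            sigs.append(sig)
    return sigs

def row_matches(sig, runs, tolerance=1):
    """Does a suspect row's RLE match a trained signature under one uniform
    scale factor on the foreground runs? Wildcard ('?') runs only need to be
    background, whatever their length; the scale is fixed by the first
    foreground run and later foreground runs must agree within `tolerance`
    pixels (tolerance is a constructed choice)."""
    runs = strip_background(runs)
    if len(sig) != len(runs):
        return False
    scale = None
    for (tn, tc), (sn, sc) in zip(sig, runs):
        if tc == "?":
            if sc != BACKGROUND:
                return False
            continue
        if sc != tc:
            return False
        if scale is None:
            scale = sn / tn
        elif abs(sn - tn * scale) > tolerance:
            return False
    return True

def scan(signatures, suspect_rows, min_fraction=0.8):
    """Phase 2: RLE every suspect row and count trained signatures hit by at
    least one row; detect when that fraction reaches min_fraction (constructed)."""
    hit = set()
    for r in suspect_rows:
        runs = rle(r)
        for i, sig in enumerate(signatures):
            if i not in hit and row_matches(sig, runs):
                hit.add(i)
    return len(hit) / len(signatures) >= min_fraction, len(hit)

# Constructed 5-row training logo with three distinct row patterns.
LOGO = ["RRRRWWBBBB", "RRRRWWBBBB", "WWRRRRRRWW", "WWRRRRRRWW", "BBWWRRWWBB"]

# Constructed suspect: the logo scaled x2, embedded in a wider background,
# with one salted row (lower-case pixels).
SUSPECT = [
    "W" * 24,
    "WWWRRRRRRRRWWWWBBBBBBBBWW",
    "WWWrRRRRRRRWWWWBBBBbBBBWW",
    "WWWWWRRRRRRRRRRRRWWWWWWWW",
    "WWWBBBBWWWRRRRWWWBBBBWWWW",
    "W" * 24,
]

# Constructed negative: a solid red run hits one signature, not enough to fire.
NOT_LOGO = ["RRRRRRWWBBWWRR", "WWRRRRRRRRRRWW"]

if __name__ == "__main__":
    sigs = train(LOGO)
    print("suspect:", scan(sigs, SUSPECT))
    print("not logo:", scan(sigs, NOT_LOGO))
```

The threshold is what keeps a single coincidental run (the solid red row in the negative sample) from producing a detection on its own; in a real deployment the definition file would carry many more rows per logo, and the fraction of matched rows, not any one row, decides.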
34
Test Logos
  • Logos of the most phished institutions were used
    for testing
  • Logos were obtained from company home pages
  • Each logo was scaled to factors ranging from 10%
    to 200% to test scanner effectiveness
  • Also tested with salted images
  • Selected both Positive and Negative samples

35
Cumulative Results (ROC)
  • By combining our logo detection algorithms with
    Bayesian networks, we can substantially improve
    our detection and false positive rates
  • We are currently working with product teams to
    improve and transfer this technology

36
Network Connection Manager
  • Network loss/misconfiguration is quite common,
    impacting backup efficiency
  • A major percentage of NetBackup support calls are
    network related
  • NCM identifies and diagnoses such conditions,
    enabling peak performance
  • Concept is based on analyzing patterns of packet
    timing (sonar for the network)
  • Can detect bad cabling, duplex mismatches, and
    congestion while jobs are running
  • Negligible impact on the network (not a
    saturation test)
  • Benefits
    • Enables users to quickly determine the root cause
      of backup problems
    • Helps improve backup performance
    • Reduces support calls
  • Now shipping as part of our NetBackup product

37
Disaster Recovery
  • Today, disaster recovery is a manual process
    where IT employees literally use printed DR
    play-books
  • The goal of this project was to provide a
    user-friendly framework for complete Disaster
    Operations Management.
  • Features include
    • Automated DR workflow system that guides IT
      administrators through the recovery process
    • Solution is customizable since each organization
      has its own DR policies
    • Focused on simplifying failover to shared standby
      systems
    • Platform is capable of integrating with a variety
      of Symantec and 3rd-party products.
  • This project is now in-transfer to the clustering
    team

38
Today's Demos
  • Symantec Database Audit and Security (SDAS)
    • Audit and secure critical databases from hacking
      and insider attacks
  • Software Fault Tolerance (SFT)
    • Real-time, to-the-dot application failover and
      recovery
  • StarFS
    • Distributed modular storage system, using
      inexpensive off-the-shelf components
  • Symantec Threat Simulator
    • Highly customizable simulation program shows how
      today's ultra-fast computer worms spread across
      the Internet

39
Investing in Symantec's Future
40
Thank You!