Hariri-incubated Project Leads to Virus Detection Patent

“Virus writers and virus software creators are in a continually escalating arms race, and the bad guys are winning.” This is how Mark Reynolds, research scientist and former Hariri Institute Fellow, describes the environment that security experts encounter while trying to protect our computers and data.

Mark Reynolds, former Hariri Fellow and Research Scientist

The reason? It’s incredibly easy to take an existing virus that someone else has written and change it just enough to bypass existing anti-virus software. In short, a small amount of work translates into tremendous benefit for bad actors. This is because existing commercial software programs, such as McAfee™ and Norton™, function by creating a database of known “bad” patterns, which is updated daily, sometimes even more than once a day. This software then scans for malware and rejects anything that matches its library of “bad” patterns. The problem with this approach is that these software products only detect known viruses; they have no ability to identify undiscovered “zero-day” viruses.

Reynolds and fellow BU researchers Assaf Kfoury, professor of computer science, and Azer Bestavros, professor of computer science and founding director of the University’s Hariri Institute for Computing, have taken a different approach in their work to design virus detection software. Instead of scanning against known “bad” patterns, they have created a set of rules that “good” software always follows. Their product then scans to see whether any of the rules that make for “good” software have been violated. The result has been a success. In tests over a two-year period, Reynolds’ product has been able to find numerous zero-day viruses days, months, even years earlier than they were detected by standard software. The team has found that the rules that make for “good” software rarely change, so they don’t have to rely on the same pattern matching and machine learning techniques that current commercial products use. Reynolds’ results have been so remarkable that the technology was granted a patent in November 2016.
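To make the contrast concrete, here is an added illustration (not code from Reynolds’ tool or from the patent) of why a pattern database misses a slightly altered sample while an invariant check does not. The toy executable image format, the byte signature and the three “good software” rules are constructed assumptions for this example, not the patented rule set.

```python
"""Signature scanning versus rule-violation checking on a toy executable format.
The format, the signature and the rules are constructed for illustration only."""
from dataclasses import dataclass

@dataclass
class Section:
    name: str
    offset: int   # start of the section within the image
    size: int
    flags: str    # any of "r", "w", "x"

@dataclass
class Image:
    entry: int          # entry point offset
    sections: list
    data: bytes         # raw image bytes

# Constructed "known bad" byte pattern, standing in for a signature database entry.
KNOWN_BAD = [b"\xcc\xfe\xed\xfa\xce\x90\x90"]

def signature_scan(img: Image) -> bool:
    """Flag the image only if a known pattern appears verbatim."""
    return any(sig in img.data for sig in KNOWN_BAD)

def rule_violations(img: Image) -> list:
    """List every assumed invariant of well-formed programs that this image breaks."""
    problems = []
    for s in img.sections:
        if s.offset + s.size > len(img.data):
            problems.append(f"{s.name}: extends past end of image")
        if "w" in s.flags and "x" in s.flags:
            problems.append(f"{s.name}: writable and executable")
    if not any(s.offset <= img.entry < s.offset + s.size and "x" in s.flags
               for s in img.sections):
        problems.append("entry point outside any executable section")
    return problems

def build_samples():
    """Constructed samples: a benign image, a known sample, and a one-byte variant."""
    code = b"\x55\x48\x89\xe5\x5d\xc3"
    benign = Image(0, [Section(".text", 0, len(code), "rx"),
                       Section(".data", len(code), 4, "rw")], code + b"\x00" * 4)
    bad = KNOWN_BAD[0] + b"\x00"
    known = Image(0, [Section(".pack", 0, len(bad), "rwx")], bad)
    # Same layout with the last pattern byte changed: the signature misses it,
    # but the writable-and-executable rule still fires.
    variant = Image(0, [Section(".pack", 0, len(bad), "rwx")], bad[:-2] + b"\x91\x00")
    return benign, known, variant
```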

In addition to its track record with zero-day viruses, this new technology is more user-friendly as well. Most computer users are accustomed to the weekly, sometimes daily, anti-virus software updates. This is because those packages are constantly pulling in new patterns to analyze and potentially include in scanning. Similarly, when users finally relent and perform a full virus scan on their machines, their computer is unusable for hours at a time. An added benefit of Reynolds’ technology is that it doesn’t scan on the user’s computer, or the “endpoint” location. It does all its scanning on the cloud, so there is no noticeable effect on the machine.

The roots of this research lie in Reynolds’ doctoral thesis at BU and his postdoctoral fellowship at the Hariri Institute for Computing. Reynolds completed a master’s degree in mathematics at MIT and then spent many years in industry before coming to BU to complete a PhD in computer science. At BU, he met Assaf Kfoury, who was teaching a section of “Formal Methods for High-Assurance Computing System Design and Analysis.” The course focuses on using foundational principles for validation and certification, as opposed to relying on trial and error. Reynolds’ thesis grew out of this philosophy of working on problem definition and applying a principled approach to programming languages.

After completing his thesis, Reynolds was appointed a Hariri Institute Postdoctoral Fellow and received additional funding through the Ignition Award Program, which funds early-stage projects with clear commercial potential. Reynolds was then able to leverage his seed funding from BU Research and the Hariri Institute for Computing to secure additional support from Draper Laboratory, which funded his work for two additional years and allowed him to continue work on the virus detection tool.

While the recently acquired patent reflects nearly three years of work, Reynolds has continued to develop the product. The number of things the tool can analyze continues to grow, and the team plans to work on follow-on patents that extend the tool’s ability to handle software written in multiple languages; run on a variety of machine types, including embedded devices; provide security for the IoT; and scan enterprise software. Additionally, Reynolds has been exploring other areas that may have use for the technology, such as medical device security.

For inquiries about Mark Reynolds’ research, please contact him via email at markreyn@bu.edu.

For more information about Hariri Institute for Computing research projects and opportunities, please contact Azer Bestavros, Founding Director, at best@bu.edu; for administrative inquiries about the Institute, please contact hicadmin@bu.edu.