Invincea Browser Protection: Using the power of virtualization to combat malware

Invincea is a small Virginia company that may have found a solution that protects computers from web-borne threats, and it's transparent to the user. That's a win-win situation.

Invincea's research team is led by founder Dr. Anup Ghosh, a highly-respected Internet security analyst. Their goal is to stop web browsers from being malware conduits -- something we really need.

Browser Protection is their answer. It protects the host computer by isolating the web browser. If I understand correctly, the web browser uses a different operating system. That, along with additional innovations by the Invincea development team, allows Browser Protection to deliver:

  • Effective protection: When Browser Protection detects a malware threat, the user is informed and the virtual environment is shut down. A new virtual environment is started within seconds, removing the threat and minimizing user interruption.
  • Signature-free detection: Malware-definition signatures are not required. Neither is user input. Browser Protection spots malware based on unusual behavior in the virtual environment.
  • No impact on users: The virtual web browser looks identical to the standard package.
  • Forensic database: The data collected during a malware attack is sent to Invincea data servers where it is analyzed and used to enhance the collective intelligence of Browser Protection clients.

I tend to gravitate to outside-the-box thinking and, on the surface, Browser Protection has a lot of that going on. It's also why I have many questions. Is the browser in an intelligent sandbox? How are they able to sense malware without using signature files?

Fortunately, the people at Invincea were more than willing to answer every one of my questions. Here is what they had to say:

TechRepublic: It appears that Invincea emanated from two prestigious institutions, DARPA and George Mason University Center for Secure Information Systems. Could you give a brief history of how Invincea came into being?

Invincea: Invincea, Inc. (formerly known as Secure Command, Inc.) was started in 2006 by Dr. Anup Ghosh after completing a 4-year Program Manager appointment at DARPA. At that time, Dr. Ghosh also took a faculty position within GMU's Center for Secure Information Systems. One of his research areas dealt with using virtualization technology to prevent untrusted content from gaining access to users' desktops.

To Dr. Ghosh's credit, DARPA funded an early prototype of this idea. After getting traction and interest from potential customers, Invincea raised venture capital to develop a commercial product based on the original prototype. In April 2010, Invincea launched its enterprise-grade product, Browser Protection.

TechRepublic: While watching the Invincea online demonstration I read the quote, "Browsers are the shortest route to money for cybercriminals today." Could you explain why that is?

Invincea: This is marketing speak for saying two things: First, web browsers are the primary infection vector for most malware today. Second, most malware writers and distributors spread adware, spam bots, tracking malware, and banking crimeware for purely financial reasons.

Users get infected by these agents when they go online with their browsers. One approach is to use web sites containing drive-by download exploits that specifically target web-browser vulnerabilities. More often, software will auto-download when visiting a site, and the user will mistakenly give it permission to install and run.

Depending on its design, the installed malware can do many things: relay spam, present advertising, track users' online behavior, capture online credentials, and even schedule financial transactions. So if you are in the business of stealing money, you have the scalability of the Internet rather than targeting a victim in a parking lot, and an extremely low likelihood of getting caught. In other words, this is an ideal situation for criminal enterprise.

TechRepublic: A virtual web browser is an interesting concept. Could you please explain what that means?

Invincea: Web browsers are very complex pieces of software (over 1 million lines of source code) with open interfaces for ever-expanding application extensions (via third party software components such as plug-ins). Additionally, web browsers operate in a dynamic and interactive mode, constantly delivering new content.

From a security perspective, it is difficult to lock down web browsers against attacks from malicious online content without limiting user access and functionality. The idea behind virtualizing the browser is to run the browser with all of its add-ons in a locked-down virtual environment.

This way, when the web browser gets exploited by a drive-by download attack, or the user gets tricked into installing malicious software, the only thing corrupted is a disposable virtual appliance.

TechRepublic: How is Invincea's virtual web browser different from locating the web browser in a sandboxed environment, for instance isolating Firefox with Sandboxie?

Invincea: There are two differences between Invincea and normal sandboxing technology. First, Invincea uses true hardware virtualization to run the web browser non-natively in a virtual appliance.

In sandboxing solutions, the web browser runs natively in the operating system. A monitor attempts to determine if the web browser is making a valid file-system call (for example to a system file or registry key). At that point, the sandbox either allows a file-system write to happen, re-directs the file-system call to a "virtual" registry, or asks the user what action to take. It's often the latter. While a sandbox is incrementally better than no sandbox, it will not protect against many types of attacks and it requires users to make security decisions.

A second key Invincea differentiator is that we are able to automatically detect malicious actions and behaviors without prior knowledge of the malware. With malware strains growing exponentially, it is critical to identify the presence of malware and take actions to move the computer back to a pristine state while protecting the user's applications, documents, and data.

TechRepublic: I read in the application's white paper that Invincea Browser Protection "detects malware without requiring signatures." Is that accomplished by using heuristics or behavioral-pattern recognition? Better yet, could you explain how the detection process works?

Invincea: Indeed, Invincea detects malware focused on web browsers by utilizing proprietary sensors. A unique aspect of our approach is that the virtual-browser appliance always starts in a pristine state, after which we monitor for changes from that pristine condition.

We are performing real-time behavioral analysis of the events in the operating system and can tell from these observations when our environment has been corrupted. This allows us to detect attacks, even zero-day malware, without signature libraries. Once it's determined that the virtual environment is corrupted, we restore it back to a pristine state, offering maximum protection to end users while they are browsing the Internet.
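The detection model described in the answer above (start every session from a known-good image, watch for departures from it, and discard the environment when one appears) can be illustrated without any malware signature. The following Python is an added example written for this article, not Invincea's code and not a description of its sensors: it models the "appliance" as a temporary directory, uses a constructed allowlist of paths that ordinary browsing is expected to touch (`cache/`, `cookies/`), and stages constructed hostile writes to show what a pristine-state diff surfaces and what a restore does with it.

```python
"""Pristine-baseline drift detection over a throwaway working directory.

Constructed illustration: snapshot a known-good state, let an untrusted
session run, flag anything that departs from the snapshot, then rebuild
from the golden copy. No signatures are consulted at any point.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumption for the example: paths normal browsing is allowed to change.
# A real product would derive this from observed benign sessions.
BENIGN_PREFIXES = ("cache/", "cookies/")


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff(pristine: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift from the pristine snapshot as added, modified or deleted."""
    return {
        "added": sorted(set(current) - set(pristine)),
        "modified": sorted(p for p in pristine if p in current and pristine[p] != current[p]),
        "deleted": sorted(set(pristine) - set(current)),
    }


def non_benign(changes: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Drop changes under allowlisted prefixes; whatever remains is evidence."""
    evidence = []
    for kind, paths in changes.items():
        for p in paths:
            if not p.startswith(BENIGN_PREFIXES):
                evidence.append((kind, p))
    return evidence


def restore(work: Path, golden: Path) -> None:
    """Throw the corrupted environment away and rebuild it from the golden copy."""
    shutil.rmtree(work)
    shutil.copytree(golden, work)


def demo() -> dict:
    """Run one constructed session and report the evidence and post-restore state."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        (golden / "cache").mkdir(parents=True)
        (golden / "bin").mkdir()
        (golden / "bin" / "browser.exe").write_bytes(b"MZ pristine browser image")  # constructed
        (golden / "config.ini").write_text("homepage=about:blank\n")

        work = Path(tmp) / "work"
        shutil.copytree(golden, work)
        pristine = snapshot(work)

        # Constructed session: one benign cache write and two hostile actions.
        (work / "cache" / "page.html").write_text("<html>ok</html>")
        (work / "bin" / "browser.exe").write_bytes(b"MZ patched by dropper")
        (work / "startup.vbs").write_text("' constructed persistence script")

        evidence = non_benign(diff(pristine, snapshot(work)))
        if evidence:
            restore(work, golden)
        return {
            "evidence": evidence,
            "clean_after_restore": snapshot(work) == pristine,
        }


if __name__ == "__main__":
    print(demo())
```

The benign cache write never reaches the evidence list, while the patched executable and the new script do; the restore then brings the working copy back to byte-for-byte equality with the pristine snapshot. What the diff cannot do is decide on its own whether an unlisted change is hostile, which is why the allowlist (or, in a real product, a model of benign behavior) carries the detection weight.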

TechRepublic: Uploading malware analysis to your servers sounds similar to Panda's Cloud Antivirus. Does the uploaded information get pushed out to subscribers? That also seems similar in that the more subscribers, the more accurate and up-to-date the database is. Is that correct?

Invincea: To protect users, cloud-based anti-virus solutions rely on Internet-based shared lists of "known bad" files, sites, or heuristics. Identification of new malware comes from vendor research or end-user actions. Both are random, nondeterministic, and require human interaction. Our approach is different. We collect forensic data on all non-benign changes to the system and send it to a threat-analyst database for our enterprise customers, who use this information to better understand their adversary and to harden security devices they have in their network (firewalls, web gateways, etc.). For instance, we collect information about:
  • Malware source locations
  • How it attacked a specific user
  • What actions the malware undertook
  • Location of Internet command and control servers

By design, Invincea inherently detects malware without signatures and therefore we do not need to push this information out to our customers to protect them. In other words, Invincea enables IT departments to utilize our malware data to proactively secure other parts of the enterprise.

TechRepublic: I understand that your product only works with Internet Explorer currently. Is there a timeline for releasing versions for the other major browsers?

Invincea: Today we support Internet Explorer v6, v7 and v8. Invincea will offer Firefox support soon and plans to expand that list as customer demand dictates.

TechRepublic: I also understand that Browser Protection is not being released to the general public yet. When do you think it will become available?

Invincea: The consumer market opens up a potential great opportunity for Invincea to expand dramatically. Right now, we're evaluating our market-entry strategy, but have not finalized our timing as to when we'll proceed.

Final thoughts

There are two aspects of Browser Protection that I find enticing. Users are not overly impacted, and malware detection does not require after-the-fact signature files. Add to that the automatic rebuilding of infected web-browser environments, and it sounds like we are getting somewhere.

I would like to thank Dr. Anup Ghosh, Founder and Chief Scientist and Jim Geary, President and CEO of Invincea for their help in answering my questions.