Security loopholes call for change in methods

by Abhinna Shreshtha    Apr 30, 2010

When McAfee made its blooper last week, it exposed an inherent loophole in today's malware defense systems, namely their reliance on signature-based defenses. This method waits for a malware strain to be observed in the wild before its signature is identified and a 'vaccine' is released.

Though it has worked well till now, the enormous number of new strains being observed is forcing security vendors to rethink their strategy. "Knowing that Symantec produces up to 20,000 new malicious code signatures each day, and that other security vendors face similar circumstances, it becomes easier to understand, while not making it any more acceptable, a situation like McAfee faced last week," said security firm Symantec in a press statement.

According to Symantec’s Internet Security Threat Report XV, the company created 2,895,802 new malicious code signatures last year alone, representing a 71% increase over 2008. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100% increase over 2008. Says Shantanu Ghosh, VP (India operations center) for Symantec, who heads their R&D in India, "Last year, we released more virus signatures than the past 15 years combined."

This means that no matter how quickly security firms identify new strains and come out with updates, they will always remain behind malware writers.

Symantec seems to have found a way to overcome this shortcoming with an approach called reputation-based security. The company has been working on the project for the past three years and in fact released its first protection suite using the methodology this year with Norton Internet Security 2010 and Norton Antivirus 2010, its consumer solutions. An enterprise-level solution is also expected to be out soon, though Ghosh would not divulge an exact date.

It works something like the way Google ranks pages: by taking into account the number of pages that link back to a particular page as well as the 'clout' or popularity of those pages. The reputation engine classifies files downloaded, installed, or run on a computer as good or bad and assigns a confidence rating to each. This is done using a pre-defined series of attributes which the reputation engine uses for its classification. Explained Ghosh, "We use attributes like: how it (the file) arrived on the machine, the publisher name, and the program's name and path, to assign probabilities to files. An advantage of this method is that you can never have false positives as in the case with McAfee."

Once a file has generated enough negative votes or clout, the anti-virus system on the computer automatically blocks the user from running the file and deletes it. This process is automated, though a user can modify the settings. Another advantage is that it removes the need to scan each and every file on the computer. Symantec is depending on a vast network of user volunteers to provide the necessary data. According to the company, each day its back-end servers import gigabytes of reputation telemetry data from tens of millions of customers and use this data to compute file reputations.
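To make the mechanics described above concrete, here is an added toy model of a crowd-sourced reputation verdict; it is not Symantec's engine, and the reporter clout values, arrival priors, the one-vote-per-reporter rule and the thresholds are all assumptions chosen for illustration. It shows why weighting votes by the reporter's clout matters: a single low-clout reporter cannot push a file to "block" on its own.

```python
from dataclasses import dataclass, field

# Constructed illustration of a crowd-sourced file reputation engine.
# Every number and attribute weight below is an assumption, not a vendor's
# actual tuning.

# Reporter "clout": assumed to reflect how often a reporter's past verdicts
# matched the eventual consensus (a PageRank-like trust in the source).
REPORTER_CLOUT = {"alice": 1.0, "bob": 0.8, "mallory": 0.1}

# Assumed prior probability that a file is bad, given how it arrived.
ARRIVAL_PRIOR = {"vendor-site": 0.2, "email-attachment": 0.6, "p2p": 0.7}

@dataclass
class FileObservation:
    file_id: str                # constructed label standing in for a file hash
    publisher_signed: bool
    arrival: str
    # One vote per reporter: re-submitting the same file overwrites that
    # reporter's earlier vote instead of stacking votes.
    reports: dict = field(default_factory=dict)   # reporter -> is_bad

def reputation(obs, clout=REPORTER_CLOUT, prior_weight=2.0):
    """Return (p_bad, evidence): p_bad blends the attribute prior with
    clout-weighted votes; evidence is the total clout that has voted."""
    prior = ARRIVAL_PRIOR.get(obs.arrival, 0.5)
    if obs.publisher_signed:
        prior *= 0.5            # a signed publisher halves the prior
    bad = sum(clout.get(r, 0.0) for r, is_bad in obs.reports.items() if is_bad)
    evidence = sum(clout.get(r, 0.0) for r in obs.reports)
    p_bad = (prior_weight * prior + bad) / (prior_weight + evidence)
    return p_bad, evidence

def verdict(obs, block_at=0.8, min_evidence=1.0):
    """'unknown' until enough clout has voted; then block or allow."""
    p_bad, evidence = reputation(obs)
    if evidence < min_evidence:
        return "unknown"
    return "block" if p_bad >= block_at else "allow"

# Constructed sample telemetry.
GOOD = FileObservation("FILE-A", True, "vendor-site", {"alice": False, "bob": False})
BAD = FileObservation("FILE-B", False, "p2p", {"alice": True, "bob": True})
SPAM = FileObservation("FILE-C", False, "p2p", {"mallory": True})  # low-clout reporter alone

if __name__ == "__main__":
    for f in (GOOD, BAD, SPAM):
        print(f.file_id, verdict(f), round(reputation(f)[0], 3))
```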

Though some other antivirus firms are also using the community feedback approach, Symantec sees it as the future. The company is being very tight-lipped about the details of the reputation engine and how exactly it works, terming it a 'competitive advantage' over rivals. Ghosh did, however, say that in the week after Norton Antivirus 2010 was released, the company used it to identify nearly 50,000 new malware variants.

Is reputation-based security set to topple signature identification as the primary means of defense? Given the agility and resourcefulness of malware writers, Symantec will have its work cut out for it. Practical usage in the real world is yet to be observed by independent parties, and its dependence on volunteers from the user community will be termed unreliable by some. Still, using crowd wisdom has worked in other scenarios, and as of now it seems a pretty intriguing concept.