Cloud computing, social network to help software security
are so many threats today that an analyst cannot analyze them all, so we are using data-mining techniques to find the needles in the haystack,” Friedrichs says. “We consider our user base to be a very large sensor network.”
Current antivirus software has trouble detecting the latest threats. Last week, antivirus firm Panda Security released a report showing that 52 percent of malicious software is not seen for more than 24 hours, because the cybercriminals who are responsible for spreading the software compress and rearrange the binary code in a different way every day, a technique known as packing. The ability to rearrange code has put traditional antivirus companies at a disadvantage. In a research paper published last year, computer scientists at the University of Michigan found that even the best antivirus programs could only detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.
“There is no easy solution to the problem, unfortunately,” says Jon Oberheide, a Ph.D. student at the University of Michigan and the lead author of the paper. “The battle is quite asymmetric, with the scales being tipped heavily in the attacker’s favor. We need to focus our efforts and resources on approaches that will significantly reduce this asymmetry, instead of continuing the endless game of reactive catch-up, which the vendors are obviously losing.”
To process and analyze viruses faster, several companies have moved to a cloud model, where — rather than putting an intelligent analysis engine on every user’s computer — the scanner is a “dumb” program that converts each new file into a list of attributes that are then sent to the software provider’s servers. Those servers analyze the file attributes and determine whether it is malicious.
Other antivirus firms have already started to rebuild their antivirus software incorporating the cloud-computing model. McAfee, Panda, and Prevx already provide some level of automated analysis as an online service for users.
Pedro Bustamante, senior research adviser with Panda Security, argues that community data can help antivirus firms prioritize their analysis efforts. Panda sees nearly 50,000 files a day, of which some 37,000 are samples of malicious code. “I have not seen a product yet that is using community as a factor in detection,” he says. “I think it could be a nice complement to detection technology but not a stand-alone solution.”
Immunet’s approach, however, puts the company at the very early stages of a cloud antivirus solution, Bustamante adds. “It takes a long time to develop these technologies in the cloud.”
Friedrichs underscores that Immunet’s service is not complete — it is still in development. The company is working on adding generic detections and heuristics for flagging large categories of threats, which should make them easier to identify. In addition, the company is currently considering ways of handling potentially harmful files when the user’s computer is not connected to the Internet.
