Rebuilding testing for the future

Igor Muttik and James Vignoles (McAfee)

This presentation discusses several aspects of testing the ability of security products to detect malware. The complexity of malware, and of the security solutions that counter it, is rising very quickly; we present arguments as to why we believe that comprehensive QA is no longer viable and why a switch to a more statistical approach is in order.

We look into the problem of compiling a representative 'next-generation' sample test set:

  • balancing test speed against the breadth and depth of testing
  • ranking threats, and removing or downgrading the rank of legacy threats (e.g. DOS and Word6 viruses)
  • removing short-lived and inactive threats (e.g. spammed downloaders whose hosting site has been shut down)
  • tracking the history and relationships of malware samples (a downloader of what? from where? is the URL still alive? a gaming password stealer for WoW or for Zhengtu?)
  • excluding most HTML samples (are encrypted URLs malicious code, or just obfuscated data?)
  • whether to downgrade or exclude downloaders in favour of what they download
  • ranking clean data and false alarms (just as with malware, clean programs are far from equal)
  • better separation of malware samples from spam (encrypted URLs can be tricky to classify)
  • fair representation of local threats (e.g. could there be too many Brazilian password stealers vs. oriental trojans related to gaming?)

We present a topological and percolation model of malware distribution and argue that the user profile should be part of the test.

We discuss potential solutions to QA problems:

  • running different tests for different user profiles
  • organizing collections in 'attack sample groups' rather than as individual samples
  • collecting telemetry data via 'testing/reporting' plug-ins for security products
  • using live telemetry to collect malware execution data (frequencies, geo-location information, etc.)
  • using telemetry to rank malware attacks
  • standardizing the format of telemetry data and sharing it within the industry
  • testing complete security products (e.g. AV bundled with anti-spam, rather than pure AV)
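The two lists above describe a statistical rather than exhaustive way of building a test set: rank samples by telemetry, drop legacy and inactive threats, group samples into attack families, and weight the selection by user profile. The following is an added illustration of that pipeline, not code from the presentation or from McAfee. The telemetry records, sample ids, regions, detection counts and the half-life/inactivity thresholds are all constructed for the example; a real implementation would draw them from a shared telemetry feed in whatever format the industry standardizes on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class TelemetryRecord:
    """One aggregated telemetry row for a sample (constructed schema, assumption)."""
    sample_id: str     # placeholder identifier, not a real hash
    family: str        # attack sample group the sample belongs to
    platform: str      # e.g. "Win32", "DOS", "Word6"
    region: str        # ISO-style region code where detections were reported
    detections: int    # detections reported in the telemetry window
    last_seen: date    # most recent detection


# Platforms the text treats as legacy and worth downgrading or removing.
LEGACY_PLATFORMS = {"DOS", "Word6"}

# Constructed telemetry, not real data.
AS_OF = date(2010, 9, 1)
TELEMETRY = [
    TelemetryRecord("sample-A", "PWS-Banker", "Win32", "BR", 900, AS_OF - timedelta(days=2)),
    TelemetryRecord("sample-B", "PWS-OnlineGames", "Win32", "CN", 700, AS_OF - timedelta(days=1)),
    # Downloader whose hosting site was shut down months ago: inactive.
    TelemetryRecord("sample-C", "Downloader-X", "Win32", "US", 400, AS_OF - timedelta(days=120)),
    # Boot-sector virus still occasionally reported: legacy platform.
    TelemetryRecord("sample-D", "Stoned", "DOS", "US", 3, AS_OF - timedelta(days=5)),
    TelemetryRecord("sample-E", "Zbot", "Win32", "US", 500, AS_OF - timedelta(days=10)),
    TelemetryRecord("sample-F", "PWS-Banker", "Win32", "BR", 300, AS_OF - timedelta(days=3)),
]


def score(rec, as_of, half_life_days=30):
    """Prevalence discounted by age: detections * 0.5 ** (age / half_life).

    Recent, widespread samples score highest; old sightings decay away.
    """
    age_days = (as_of - rec.last_seen).days
    return rec.detections * 0.5 ** (age_days / half_life_days)


def rank_samples(records, as_of, inactive_after_days=90):
    """Drop legacy-platform and inactive samples, rank the rest by decayed prevalence."""
    ranked = []
    for rec in records:
        if rec.platform in LEGACY_PLATFORMS:
            continue  # downgrade/remove legacy threats
        if (as_of - rec.last_seen).days > inactive_after_days:
            continue  # remove short-lived / inactive threats
        ranked.append((rec, score(rec, as_of)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def attack_groups(ranked):
    """Organize the ranked samples into attack sample groups keyed by family."""
    groups = defaultdict(list)
    for rec, _ in ranked:
        groups[rec.family].append(rec.sample_id)
    return dict(groups)


def build_test_set(ranked, profile, size):
    """Pick `size` samples stratified by a user profile's regional weights.

    `profile` maps region -> fraction of the test set; within each region the
    highest-ranked samples are taken first.
    """
    by_region = defaultdict(list)
    for rec, _ in ranked:
        by_region[rec.region].append(rec.sample_id)
    chosen = []
    for region, weight in profile.items():
        quota = round(size * weight)
        chosen.extend(by_region[region][:quota])
    return chosen


if __name__ == "__main__":
    ranked = rank_samples(TELEMETRY, AS_OF)
    for rec, s in ranked:
        print(f"{rec.sample_id:10} {rec.family:16} {rec.region}  score={s:7.1f}")
    print("groups:", attack_groups(ranked))
    # A Brazil-heavy home-user profile (constructed).
    print("test set:", build_test_set(ranked, {"BR": 0.5, "US": 0.25, "CN": 0.25}, 4))
```

Swapping the profile dictionary is all it takes to produce a different test set for a different user population, which is the point the text makes about running different tests for different user profiles; the same ranked list serves every profile.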

VB2010 will take place 29 September - 1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada.