Towards integrated malware defence

Morton Swimmer, John Jay College of Criminal Justice/CUNY

Technical stream: Wednesday 1 October 2008, 11:40 - 12:20.

For many reasons, our systems still contain vulnerabilities and are likely always to do so until the economics of system design and implementation change dramatically. Our best defence against the exploitation of these vulnerabilities is to use reactive technology such as anti-virus, anti-spyware, intrusion detection and prevention systems (IDS and IPS), firewalls, etc. They are reactive in that they mostly use a priori knowledge designed by a central authority to detect the attack. The time required to get the sample to the vendor, analyse it, and finally distribute a signature to the clients is still much longer than it potentially takes for the malware itself to spread. It would be an advantage to have a more systematic and immediate way of creating these signatures and then to deploy them to where they are needed most as quickly as possible. The cure must spread faster than the disease (as we used to say when working on the IBM Digital Immune System).

In this paper, we see how the convergence of various security technologies can help us achieve this goal. This is achieved by utilizing the strengths of various sensors and generating semantically relevant signals from these. The signals can only be used for alerting and automatic reaction when two or more can be combined (costimulation). However, combination is only possible if the signals are ontologically orthogonal to each other, giving us a meaningful combination of information instead of the currently more common correlation of ontologically parallel signals. While the former leads to a true confirmation, the latter may merely compound an already faulty diagnosis. From this framework, a useful architecture for dealing automatically with threats can evolve.
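The costimulation rule described in the abstract can be made concrete with a small decision function. The following is an added example written for this page, not code from the paper or from its author; the sensor names, the three ontological categories ("content", "behaviour", "provenance") and the sample signals are all constructed here to illustrate the rule. An alert is raised for a host only when signals from at least two orthogonal categories coincide within a time window; two signals from the same category (e.g. an anti-virus hit and an IDS payload match, which both look at the bytes) are merged and count as one, so they cannot confirm each other.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed for this example: a tiny ontology mapping each sensor to the
# kind of evidence it produces. Sensors in different categories are treated
# as ontologically orthogonal; sensors in the same category as parallel.
SENSOR_CATEGORY = {
    "av_signature": "content",     # byte pattern of a file or object
    "ids_exploit":  "content",     # byte pattern of a network payload
    "egress_spike": "behaviour",   # what the host is doing on the network
    "new_autorun":  "behaviour",   # persistence change on the host
    "honeypot_hit": "provenance",  # where the traffic originated
}


@dataclass(frozen=True)
class Signal:
    t: float      # seconds since an arbitrary epoch
    host: str
    sensor: str   # key of SENSOR_CATEGORY
    detail: str


def categories_in_window(signals, start, window):
    """Categories present among signals with start.t <= t <= start.t + window."""
    cats = set()
    for s in signals:
        if start.t <= s.t <= start.t + window:
            cats.add(SENSOR_CATEGORY[s.sensor])
    return cats


def costimulated(host_signals, window=300.0, min_orthogonal=2):
    """Return the sorted tuple of orthogonal categories that confirm each
    other within `window` seconds for one host, or None if there is none.
    Parallel signals (same category) collapse into one category, so several
    content signatures agreeing with each other do not confirm anything."""
    ordered = sorted(host_signals, key=lambda s: s.t)
    for start in ordered:
        cats = categories_in_window(ordered, start, window)
        if len(cats) >= min_orthogonal:
            return tuple(sorted(cats))
    return None


def evaluate(signals, window=300.0, min_orthogonal=2):
    """Group signals by host; return {host: confirming categories} for hosts
    where costimulation succeeded. Unconfirmed hosts are omitted."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)
    confirmed = {}
    for host, sigs in by_host.items():
        cats = costimulated(sigs, window, min_orthogonal)
        if cats is not None:
            confirmed[host] = cats
    return confirmed


# Constructed sample signals (not real telemetry).
SAMPLE = [
    Signal(0,    "host-a", "av_signature", "Trojan.Generic"),
    Signal(10,   "host-a", "ids_exploit",  "SMB payload match"),      # parallel to the AV hit
    Signal(0,    "host-b", "av_signature", "Trojan.Generic"),
    Signal(120,  "host-b", "egress_spike", "400 new outbound conns"), # orthogonal confirmation
    Signal(0,    "host-c", "new_autorun",  "HKCU Run key added"),
    Signal(50,   "host-c", "egress_spike", "400 new outbound conns"), # parallel (both behaviour)
    Signal(0,    "host-d", "honeypot_hit", "scan seen from host-d"),
    Signal(1000, "host-d", "egress_spike", "400 new outbound conns"), # orthogonal, outside window
]

if __name__ == "__main__":
    for host, cats in evaluate(SAMPLE).items():
        print(f"{host}: confirmed by {' + '.join(cats)}")
```

Running the sample confirms only host-b: host-a and host-c each have two signals, but from the same category, which is exactly the "ontologically parallel" correlation the abstract warns compounds a faulty diagnosis rather than confirming it; host-d has orthogonal evidence that falls outside the window. The window and the minimum number of orthogonal categories are the two parameters a deployment would tune against its own false-positive rate.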


Poll

Will the current banking crisis lead to an increase in phishing attacks?
Yes
No
I don't know

Leave a comment

Jobs Recruit Sidebar

Malware Prevalence

NetSky |#################|
Agent |##############|
Zbot |#########|
Bifrose/Pakes |########|
Mytob |#######|
 View this month's full report
Virus Bulletin currently has 137,839 registered users.