Using the wisdom of crowds to address the malware long tail
Carey Nachenberg, Symantec
Vijay Seshadri, Symantec
Zulfikar Ramzan, Symantec
The signature-based anti-virus approach that has served us for the past 20 years was never designed to handle the
unprecedented long-tail malware phenomenon we are observing today. Most of today's malware variants are morphed and
distributed 'on demand', each targeting just a handful of users; this means that many threats will never be discovered or
fingerprinted by security vendors.
While heuristic and behavioural technologies can help stem the problem, we argue that these technologies are still susceptible
to the classic attacks: obfuscation techniques such as packing, encryption, polymorphism and metamorphism. Furthermore,
these approaches take a myopic view of malware defence; namely, they base their entire evaluation on locally observable
attributes of the malware, in isolation from the rest of the world.
Three years ago, Symantec embarked on an ambitious plan to reinvent anti-virus; we have developed an entirely new,
reputation-based approach that accurately classifies files based on their distribution (or lack thereof) across our huge
user base. Such an approach is not only effective against popular malware, but can also identify even the most arcane
threats - even those affecting just a handful of users across the entire Internet. Our system has tens of millions of opt-in
users, and more are joining every day, giving Symantec the world's largest security sensor network.
Our approach is fully orthogonal to traditional anti-virus techniques and our research has shown that it can be used to
drastically improve protection over classic detection techniques. Moreover, it also enables the construction of highly
accurate whitelists that can be used for both lockdown and false positive mitigation. This talk will describe our
research and examine a possible light at the end of the tunnel for the malware problem.
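The abstract describes the idea only at a high level: a file's reputation is derived from how widely, and for how long, it has been observed across a large opt-in user base, which both flags the long tail (files seen by almost nobody, very recently) and yields whitelist candidates (files seen on many machines for a long time). The following is an added illustration of that prevalence-plus-age idea, not Symantec's algorithm or code; the thresholds, the `Report` record, and the telemetry are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    """One opt-in client reporting that it saw a file (constructed record, not a real telemetry schema)."""
    user_id: str
    sha256: str
    day: int  # day number on which this client first observed the file

# Illustrative thresholds; these are assumptions for the example, not vendor parameters.
WHITELIST_MIN_USERS = 1000     # seen on at least this many distinct machines ...
WHITELIST_MIN_AGE_DAYS = 30    # ... for at least this long -> whitelist candidate
LONGTAIL_MAX_USERS = 5         # seen on at most this many machines ...
LONGTAIL_MAX_AGE_DAYS = 7      # ... and only very recently -> long-tail suspect

def aggregate(reports):
    """Collapse raw reports into per-file (distinct users, first-seen day).

    Counting distinct users rather than raw reports matters: one infected host
    re-submitting the same hash many times must not manufacture prevalence.
    """
    users = defaultdict(set)
    first_seen = {}
    for r in reports:
        users[r.sha256].add(r.user_id)
        first_seen[r.sha256] = min(first_seen.get(r.sha256, r.day), r.day)
    return {h: (len(users[h]), first_seen[h]) for h in users}

def verdict(n_users, age_days):
    """Map prevalence and age to a reputation bucket."""
    if n_users >= WHITELIST_MIN_USERS and age_days >= WHITELIST_MIN_AGE_DAYS:
        return "trusted"       # widely distributed and stable: whitelist candidate
    if n_users <= LONGTAIL_MAX_USERS and age_days <= LONGTAIL_MAX_AGE_DAYS:
        return "suspicious"    # brand new and nearly unique: long-tail suspect
    return "unknown"           # neither; defer to other evidence

def classify(reports, today):
    """Return {sha256: verdict} for every file present in the telemetry."""
    return {h: verdict(n, today - first) for h, (n, first) in aggregate(reports).items()}

def sample_reports():
    """Constructed telemetry covering the three buckets; hashes are placeholders."""
    today = 1000
    reports = []
    # A widely installed file: 1500 distinct machines, first seen 90 days ago.
    for i in range(1500):
        reports.append(Report(f"user{i}", "a" * 64, today - 90 + (i % 90)))
    # A long-tail file: two victims, first seen two days ago; one victim re-reports 50 times.
    for _ in range(50):
        reports.append(Report("victim1", "b" * 64, today - 2))
    reports.append(Report("victim2", "b" * 64, today - 1))
    # A new file already spreading to 200 machines in three days: too new to trust,
    # too common to be long tail, so it falls through to "unknown".
    for i in range(200):
        reports.append(Report(f"u{i}", "c" * 64, today - 3))
    return reports, today

if __name__ == "__main__":
    reports, today = sample_reports()
    for h, v in classify(reports, today).items():
        print(h[:8], v)
```

The point of the example is that the verdict uses no locally observable attribute of the file at all: a packed, encrypted or metamorphic sample is classified by the same distribution signal as an unobfuscated one, which is what the abstract means by the approach being orthogonal to classic detection. The "unknown" bucket is deliberate; prevalence alone cannot separate a fast-spreading worm from a legitimate software release on its launch day, so such files need other evidence.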