Panel Introduction: Life After Antivirus – What Does the Future Hold? Martin Fréchette Sr. Principal Engineer Symantec Research Labs – Advanced Concepts

Upload: curtis-butler

Post on 16-Jan-2016


TRANSCRIPT

Page 1

Panel Introduction: Life After Antivirus – What Does the Future Hold?

Martin Fréchette

Sr. Principal Engineer

Symantec Research Labs – Advanced Concepts

Page 2

The Evolving Threat Landscape

• Attackers have shifted away – from mass distribution of a small number of threats – to micro distribution of millions of distinct threats

• How? Their servers generate a new malware strain every few minutes/hours

– Each victim potentially gets attacked by a different strain!

– Called “server-side polymorphism”

• How big is the problem?

– We now know of over 1.8M distinct malware strains

– We’re collecting 10,000s of new strains per day

• Further, our sensor data shows us that we’ve passed an inflection point…

– The amount of malware released now exceeds the amount of goodware!

– From Nov 7th to Nov 14th, roughly 54,600 new EXEs were downloaded by (participating) consumer users

– Of these, roughly 65% of all files were malicious!

[Chart: number of apps over time, good apps vs. malware.]

Page 3

Coping with the Malware Flood

• The current blacklist model is decreasingly effective at coping with millions of distinct threats

– Vendors are generating up to 20,000+ new fingerprints per day!

– Furthermore, many strains of older malware may also go permanently undetected!

• Why? Because if only 3 people in the world have a threat, there’s little chance a security vendor has discovered it and written a signature for it

– A few years ago, a single classic signature could protect 10,000s of users

– Today a single classic signature typically protects < 20 users

• The result is that the industry – is flooding its customers with 100s of thousands of signatures every month, – yet our efficacy was arguably better a decade ago with 1/100th the signatures!

Conclusion: The classic fingerprinting approach needs to be augmented/replaced.

Page 4

A New Approach

• Symantec’s top security architects believe a hybrid whitelisting and reputation-based antivirus approach will become the only effective means of securing enterprise & consumer endpoints

• In the long-run, these schemes will largely replace traditional blacklist AV technologies

– Traditional fingerprinting AV will become a part of the supporting cast

Page 5

The New Approach to Antivirus

Software applications have a “long-tail” distribution.

[Chart: prevalence (y-axis, from 1 user to 100M users) against popularity rank (x-axis, from the most popular file to the least popular file).]

e.g., the 10th most popular app is used by 1M users

e.g., the 4,999,125th most popular app is used by 2 users
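The long-tail reasoning on this slide, and the page 3 argument that a single classic signature now protects only a handful of users, can be made concrete by simulation. The following is an added example, not code from the slides or from Symantec: it builds a Zipf-shaped file population (an assumed shape; the 1M files, 100M-user head and exponent are illustrative numbers, not Symantec figures), then measures how many users one signature protects at the head versus the tail of the curve, and what share of all installs a whitelist of the top-k files covers.

```python
"""Long-tail file populations: signature reach vs. whitelist coverage.

Added example, not from the slides.  It constructs a Zipf-shaped population
(prevalence falls as 1/rank**exponent) and measures two things the slides
argue qualitatively.  Population size, head prevalence and exponent are
illustrative assumptions, not Symantec figures.
"""


def zipf_population(n_files: int, head_users: int, exponent: float = 1.0):
    """Users per file, ordered from most to least popular (rank 1 first).

    Every file keeps at least one user, so the tail never drops to zero.
    """
    return [max(1, int(head_users / (rank ** exponent)))
            for rank in range(1, n_files + 1)]


def users_per_signature(prevalence, signed_ranks):
    """Average users protected by one signature written for the given ranks."""
    covered = [prevalence[r - 1] for r in signed_ranks]
    return sum(covered) / len(covered)


def whitelist_coverage(prevalence, top_k: int) -> float:
    """Share of all installs accounted for by the top_k most popular files."""
    return sum(prevalence[:top_k]) / sum(prevalence)


def demo():
    """Run the comparison on the constructed population; returns a dict."""
    prev = zipf_population(n_files=1_000_000, head_users=100_000_000)
    head = range(1, 11)                   # mass-distributed files: ranks 1-10
    tail = range(999_990, 1_000_001)      # micro-distributed files at the end
    return {
        # one signature for a head file protects tens of millions of users
        "users_per_sig_head": users_per_signature(prev, head),
        # one signature for a tail file protects only a few users
        "users_per_sig_tail": users_per_signature(prev, tail),
        # a tiny whitelist already covers a large share of installs ...
        "coverage_top_10": whitelist_coverage(prev, 10),
        "coverage_top_1000": whitelist_coverage(prev, 1000),
        # ... while half the distinct files each have fewer than 200 users
        "files_under_200_users": sum(1 for p in prev if p < 200),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value:,.3f}")
```

The numbers change with the exponent (a steeper curve pushes the tail below the slide's "< 20 users" figure sooner), but the shape of the result does not: signatures pay off at the head, whitelists cover the head cheaply, and the distinct-file count is dominated by the tail that neither reaches.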

Legitimate apps span the spectrum, with the most popular apps occupying the head of the curve.

On the other hand, most malicious software occupies the long tail…

Traditional blacklisting works best for mass-distributed malware where a single sig covers thousands of users.

However, the advent of personalized malware has made it difficult for AV vendors to discover and protect against the majority of today’s threats.

Symantec proposes using a whitelist to identify the most popular legitimate applications. Over time we can expand the whitelist to cover lower-prevalence software as well.

So how can whitelisting and reputation-based detection help?

But how about the long tail of good and malicious apps? We propose using a novel reputation system (like systems used by amazon.com) to automatically derive the reputation of long-tail apps based on the wisdom of our 100M strong crowd of users.

[Chart legend: x = Traditional Blacklisting, w = Whitelisting, r = Reputation system; the markers are plotted along the long-tail curve.]

The Idea: Rather than just blocking software found on the blacklist, we will shift to a hybrid model employing whitelisting, reputation, and blacklisting.
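The hybrid model just described can be sketched as a decision pipeline. The following is an added example, not Symantec's code or product logic: it applies classic signatures (a blacklist), then a curated whitelist, and only then a crowd-derived reputation score to files seen in a constructed telemetry sample. The reputation score combines three signals the slide alludes to (how many users have the file, how long it has been seen, and whether the reporting endpoints have a clean history); the hashes, user ids, signal weights and thresholds are assumptions made for illustration.

```python
"""Hybrid whitelist / reputation / blacklist file triage.

Added example, not Symantec's code.  It models the slide's idea on
constructed telemetry: every hash, user id, weight and threshold below is
made up for illustration.
"""
from collections import defaultdict
from enum import Enum
import hashlib
import math


class Verdict(Enum):
    ALLOW = "allow"      # known good, or strong crowd reputation
    BLOCK = "block"      # known bad, or reputation too weak to trust
    UNKNOWN = "unknown"  # long-tail file with too little evidence yet


def fake_hash(label: str) -> str:
    """Stand-in for a real file hash, derived from a label for readability."""
    return hashlib.sha256(label.encode()).hexdigest()[:16]


# Constructed telemetry: one (user_id, file_hash, days_since_first_seen) row
# per endpoint reporting the file.  Popular goodware has hundreds of users,
# long-tail files one or two, mirroring the slide's prevalence curve.
TELEMETRY = [(f"u{i}", fake_hash("browser.exe"), 400) for i in range(500)]
TELEMETRY += [(f"u{i}", fake_hash("niche-tool.exe"), 90) for i in range(40)]
TELEMETRY += [
    ("u3", fake_hash("custom-dropper.exe"), 1),   # micro-distributed strain
    ("u7", fake_hash("custom-dropper.exe"), 1),
    ("u9", fake_hash("fresh-unknown.exe"), 2),    # brand-new, one user
    ("u1", fake_hash("known-worm.exe"), 300),     # covered by a classic sig
]
WHITELIST = {fake_hash("browser.exe")}     # curated popular goodware
BLACKLIST = {fake_hash("known-worm.exe")}  # classic fingerprint signatures
INFECTED_USERS = {"u3", "u7"}              # endpoints with recent infections


def build_index(telemetry):
    """Aggregate telemetry into per-file reporters and age (the crowd data)."""
    reporters, ages = defaultdict(set), {}
    for user, h, age in telemetry:
        reporters[h].add(user)
        ages[h] = max(age, ages.get(h, 0))
    return reporters, ages


def reputation(h, reporters, ages, infected_users):
    """Crowd-derived reputation in [0, 1] for a file on neither list.

    Three signals; the weights are illustrative:
      prevalence - log-scaled distinct users (1 user -> 0, 1e8 users -> 1)
      age        - files seen for months are less likely fresh strains
      hygiene    - share of reporting endpoints with no infection history
    """
    users = reporters.get(h, set())
    if not users:
        return 0.0
    prevalence = min(1.0, math.log10(len(users)) / 8)
    age = min(1.0, ages[h] / 180)
    hygiene = sum(1 for u in users if u not in infected_users) / len(users)
    return 0.4 * prevalence + 0.3 * age + 0.3 * hygiene


def classify(h, reporters, ages, whitelist, blacklist, infected_users,
             allow_at=0.5, block_below=0.2):
    """Hybrid decision: signatures first, then whitelist, then reputation."""
    if h in blacklist:        # a confirmed signature hit beats everything
        return Verdict.BLOCK
    if h in whitelist:        # popular goodware: no reputation needed
        return Verdict.ALLOW
    score = reputation(h, reporters, ages, infected_users)
    if score >= allow_at:
        return Verdict.ALLOW
    if score < block_below:
        return Verdict.BLOCK
    return Verdict.UNKNOWN    # hold for sandboxing / analyst review


def triage(labels=("browser.exe", "niche-tool.exe", "custom-dropper.exe",
                   "fresh-unknown.exe", "known-worm.exe")):
    """Classify the constructed sample; returns {label: Verdict}."""
    reporters, ages = build_index(TELEMETRY)
    return {lbl: classify(fake_hash(lbl), reporters, ages, WHITELIST,
                          BLACKLIST, INFECTED_USERS) for lbl in labels}


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:20s} {verdict.value}")
```

The interesting cases are the three long-tail files: the niche tool with 40 users and a clean crowd earns enough reputation to run, the two-user dropper seen only on already-infected endpoints is blocked without any signature, and the brand-new single-user file lands in UNKNOWN, which is where a deployment would route it to sandboxing rather than guess.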

Page 6

[Diagram labels: Reputation, Whitelisting, Blacklisting.]

The New Approach to Antivirus

• Here’s another way of thinking about the problem:

[Diagram: prevalent malware, prevalent goodware, and the long tail.]