
Panel Introduction: Life After Antivirus – What Does the Future Hold?

Martin Fréchette

Sr. Principal Engineer

Symantec Research Labs – Advanced Concepts

The Evolving Threat Landscape

Attackers have shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats.

How? Their servers generate a new malware strain every few minutes/hours

Each victim potentially gets attacked by a different strain!

Called “server-side polymorphism”

How big is the problem?

We now know of over 1.8M distinct malware strains

We’re collecting 10,000s of new strains per day

Further, our sensor data shows us that we’ve passed an inflection point…

The amount of malware released now exceeds the amount of goodware!

From Nov 7th to Nov 14th, roughly 54,600 new EXEs were downloaded by (participating) consumer users

Of these, roughly 65% of all files were malicious!

[Chart: # of apps vs. time, malware and good apps]

Coping with the Malware Flood
  • The current blacklist model is decreasingly effective at coping with millions of distinct threats
    • Vendors are generating up to 20,000+ new fingerprints per day!
    • Furthermore, many strains of older malware may also go permanently undetected!
      • Why? Because if only 3 people in the world have a threat, there’s little chance a security vendor has discovered it and written a signature for it
    • A few years ago, a single classic signature could protect 10,000s of users
    • Today a single classic signature typically protects < 20 users
  • The result is that the industry
    • is flooding its customers with 100s of thousands of signatures every month,
    • yet our efficacy was arguably better a decade ago with 1/100th the signatures!

Conclusion: The classic fingerprinting approach needs to be augmented/replaced.

A New Approach
  • Symantec’s top security architects believe a hybrid whitelisting and reputation-based antivirus approach will become the only effective means of securing enterprise & consumer endpoints
  • In the long-run, these schemes will largely replace traditional blacklist AV technologies
    • Traditional fingerprinting AV will become a part of the supporting cast
The New Approach to Antivirus

[Chart: long-tail distribution of application prevalence; e.g., the 10th most popular app is used by 1M users, while the 4,999,125th most popular app is used by 2 users]

Software applications have a “long-tail” distribution.

Symantec proposes using a whitelist to identify the most popular legitimate applications. Over time we can expand the whitelist to cover lower-prevalence software as well.

However, the advent of personalized malware has made it difficult for AV vendors to discover and protect against the majority of today’s threats.

Legitimate apps span the spectrum, with the most popular apps occupying the head of the curve.

On the other hand, most malicious software occupies the long tail…

So how can whitelisting and reputation-based detection help?

We propose using a novel reputation system (like the systems used by amazon.com) to automatically derive the reputation of long-tail apps based on the wisdom of our 100M-strong crowd of users.

Traditional blacklisting works best for mass-distributed malware where a single sig covers thousands of users.

But how about the long tail of good and malicious apps?

[Chart legend: x Traditional Blacklisting, w Whitelisting, r Reputation system; horizontal axis: Prevalence, from the most popular file (100M users) to the least popular file (1 user)]

The Idea

Rather than just blocking software found on the blacklist, we will shift to a hybrid model employing whitelisting, reputation, and blacklisting.
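As an added example (not code from the slides or from Symantec), the hybrid verdict order the deck argues for, run over a Zipf-shaped application population to show why whitelisting the head still leaves most distinct files to reputation. The 1/rank law with a 10M-user head, the constructed hashes and the min_users threshold are assumptions; the head value was chosen because it reproduces the deck's two figures.

```python
"""Hybrid whitelist / blacklist / reputation verdicts over a long-tail app
population. Added example, not code from the slides or from Symantec.
Assumptions: a 1/rank (Zipf) prevalence law with a 10M-user head, which
reproduces the deck's figures (rank 10 -> 1M users, rank 4,999,125 -> 2
users), and a min_users threshold standing in for the crowd-derived
reputation score the deck describes but does not specify."""

HEAD_USERS = 10_000_000  # users of the most popular app (assumed)

def zipf_prevalence(rank: int, head_users: int = HEAD_USERS) -> int:
    """Users running the app at popularity `rank` under a 1/rank law."""
    return max(1, head_users // rank)

def whitelist_coverage(n_apps: int, top_k: int) -> tuple[float, float]:
    """Whitelist the top_k apps of an n_apps population and return
    (share of distinct files covered, share of installs covered)."""
    total = covered = 0
    for rank in range(1, n_apps + 1):
        users = zipf_prevalence(rank)
        total += users
        if rank <= top_k:
            covered += users
    return top_k / n_apps, covered / total

def verdict(file_hash: str, prevalence: int, whitelist: set, blacklist: set,
            min_users: int = 50) -> tuple[str, str]:
    """Hybrid decision: whitelist, then blacklist, then reputation.
    Reputation here is prevalence alone (assumption). A never-seen binary on
    a handful of machines is the server-side-polymorphic case a fingerprint
    cannot cover, so it is held rather than allowed."""
    if file_hash in whitelist:
        return "allow", "whitelist"
    if file_hash in blacklist:
        return "block", "blacklist"
    if prevalence >= min_users:
        return "allow", "reputation"
    return "quarantine", "low-reputation"

if __name__ == "__main__":
    # Constructed sample hashes, not real indicators.
    known_good = {"CONSTRUCTED_HASH_POPULAR_BROWSER"}
    known_bad = {"CONSTRUCTED_HASH_MASS_WORM"}
    for h, users in [("CONSTRUCTED_HASH_POPULAR_BROWSER", 1_000_000),
                     ("CONSTRUCTED_HASH_MASS_WORM", 20_000),
                     ("CONSTRUCTED_HASH_UNKNOWN_TAIL", 3)]:
        print(h, verdict(h, users, known_good, known_bad))
    files, installs = whitelist_coverage(5_000_000, 1_000)
    print(f"top 1,000 apps = {files:.3%} of files, {installs:.1%} of installs")
```

Under these assumptions the top 1,000 apps are 0.02% of the distinct files but roughly half of all installs, which is the shape that leaves millions of low-prevalence files for a reputation system rather than a fingerprint each.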

The New Approach to Antivirus
  • Here’s another way of thinking about the problem:

[Chart: regions labelled Whitelisting, Blacklisting and Reputation across prevalent goodware, prevalent malware, and the long tail]