Transcript BeyondAntiVirusx

Beyond Anti-Virus
by Dan Keller
1987- Fred Cohen- Computer Scientist
“there is no algorithm that can perfectly detect all possible
computer viruses”
What is Anti-Virus (AV) Software?
• Anti-virus software is used to prevent, detect, and remove malicious software
• Some examples of malicious software detected by modern AV:
•
•
•
•
•
•
•
•
•
•
BHO’s (Browser Helper Objects)
Browser hijackers
Ransomware
Keyloggers
Backdoors
Rootkits
Trojan Horses
Worms
Adware
Spyware
Statistics
AV-TEST- The Independent IT-Security Institute
1994 - 28,613 unique malware samples in their database
1999 - 98,428
2005 - 333,425
2007 - 5,490,960 new unique malware samples only for that year!
2015 – approx. 144,000,000 new malware variants
Lastline Labs Study (May ‘13- May ’14)
Hundreds of thousands of malware samples VS. 47 AV vendors
• Results…
• Day 0 – only 51% of AV scanners detected new malware samples
• 2 weeks – Detection rates bumped up to 61%
• 1 Year – 10% of AV scanners still did not detect some malware
• The 1- percentile of malware least likely to be detected was undetected by the majority
of AV scanners for months, and in some cases…never detected
___________________________________________________________
**Its estimated that AV only catches around 45% of cyber attacks (Semantec VP- Brian
Dye). He said antivirus “is dead” (May 2014).
Now that you’re depressed…where do we go from here?
• Anti-Virus methods of detection
• Signature-based detection: When identifying viruses and other malware, the antivirus
engine compares the contents of a file to its database of known malware signatures.
• Heuristic-based detection: This is generally used together with signature-based
detection. It detects malware based on characteristics typically used in known malware
code
• Behavioural-based detection: Instead of characteristics hardcoded in the malware
code itself, it is based on the behavioral fingerprint of the malware at run-time. This
technique is able to detect malware only after they have starting doing their malicious
actions.
…Cont’d
• Sandbox detection: It’s a behavioral-based detection technique and instead
of detecting the behavioral fingerprint at run time, it executes the programs
in a virtual environment, logging what actions the program performs.
Depending on the actions logged, the antivirus engine can determine if the
program is malicious. If not, the program is executed in the real
environment. This technique has shown to be very effective, but given its
heaviness and slowness, it is rarely used in end-user antivirus solutions.
…Cont’d
• Data mining techniques: The latest approach applied in malware detection.
Data mining and machine learning algorithms are used to try to classify the
behavior of a file as either malicious or benign, given a series of file features,
that are extracted from the file itself
Other approaches
• Unified Threat Management- Firewalls, gateway AV, content filtering, load
balancing, data leak prevention all rolled up into one system
• Push your info to the cloud and let them deal with it
• Go back to paper
• Go off grid and live in the mountains
Drawbacks
• Lots of False positives creating ‘the boy who cried wolf.’
• Also the false positives can end up deleting or paralyzing existing files that are clean
• Some more advances systems (Sandboxing) can slow down performance
• Tough to get out of contracts with existing vendors
Conclusion
• Anti-virus is not dead. Its just a standard from which we build upon.
• Anti-virus software is now being bundled up with other security software to
form a more comprehensive system. And it’s essentially getting outsourced
to other companies to help monitor your system is real-time.