Different types of virus detection?

Thread: Different types of virus detection?

  1. #1
    Senior Member
    Join Date
    Nov 2005
    Posts
    115

    Different types of virus detection?

    I have been thinking more and more that the industry is going about Malware detection the wrong way...

    Who wants to make sure they have the latest virus definitions and other security 'updates' to help keep the peace? It's ugly, and the programmer in me keeps thinking there has to be a better way, 'cos this model sucks...

    The end-user generally doesn't understand the nature of these definitions and will often forget to update. This would all be null if they just implemented some basic security measures in the first place (prevention, not cure)... but that's for a different discussion...

    I have heard on the wind about a different 'style' of malware-detection software. It can have zero-day malware detection because it's based on the nature of the 'software' rather than some predefined rule-set that needs to be updated. [like semantic, not syntactic]

    Can anyone shed some light on this?

  2. #2
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    Bleh, if this is for malware -- there's a forum (outside of A/V) for that. But anyways... It's always important on the type of software that is being used and I believe that the industry needs to focus on this as it grows to be an important issue. As for your first question though, I do. I like knowing that my software is up to date and that the definitions for the latest malware/viruses are complete.

    Daresay helps keep me happy and safe?
    Space For Rent.. =]

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    10

    Re: Different types of virus detection?

    I have heard on the wind about a different 'style' of malware-detection software. It can have zero-day malware detection because it's based on the nature of the 'software' rather than some predefined rule-set that needs to be updated. [like semantic, not syntactic]
    By this do you imply that this software uses some form of 'intelligent pattern recognition' to classify a program as malware, rather than just matching signatures? Now if some software has this functionality, then I believe it'll have a solid grounding in heuristic approaches or maybe some sort of sandbox testing....
    But do you think it'll be successful? AFAIK, malware doesn't conduct any "signature" activity that gives its true identity away, and this implies that heuristics are not an attractive alternative either. Sandbox testing may work out, but it could take ages to put every third-party add-on that you have in the "box" and check if it is malware or not.

    With the current picture, I don't think things will change for some time... maybe a year or so later, software will get 'smart' to nail 'smarter' malware
    /* darkcod3r */

  4. #4
    Senior Member
    Join Date
    Nov 2005
    Posts
    115

    Re: Re: Different types of virus detection?

    Originally posted here by darkcod3r
    By this do you imply that this software uses some form of 'intelligent pattern recognition' to classify a program as malware, rather than just matching signatures?
    I'm not sure... I'm sure there are ways of doing this and I wasn't sure whether methods already existed.

    afaik, heuristic analysis still needs rules... and virus creators would most definitely find these out and write around them!!

    Is there nothing else?

    I know a Linux distribution called "CHAOS" (which has very limited uses...) does hash checking on its kernel and other files every n seconds to ensure integrity (it would restart the OS and/or notify the user of the event if they didn't match). I'm not suggesting we can do this exactly in other OSes... but it's a more proactive approach than downloading definitions... Or would this just get written around as well?

  5. #5
    Junior Member
    Join Date
    Nov 2004
    Posts
    11

    Flu shot

    There's actually an article about giving computers some sort of a "flu shot" in the New Order website.

    The idea or the model is great but as always, the implementation suffers. I think that a new computer programming model must be formulated to fit such system models.

    Heuristics existed years ago.. But virus prevalence has not died down. They still rule cyberspace. We could be missing something...

  6. #6
    oldie ric-o
    Join Date
    Nov 2002
    Posts
    487
    I agree, signature-based detection sucks: it's always behind and is reactionary rather than proactive.

    Behavior analysis is another way of monitoring software. It doesn't use signatures but does still have rules, of course. It's essentially a way to identify allowed (kinda whitelist) behaviors of your system and its applications.

    More and more AV vendors are starting to build this into their apps, and other vendors have what are essentially HIPS (Host Intrusion Prevention Systems) (i.e., Cisco Security Agent, McAfee's v8.0i). CSA has established rules of what certain software CAN do and learns. McAfee has added buffer overflow protection, network port monitoring (keep your machine from sending emails, etc.), and other features. NOTE: I don't work for or suggest these products, just examples.

    The anti-spyware vendors are building in AV and HIPS qualities in their software. Eventually AV and anti-spyware vendors/products will merge.

    While there's still a ton of work to do (years), I believe behavior analysis/monitoring will replace the current signature-based tools -- IMO.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    [quote]Bleh, if this is for malware -- there's a forum (outside of A/V) for that[/quote]

    Malware and the like is very close to traditional viruses. More recently, all threats that are not good for your machine are lumped into the generic category of 'malware'. This includes worms, viruses, and such. There is so much sludge on the internet, you can't possibly name each sub-section in a discussion. That said, this post is appropriate for the area he posted in.

    I have been thinking more and more that the industry is going about Malware detection the wrong way...
    Many folks believe this including me. Here's why.

    A decade ago, using signature based solutions was ok. This is because there were not many threats out there (relative to today's staggering figures) and the speed, capabilities and frequency of malware (see generic classification description above) was much less mature.

    Fast forward 10 years. Today's malware is developed for completely different purposes. Back in the day, it was AV companies vs. those horrible hax0r kids. The goal then was to simply gain status and cause general chaos. Not anymore. Theft and profit are the main reasons for the malware of today. This changes everything, including the ways needed to defend against the problem. The last I checked, statistics showed that more malware is released in a single day than the entire year of 1996. Absolutely amazing.

    So what's the cure? That is a complicated issue, but I can tell you from front-line experience that using a finite signature file to deal with an infinite number of threats has become almost useless in large environments.

    Heuristics are not new and have been a part of AV engines for years. However, development efforts weren't really directed at them because people weren't using the engines. That has changed significantly. I know of one AV vendor who already has a nice heuristics engine that can catch polymorphic threats.

    Going further, I believe that the maturation of heuristics won't come without speedbumps. The problem with heuristics is that all people use computers differently, so once you get past the heuristic basics that all people do, it means that users and admins have to be bright enough to tune (present-day) heuristic solutions. If this pans out anything like the way people deal with personal firewalls, I weep for the future.

    Behavior analysis is another way of monitoring software. It doesnt use signatures but does still have rules of course. It's essentially a way to identify allowed (kinda whitelist) behaviors of your system and it's applications.
    This is how the human immune system works. Allow what is known to be good and can everything else. I have great faith in this approach and currently have experiments running this type of approach. Thus far, great success.

    AFAIK, malware doesn't conduct any "signature" activity that gives its true identity away, and this implies that heuristics are not an attractive alternative either.
    This is half true. While malware doesn't perform a 'single' signature-identifiable action, all malware has to communicate. Behavior in the methods, frequency, payloads and protocols are part of the analysis. One more factor is that behavioral analysis acts much like your credit card company. It looks for any change in what it knows is normal behavior for you, learned over time (this, by the way, is how I believe heuristic solutions will get marketed to the masses), and then alerts you if something seems out of place. If you normally spend $30 a year on your credit card and then suddenly there are 15 charges in 3 days, a whistle will sound. You get the idea.

    afaik, heuristic analysis still needs rules... and virus creators would most definitely find these out and write around them!!
    Again, half true. Some engines require rules (hybrid) while others are pure heuristic. See Bayesian Rules for more on rule-based analysis. For those who want to know how this works:

    Posterior = prior * prob(new data | theory A is true) / prob(new data)

    Where Posterior is the revised probability of some theory A after absorbing some new data, Prior is its probability before revision, * and / are multiplication and division symbols, and the vertical bar marks a conditional probability.



    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Posterior = prior * prob(new data | theory A is true) / prob(new data)

    Where Posterior is the revised probability of some theory A after absorbing some new data, Prior is its probability before revision, * and / are multiplication and division symbols, and the vertical bar marks a conditional probability.
    Damn Hoss.... I never knew you were that smart....

    Unfortunately, it still fails initially unless the probability is so "tight" that it makes the computer unusable.... because you are going to have to place some constant in there to adjust the sensitivity of the system. For your average home user the constant would have to be sufficiently slack to allow them to use their system the way they want to.... at which point security goes right back out of the door again.

    Until we come up with an OS that doesn't allow outside executable code to run except in an environment where it is isolated from data then there will always be malware..... and we will always have jobs.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
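The update rule quoted above, applied to a process's observed behaviours, with the sensitivity constant from post #8 made an explicit threshold. This is an added example, not code from the thread; the likelihoods and sample traces are constructed for illustration.

```python
"""Bayesian classification of a process as malware, one observation at a
time, with a tunable alert threshold.  Added illustration, not code from
the thread; every likelihood and trace below is constructed."""

# Constructed P(observation | class) values.  A real engine would estimate
# these from labelled samples; the numbers here are made up.
LIKELIHOOD = {
    "writes_to_startup": {"malware": 0.70, "benign": 0.05},
    "opens_many_ports":  {"malware": 0.60, "benign": 0.02},
    "reads_user_docs":   {"malware": 0.50, "benign": 0.40},
    "signed_binary":     {"malware": 0.05, "benign": 0.80},
}

def update(prior, observation):
    """One step of  Posterior = prior * P(data | A) / P(data),  where A is
    'this process is malware'.  P(data) is the total probability of the
    observation over both classes, which keeps the result inside [0, 1]."""
    p_mal = LIKELIHOOD[observation]["malware"]
    p_ben = LIKELIHOOD[observation]["benign"]
    p_data = prior * p_mal + (1 - prior) * p_ben
    return prior * p_mal / p_data

def classify(trace, prior=0.01, threshold=0.5):
    """Fold observed behaviours through update().  prior is the base rate
    of malware; threshold is the 'constant that adjusts sensitivity'."""
    p = prior
    for obs in trace:
        p = update(p, obs)
    return p, p >= threshold

# Constructed, labelled behaviour traces: (is_malware, observations)
SAMPLES = [
    (True,  ["writes_to_startup", "opens_many_ports"]),
    (True,  ["writes_to_startup", "opens_many_ports", "reads_user_docs"]),
    (False, ["signed_binary", "reads_user_docs"]),
    (False, ["writes_to_startup", "reads_user_docs"]),  # e.g. an installer
    (False, ["writes_to_startup", "opens_many_ports", "signed_binary"]),
]

def error_counts(threshold):
    """(false positives, false negatives) over SAMPLES at one threshold:
    slack thresholds flag legitimate software, tight ones miss malware."""
    fp = fn = 0
    for is_malware, trace in SAMPLES:
        _, flagged = classify(trace, threshold=threshold)
        fp += int(flagged and not is_malware)
        fn += int(is_malware and not flagged)
    return fp, fn
```

Calling error_counts with 0.1, 0.5 and 0.85 shows the trade-off post #8 describes: the slack setting flags two legitimate traces, the tight one misses both malware traces.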

  9. #9
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    I am really sorry. Apologies to thehorse13.

    Just got home after a 16 hour night (second in a row). I read your formula many times before reading your explanation. Although I still can't quite figure it out at this point, when I first read
    Posterior = prior * prob(new data | theory A is true) / prob(new data)
    I thought it meant

    current condition of your a$$ = prior condition * ( probing * (new probe size, if any))/new probe shape

    where shape=1 if it is perfectly smooth, less then one the more it deviates from perfectly smooth.




    Ok, back to the subject.
    How about this idea:

    1) An anti-malware program that uses the hash function described above to check the OS

    2) All systems come with two hard drives

    3) Only OS and anti-malware software can be loaded on the first hard drive (didn't some of us use to do this?)

    4) the write functions on the first hard drive are physically limited by a key switch (actual interrupt of the wires which control writes. This allows, when necessary, to update the OS, etc. without too much difficulty, when absolutely necessary. Could also apply to BIOS changes: I liked the old jumpers)

    5) all write functions are written to a swap file on the second drive

    6) periodically the anti-malware program checks the hash of the OS and itself ( which is reloaded each time executed ) that is in memory with what is on the first hard drive

    7) the anti-malware program also checks hash functions of any executables on the second hard drive, which it stores in a separate swap file only writable by the anti-malware program

    8) if the hash doesn't match the OS or anti-malware program, or if it detects an unwanted signature, the first swap file is deleted, the administrator and user notified.

    9) all permanent writes to the second hard drive are individually requested of the user.


    I'm sure someone could find a way around this, but at this stage that is what I thought of when I read this thread.

    Bedtime for me.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
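The periodic hash check described for CHAOS in post #4 and in steps 6 to 8 of the list above, as an added example that is not part of the thread. The protected "system files" and the tampering are constructed in a temporary directory so the example runs stand-alone.

```python
"""Periodic file-integrity check of the kind described for CHAOS in post #4
and in steps 6 to 8 of post #9.  Added illustration, not code from the
thread; the 'system files' are created in a temp directory so it runs."""
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record the known-good digest of every protected file.  This table
    must live somewhere the checked code cannot write (post #9's
    key-switched first drive), or tampering can update it as well."""
    return {p: sha256_file(p) for p in paths}

def verify(baseline):
    """Compare current digests with the baseline; report files whose
    contents changed and files that are gone.  Empty lists mean intact."""
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != expected:
            changed.append(path)
    return {"changed": changed, "missing": missing}

def demo():
    """Constructed scenario: baseline two files, then modify one and
    delete the other, as a scheduled pass of the checker would see it."""
    d = tempfile.mkdtemp()
    kernel, tool = os.path.join(d, "vmlinuz"), os.path.join(d, "checker")
    for p in (kernel, tool):
        with open(p, "wb") as f:
            f.write(b"known-good contents of " + os.path.basename(p).encode())
    baseline = build_baseline([kernel, tool])
    assert verify(baseline) == {"changed": [], "missing": []}
    with open(kernel, "ab") as f:     # an unauthorised write to the kernel
        f.write(b"tampered")
    os.remove(tool)                    # the checker binary itself vanishes
    return verify(baseline)
```

Running verify on a timer (the thread's "every n seconds") and acting on a non-empty result is the notify/restart step; the baseline only protects what it cannot be rewritten by.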

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    For your average home user the constant would have to be sufficiently slack to allow them to use their system the way they want to.... at which point security goes right back out of the door again.
    Yeah, there is no easy solution to this, which is why you don't have widespread adoption today. I'm thinking that the only road home on this is to somehow integrate it into the OS design. Again, no small or easy task.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
