New security technology from Symantec that harnesses the “wisdom of crowds” could fundamentally alter the war against malware.
Called Ubiquity, this reputation-based technology was designed specifically to fight today’s rapidly mutating malware. Based on the collective intelligence of more than 100 million computer systems in 200 countries, Ubiquity is the first security technology to identify risks by context rather than content. Ubiquity uses a file’s age, frequency, location, and other attributes to generate a real-time, dynamic safety rating.
Continue reading to learn how this technology could change the rules of the malware game, shifting the odds in favor of users.
Seismic changes in the threat landscape over the last few years have dramatically altered the typical distribution profile for new malware. Today, instead of a single malware strain infecting millions of machines, it’s much more common to see many millions of malware strains, each targeting only a handful of machines. In 2009 alone, Symantec discovered 240 million unique threat samples, each of which on average affected fewer than 20 computers.[1]
Not surprisingly, such an environment places a severe burden on traditional approaches to malware detection. After all, traditional protection requires security vendors to capture and analyze specific strains of malware before they can protect against them.
Ubiquity takes a fundamentally different approach. Ubiquity, which is a set of technologies that Symantec will deploy throughout its security product line, takes malware creators’ greatest strength—their ability to generate millions of unique threats—and turns it against them.
Think about it: Hackers keep mutating their threats to avoid “fingerprints.” This is now done by automated computer systems that can generate countless new threats, each distinct from the last. This works well against fingerprint-based systems since the old fingerprints can’t catch the new variants.
But by the same reasoning, every piece of mutated malware has a low prevalence and a short lifetime. And these are precisely the attributes that yield a low reputation score. In contrast, established applications have many users and longevity, giving them a good reputation. Based on advanced data mining techniques, Ubiquity can’t be fooled by mutating code or changing encryption, so threats are detected as they’re created. Ubiquity is based on a database of over 1.5 billion files that have been scanned and evaluated by Symantec’s products. Each file has been assigned a risk rating based on both the results of the initial scan and on age, prevalence, and other metrics uncovered by Symantec’s data mining algorithms.
The power to examine and track the context of so many files requires a massive network. Built on contributions from over 100 million systems and a Global Intelligence Network that spans 240,000 sensors, Ubiquity provides the context for understanding the risk of almost every file users will encounter. Ubiquity’s reputation database now contains safety ratings on more than 1.5 billion executable files, and it adds to this total at the rate of 22 million new files each week.
That kind of scale is necessary to answer such questions as:
- How many copies of this file exist globally?
- Is this file associated with infections or infectious behavior?
- How new is this file?
- Is the source of the file associated with infections?
Since its initial deployment in 2008, Ubiquity has recorded some impressive results:
- Directly blocked over 8.7 million attacks
- Assisted in blocking over 31 million attacks
- Tracked more than 1.5 billion files
- Served 1.5 billion Ubiquity ratings each day
Also, in tests conducted earlier this year by Dennis Labs, Symantec antivirus software with Ubiquity was the only solution to detect 100% of Internet threats.[2] Separately, Symantec’s reputation-based technology was the winner of a Wall Street Journal 2010 Technology Innovation Award in the Network Security category.[3]
Many vendors claim to be working on reputation-based security, but on closer examination their claims don’t carry much weight. For example, while Symantec tracks more than 1.5 billion files, most other vendors simply place signatures for known malicious files on Internet servers or rate files based on the reputation of the host website. Signatures in the cloud and URL ratings are certainly worthwhile technologies, but they don’t amount to reputation-based security. Nor are they able to target and kill mutating malware by identifying how new or unique a file may be.
Another key benefit of Ubiquity is its ability to significantly enhance security software performance by eliminating up to 90% of antivirus scanning. That’s because a reputation-based system doesn’t just track bad files; it has ratings for all files, both good and bad. This data can then be used to identify extremely high-reputation good files on protected computers. Once these high-reputation files have been identified, they can be excluded from further antivirus scanning and behavior profiling. In contrast, traditional antivirus products typically scan (or behaviorally monitor) every program every time virus definitions are updated.
By the same token, because Ubiquity has ratings for virtually every legitimate application on the Internet, it is arguably the world’s largest and most accurate white list of trusted software. Symantec security products, in turn, can use this data to make more informed decisions about which files to block, significantly reducing the likelihood of generating false positives.
Further, Ubiquity enables policy-based protection for today’s enterprises. IT administrators can use the data provided by Ubiquity to control what software enters their users’ environment based on file policies that factor in file safety ratings, prevalence data, and discovery dates.
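The following is an added illustration of the context-based rating described above (the four questions on age, prevalence, infection association and source) and of the scan-exclusion and policy use that follows from it. It is not Symantec’s code; the attribute weights, thresholds and sample telemetry are constructed assumptions.

```python
"""Toy context-based reputation scorer written for this article as an
illustration. It is NOT Symantec's Ubiquity algorithm: the attributes mirror
the four questions in the text, but weights, thresholds and telemetry are
constructed assumptions."""
import math
from dataclasses import dataclass


@dataclass
class FileContext:
    file_id: str                       # constructed placeholder, not a real hash
    prevalence: int                    # copies observed across the population
    age_days: int                      # days since the file was first seen
    infection_associated: bool         # file itself seen alongside infections
    source_infection_associated: bool  # download source seen with infections


def safety_rating(ctx: FileContext) -> float:
    """0.0 (untrusted) .. 1.0 (trusted). Low prevalence and a short lifetime,
    the hallmarks of a freshly mutated sample, both pull the rating down."""
    prevalence_term = min(1.0, math.log10(ctx.prevalence + 1) / 6.0)  # saturates at 1M copies
    age_term = min(1.0, ctx.age_days / 365.0)                         # saturates at one year
    rating = 0.6 * prevalence_term + 0.4 * age_term
    if ctx.infection_associated:
        rating -= 0.6
    if ctx.source_infection_associated:
        rating -= 0.3
    return round(max(0.0, min(1.0, rating)), 3)


def policy_action(ctx: FileContext, min_rating=0.8, min_prevalence=1000,
                  min_age_days=30, block_below=0.2) -> str:
    """Administrator policy combining rating, prevalence and discovery date.
    'skip_scan' is the whitelist path: a high-reputation file is excluded
    from further signature scanning and behaviour profiling."""
    rating = safety_rating(ctx)
    if ctx.infection_associated or rating < block_below:
        return "block"
    if (rating >= min_rating and ctx.prevalence >= min_prevalence
            and ctx.age_days >= min_age_days):
        return "skip_scan"
    return "scan"


# Constructed telemetry: an established application, a brand-new low-prevalence
# sample from a bad source, and a moderately spread file seen with infections.
SAMPLE_TELEMETRY = [
    FileContext("established-app", 5_000_000, 800, False, False),
    FileContext("fresh-mutant", 1, 0, False, True),
    FileContext("dropper", 1_000, 30, True, False),
]


def triage(files):
    """Map each file to its policy decision; returns {file_id: action}."""
    return {f.file_id: policy_action(f) for f in files}
```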
Following its initial deployment in the Norton 2010 consumer security products and in Symantec Hosted Endpoint Protection, Ubiquity will be rolled out across a range of enterprise security products over the next year, starting with Symantec Web Gateway, according to company officials.
Symantec Ubiquity is the first security technology that puts files in context by using their age, frequency, location, and other attributes to expose threats otherwise missed. Built on contributions from over 100 million systems in over 200 countries, Ubiquity has the power to examine and track the context of files. Ubiquity then uses that context to focus on the most important advantage of cybercriminals—their ability to generate millions of unique threats—and turn it against them.
Bottom line: Ubiquity detects threats as they’re created—threats that would otherwise completely evade traditional security solutions.
[1] Symantec Internet Security Threat Report XIV, April 2010
[2] “PC Anti-Virus Protection 2011,” Dennis Labs, March 2010
[3] “2010 Technology Innovation Awards,” The Wall Street Journal, September 27, 2010