Reality Check

How Reputation-Based Security Transforms the War on Malware

Created: 04 Jan 2010 • Updated: 03 Jun 2014 • 2 comments

New technology from Symantec that harnesses the “wisdom of crowds” is fundamentally changing how spyware, viruses, and worms are detected. This reputation-based technology leverages the anonymous software usage patterns of millions of Symantec users to automatically identify new threats.

Continue reading to learn how this technology could change the rules of the malware game, shifting the odds in favor of users.

Coming to terms with a new threat landscape

Seismic changes in the threat landscape over the last few years have dramatically altered the typical distribution profile for new malware. Today, instead of a single malware strain infecting millions of machines, it’s much more common to see many millions of malware strains, each targeting only a handful of machines. In 2008, Symantec discovered more than 120 million distinct malware variants. In such an environment, it’s necessary to move beyond traditional security approaches to stay ahead of new malware.

Traditional antivirus software relies on virus signatures to “blacklist” those pieces of malware that should be blocked from a user’s machine. Ten years ago, Symantec published an average of five new virus signatures each day. Today, even though each signature can detect many different malware strains, security vendors regularly publish thousands of signatures or more per day.

Reputation-based technology leverages Symantec’s huge opt-in user base—currently around 35 million users—to anonymously collect application usage data. The system uses this data to derive highly accurate application reputation ratings. All this happens behind the scenes; users are never prompted to submit information or provide input, and participation is voluntary, requiring an initial opt-in when the software is installed.

An entirely new approach

Stephen Trilling, Senior Vice President of Security Technology and Response at Symantec, explains what makes reputation-based technology different:

“Reputation-based technology maintains ratings for every file executed or downloaded on every participating customer’s machine, not just on the subset of malware sent to Symantec for analysis,” Trilling says. “Armed with this information base, reputation-based technology tries to predict if a file is good or bad without using traditional virus signatures, heuristics, or behavioral detection. In essence, it moves from a model that just points out malicious files to a model that provides actionable information about all files.”

Specifically, the data that Symantec collects is continually fed into a reputation engine, where dozens of attributes for each file (such as file age, file download source, digital signature, and file prevalence) are combined using a statistical reputation algorithm to determine a file’s safety reputation. This allows Symantec to produce a security reputation rating for every software file encountered by every participating Symantec user, without having to scan the file itself.

In short, reputation-based technology, which is integrated in Norton Internet Security 2010 and Norton AntiVirus 2010, is able to predict the likelihood of a brand new, never-before-seen file being either good or bad simply by looking at its attributes. This greatly increases the speed at which its calculations can be made and makes it a much more robust, long-term solution given today’s micro-distribution of malware.

This new approach to detecting threats provides immediate benefits:

  • Delivers information on all executable files. Traditionally, security companies primarily have protection for the malware actually sent to them by users or exchanged with other security researchers. In contrast, reputation-based technology holds reputation ratings on every executable file used by every participating Symantec user across the globe. 
  • Integrates with Symantec’s new Download Insight. The most visible way to see reputation-based technology in action in Norton Internet Security 2010 and Norton AntiVirus 2010 is to download a new executable file from the Internet. The new Download Insight feature uses reputation information to help determine each downloaded file’s safety – the user is then informed of the file’s reputation, and bad-reputation files are automatically blocked. 
  • Reduces dependence on traditional signatures. Reputation-based technology defeats an attacker’s ability to mutate malware to evade traditional signature-based detection. In fact, with reputation-based technology, the more an attacker modifies a threat, the more obvious it will be that the file is suspicious. 
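To make the mechanism described above concrete (attributes combined into a rating, and a heavily mutated threat becoming more conspicuous rather than less), here is an added toy reputation engine. It is not Symantec's code or algorithm; the weights, thresholds, trusted signer, download host and telemetry are all constructed assumptions for illustration.

```python
"""Toy reputation engine using the attributes the article names (prevalence, file age,
digital signature, download source). Constructed illustration; weights and thresholds are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Set

TRUSTED_SIGNERS = {"Example Vendor Inc."}           # assumed trusted code signers
LOW_TRUST_SOURCES = {"unknown-file-host.example"}   # assumed low-reputation download hosts
TODAY = 400                                         # constructed "now" on a day-number axis
@dataclass
class FileRecord:
    first_seen: int                 # day the file was first reported
    signer: str = ""
    users: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)

class ReputationEngine:
    def __init__(self) -> None:
        self.files: Dict[str, FileRecord] = {}

    def report(self, sha256: str, user: str, day: int, signer: str = "", source: str = "") -> None:
        """Anonymous telemetry: one participating machine executed or downloaded this file."""
        rec = self.files.setdefault(sha256, FileRecord(first_seen=day, signer=signer))
        rec.users.add(user)
        if source:
            rec.sources.add(source)

    def score(self, sha256: str, today: int) -> float:
        """Combine attributes into a 0..1 rating; a never-seen file has no reputation at all."""
        rec = self.files.get(sha256)
        if rec is None:
            return 0.0
        prevalence = min(len(rec.users), 1000) / 1000   # distinct users, saturates at 1000
        age = min(today - rec.first_seen, 365) / 365     # days known, saturates at one year
        signed = 1.0 if rec.signer in TRUSTED_SIGNERS else 0.0
        penalty = 0.3 if rec.sources & LOW_TRUST_SOURCES else 0.0
        return max(0.0, 0.45 * prevalence + 0.25 * age + 0.30 * signed - penalty)

    def verdict(self, sha256: str, today: int) -> str:
        s = self.score(sha256, today)   # Download-Insight-style decision, thresholds assumed
        return "allow" if s >= 0.6 else "warn" if s >= 0.2 else "block"
def build_demo_engine() -> ReputationEngine:
    """Constructed telemetry: a popular signed tool, a niche unsigned tool, and 50 mutations of one threat."""
    eng = ReputationEngine()
    for i in range(1500):
        eng.report("sha256:popular-tool", f"user{i}", day=i % 10, signer="Example Vendor Inc.")
    for i in range(400):
        eng.report("sha256:niche-tool", f"user{i}", day=200 + i % 5)
    for i in range(50):   # each variant has a unique hash, one user, is brand new, and came from a bad host
        eng.report(f"sha256:variant-{i:03d}", f"user{i}", day=399, source="unknown-file-host.example")
    return eng
```

Every mutated variant lands at prevalence one with no age and no signature, so mutation drives the rating down, while the widely used signed tool needs no signature-style scan to be rated as safe.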

To learn more about Symantec’s reputation-based technology, click here.

Comments (2)

Chinchilla:

I'm not so certain this greatly differs from signature-based methods. In the end you're still playing catch-up by being forced to monitor and catalogue processes and files in order to come up with rulesets that can catch malware.
