Norton Internet Security logo

Reputation-Based Protection

May 6, 2012

The newest addition to the suite of protection technologies developed by STAR, reputation-based security, addresses the latest development in the threat landscape, that of micro-distributed malware. Using the combined wisdom of over 130 million contributing users, our reputation system learns which applications are good and bad based on the anonymous adoption patterns of our users. It then uses this intelligence to automatically classify virtually every software file on the planet. This reputation data is utilized by all of Symantec's products to automatically block new malware and, conversely, to identify and allow new legitimate applications.

The Problem: A Changing Threat Landscape

In prior years, relatively small numbers of threats were distributed to millions of machines. Each one could easily be stopped with a single antivirus signature deployed to each protected system. Realizing this, malware authors have shifted techniques and today use a variety of obfuscation techniques to rapidly change the appearance of the threats they produce. It is has become commonplace to see attackers generate a new threat variant in real-time for each victim, or a handful of victims, resulting in hundreds of millions of distinct new variants every year.

These threats are then distributed via web-based or social engineering attacks to targeted computers. Our data shows that most threats today end up on less than 20 machines across the globe making it nearly impossible for security companies to learn about most of these threats, capture a specimen, analyze it and write a traditional reactive signature. With over 600,000 new variants being created per day (Symantec received 240 million unique threat hashes last year from protected customer machines), it is infeasible to create, test, and distribute the volume of traditional signatures necessary to address the problem.

The Solution: Reputation-Based Protection

Traditional fingerprinting of a virus requires the security vendor to obtain a specimen of each threat before they can provide protection. Symantec's reputation-based security takes a totally different approach. It doesn't just focus on bad files, but attempts to accurately classify all software files, both good and bad, based on countless anonymous telemetry "pings" sent to Symantec every second of every day from around the world. These near real-time pings tell Symantec about:
  • The applications being deployed on our customer's machines (each application is uniquely identified by its SHA2 hash).
  • Where applications came from on the web.
  • Whether or not the applications are digitally signed.
  • How old the applications are.
  • A host of other attributes.

Symantec add to this data from our Global Intelligence Network, our Security Response organization, and legitimate software vendors who provide application instances to Symantec.

This data is incorporated into a large-scale model, not unlike Facebook's social network, and is composed of links between applications and anonymous users rather than just user-to-user connections. This encodes the relationships between all of these files and our millions of anonymous users. Symantec then analyze this application-user network in order to derive safety ratings on every single application — identifying each as either good, bad, or somewhere in between. Currently this system is tracking more than 1.98 billion good and bad files and is discovering new files at the rate of more than 20 million per week.


Symantec client, server and gateway products use Reputation data to help improve their protection in the following four ways:

  1. Superior Protection
    The reputation system computes highly accurate reputation ratings on every single file, both good and bad. This is not only effective against popular malware, but can also identify even the most arcane threats — even those affecting just a handful of users across the entire Internet. This increases detection rates across all categories of malware.

    The most visible aspect of the increased protection provided by reputation can be seen in the Download Insight (DI) feature in Norton products and our Download Advisor (DA) feature of our Symantec Endpoint Protection product. DI/DA intercepts every new executable file at the time of download from the Internet. Then it queries the Symantec reputation cloud for a rating. Based on ratings received from the cloud, DI/DA takes one of three different actions:
    • If the file has developed a bad reputation, it is blocked outright.
    • If the file has developed a good reputation, the file is allowed to run.
    • If a file is still developing its reputation and its safety is unknown, the user is warned that the file is unproven. The user can then decide, based on their tolerance for risk, whether or not they want to use the file. Alternatively, in corporate deployments, the administrator can specify different block/allow thresholds for different departments based on each department's unique tolerance for risk.

  2. Prevents False Positives
    Two separate aspects of the technology contribute to further lowering Symantec's already markedly low false-positive rates on legitimate software:
    1. Firstly, because reputation-based technology derives its file ratings based on the social adoption graph rather than on the contents of each file (like traditional antivirus scanning technology) it provides a second opinion to augment our traditional detection technologies such as antivirus heuristics or behavior blocking. If both opinions point to a file being 'malicious' the likelihood of a wrong conviction becomes infinitesimally small.

    2. Secondly, because the system maintains prevalence information on all executable content, this information can also be included into the decision to convict or not. For example an ambiguous conviction on a file that is on only two systems across the globe would be far less damaging than a comparable conviction of a file that is on millions of machines. Factoring this information into every decision means better informed decisions to better protect our users.

  3. Improved Performance
    A typical user's machine has many thousands of files that never change, and, with very few exceptions, all of these files are good. However, because traditional antivirus focuses on looking for bad files based on a list of known malicious threats, it has to scan every file on a user's system to compare it against the list of known threats. As new threats are discovered, each file on a user's system must be rescanned with the new signatures to see if the file matches any of the newly discovered threats.

    This becomes a very inefficient process when you consider that security vendors publish thousands of new virus signatures each day. Reputation-based security, however, has accurate safety ratings on all files — both good and bad, by design. This enables products with reputation technology to scan a user's system and definitively mark known good files as good and set them aside so they are not scanned again — that is unless their contents change. This has a dramatic impact on performance, reducing the resource need of a traditional scan and real-time protection by up to as much as 90 percent — providing a much improved user experience.

  4. Policy-Based Lockdown
    Traditional security solutions have focused on blocking known malware in a binary way — anything that is definitively identified as bad is removed from a user's machine and everything else is left alone (whether or not it's actually bad). Many opportunities in the real world where malware can still gain a foothold on a user's system are left unaddressed. Consider a brand new piece of malware that has just been created by a cybercriminal, it is highly likely that existing antivirus signatures will not be able to detect such a threat since the vendor has never had a chance to analyze it first. Unless the new threat exploits a known vulnerability or exhibits a predetermined pattern of suspicious behaviors, it may go undetected by existing security techniques. Reputation-based security helps users and IT administrators address this situation by making better, more informed decisions about the executable content that they allow onto their machines.

    In addition to managing information on whether a file is good or bad, Symantec's reputation-based system maintains additional attributes like each file's prevalence and age. These attributes can be used to implement policies in our upcoming enterprise products to enable administrators to control what can be installed on a user's system. For example, in the case of a new threat, even if it is not yet flagged as malicious, its age will be very young and

    Users and IT administrators can use reputation information to implement policies about what they allow on to their machines. For example, the IT administrator might choose to restrict employees in the Finance department to downloading only those applications with at least 1000 certified users and at least two weeks of availability on the Internet, whereas staff on the IT help desk might be allowed to download files of any age with at least 100 other users and a moderate reputation score. These policies enable administrators to tailor their protection based on each department's unique tolerance for risk. Our studies show that this is a very effective way to mitigate the risk exposure to new malware within an enterprise.

0 comments: (+add yours?)

Post a Comment

Note: Only a member of this blog may post a comment.