Antivirus Protection Gets Social
Can cloud computing and social networking improve security software?
People often rely on their circle of friends for support. Now one start-up company hopes to harness those social connections to create and deliver security software that will protect users from computer viruses and other digital threats.
On Wednesday, start-up Immunet announced its first product, Immunet Protect, a program that checks downloaded files against a directory of malicious software, such as viruses and Trojan horses. The company joins a handful of others in turning much of its detection capabilities into a service offered over the Internet, or the “cloud.” Yet, the real difference, say its founders, is the software’s ability to protect digital communities–those users connected together via social networks such as instant messaging, Facebook or Twitter.
Because malicious software travels quickly through messages sent to friends via e-mail, instant messaging and other social technologies, Immunet plans to use the same pathways to send the needed information to protect users, says Oliver Friedrichs, CEO and founder of the four-person firm.
“We are seeing an increase in the number of threats propagated through social networks, as well as attacks on social-networking sites in general,” Friedrichs says. “Your social network is becoming a larger attack vector than it has been in the past. Our approach is to protect that social network.”
Immunet users will be able to see who in their social network is a current user of the service. For example, Facebook users could see which of their friends has also installed Immunet Protect. The service will also allow users to see whether their friends have seen a greater proportion of threats than the population of Immunet Protect users as a whole.
The idea is to treat malicious programs less as an analysis problem–where a file is scrutinized to determine whether it poses a threat–and more of a data-mining problem, Friedrichs says. When a new file is downloaded to a user’s computer, information on more than 100 attributes is sent to Immunet’s servers. If a threat is recognized, the service will respond in a fifth of a second; otherwise, the file is allowed to run while the company attempts to analyze the file’s attributes.
“There are so many threats today that an analyst cannot analyze them all, so we are using data-mining techniques to find the needles in the haystack,” Friedrichs says. “We consider our user base to be a very large sensor network.”
It’s no secret that current antivirus software has trouble detecting the latest threats. Last week, antivirus firm Panda Security released a report showing that 52 percent of malicious software is not seen for more than 24 hours, because the cybercriminals who are responsible for spreading the software compress and rearrange the binary code in a different way every day, a technique known as packing. The ability to rearrange code has put traditional antivirus companies at a disadvantage. In a research paper published last year, computer scientists at the University of Michigan found that even the best antivirus programs could only detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.
“There is no easy solution to the problem, unfortunately,” says Jon Oberheide, a PhD student at the University of Michigan and the lead author of the paper. “The battle is quite asymmetric, with the scales being tipped heavily in the attacker’s favor. We need to focus our efforts and resources on approaches that will significantly reduce this asymmetry, instead of continuing the endless game of reactive catch-up, which the vendors are obviously losing.”
To process and analyze viruses faster, several companies have moved to a cloud model, where–rather than putting an intelligent analysis engine on every user’s computer–the scanner is a “dumb” program that converts each new file into a list of attributes that are then sent to the software provider’s servers. Those servers analyze the file attributes and determine whether it is malicious.
Other antivirus firms have already started to rebuild their antivirus software incorporating the cloud-computing model. McAfee, Panda and Prevx already provide some level of automated analysis as an online service for users.
Pedro Bustamante, senior research advisor with Panda Security, argues that community data can help antivirus firms prioritize their analysis efforts. Panda sees nearly 50,000 files a day, of which some 37,000 are samples of malicious code.
“I have not seen a product yet that is using community as a factor in detection,” he says. “I think it could be a nice complement to detection technology but not a stand-alone solution.”
However, Immunet’s approach puts the company at the very early stages of a cloud antivirus solution, Bustamante adds. “It takes a long time to develop these technologies in the cloud.”
Friedrichs underscores that Immunet’s service is not complete–it’s still in development. The company is working on adding generic detections and heuristics for flagging large categories of threats, which should make them easier to identify. In addition, the company is currently considering ways of handling potentially harmful files when the user’s computer is not connected to the Internet.