Towards integrated malware defence
Morton Swimmer John Jay College of Criminal Justice/CUNY
download slides (PDF)
For many reasons, our systems still contain vulnerabilities and are likely always to do so until the economics of system design and implementation change dramatically. Our best defence against the exploitation of these vulnerabilities is reactive technology such as anti-virus, anti-spyware, intrusion detection and prevention systems (IDS and IPS), firewalls, etc. They are reactive in that they mostly rely on a priori knowledge, designed by a central authority, to detect the attack. The time required to get a sample to the vendor, through analysis, and finally distributed to the clients is still much longer than the time the malware itself potentially needs to spread. It would be an advantage to have a more systematic and immediate way of creating these signatures and then deploying them to where they are needed most as quickly as possible. The cure must spread faster than the disease (as we used to say when working on the IBM Digital Immune System).
In this paper, we see how the convergence of various security technologies can help us achieve this goal. This is achieved by utilizing the strengths of various sensors and generating semantically relevant signals from them. The signals can only be used for alerting and automatic reaction when two or more can be combined (costimulation). However, combination is only possible if the signals are ontologically orthogonal to each other, giving us a meaningful combination of information instead of the currently more common correlation of ontologically parallel signals. While the former leads to a true confirmation, the latter may merely compound an already faulty diagnosis. From this framework, a useful architecture for dealing automatically with threats can evolve.
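To make the distinction between costimulation and plain correlation concrete, here is an added example (not code from the paper or its author) of the combination rule the abstract describes. It assumes a constructed sensor ontology that maps each sensor to the kind of evidence it produces, and constructed sample signals for three hosts; the function names `costimulate` and `naive_correlation` are this example's own. The naive rule counts signals per host, so two parallel anti-virus engines flagging the same file look like corroboration; the costimulation rule only confirms a host when signals from two or more orthogonal categories agree, and reports how many parallel duplicates it collapsed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed ontology (an assumption for this example): each sensor is mapped to
# the kind of evidence it produces. Two sensors in the same category are
# "ontologically parallel"; sensors in different categories are "orthogonal".
SENSOR_ONTOLOGY = {
    "av_engine_a": "file_content",
    "av_engine_b": "file_content",
    "process_monitor": "host_behaviour",
    "network_ids": "network_traffic",
}


@dataclass(frozen=True)
class Signal:
    """A semantically relevant signal emitted by one sensor about one host."""
    sensor: str
    host: str
    evidence: str


def naive_correlation(signals, threshold=2):
    """Count signals per host regardless of category.

    This is the correlation of ontologically parallel signals the abstract warns
    about: two AV engines firing on the same file count as two pieces of evidence,
    so a single faulty diagnosis is merely repeated, not confirmed.
    """
    counts = defaultdict(int)
    for s in signals:
        counts[s.host] += 1
    return {host: n >= threshold for host, n in counts.items()}


def costimulate(signals, min_orthogonal=2):
    """Confirm a host only when >= min_orthogonal distinct categories signal on it.

    Returns, per host, the distinct categories seen, whether the host is confirmed,
    and how many signals were collapsed as parallel duplicates within a category.
    """
    per_host = defaultdict(lambda: defaultdict(list))  # host -> category -> signals
    for s in signals:
        category = SENSOR_ONTOLOGY.get(s.sensor)
        if category is None:
            # A sensor with no place in the ontology cannot take part in
            # costimulation; fail loudly rather than guess a category.
            raise ValueError(f"sensor {s.sensor!r} has no ontology category")
        per_host[s.host][category].append(s)
    verdicts = {}
    for host, by_category in per_host.items():
        verdicts[host] = {
            "categories": sorted(by_category),
            "confirmed": len(by_category) >= min_orthogonal,
            "parallel_duplicates": sum(len(v) - 1 for v in by_category.values()),
        }
    return verdicts


# Constructed sample signals (not real detections).
SAMPLE_SIGNALS = [
    # host-1: two parallel file-content detections of the same sample
    Signal("av_engine_a", "host-1", "heuristic match on dropper.exe"),
    Signal("av_engine_b", "host-1", "heuristic match on dropper.exe"),
    # host-2: one file-content detection plus an orthogonal behavioural signal
    Signal("av_engine_a", "host-2", "heuristic match on dropper.exe"),
    Signal("process_monitor", "host-2", "unsigned process added a startup entry"),
    # host-3: a single network signal with nothing to corroborate it
    Signal("network_ids", "host-3", "outbound connection to sinkholed domain"),
]

if __name__ == "__main__":
    for host, verdict in sorted(costimulate(SAMPLE_SIGNALS).items()):
        print(host, verdict)
    print("naive correlation:", naive_correlation(SAMPLE_SIGNALS))
```

Run stand-alone, the naive rule confirms both host-1 and host-2, while costimulation confirms only host-2 and reports one collapsed duplicate on host-1; host-3 is left for further evidence under either rule. In a real deployment the ontology would be maintained alongside the sensors, since a sensor added without a category cannot contribute to automatic reaction at all.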