Adam J. O'Donnell, Vipul Ved Prakash Cloudmark Inc.
One of the most effective techniques available for combating spam is the widespread application of collaborative filtering, where members of a community submit votes as to whether or not a piece of content is spam. The success of such a system is contingent upon the assumption that individual users can, with high accuracy, determine the difference between a piece of spam and a piece of legitimate mail. It is non-obvious that this assumption will also hold true for email-borne malware threats, whose sole indicator is often the presence of an attachment on a seemingly legitimate email.
In this paper we present data and analysis of our successes in applying a collaborative filter originally designed for anti-spam to the anti-virus problem. Our results from specific case studies will be discussed, including the CME-24 outbreak of early 2006. We show that not only is a collaborative filter effective for filtering viruses, the large number of participants allow the filter to begin acting on the virus within minutes of its initial sighting with an extremely low false positive rate.