Towards integrated malware defence

Morton Swimmer John Jay College of Criminal Justice/CUNY

  download slides (PDF)

For many reasons, our systems still contain vulnerabilities and are likely always to do so until the economics of system design and implementation change dramatically. Our best defence against the exploitation of these vulnerabilities is to use reactive technology such as anti-virus, anti-spyware, intrusion detection and prevention systems (IDS and IPS), firewalls, etc. They are reactive in that they mostly use a priori knowledge designed by a central authority to detect the attack. The time required to get the sample to the vendor, then through analysis, and finally distributed to the clients is still much longer than it potentially takes for the malware itself to spread. It would be an advantage to have a more systematic and immediate way of creating these signatures and then deploy them to where they are needed most as quickly as possible. The cure must spread faster than the disease (as we used to say when working on the IBM Digital Immune System).

In this paper, we see how the convergence of various security technologies can help us achieve this goal. This is achieved by utilizing the strengths of various sensors and generating semantically relevant signals from these. The signals can only be used for alerting and automatic reaction when two or more can be combined (costimulation). However, combination is only possible if the signals are ontologically orthogonal to each other, giving us a meaningful combination of information instead of the currently more common correlation of ontologically parallel signals. While the former leads to a true confirmation, the latter may merely compound an already faulty diagnosis. From this framework, a useful architecture for dealing automatically with threats can evolve.



twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.