Last-minute presentation: Connecting the AV industry

Igor Muttik, McAfee


This year several security companies have combined their efforts to organize the Industry Connections Security Group (ICSG). This group is hosted under the umbrella of the IEEE. The mission of the ICSG is to resolve the following problem:

"It was recognized that the bad actors have been able to leverage the underground economy to gain economies of scale as well as access to specialist tools and services, whereas the security industry was generally responding to threats as individual entities."

We shall tell you which companies organized ICSG and which events led to its creation. We shall briefly discuss the relationship of ICSG to other industry groups such as AMTSO, EICAR, CARO, and APWG and why we believe there should be no conflicts.

ICSG's first project was to develop a standard to share security information among AV companies. For that purpose ICSG created a dedicated team. The Malware Working Group effort was initially focused on increasing the efficiency of sample sharing, but very soon we broadened the approach to cover many other security details (such as URLs, domains, IPv4/IPv6, ASNs, entities, and clean files). Other security vendors (even outside of the traditional AV circle) have joined this working group and actively participate in the discussions. As a result, the sharing standard has become a truly collaborative effort and it is able to cover many kinds of security data - not just information about malware samples.

We shall look in detail at the XML metadata standard proposal that the Malware Working Group finalized in June 2009. We shall start by listing common use cases:

  • Prioritizing samples in analysis queues
  • Covering nonstatic, parasitic, polymorphic and server-side polymorphic malware
  • Relating malware strains to malicious domains and malware-writing groups
  • Reacting to media events

Then we shall describe in detail the structure of the XML metadata and its elements (using screenshots):

  • Object
  • Field data
  • Relationships

This XML schema is already routinely produced by four companies (and two more will release their implementations soon) as part of a pilot program that ran from June to September 2009. We shall share our experiences of how this pilot worked and what the participants learned from producing the output and consuming the inputs.

ICSG is an open group. We hope and expect that other security companies will join us and contribute to the common good. Only together do security companies stand the best chance of effectively protecting computer users. In the long term, the efforts of the ICSG and XML-metadata sharing are necessary steps to ensure such protection. If you agree, come and learn about the details of this effort. If you disagree, come and join the debate!

