The Future of Malware Defense?

You're probably aware that Microsoft is working on branded antivirus and antispyware products of its own. The company has already released an antispyware tool into public beta testing and has acquired the antivirus technology of two established vendors, GeCAD Software and Sybari Software.

Some industry analysts think that the most logical way to address spyware is to evolve antivirus solutions to incorporate the ability to prevent spyware from infecting systems in the first place. That's a reasonable approach, although folding every malware defense into one product is another step toward a single point of failure, which many security administrators try to avoid.

I read some interesting comments at CNET.com, which published an interview with Bill Gates. The article implied that eventually antivirus solutions and possibly antispyware solutions will become integral parts of Windows. There's more to the story, which isn't covered in the CNET.com article.

I mentioned in an earlier column that Microsoft has published a research paper on rootkits and has developed a detection tool that it hasn't made available to the public. The company released another interesting research paper several months ago that offers further insight into what other kinds of security-related technology it might offer in the future.

The second paper, "Can We Contain Internet Worms?," was published in August 2004. In it, Microsoft researchers discuss how worms might become more readily containable as computers collaborate in a more automated manner. The concept, which the researchers have dubbed "Vigilante," proposes "a new host centric approach for automatic worm containment."

The summary states that the technology "relies on collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. Hosts detect worms by analysing attempts to infect applications and broadcast self-certifying alerts (SCAs) when they detect a worm. SCAs are automatically generated machine-verifiable proofs of vulnerability; they can be independently and inexpensively verified by any host. Hosts can use SCAs to generate filters or patches that prevent infection." You might think of this technology as a much smarter version of Snort or other intrusion detection and prevention systems: detection happens on the host rather than at a network choke point, and an alert carries proof of a vulnerability rather than a signature someone else wrote.

In essence, the proposal describes a means of having hosts monitor their own activity and automatically contain misbehaving processes. When a host detects a worm, it generates an alert that's broadcast to other hosts. The general idea is to decentralize detection so that a worm can't evade it simply by avoiding a particular network point. A key to the idea is that an SCA lets a receiving host verify the detection itself by replaying the alert's evidence and reproducing the attack's effects. So hosts establish trust by doing their own verification, instead of depending on third parties to supply signatures to endpoint detection systems.
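To make the detect, alert, verify and filter cycle concrete, here is a toy simulation I added for this column; it is not code from the paper or from Microsoft. The "service" is a constructed stand-in for a vulnerable network application: a one-byte opcode followed by a payload that is copied into a fixed buffer with no bounds check, where bytes past the buffer overwrite a "control slot" that plays the role of a return address. The detector, the SCA format and the filter generator are all simplifications chosen for illustration (the real system uses dynamic dataflow analysis and produces filters as conditions over the message); in particular, the filter here is derived by searching for the shortest message prefix that still reproduces the hijack, which is my own shortcut and not the paper's method.

```python
"""Toy model of self-certifying alerts (SCAs): detect on one host,
broadcast, verify by replay on another, derive a filter.
All components are constructed for illustration, not the paper's code."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

BUF_SIZE = 16
HANDLERS = ("open", "close", "read")   # legitimate control-transfer targets


class ControlFlowHijack(Exception):
    """Raised by the instrumented service when control would transfer to an
    attacker-chosen location. Stands in for a real host-based detector."""


def vulnerable_service(msg: bytes) -> str:
    """Constructed vulnerable service: opcode 0x01 copies the payload into a
    fixed buffer without a bounds check; overflow reaches the control slot."""
    if not msg:
        return "noop"
    opcode, payload = msg[0], msg[1:]
    if opcode != 0x01:
        return "ignored"
    buf = bytearray(BUF_SIZE)
    ret_slot = 0                       # benign target: HANDLERS[0]
    for i, b in enumerate(payload):
        if i < BUF_SIZE:
            buf[i] = b
        else:
            ret_slot = b               # overflow overwrites the control slot
    if ret_slot >= len(HANDLERS):      # control value is attacker-controlled
        raise ControlFlowHijack(ret_slot)
    return HANDLERS[ret_slot]


@dataclass(frozen=True)
class SCA:
    service: str
    message: bytes                     # exact input that triggered detection
    claim: str                         # what the detector says happens


def detect_and_alert(service: Callable[[bytes], str], name: str,
                     msg: bytes) -> Optional[SCA]:
    """Detector host: run the message under instrumentation; if the detector
    fires, package the evidence as an SCA to broadcast."""
    try:
        service(msg)
    except ControlFlowHijack as e:
        return SCA(name, msg, f"control transfer to {e.args[0]}")
    return None


def verify_sca(service: Callable[[bytes], str], sca: SCA) -> bool:
    """Receiving host: replay the alert's message in its own sandboxed copy
    of the service. No trust in the sender is needed; either the claimed
    effect reproduces or the alert is discarded."""
    try:
        service(sca.message)
    except ControlFlowHijack:
        return True
    return False


def generate_filter(service: Callable[[bytes], str],
                    sca: SCA) -> Tuple[int, Callable[[bytes], bool]]:
    """Derive a filter broader than the exact exploit bytes: find the shortest
    prefix that still reproduces the hijack (assumed simplification), then
    block any message with the same opcode that is at least that long, i.e.
    any message long enough to reach the control slot."""
    msg = sca.message
    threshold = len(msg)
    for n in range(1, len(msg) + 1):
        if verify_sca(service, SCA(sca.service, msg[:n], sca.claim)):
            threshold = n
            break
    opcode = msg[0]

    def filt(m: bytes) -> bool:
        return len(m) >= threshold and m[0] == opcode

    return threshold, filt


if __name__ == "__main__":
    # Constructed exploit: fill the buffer, then overwrite the control slot.
    exploit = b"\x01" + b"A" * BUF_SIZE + b"\x07" + b"shellcode"
    sca = detect_and_alert(vulnerable_service, "svc", exploit)
    print("alert:", sca)
    print("verified:", verify_sca(vulnerable_service, sca))
    bogus = SCA("svc", b"\x01hello", "control transfer to 9")
    print("bogus alert verified:", verify_sca(vulnerable_service, bogus))
    threshold, filt = generate_filter(vulnerable_service, sca)
    print("filter threshold:", threshold, "blocks exploit:", filt(exploit))
```

The bogus alert in the usage block is the trust point the paper's summary makes: a host that wants to lie about a vulnerability cannot, because the replay fails and the alert is dropped. The derived filter is vulnerability-centric in the sense the column describes, since it blocks every message that reaches the control slot, not only the one payload seen. Two practitioner caveats apply to any real deployment of this idea: verification requires an instrumented copy of the exact vulnerable software, and a flood of unverifiable alerts still costs every receiver a replay each, so the cost of verification matters as much as its correctness.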

Although the paper doesn't say so specifically, the implications are huge. The same principles could be applied to viruses, Trojan horses, spyware, and just about any other kind of application or network behavior. Such a system would be vulnerability-centric: instead of requiring a signature for each variant of a piece of malware, it would identify the vulnerability being exploited and act to defend the system against it, for example by shutting down an application, reconfiguring a firewall, or generating some sort of patch. There is much more to learn about the concept in the paper, which you can download in PDF format from the Microsoft Web site.

ftp://ftp.research.microsoft.com/pub/tr/TR-2004-83.pdf
