Friday, 21 June 2013

Signatureless Malware Detection

RSA ECAT Signatureless Malware Detection

Traditional antivirus companies use known virus signatures to identify malware. Although this technique worked well in the past, when a few thousand viruses were found in the wild each year, it has been overwhelmed by the growth of malware families. A single AV vendor created more than 500,000 new signatures in 2010, and this flood shows no sign of stopping. Creating signatures requires dedicated, highly skilled personnel who cannot keep up with the pace. They are inevitably reactive, not proactive, in identifying threats. They must focus on the most widely distributed malware and put aside samples with low distribution rates, a category into which APT malware falls. As soon as a signature is deployed to block a known malware sample, the malware author begins bypassing it by making minor modifications to the code and testing the result against the low-cost (usually free for 30 days) and publicly available products that detect it.

Instead of spending precious time analyzing malware samples to create signatures, our team works on automating the detection of anomalies within the computer's applications and memory. In a typical enterprise environment, only a few thousand executables are typically loaded into memory, and only a few of those generate anomalies. Legitimate anomalies are mostly created by security products and by the sandboxing technologies built into browsers and file viewers. These products are limited in number and easy to obtain and analyze, so we have incorporated them into a "known anomalies database". Anomalies outside this database are automatically flagged and reported to the ECAT console operator, who can then use the collected intelligence to respond quickly.

Source: http://www.rsa.com
