2013-06-03
Abstract
There is often a disconnect between academic security research and anti-malware industry research – in both directions. Dr John Aycock, Associate Professor at the Department of Computer Science, University of Calgary, embarks on a new regular feature in which each month he will pick some of the work going on in academic circles and summarize the key points. This month: Content-Agnostic Malware Protection.
Copyright © 2013 Virus Bulletin
One of the things that has repeatedly struck me, in the decade that I’ve been involved with the AV community, is the huge rift that exists between industry and academia. On the one hand, I’ve seen industry presentations that overlook work done – sometimes years before – by academic researchers. On the other hand, I’ve seen academic papers in reputable publications that make naïve statements about how AV products work, or that completely ignore previous industry work.
What I want to do with this regular feature is to help with one side of the equation. Each month, I’ll highlight some recent academic work that bears relevance to the AV community.
It seems fair to start with the paper I was looking at when the idea came to me.
‘CAMP: Content-Agnostic Malware Protection’ [1] was presented at NDSS, the Network and Distributed System Security Symposium [2], in February 2013, and published by the organizer of the event, the Internet Society. The five authors (although perhaps ‘campers’ would be a better term) are all affiliated with Google.
As a glimpse into academic publishing, NDSS itself is a well-established venue: this year was the 20th time the Symposium had been run, and it has a consistently low acceptance rate for papers – just under 19% this year. Full papers are submitted for review, so when referees read and rank the papers they are essentially judging the finished product.
In summary, what CAMP does is extend Google’s Chrome browser. When a user downloads a binary using Chrome+CAMP, the browser decides whether the binary is naughty or nice by applying three checks in turn. First, a blacklist: the binary’s URL is compared against a list of known malicious URLs. Second, a whitelist: domains and code signers that have refrained from pumping out malware for three months are whitelisted, so a download from such a domain or signed by such a signer is allowed. These first two checks are performed locally and, arguably, the underlying basis of both lists is reputation. Finally, if neither local check yields a definitive decision, attributes of the binary and its location (but never the binary’s content, hence ‘content-agnostic’) are launched into the cloud for a reputation assessment with a more global view.
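The three-stage decision just described, as an added worked example that is not part of this column and not Google’s CAMP code: a toy Python model in which the blacklist and whitelist are in-memory structures, the ‘three months’ is a 90-day window, and the cloud lookup is replaced by a hypothetical per-feature reputation table scored as the fraction of past malicious observations. The names, dates, hashes and the 0.5 threshold are all constructed for illustration; the paper’s own server-side scoring is not reproduced here.

```python
"""Toy model of a CAMP-style three-stage download verdict (hypothetical, not Google's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

CLEAN_PERIOD = timedelta(days=90)  # assumption: "three months" modelled as 90 days


@dataclass(frozen=True)
class Download:
    url: str
    signer: Optional[str]  # code-signing certificate subject, None if unsigned
    sha256: str            # hex digest of the binary (used only as an opaque identifier)


@dataclass
class LocalLists:
    # Check 1: known-malicious URLs (a plain set here; real blacklists use hash prefixes)
    blacklist_urls: Set[str]
    # Check 2: candidate domains/signers -> date malware was last seen from them,
    # or None if never. Names absent from the dict are unknown, not trusted.
    whitelist_last_malware: Dict[str, Optional[date]]


@dataclass
class CloudReputation:
    # Stand-in for the server: per-feature counts of (benign, malicious) past downloads.
    history: Dict[str, Tuple[int, int]]
    threshold: float = 0.5  # hypothetical cut-off on the malicious fraction

    def score(self, features: List[str]) -> Optional[float]:
        """Fraction of malicious observations across all known features; None if nothing known."""
        benign = malicious = 0
        for feature in features:
            b, m = self.history.get(feature, (0, 0))
            benign += b
            malicious += m
        total = benign + malicious
        return None if total == 0 else malicious / total


def domain_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_whitelisted(name: Optional[str], lists: LocalLists, today: date) -> bool:
    """Whitelisted only if known AND no malware seen from it within CLEAN_PERIOD."""
    if name is None or name not in lists.whitelist_last_malware:
        return False
    last_seen = lists.whitelist_last_malware[name]
    return last_seen is None or today - last_seen >= CLEAN_PERIOD


def verdict(dl: Download, lists: LocalLists, cloud: CloudReputation, today: date) -> Tuple[str, str]:
    # Check 1 (local): URL blacklist.
    if dl.url in lists.blacklist_urls:
        return ("block", "url blacklisted")
    # Check 2 (local): domain or signer with a clean record for the whole period.
    dom = domain_of(dl.url)
    if is_whitelisted(dom, lists, today):
        return ("allow", "domain %s whitelisted" % dom)
    if is_whitelisted(dl.signer, lists, today):
        return ("allow", "signer %s whitelisted" % dl.signer)
    # Check 3 (remote): no local decision, so ship attributes of the binary and its
    # location (never the content itself) for a global reputation score.
    features = ["domain:" + dom, "sha256:" + dl.sha256]
    if dl.signer:
        features.append("signer:" + dl.signer)
    s = cloud.score(features)
    if s is None:
        return ("unknown", "no reputation data for any attribute")
    return ("block" if s >= cloud.threshold else "allow", "reputation score %.2f" % s)


# Constructed sample data: the column's date as "today", plus made-up lists and history.
TODAY = date(2013, 6, 3)
LISTS = LocalLists(
    blacklist_urls={"http://evil.example/installer.exe"},
    whitelist_last_malware={
        "downloads.trusted.example": None,        # never seen serving malware
        "Good Software Ltd": date(2012, 11, 1),   # malware 7 months ago: clean again
        "Shady Tools Inc": date(2013, 4, 20),     # malware 6 weeks ago: not yet clean
    },
)
CLOUD = CloudReputation(history={
    "domain:cdn.unknown.example": (40, 60),
    "signer:Shady Tools Inc": (2, 18),
    "sha256:" + "ab" * 32: (0, 5),
    "domain:mirror.example": (300, 0),
})

SAMPLES = [
    Download("http://evil.example/installer.exe", None, "00" * 32),
    Download("https://downloads.trusted.example/app.exe", None, "11" * 32),
    Download("http://cdn.unknown.example/tool.exe", "Good Software Ltd", "22" * 32),
    Download("http://cdn.unknown.example/tool.exe", "Shady Tools Inc", "ab" * 32),
    Download("http://mirror.example/util.exe", None, "cd" * 32),
    Download("http://nowhere.example/x.exe", None, "ef" * 32),
]

if __name__ == "__main__":
    for dl in SAMPLES:
        print(dl.url, dl.signer, verdict(dl, LISTS, CLOUD, TODAY))
```

The fourth sample is the instructive one: its signer shipped malware six weeks ago, so the whitelist does not rescue it, and the combined reputation of domain, signer and hash (83 malicious out of 125 observations) tips it into a block; the last sample shows the honest ‘unknown’ outcome when nothing about the download has ever been seen before.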
Academic papers should always give enough detail for the work to be repeated, in theory, and the CAMP paper doesn’t disappoint; there are many goodies to be mined from the paper both about CAMP’s implementation and about its extremely high accuracy.
The paper rang a bell for me when I read it, because it reminded me of a very interesting talk I heard at VB2009 by researchers from Symantec about detecting malware with... wait for it... reputation [3]. The CAMP paper doesn’t cite this work, but it does mention Microsoft’s SmartScreen Application Reputation system in IE 9 [4], [5]. The authors characterize SmartScreen as ‘closely related to our work’, which is academic-speak for ‘let the hair splitting begin’.
On the surface, Google would appear to be the latecomer to the reputation party, but it could also be seen the other way around: the company’s bread-and-butter PageRank algorithm is really just a type of reputation score, albeit applied in a different context. Context can be critical, of course, and in the meantime I see that a number of related patents and patent applications for reputation-based malware detection have appeared. A quick search for a few of the usual suspects turned up some Symantec patents for malware detection [6], [7] and reducing false positives [8] with reputation, and some Microsoft patent applications for reputation based malware detection [9], [10]. (I should point out that I’m not a lawyer, and I’m not making any judgement about the claims of these patents. I’m mentioning them merely to connect up some related work.)
Reputation seems to be here to stay. Given the title of this column, I should probably end the first instalment with a shout-out to my academic homies or something, but so far they have all been strangely reluctant to disclose their handles; for now, I’ll have to stick with the secret academic handshake.
[1] Rajab, M. A.; Ballard, L.; Lutz, M.; Mavrommatis, P.; Provos, N. CAMP: Content-Agnostic Malware Protection. 20th Annual Network & Distributed System Security Symposium, 2013.
[2] NDSS Symposium. http://www.internetsociety.org/events/ndss-symposium.
[3] Nachenberg, C.; Ramzan, Z.; Seshadri, V. Reputation: A new chapter in malware protection. 19th Virus Bulletin Conference, 2009. http://www.virusbtn.com/conference/vb2009/abstracts/NachenbergSeshadriRamzan.xml.
[4] Colvin, R. ‘Stranger Danger’ – Introducing SmartScreen Application Reputation. http://blogs.msdn.com/b/ie/archive/2010/10/13/stranger-danger-introducing-smartscreen-application-reputation.aspx, October 2010.
[5] Haber, J. SmartScreen Application Reputation in IE9. http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx, May 2011.
[6] Glick, A.; Graf, N.; Smith, S. Systems and methods for using reputation data to detect packed malware. United States Patent #8,336,100, December 2012. http://www.google.com/patents/US8336100.
[7] Nachenberg, C. S. Systems and methods for using reputation data to detect shared-object-based security threats. United States Patent #8,225,406, July 2012. http://www.google.co.uk/patents/US8225406.
[8] Nachenberg, C. S.; Griffin, K. E. Reputation based identification of false positive malware detections. United States Patent #8,312,537, November 2012. http://www.google.co.uk/patents/US8312537.
[9] Oliver, D. et al. Reputation checking of executable programs. United States Patent Application #20120192275, July 2012. http://www.google.com/patents/US20120192275.
[10] Franczyk, R.; Hulten, G.; Meek, C. A.; Newman, A.; Rehfuss, S.; Scarrow, J. Application reputation service. United States Patent Application #20100005291, January 2010. http://www.google.com/patents/US20100005291.