The Information Communication Technology (ICT) security threat landscape has gone through significant changes in the last few years, which in turn have altered the distribution profile for new malware. In stark contrast to the past, where typically one strain would infect millions of machines, today the opposite is taking place; millions of malware strains are each targeting only a handful of machines which in turn makes fighting them more complex.
Malware, a shortened term for malicious software, generally includes all computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other unwanted software.
In 2008 alone, more than 120 million distinct malware variants were discovered. In this light security vendors, their threat centres and developers now have to deal with an incredibly sophisticated malware landscape which requires 24X7 combat in order to ensure that the world's machines don't fall prey to malware anarchy of sorts. Reputation-based security has emerged as a solution that complements traditional security techniques by using anonymous software patterns to classify whether files are safe or not.
Data collection
In essence, the solution uses small amounts of data from the file usage on a user's system; this data is collected from a very large distributed community. The data is then used to predict the likelihood of a file being malicious.
More specifically, the (collected) data is continually imported and fed into a reputation engine where dozens of attributes for each file, such as file age, file download source, digital signature, and file prevalence are combined using a statistical reputation algorithm to determine a file's safety reputation.
In turn this allows the security vendor to produce a security reputation rating for every software file ever encountered by every participating user, all without ever having to scan the file itself.
These reputation ratings are then made available to all users through a large cloud-based infrastructure of servers.
No doubt, a significant amount of R&D has gone into developing reputation-based security; however, what are some of the real, practical benefits to users? For one, it provides information on all executable files. An executable file is a file that is used to perform various functions or operations on a computer.
A good way to see it in action is to download a new executable file from the Internet. The reputation information is then used to determine whether the file is safe; the user is then informed of the reputation and a bad-reputation file is automatically blocked.
In addition, a user can right click on any executable file and find out where the file came from, how many other users are using the file, when the security vendor in question first saw the file and what the security reputation is for the file.
Importantly, due to reputation-based security solutions' predictive nature, the likelihood that a brand new, never-before-seen file is either good or bad can be pre-empted simply by looking at its attributes. This in turn greatly increases the speed at which its calculations can be made and a solution deployed, thus protecting the user against a potential malware threat even before it goes 'wild'.
Reputation-based security adds an intelligent and new layer of protection against latest malware plaguing the network, be it internal or dealing with the web.
Fred Mitchell, Symantec Business Unit Manager at Drive Control Corporation (DCC)
