On Dec 9, 2011, at 5:40 AM, William Cerniuk wrote:
> And I remember way back in 2004 when Intego VirusBarrier added heuristic processing to its AV to look for anomalous activity, especially for media files which should not contain executable code:
Heuristics and anomaly detection lead to the "yes, no, maybe" problem with malware. Years ago I was talking to the chief scientist (?) at Symantec, and he told me that was the problem they were facing. People don't like being asked to make a judgment call on something that might be bad but for which the software isn't certain.
Yesterday I was updating my Windows 7 software, which I hadn't run in a few months. At one point I got an alert that said something like "Adobe Reader wants to modify your system" and then asked if I should let it. I had two scenarios running through my head:
(1) This was a legitimate update by Adobe, and if I block it, I will be left vulnerable.
(2) This is an exploit of Adobe Reader (one is currently in the wild), and if I let it go, it compromises my system.
Yikes! What should I do?
Years ago, after experiencing an alert from Microsoft's firewall, I wrote a paper
Why Anomaly Detection Sucks http://www.netsq.com/Research/Single.php?stuff=papers&num=17
And then later after finally resolving this (with about 40 hours of effort), I wrote a follow up paper
Beyond the Anomaly: The Quest for the Underlying Cause
My program "Audit Explorer" is to a great extent a result of these "maybe" scenarios. It lets me trace the history behind an alert. For example, it helps answer questions such as "What is the sequence of programs that eventually created that process that is doing an outbound connection?" or "What files is that program shipping out, and where did those files come from?" Later, as I add more sophisticated detection/analysis tools, they can tap into Audit Explorer (note: it is called "Explorer", not "Detector") to help understand the event flagged by the detection/analysis code.
It is still a lot of work. I wish I could say "Audit trail analysis is easy", but it is still hard. :-\
Todd
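The two questions Todd describes ("what sequence of programs created the process making the outbound connection?" and "what files is it shipping out, and where did they come from?") are answerable by indexing an audit trail by process and walking parent links and file read/write events. The example below is added here to show that idea; it is not Audit Explorer's code and not from anyone in this thread. It assumes a deliberately simplified, constructed record format (sequence number, event type, pid, ppid, detail) rather than real auditd or Windows audit output, and the sample trail, paths and addresses are made up for illustration.

```python
"""Process lineage and file provenance over a (constructed) audit trail.

Records are (seq, event, pid, ppid, detail), already in time order:
  exec     detail = program image the pid started running
  read     detail = file path the pid read
  write    detail = file path the pid wrote
  connect  detail = "host:port" of an outbound connection
"""

# Constructed sample trail (not real audit output). A browser downloads a
# PDF, a reader opens it and drops an executable, which then reads a
# document and phones out. Paths and addresses are made up.
SAMPLE_TRAIL = [
    (1,  "exec",    100, 1,   "C:/Windows/explorer.exe"),
    (2,  "exec",    250, 100, "C:/Program Files/Firefox/firefox.exe"),
    (3,  "connect", 250, 100, "198.51.100.7:443"),
    (4,  "write",   250, 100, "C:/Users/todd/Downloads/invoice.pdf"),
    (5,  "exec",    300, 100, "C:/Program Files/Adobe/AcroRd32.exe"),
    (6,  "read",    300, 100, "C:/Users/todd/Downloads/invoice.pdf"),
    (7,  "write",   300, 100, "C:/Users/todd/AppData/Local/Temp/upd.exe"),
    (8,  "exec",    301, 300, "C:/Users/todd/AppData/Local/Temp/upd.exe"),
    (9,  "read",    301, 300, "C:/Users/todd/Documents/passwords.txt"),
    (10, "connect", 301, 300, "203.0.113.5:443"),
]


def build_index(trail):
    """Index the trail by pid: parent, current image, and per-pid events.

    Caveat: real systems reuse pids, so a production index must key on
    (pid, process start time); the sample trail has unique pids.
    """
    procs = {}
    for seq, event, pid, ppid, detail in sorted(trail):
        p = procs.setdefault(pid, {"ppid": ppid, "exe": None, "events": []})
        if event == "exec":
            p["exe"] = detail
        p["events"].append((seq, event, detail))
    return procs


def ancestry(procs, pid):
    """Program images from the root ancestor down to pid (a cycle guard
    protects against corrupt ppid data)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["exe"] or f"<pid {pid}>")
        pid = procs[pid]["ppid"]
    chain.reverse()
    return chain


def last_writer(procs, path, before_seq):
    """(pid, image) of the process that last wrote `path` before `before_seq`,
    or None if the trail never saw it written."""
    best = None
    for pid, p in procs.items():
        for seq, event, detail in p["events"]:
            if event == "write" and detail == path and seq < before_seq:
                if best is None or seq > best[0]:
                    best = (seq, pid, p["exe"])
    return None if best is None else (best[1], best[2])


def image_origin(procs, pid):
    """Which process wrote the executable image that pid runs? Answers
    "where did that program come from?" for dropped binaries."""
    for seq, event, detail in procs[pid]["events"]:
        if event == "exec":
            return last_writer(procs, detail, seq)
    return None


def explain_connection(procs, pid):
    """For each outbound connection by pid: the lineage that created the
    process, the files it read beforehand, and each file's last writer."""
    report = []
    events = procs[pid]["events"]
    for seq, event, detail in events:
        if event != "connect":
            continue
        files_read = {d: last_writer(procs, d, s)
                      for s, e, d in events if e == "read" and s < seq}
        report.append({"dest": detail,
                       "lineage": ancestry(procs, pid),
                       "image_origin": image_origin(procs, pid),
                       "files_read": files_read})
    return report


if __name__ == "__main__":
    idx = build_index(SAMPLE_TRAIL)
    for entry in explain_connection(idx, 301):
        print("connection to", entry["dest"])
        print("  lineage:     ", " -> ".join(entry["lineage"]))
        print("  image origin:", entry["image_origin"])
        for path, origin in entry["files_read"].items():
            print("  read", path, "written by", origin)
```

Run as a script it reports that pid 301's image was written by AcroRd32.exe, that the process chain is explorer.exe -> AcroRd32.exe -> upd.exe, and that passwords.txt was read before the connection but has no recorded writer in the trail (a gap the analyst still has to chase by hand, which is the "still hard" part).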