The evolution of reputational antivirus technologies

Novel protection methods often evolve from older ones. Therefore, we decided to write about a method of malware detection that is tried and true — and also cutting-edge.

Critics of “traditional technologies” have been piping up a lot lately, promoting new methods, but we’ve noticed they don’t seem too eager to define what they consider traditional technologies.

In fact, novel methods often evolve from older ones. Therefore, we decided to write about a method of malware detection that is tried and true — and also cutting-edge. It’s called reputational analysis. You may not have heard of it, but it’s been working to keep you safe for some time.

Reasons to find new methods

The threat landscape changes all the time. Viruses, Trojans, worms, and similar programs dominated for a while, but then we started seeing growing numbers of attacks sponsored and directed by nation states. Narrowly focused, aka targeted, attacks have become common now, and the line between legitimate and malicious software has blurred; attackers are using legitimate software to organize sophisticated attacks. And, most important, malware development has become an industry that produces hundreds of thousands of malware variants every day. Most of this malware employs various obfuscation methods, making detection problematic.

Early security solutions relied on databases only. And this method became problematic in two major ways. First, in the face of the modern malware industry, the time gap between the emergence of new malware and arrival of the database containing its description became too large. Second, that increase in the number of malware programs caused excessive bloating of databases, impeding the updating process.

Solving these problems required a new method — a fast, accurate, and efficient one.

Moving into the cloud

Speed was the core requirement for that new technology. It had to be able to inform endpoints about new threats in a matter of seconds. Cloud-based reputational analysis filled the bill.

The first key distinction of the new method was the detected object itself. Security technologies started processing metadata (i.e., data about data), not the files or their fragments. Metadata comprises information about users’ files (including URLs, the IP addresses from which the files were uploaded, boot protocol IDs, connection port numbers, attributes, file sizes, and files’ hash sums), data about the file uploading process, and much more. Initially MD5 was the sole hashing algorithm, but later on, the h3er SHA1 and SHA2-256 became necessary.

The second distinction of the new method was the two-way communication between the user and the security company’s infrastructure. Updating signature databases required only a one-way link. But by using cloud technology, companies gained the opportunity to receive feedback. Now security solutions could give developers information about suspicious activity on the computer, successfully repelled infections, and malware distribution. Processing the data reveals new attack vectors almost instantly, and security vendors can then swiftly equip other users with appropriate threat detection.

The third distinction is reflected in the very method’s name. Reputation technologies can deduce whether an object is malicious based on statistics — essentially, based on its reputation. If an object is found on 1 million users’ computers but never suspected of any questionable activity, we can guess that it is clean. But if at least 10 users reported that the object attempted to access something it should not, or if the site from which it was downloaded from is a known malware nest, then it would be logical to proceed on the assumption that the object is dangerous.

Kaspersky Security Network

Kaspersky Lab has been employing cloud reputational analysis since 2009. Our implementation is called Kaspersky Security Network, and its primary function is two-way communication: for instant delivery of situation reports to our solutions and collection of metadata about various objects. We then use the data to improve our security practices.

We hasten to mention here that none of the data we collect identifies users, and that the communication occurs only with the consent of an individual or a company. You can learn how we handle user data in this document.

Our expert system processes the data and makes information on the latest threats and their sources available to all of Kaspersky Lab’s users within 40 seconds.

Further development

Many of Kaspersky Lab’s customers use our cloud reputational analysis technology, but unfortunately, not all of them do. Some organizations (primarily government institutions) must comply with rules forbidding the use of software solutions that send any data to external computing systems. For such agencies, we present our new solution: Kaspersky Private Security Network. It provides virtually all of the advantages of KSN but without sending any data to our cloud infrastructure. We will discuss KPSN in a future blog post.