Behavior Blocking: The Next Step in Anti-Virus Protection
By Carey Nachenberg
Introduction
Before the arrival of fast-spreading worms and blended threats, the mainstream anti-virus technology, signature scanning, could legitimately claim to be a proactive defense against the typical computer virus. Vendors were able to ship a signature for most new viruses before the virus had spread very far, because traditional viruses propagated slowly, only when people exchanged infected files, and took days or weeks to reach a given computer. In most cases, therefore, anti-virus software stopped the initial infection, kept the threat out of the company's machines, and avoided expensive manual cleanup and downtime.
Today's worms and blended threats, by contrast, spread astonishingly fast. The fastest of them sometimes slip past traditional anti-virus software and infect machines before the vendor has published a signature. Once machines are infected, the basic role of the anti-virus product shifts from protection and prevention to cleanup.
It is clear that traditional anti-virus software does not prevent fast-spreading threats. The question is whether the technology can move back from its current role as a cleanup tool to its original role as a protective tool. I believe the answer is yes, and the technology that makes this possible is behavior blocking. This article looks at behavior blocking and explores how it can help protect a company from the next generation of fast-spreading worms and blended threats.
Signatures and heuristics: still effective?
Traditional anti-virus software scans every file, disk and network transmission against a database of many thousands of digital signatures. Each signature is a short byte sequence taken from a specific virus; if the sequence is found, the file is reported as infected with that virus. Because signature detection relies on byte sequences lifted from known viruses, it frequently fails to detect new ones.
Heuristic anti-virus techniques take a different approach from signature scanning. A heuristic engine examines the structure of a program from beginning to end, including the machine instructions and other data contained in the file, and forms a judgment from the apparent logic about whether the program may be malicious. Because it looks for generally suspicious logic rather than a specific signature, such a system can detect unknown viruses.
For the most complex infections, modern signature and heuristic engines often supplement plain byte scanning with CPU emulation, or "sandboxing". The product runs the suspicious program inside a virtual machine to decide whether it is malicious. This emulation is extremely limited (often fewer than 1,000 instructions of a typical program are simulated), and the program under examination never runs on the real CPU or harms the system.
A major strength shared by signature scanning and heuristics is that they catch a virus before it has a chance to run and infect the computer, since they only examine the bytes of each file (or run the program for a very limited time under virtualization). Precisely because they do not observe the program's full execution, however, they often fail to detect new viruses. Put simply: there are many ways to obfuscate malicious code, but usually only one way to prove it is malicious, which is to watch it run on the real chip and attempt to harm the system. That is where behavior blocking comes in.
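The following toy scanner, added here as an example and not code from the article, shows why a signature is both precise and brittle. It parses a hypothetical hex signature format in which "??" marks one byte the analyst chose not to pin down (wildcards go slightly beyond the fixed sequences described above, but most real scanners support them), then scans three constructed samples: the original, a variant that changed only the wildcarded bytes, and a variant with one harmless instruction inserted into the fixed part of the sequence. The sample bytes are made up for the demonstration and are not taken from any real virus.

```python
"""Toy signature scanner of the kind described above (added example).

A signature is a short byte sequence lifted from a known sample. The database
format here is hypothetical: space-separated hex bytes, with "??" standing for
one byte left unpinned. All sample bytes are constructed for the demo.
"""
import re
from typing import Dict, Optional

# Hypothetical signature database: name -> hex signature.
SIGNATURES: Dict[str, str] = {
    "Toy.Demo.A": "e8 00 00 00 00 5b 81 eb ?? ?? 40 00",
}


def compile_signature(hexsig: str) -> "re.Pattern[bytes]":
    """Turn a hex signature into a bytes regex: fixed bytes become \\xNN
    escapes, "??" becomes "." (any single byte under DOTALL)."""
    parts = []
    for tok in hexsig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in data, or None."""
    for name, pattern in COMPILED.items():
        if pattern.search(data):
            return name
    return None


# Constructed samples: a fake "MZ" header, the bytes the signature was taken
# from, and some padding.
ORIGINAL = (
    b"MZ" + b"\x00" * 30
    + bytes.fromhex("e8000000005b81eb10104000")
    + b"\x90" * 8
)
# A variant that changed only the two wildcarded bytes (say, a different
# load address): still detected.
RELOCATED = ORIGINAL.replace(bytes.fromhex("1010"), bytes.fromhex("2030"))
# A variant with a single harmless instruction (NOP, 0x90) inserted into the
# fixed part of the sequence: the signature no longer matches, which is the
# weakness the text describes.
MUTATED = ORIGINAL.replace(b"\x5b\x81\xeb", b"\x5b\x90\x81\xeb")

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("relocated", RELOCATED),
                          ("mutated", MUTATED)):
        print(f"{label:10s} -> {scan(sample)}")
```

The mutated sample behaves identically to the original when run, yet the scanner has no signature for it; that gap is what the rest of the article is about.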
Behavior blocking
Unlike heuristics or signature scanning, behavior blocking software integrates with the host operating system and monitors programs as they run, blocking potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include:
1. Attempts to open, view, delete or modify files;
2. Attempts to format a disk drive and other unrecoverable disk operations;
3. Modifications to the logic of executable files or macro scripts;
4. Modifications to critical system settings, such as startup settings;
5. Scripting of email or instant messaging clients to send executable content;
6. Initiation of network communication.
If the behavior blocker detects that a program is behaving maliciously as it runs, it blocks the offending action in real time and stops the program. This gives it an important advantage over the comparatively blind signature and heuristic techniques. There are many ways to obfuscate or rearrange the instructions of a virus or worm, and most such variants escape signature and heuristic detection; but in the end, malicious code must make an unambiguous request to the operating system. A behavior blocker can intercept all such requests and identify and block the malicious ones, regardless of how the program's logic has been obfuscated.
Monitoring software at run time gives a behavior blocker a clear and substantial benefit; it is not, however, sufficient on its own. Because malicious code must already be running on the target machine before it can be identified, it can do considerable damage before it is blocked. For example, a new virus might shuffle many files around the drive, which no blocker can undo, before it infects a single file and is stopped. Even if the actual infection is prevented, users may be unable to find their files, with a loss of productivity or worse. This is why it is always better to detect a virus with tried-and-true scanning and prevent infection before the code runs at all, and why signature technology will never go away.
Policy-based and expert-based systems
Behavior blockers fall into two types: policy-based systems and expert-based systems.
A policy-based system lets the administrator specify which behaviors are allowed and which are prohibited. Each time a program makes a request to the operating system, the behavior blocker intercepts it, consults its policy database, and either lets the request proceed or denies it. For example, a policy-based behavior blocker for Java might offer the following options:
Policy applied to all applets:
  Operation                                    Allowed?
  Applets may open files                       Yes
  Applets may delete files                     Yes
  Applets may start network connections        Yes
  Applets may write to the system directory    No
Because their logic is transparent and easy to understand, such systems are often attractive to administrators. Most of them, however, are prone to false positives and can have a large impact on employee productivity, because they treat malicious and legitimate programs identically: they make no attempt to determine whether a behavior is actually malicious. Likewise, very few administrators understand the consequences of a policy such as "block all program access to system files". How many legitimate programs will break under it, and will such a policy actually keep viruses and worms out?
An expert-based system works in a more opaque way than a policy-based one. Here, human experts analyze every class of malicious code and then design the behavior blocker to recognize and block suspicious behavior. A given dangerous action may be allowed in some circumstances and blocked in others. For example, a behavior blocking expert might know that 80 percent of malicious code first modifies the startup area of the registry before touching system files. He can therefore design the blocker to deny a program access to system files only after that program has already modified the registry's startup area. Such a rule is less likely to block legitimate programs, yet still blocks a high proportion of threats. Where a policy-based system offers an option such as "block access to system files", an expert-based system offers one such as "block virus-like behavior". Obviously, in such a system the network administrator must place a great deal of trust in the experts who designed these choices.
Blocking rules by threat type
When building an expert-based behavior blocker, engineers need to consider different blocking rules for different kinds of malicious code. In this section I give some ideas about the operations that might be blocked to counter each class of threat.
Blocking parasitic viruses
A parasitic virus is a self-replicating program that inserts itself into other programs. When an infected program runs, the virus gains control and attaches its logic to another executable file. A behavior blocker protects programs from this class of threat by watching for the changes an infection makes to another program: modifications to the file header, modifications to the program's code, and so on. The blocker can use a range of techniques, from preventing any program from modifying another program at all to blocking writes to specific header fields in order to prevent infection.
Blocking worms and blended threats
Worms and blended threats propagate across the network by email, over shared network drives, or by exploiting other vulnerabilities. To block them, the behavior blocker must insert itself between programs and their propagation media. Possible measures include blocking suspicious use of email API functions to send executable code, preventing unknown programs from communicating on the network, and preventing programs from using drive shares to copy executable content to other computers.
Trojan horses
Trojan horses may be the hardest to block without false positives, because they lack the fixed behaviors of viruses and worms. Here the behavior blocker has to examine many possible behaviors: modifications to system files or the registry, anomalous attempts to access files or other data ("why is this cute screensaver reading my spreadsheet folder?"), unknown or unauthorized programs communicating on the network, and so on. The problem is that many legitimate programs do all of the above, and it is often impossible to tell benign intent from malicious intent.
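To make the policy-versus-expert distinction and the per-threat rules above concrete, here is a toy behavior blocker, added as an example and not code from the article or from any product. A stateless policy blocker applies an administrator's table; an expert blocker keeps per-program history and implements the "system file write only after a startup-key change" rule from the text, plus a parasitic-virus rule (writing another executable's header) and a mass-mailer rule (sending an executable through the mail API). The event traces, program names, registry key and directory are constructed; the engine judges each intercepted request and terminates the program at the first block, as the text describes.

```python
"""Toy behavior blocker: policy-based versus expert-based engines, with expert
rules for parasitic viruses and mass-mailing worms (added example).

Everything below is constructed for illustration; the rules are not those of
any shipping product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One intercepted request from a program to the operating system."""
    program: str          # process issuing the request
    action: str           # write_file | modify_registry | send_mail | connect
    target: str = ""      # file path, registry key, mail recipient or host
    detail: str = ""      # e.g. "header" for a PE header write, or an attachment name


Verdict = Tuple[bool, str]   # (blocked?, reason)

SYSTEM_DIR = "C:\\Windows\\System32\\"
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
EXEC_EXT = (".exe", ".dll", ".scr", ".pif", ".com")


def is_system_file(path: str) -> bool:
    return path.startswith(SYSTEM_DIR)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_EXT)


class PolicyBlocker:
    """Policy-based: the administrator's table says which behaviors are
    allowed. Stateless; every request is judged on its own."""

    def __init__(self, policy: Dict[str, bool]) -> None:
        self.policy = policy

    def check(self, ev: Event) -> Verdict:
        key = ev.action
        if ev.action == "write_file" and is_system_file(ev.target):
            key = "write_system_file"
        allowed = self.policy.get(key, True)
        return (not allowed, f"policy: {key} is {'allowed' if allowed else 'prohibited'}")


class ExpertBlocker:
    """Expert-based: rules encode sequences an analyst associates with malware,
    so the same request can be allowed or denied depending on history."""

    def __init__(self) -> None:
        self.changed_run_key: Set[str] = set()   # programs that touched a startup key

    def check(self, ev: Event) -> Verdict:
        p = ev.program
        # Rule 1 (the expert rule from the text): a startup-key change is only
        # remembered; a later system file write by the same program is blocked.
        if ev.action == "modify_registry" and ev.target == RUN_KEY:
            self.changed_run_key.add(p)
            return (False, "expert: startup key change noted")
        if ev.action == "write_file" and is_system_file(ev.target):
            if p in self.changed_run_key:
                return (True, "expert: system file write after startup key change (virus-like)")
            return (False, "expert: system file write by program with clean history")
        # Rule 2 (parasitic virus): rewriting another executable's header.
        if ev.action == "write_file" and is_executable(ev.target) and ev.detail == "header":
            return (True, "expert: modifying another executable's header (parasitic infection)")
        # Rule 3 (worm / blended threat): executable content sent through the mail API.
        if ev.action == "send_mail" and is_executable(ev.detail):
            return (True, "expert: executable attachment sent via mail API (mass mailer)")
        return (False, "expert: no rule matched")


def run_trace(blocker, trace: List[Event]) -> Optional[Tuple[Event, str]]:
    """Feed events in order; at the first block the program is terminated,
    so return that event and the reason. None means the trace ran clean."""
    for ev in trace:
        blocked, reason = blocker.check(ev)
        if blocked:
            return (ev, reason)
    return None


DEFAULT_POLICY = {"write_system_file": False, "format_disk": False}

# Constructed traces: a legitimate vendor updater, a worm that installs itself,
# the same worm mailing itself, and a parasitic infector.
UPDATER = [Event("vendor_update.exe", "write_file", SYSTEM_DIR + "vendor.dll")]
WORM = [
    Event("photo.scr", "modify_registry", RUN_KEY),
    Event("photo.scr", "write_file", SYSTEM_DIR + "photo.scr"),
]
MAILER = [Event("photo.scr", "send_mail", "alice@example.com", "photo.scr")]
PARASITE = [Event("game.exe", "write_file", "C:\\Users\\bob\\notepad.exe", "header")]

if __name__ == "__main__":
    for name, trace in (("updater", UPDATER), ("worm", WORM),
                        ("mailer", MAILER), ("parasite", PARASITE)):
        print(name, "policy:", run_trace(PolicyBlocker(DEFAULT_POLICY), trace))
        print(name, "expert:", run_trace(ExpertBlocker(), trace))
```

Run it and the trade-off from the text falls out directly: the policy blocker stops the legitimate updater (a false positive) and lets the mass mailer through, while the expert blocker passes the updater, stops the worm on its second request, and catches the mailer and the parasitic infector with rules the policy table never expressed.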
Behavior blocking: room for improvement
Behavior blocking arguably has a great future as an additional layer of protection, and many small companies already offer such solutions. Why, then, have these products had only limited success in the enterprise? I believe there are four reasons:
1. False positives. Behavior blockers, like intrusion detection software, have a terrible reputation for false positives. Administrators already have enough problems of their own, and they are unwilling or afraid to deploy these systems on servers or desktops because of the backlash a false positive provokes from the workers it affects.
2. Management headaches. Current behavior blockers lack enterprise-class management capabilities. They are difficult to roll out and require a great deal of configuration, and their management consoles (where they exist at all) perform poorly. Finally, some systems require users to change the way they work, a difficult proposition, in order to get any protection (for example, putting all your sensitive files in one directory and configuring the product to guard access to that directory).
3. System overhead. A behavior blocker must integrate with the operating system to intercept system calls, and such integration noticeably reduces performance. If real-time anti-virus protection is already running on the machine, a second driver may mean trouble.
4. Some vendors are shipping solutions that fail to address the real threats companies face: many offer systems that block Java and ActiveX behavior. As an engineer and malicious code researcher for the past 11 years, I can count on my fingers all the Java and ActiveX threats in the world. I believe customers have realized that some commercial behavior blockers do not deal with real viruses, worms and Trojan horses, and have invested their dollars elsewhere.
These are, of course, my own opinions, formed from conversations with customers, systems engineers and security professionals. I welcome readers who have experience with these systems to tell me about it.
Next steps
In the next few years I believe we will see many changes in this field. The large security companies have already spent considerable time studying these systems, small security companies have begun demonstrating them to customers, and somewhat larger companies are starting to appear on the scene as well.
Many important problems remain to be solved for today's behavior blockers. Just as with intrusion detection systems (a close relative of behavior blocking), false positives are still a worry. This is a hard problem in computer science with no known solution; DARPA, universities and private companies have spent many years trying to solve the false positive problem, with little commercial result. In the end, I expect customers will learn to live with a certain level of false positives and, rather than lowering their guard against the latest worms and blended threats, will keep watching. Whether behavior blocking takes off is anyone's guess, but one thing is very clear: anti-virus solutions no longer provide the proactive protection they once did, and if they are to survive in the market, they will need to evolve along with the threats. Otherwise we will need to hire more IT staff.