走进ATC：Bitdefender Active Threat Control官方白皮书（施工完成）

Bitdefender Active Threat Control
Proactive Protection Against New and Emerging Threats

Bitdefender 活跃威胁控制
主动防护对抗新兴威胁

Content
目录

#1.Why You Should Read this White Paper
为什么你应该阅读此白皮书

#2.Modern Malware result to new countermeasures against threats
现代威胁催生新的防范措施

#3.Money matters
金钱问题

#4.Heuristics: Detecting tomorrow’s Threats Today
启发式：今日检测明日威胁

#5.Bitdefender Active Threat Control: Heuristic detection advances to the next level
Bitdefender 活跃威胁控制：启发式检测进步到下一等级

#6.How Active Threat Control Works: A Technology Overview
活跃威胁控制如何运作：技术概述

#7.Active Threat Control increases the detection rate of malware
活跃威胁控制提升恶意软件检测率

#8.Conclusion
结束语

#1.Why You Should Read this White Paper
为什么你应该阅读此白皮书


The unprecedented rise of new threats has deemed traditional security mechanisms both ineffective and unreliable in providing adequate defense. Today’s pervasive threats have increased in complexity, making prevention, detection, and remediation difficult for traditional security software.

       新型威胁的空前增长表明传统安全机制难以提供充分的防御。今天遍布的威胁更加复杂，使得传统安全软件难以对其预防、检测和修复。


Bitdefender Active Threat Control is a pro-active and dynamic detection technology, based on monitoring processes and system events, and tagging suspicious activities. It has been designed to act against never-before-seen threats based on their behavior.

       Bitdefender 活跃威胁控制是一种主动和动态的检测技术，它基于监控进程、系统事件和标记可疑活动。它被设计成基于行为对抗未知威胁。

This white paper explains why such protection is necessary and provides technological and technical overview of the detection methodologies used by Bitdefender products.

       本白皮书解释了为什么这种保护是必要的，并且提供 Bitdefender 产品所使用的检测方法的技术概述。

#2.Modern Malware result to new countermeasures against threats
现代威胁催生新的防范措施


Keeping computers secure and protected against threats has never been harder. With more than half a million new and variant strains of malware emerging each month, tracking and mitigating each threat has become an enormously challenging task for all security vendors.

       保持计算机安全和保护计算机免受威胁从未如此艰难。随着每月超过50万新型和变种恶意软件的出现，跟踪和缓解每个威胁已经成为所有安全供应商面临的一项极富挑战性的任务。


   
Source: av-test.org: More than 14 million new and variant malware strains are discovered each month.（P1）
来源：av-test.org：每月发现超过1400万新型和变种恶意软件（P1）


Compounding the problem is the fact that both malware and the mechanisms used to deliver it have become increasingly sophisticated. Trusted websites can be compromised and used to launch complex script-based attacks that cycle through multiple exploits. Advanced packaging methods are deployed in order to conceal malicious payloads. These malware can also actively disable known security software at the time of install and during operation by constantly trying to overwhelm or kill antimalware or software firewall processes.

       雪上加霜的是，恶意软件和其传播机制已变得越来越复杂。可信网站可能被利用以发起利用多个漏洞运转的复杂的脚本攻击。先进的打包方法被部署以隐藏恶意的载荷。这些恶意软件甚至还可以主动在安装时禁用已知的安全软件，并在操作期间不断尝试击垮或终止反恶意软件或软件防火墙进程。


Social networking websites such as Facebook and Twitter provide criminals with new opportunities for exploitation through social engineering and can enable malware to spread faster than ever before. If a malware may once have taken days or even weeks to propagate, it can now reach millions of computers in hours.

       Facebook 和 Twitter 等社交网站为犯罪分子提供社会工程利用的新机会，并使得恶意软件的传播更加迅速。如果（过去）一个恶意软件需要数天甚至数周来传播，如今它可以在数小时内传播至上百万台计算机。


Combined, these factors make it exceptionally difficult to effectively detect and block malware using conventional methods and technology.
      
       综上所述，这些因素使得通过传统手段和技术有效地检测和阻止恶意软件格外困难。

#3.Money matters
金钱问题


The main driver leading to the increase in both volume and complexity of such threats has been money. Historically, viruses were created by teenagers in order to earn notoriety and gain recognition for their coding skills. Today’s malware is created by criminals to earn a living and even generate substantial profit. Spam, phishing, pump-and-dump schemes and data-stealing Trojans and keyloggers can net their creators an enormous amount of income. Malware has evolved into a multinational and multimillion dollar industry that’s just as skilled and versed in security matters, as experts working in the security industry.

       导致这些恶意软件数量和复杂性增长的主要驱动力是金钱。从历史来看，病毒是青少年为了获取坏名声和对他们编码技能的认可而制造的。今天的恶意软件则是犯罪分子为了谋生甚至是获取巨额利益而制造的。垃圾邮件、网络钓鱼、炒股诈骗、数据窃取、木马和键盘记录器能够为它们的制造者带来巨额的收入。恶意软件已经演化形成跨国公司和价值数百万美元的产业，它们与在安全厂商工作的专家一样熟练和精通安全问题。


These monetization patterns have also resulted in a significant change in the nature of today’s threats. For instance, if your computer becomes infected with one such threats, you may not realize it until unexplained transactions occur on your bank statement or it starts consuming more processing resources than usual.

       这些货币化模式也导致了现代威胁性质的重大改变。例如，如果你的计算机感染了一种这样的威胁，你可能不会意识到它的存在，直到不明原因的交易出现在你的银行对账单上或它开始消耗比平时更多的处理资源。


As criminals are able to use their enormous profits to fund malware development, a vicious circle has been created: the more money the criminals make, the better and more sophisticated their malware becomes; and the better their malware becomes, the more money the criminals make. Cybercrime costs the global economy about $445 billion every year, with damages to businesses caused by intellectual property theft exceeding $160 billion, according to the Center for Strategic and International Studies (CSIS) report published on to Jun 9, 2014. With such enormous sums at stake, it is obvious that the criminals have both the motivation and the financial means to develop ever better malware.

       因为犯罪分子能够利用他们巨额的利润资助恶意软件的研发，一个恶性循环随之产生：犯罪分子赚的钱越多，他们的恶意软件就越好、越复杂；他们的恶意软件越好，他们赚的钱就越多。根据战略和国际研究中心（CSIS）于2014年6月9日发表的报告，网络犯罪每年给全球经济造成的损失高达约4450亿美元，而知识产权盗窃造成的商业损失超过1600亿美元。在数额如此巨大的利害关系下，犯罪分子显然有动机和金钱手段去开发更好的恶意软件。
      

#4.Heuristics: Detecting tomorrow’s Threats Today
启发式：今日检测明日威胁


Ensuring a timely response to each new threat can become more than challenging. However, it is critical that the response should be prompt, as the new variants of malware are able to spread rapidly. A slow or delayed response could lead to a large pool of computers being compromised and the potential data loss or impact on the affected network infrastructure could be unquantifiable.

       确保对每个新的威胁的及时响应更具挑战性。尽管如此，因为恶意软件的新变种能够迅速传播，及时的响应又是至关重要的。缓慢或延迟的响应可能导致大量的计算机被感染和潜在的数据损失，或对波及的网络基础设施造成难以估量的冲击。


The challenge is that regardless of how fast security vendors react, there is always a gap between the time a new threat is released into the wild and the time computers are “immunized” against that threat via a signature update. The gap between initial moments when a threat can affect systems until the fix is disseminated creates a window of opportunity for malicious actors. With more than half a million new malware samples emerging each month, chances are the window of opportunity is favor of the attacker.

       挑战在于不管安全厂商的反应有多快，新病毒被释放至外界和计算机通过签名更新“免疫”这一威胁之间总存在时间差。威胁能够影响系统的最初时刻与补救措施被分发的时间差为攻击者创造了机会之窗。随着每月超过50万新型恶意软件样本的出现，机会之窗为攻击者提供了有利条件。


Conventional detection relies on signatures. Anti-malware signatures are code snippets extracted from malware samples and used by antimalware programs to perform pattern-matching. The problem with this method is that it takes time to produce the signature: antimalware vendors need to obtain a sample of the malware, develop a signature, and then push that signature to users – and this leads to the creation of the window mentioned above.

       传统的检测依赖于签名。反恶意软件签名是从恶意软件样本中提取的、被反恶意软件用于执行模式匹配的代码片段。这种手段的问题是制作签名需要时间：反恶意软件需要收集恶意软件样本，开发签名，然后将签名推送给用户——这导致上述空窗的产生。


Heuristics are a form of proactive detection that closes the window during which computers are vulnerable. Rather than relying on signatures or binary or code fingerprints, heuristic detection relies on complex algorithms that specify actual patterns and behaviors, which may indicate that an application is malicious. This works because malicious programs inevitably attempt to perform actions in a context that legitimate applications do not. Examples of suspicious behavior would include attempting to drop files or disguise processes, or injecting or executing code in another process’s memory space. Because heuristic detection look for behavioral characteristics rather than relying on simple pattern-matching, they are able to detect and block new and emerging threats for which a signature or fingerprint has yet to be released.

       启发式是在计算机易于攻击时关闭空窗的一种主动检测形式。启发式不依赖于签名、二进制文件或代码指纹，它依托于复杂的算法，能够识别表明某个应用是恶意程序的实际模式和行为。因为恶意程序不可避免地要执行一系列合法应用不会执行的动作，所以启发式检测能够奏效。可疑行为的例子可能包括企图释放文件或混淆进程，或注入其它进程内存空间并执行代码。因为启发式检测寻找行为特征而不是依赖于简单的模式匹配，它们能够在签名或指纹尚未被发布时检测和阻止新型威胁。

To protect computers, the majority of heuristic detection, including the Bitdefender B-HAVE heuristic engine, temporarily delay applications from starting while the code is executed in a virtual environment that is completely isolated – or sandboxed - from the real computer. If no suspicious behavior is observed, the computer is instructed to start the application normally. On the other hand, if suspicious behavior is observed, the program is blocked from executing. The entire process happens in fractions of a second and so has practically no impact on either the user experience or perceived performance. In order to be even more effective, Bitdefender uses   application reputation, a form of white listing, for having more lightweight heuristics for applications that are known likely to be safe.    Application reputation is kept intact for false positives with frequent updates from Bitdefender cloud.

       为保护计算机，大多数启发式检测，包括Bitdefender B-HAVE启发式引擎，会暂时延迟应用启动，并将代码在完全与真实计算机隔离的虚拟环境或沙箱中执行。如果没有观察到可疑的行为，计算机被引导至正常启动应用。反之，如果观察到可疑的行为，程序将被阻止执行。整个过程发生在很短的时间内，因此几乎不会对用户体验或性能造成实际影响。为了进一步提高效率，Bitdefender使用了应用信誉——一种白名单，对已知很可能为安全的应用进行轻度启发式检测。应用信誉通过Bitdefender云端频繁更新保持完整性并降低误报。


While this approach certainly enhances security considerably, it nonetheless has a couple of shortcomings. Firstly, programs can only be run in the virtual environment for a short period as, obviously, it would not be acceptable to delay launch by any substantial amount of time. This means that malware can avoid detection simply by delaying performing any malicious actions. Secondly, a program that has already been checked (and is, therefore, trusted) could be exploited and either modified in-memory, while running, or used to launch a malware process with its own credentials.

       尽管这种方法确实增强了安全性，但它也有一些缺点。首先，程序只能在虚拟环境中被执行很短的时间，显然，被长时间的延迟执行是无法被接受的。这意味着恶意软件可以简单地通过延迟表现所有可疑动作来规避检测。其次，一个已经被检查过（也因此被信任）的程序可能被利用，在运行时在内存中被修改，或被用来以其自身的凭据运行恶意进程。


To address these shortcomings, Bitdefender introduced Active Virus Control in 2010 (former name of Active Threat Control technology).

       为了克服这些缺点，Bitdefender于2010年介绍了活跃病毒控制（活跃威胁控制技术的前身）。（注：指的是Bitdefender在2010年发布了AVC的白皮书，相关PDF已附在文末）


      

      

#5.Bitdefender Active Threat Control: Heuristic detection advances to the next level
Bitdefender活跃威胁控制：启发式检测进步到下一等级


Starting with 100 heuristics in 2010, Active Threat Control has been developed to have more than 300 to date. They are constantly finetuned, updated, and improved by a dedicated team of security researchers and engineers form Bitdefender Labs. In order to provide maximum security, all Bitdefender products using Active Threat Control follow a four step scanning sequence:

       开始于2010年的100条启发式规则，活越威胁控制如今已经发展到拥有超过300条启发式规则。它们被一个来自Bitdefender实验室的由安全研究人员和工程师组成的专门团队持续地调整、更新和改进。为了提供最大程度的保护，所有使用活跃威胁控制的Bitdefender产品遵循以下四步扫描序列：


Step 1: Each time a file is accessed, copied or downloaded via Web, Email or Instant Messenger, the file is intercepted by either the Bitdefender File System driver or the appropriate proxy and sent for scanning;

第一步：每次一个文件被访问、复制或通过Web、邮件和即时通讯程序下载，它将被Bitdefender文件系统驱动或合适的代{过}{滤}理拦截并被发送以供扫描；

Step 2: The file is checked against the Bitdefender Signature Database (a database of malware “fingerprints”) that is updated in an hourly basis. If the file’s content matches one of the signatures, the product automatically tries to disinfect the threat. If this action fails, the file is moved into quarantine. If no signature is matched, the file is sent to B-HAVE1 to be checked.

第二步：文件被每小时更新的Bitdefender签名数据库（一个恶意软件"指纹"数据库）检查。如果文件内容匹配一条签名，产品将尝试自动解除威胁。如果这一操作失败，文件将被移动至隔离区。如果没有签名匹配，文件将被发送到B—HAVE进行检查。

Step 3: B-Have checks the file by running it in a virtual environment inside the Bitdefender Engine, designed to emulate the behavior or an actual computer. If the file exhibits suspicious, malware-like activity, B-Have reports the file as malicious. If not, the file is declared clean and the process is allowed to run;

第三步：B-HAVE通过在Bitdefender引擎中的被设计来模拟行为或真实计算机的虚拟环境中执行文件来进行检查。如果该文件表现出可疑的、类似恶意软件的动作，B-HAVE报告该文件为恶意软件。否则，该文件被认为是干净的，进程被允许执行。

Step 4: Active Threat Control monitors actions of specific processes as they are running in the OS. It looks for behavior specific to malware and assigns a score for each process based on its actions and the context in which those were done. When the overall score for a process reaches a given threshold, the process is reported as harmful. Depending on the user profile, it is either terminated to isolate and remediate the threat or the user is prompted to specify the action that is to be taken (depending on the settings profile of the Bitdefender product). User profiles are product specific. Usage of user profiles may vary in products.

第四步：活跃威胁控制在特定程序在特定操作系统中运行时监控它们的动作。它寻找类似恶意软件的行为，并基于每个进程的动作及其前后操作给予评分。当一个进程的总分达到给定的阈值，该进程将被报告为有害的。依据用户的配置文件，Bitdefender将终止、隔离进程并修复威胁，或询问用户以确认要采取的操作（取决于Bitdefender产品的配置文件）。用户配置文件适用于特定产品，其用法因产品而异。


Bitdefender proprietary technology for detecting threats.

Bitdefender版权所有的威胁检测技术。





Unlike B-HAVE and other heuristic detection, Active Threat Control constantly monitors processes. This way a delayed execution of malware can be detected and remediated. Constant monitoring prevents malware from exploiting or hijacking already trusted applications.

       与B-HAVE和其它启发式检测不同，活跃威胁控制持续地监控进程。通过这种方式，恶意软件延迟的执行能够被检测和修复。持续的监控阻止恶意软件利用和劫持可信应用。

#6.How Active Threat Control Works: A Technology Overview
活跃威胁控制如何工作：技术概述

Active Threat Control continuously monitors all running applications and processes. To extend the flexibility and performance there are some exceptions:
• White-listed processes that are specifically excluded from monitoring by the user
• Validated system processes that have been tagged by Bitdefender Application Reputation to be clean.

       活跃威胁控制持续地监控所有正在运行的应用和进程。为增强灵活性和性能，这里有一些例外：
• 由用户特意从监控中排除的白名单内的进程。
• 被Bitdefender应用信誉标记为安全的已验证的系统进程




Active applications and processes are continuously monitored suspicious behaviors, like:
• Copying or moving files in System or Windows folders or limited access disk location
• Executing or injecting code in another processes’ space in order to run with higher privileges
• Running files that have been created with information stored in the binary file
• Self-replication
• Creating an auto-start entry in the registry, accessing or executing illegal operations on registry locations that require elevated privileges
• Dropping and registering drivers

       活动的应用和进程被持续地监控可疑行为，例如：
• 复制或移动文件至System、Windows文件夹或被限制访问的磁盘位置
• 复制或注入代码至其它进程空间以获取更高运行权限
• 运行已创建的信息存储于二进制文件中的文件
• 自我复制
• 在注册表中创建自启动项目，访问需要提权的注册表区域或在其中执行非法操作
• 释放和注册驱动


As legitimate applications will sometimes perform one or more of these actions (such as creating an autostart entry), Active Threat Control does not determine a process to be malicious based on any single action; instead, it keeps a running score and only categorizes an application as malicious when a certain threshold is reached. This minimizes incidences of misidentification (false-positives) avoiding unnecessary intervention by the user.
      
       因为合法应用有时也会执行一个或多个上述动作（例如创建启动项），活跃威胁控制不会基于任何单个动作将一个进程识别为威胁；作为代替，它持续地进行评分，仅当达到特定的阈值才会将一个应用识别为威胁。这将错误识别（误报）的发生率降至最低并避免了用户不必要的干涉。

#7.Active Threat Control increases the detection rate of malware
活跃威胁控制增加了恶意软件检出率


A large quantity of malware samples is detected by Active Threat Control. Given that B-HAVE is one of the most advanced and effective heuristic scanning engines on the market, it is clear that Active Threat Control has the ability to provide substantially better protection than other solutions. It drastically reduces the risk of a system being compromised by a new or emerging threat.

       活跃威胁控制能够检测到大量的样本。如果说B-HAVE是市场上最先进和最高效的启发式扫描引擎之一，显然活跃威胁控制有能力保证提供比其它解决方案更好的保护。它使得系统被新兴威胁感染的风险大大降低。

#8.Conclusion
结束语


The criminals that create malware have become increasingly sophisticated in terms of the methods that they use in order to minimize the likelihood of their malicious programs being detected by heuristic detection. Some malware is even able to detect when it is being run inside a virtual machine and delay displaying performing any malicious actions until it has determined to be clean and launched in the real computing environment. Compounding the challenge is the fact that determining whether or not an application is malicious based on the actions it performs is a far from straightforward process. For example, an application that will erase the hard disk may be a perfectly legitimate system tool. However, if that application attempts to mislead users into running it back - masquerading as an image or some other harmless type of file - then it may well be malware.

       制造恶意软件的犯罪分子已经使用越来越复杂的方法以减小他们的恶意程序被启发式检测的可能性。一些恶意软件甚至能够检测自身是否运行于一个虚拟机中，它们将延迟表现执行任何恶意操作直到确定运行于干净的真实计算环境。复合的挑战是基于一个应用所表现的行为决定其是否是恶意的远非一个简单的过程。例如，一个试图擦除硬盘的应用可能是完全合法的系统工具。然而，如果该应用企图通过冒充图片或其它无害文件类型来误导用户执行，那么它很可能是恶意软件。


Active Threat Control is Bitdefender’s response these challenges. It represents a layer of security between the computer and potentially malicious code, providing users with a previously unprecedented degree of protection.

       活跃威胁控制是Bitdefender对这些挑战的回应。它表现为一个介于计算机与潜在恶意代码之间的安全层，为用户提供前所未有的保护程度。


——————————————————————手打分割线—————————————————————————————————
      前阵子在BD官网上逛，只找到了一篇AVC的白皮书，还是2010年的 ，于是在好奇心驱使下上bing搜索了一下，没想到真找到一份2015年的。激动之下，顺手在BD区开了一贴 ，然而挖坑容易填坑难，翻译一堆一堆的从句让我的内心悲痛欲绝 。不管怎么说，这坑今天终于是填上了。可惜由于本人水平有限，错误再所难免；如果发现有翻译错误等问题，可以@我或私信我，我会尽快修改。最后，附上2015年ATC白皮书PDF文档和2010年AVC白皮书PDF文档，有兴趣的同学可以自行比对~

1.2015 Bitdefender ATC白皮书
http://pan.baidu.com/s/1o8xkNMi

2.2010 Bitdefender AVC白皮书
http://pan.baidu.com/s/1qYd3UhA

230f4

Bitdefender已经不是重武器了，它现在既强大又轻便

感谢翻译