查看: 12493|回复: 21

[技术原创] 走进ATC:Bitdefender Active Threat Control官方白皮书(施工完成)

Sailer.X 该用户已被删除
发表于 2016-4-22 00:51:59 | 显示全部楼层 |阅读模式
本帖最后由 霄栋 于 2016-4-25 23:18 编辑

Bitdefender Active Threat Control
Proactive Protection Against New and Emerging Threats

Bitdefender 活跃威胁控制


#1.Why You Should Read this White Paper

#2.Modern Malware result to new countermeasures against threats

#3.Money matters

#4.Heuristics: Detecting tomorrow’s Threats Today

#5.Bitdefender Active Threat Control: Heuristic detection advances to the next level
Bitdefender 活跃威胁控制:启发式检测进步到下一等级

#6.How Active Threat Control Works: A Technology Overview

#7.Active Threat Control increases the detection rate of malware



参与人数 3人气 +4 收起 理由
nick20010117 + 1 版区有你更精彩: )
诸葛亮 + 1 赞一个!
230f4 + 2 精品文章


Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:38:52 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-25 21:10 编辑

#1.Why You Should Read this White Paper

The unprecedented rise of new threats has deemed traditional security mechanisms both ineffective and unreliable in providing adequate defense. Today’s pervasive threats have increased in complexity, making prevention, detection, and remediation difficult for traditional security software.


Bitdefender Active Threat Control is a pro-active and dynamic detection technology, based on monitoring processes and system events, and tagging suspicious activities. It has been designed to act against never-before-seen threats based on their behavior.

       Bitdefender 活跃威胁控制是一种主动和动态的检测技术,它基于监控进程、系统事件和标记可疑活动。它被设计成基于行为对抗未知威胁。

This white paper explains why such protection is necessary and provides technological and technical overview of the detection methodologies used by Bitdefender products.

       本白皮书解释了为什么这种保护是必要的,并且提供 Bitdefender 产品所使用的检测方法的技术概述。

Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:39:45 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-25 21:12 编辑

#2.Modern Malware result to new countermeasures against threats

Keeping computers secure and protected against threats has never been harder. With more than half a million new and variant strains of malware emerging each month, tracking and mitigating each threat has become an enormously challenging task for all security vendors.


Source: av-test.org: More than 14 million new and variant malware strains are discovered each month.(P1)

Compounding the problem is the fact that both malware and the mechanisms used to deliver it have become increasingly sophisticated. Trusted websites can be compromised and used to launch complex script-based attacks that cycle through multiple exploits. Advanced packaging methods are deployed in order to conceal malicious payloads. These malware can also actively disable known security software at the time of install and during operation by constantly trying to overwhelm or kill antimalware or software firewall processes.


Social networking websites such as Facebook and Twitter provide criminals with new opportunities for exploitation through social engineering and can enable malware to spread faster than ever before. If a malware may once have taken days or even weeks to propagate, it can now reach millions of computers in hours.

       Facebook 和 Twitter 等社交网站为犯罪分子提供社会工程利用的新机会,并使得恶意软件的传播更加迅速。如果(过去)一个恶意软件需要数天甚至数周来传播,如今它可以在数小时内传播至上百万台计算机。

Combined, these factors make it exceptionally difficult to effectively detect and block malware using conventional methods and technology.


您需要 登录 才可以下载或查看,没有帐号?快速注册

Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:40:01 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-25 23:00 编辑

#3.Money matters

The main driver leading to the increase in both volume and complexity of such threats has been money. Historically, viruses were created by teenagers in order to earn notoriety and gain recognition for their coding skills. Today’s malware is created by criminals to earn a living and even generate substantial profit. Spam, phishing, pump-and-dump schemes and data-stealing Trojans and keyloggers can net their creators an enormous amount of income. Malware has evolved into a multinational and multimillion dollar industry that’s just as skilled and versed in security matters, as experts working in the security industry.


These monetization patterns have also resulted in a significant change in the nature of today’s threats. For instance, if your computer becomes infected with one such threats, you may not realize it until unexplained transactions occur on your bank statement or it starts consuming more processing resources than usual.


As criminals are able to use their enormous profits to fund malware development, a vicious circle has been created: the more money the criminals make, the better and more sophisticated their malware becomes; and the better their malware becomes, the more money the criminals make. Cybercrime costs the global economy about $445 billion every year, with damages to businesses caused by intellectual property theft exceeding $160 billion, according to the Center for Strategic and International Studies (CSIS) report published on to Jun 9, 2014. With such enormous sums at stake, it is obvious that the criminals have both the motivation and the financial means to develop ever better malware.

Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:40:21 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-26 12:10 编辑

#4.Heuristics: Detecting tomorrow’s Threats Today

Ensuring a timely response to each new threat can become more than challenging. However, it is critical that the response should be prompt, as the new variants of malware are able to spread rapidly. A slow or delayed response could lead to a large pool of computers being compromised and the potential data loss or impact on the affected network infrastructure could be unquantifiable.


The challenge is that regardless of how fast security vendors react, there is always a gap between the time a new threat is released into the wild and the time computers are “immunized” against that threat via a signature update. The gap between initial moments when a threat can affect systems until the fix is disseminated creates a window of opportunity for malicious actors. With more than half a million new malware samples emerging each month, chances are the window of opportunity is favor of the attacker.


Conventional detection relies on signatures. Anti-malware signatures are code snippets extracted from malware samples and used by antimalware programs to perform pattern-matching. The problem with this method is that it takes time to produce the signature: antimalware vendors need to obtain a sample of the malware, develop a signature, and then push that signature to users – and this leads to the creation of the window mentioned above.


Heuristics are a form of proactive detection that closes the window during which computers are vulnerable. Rather than relying on signatures or binary or code fingerprints, heuristic detection relies on complex algorithms that specify actual patterns and behaviors, which may indicate that an application is malicious. This works because malicious programs inevitably attempt to perform actions in a context that legitimate applications do not. Examples of suspicious behavior would include attempting to drop files or disguise processes, or injecting or executing code in another process’s memory space. Because heuristic detection look for behavioral characteristics rather than relying on simple pattern-matching, they are able to detect and block new and emerging threats for which a signature or fingerprint has yet to be released.


To protect computers, the majority of heuristic detection, including the Bitdefender B-HAVE heuristic engine, temporarily delay applications from starting while the code is executed in a virtual environment that is completely isolated – or sandboxed - from the real computer. If no suspicious behavior is observed, the computer is instructed to start the application normally. On the other hand, if suspicious behavior is observed, the program is blocked from executing. The entire process happens in fractions of a second and so has practically no impact on either the user experience or perceived performance. In order to be even more effective, Bitdefender uses   application reputation, a form of white listing, for having more lightweight heuristics for applications that are known likely to be safe.    Application reputation is kept intact for false positives with frequent updates from Bitdefender cloud.

       为保护计算机,大多数启发式检测,包括Bitdefender B-HAVE启发式引擎,会暂时延迟应用启动,并将代码在完全与真实计算机隔离的虚拟环境或沙箱中执行。如果没有观察到可疑的行为,计算机被引导至正常启动应用。反之,如果观察到可疑的行为,程序将被阻止执行。整个过程发生在很短的时间内,因此几乎不会对用户体验或性能造成实际影响。为了进一步提高效率,Bitdefender使用了应用信誉——一种白名单,对已知很可能为安全的应用进行轻度启发式检测。应用信誉通过Bitdefender云端频繁更新保持完整性并降低误报。

While this approach certainly enhances security considerably, it nonetheless has a couple of shortcomings. Firstly, programs can only be run in the virtual environment for a short period as, obviously, it would not be acceptable to delay launch by any substantial amount of time. This means that malware can avoid detection simply by delaying performing any malicious actions. Secondly, a program that has already been checked (and is, therefore, trusted) could be exploited and either modified in-memory, while running, or used to launch a malware process with its own credentials.


To address these shortcomings, Bitdefender introduced Active Virus Control in 2010 (former name of Active Threat Control technology).




Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:40:50 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-25 23:06 编辑

#5.Bitdefender Active Threat Control: Heuristic detection advances to the next level

Starting with 100 heuristics in 2010, Active Threat Control has been developed to have more than 300 to date. They are constantly finetuned, updated, and improved by a dedicated team of security researchers and engineers form Bitdefender Labs. In order to provide maximum security, all Bitdefender products using Active Threat Control follow a four step scanning sequence:


Step 1: Each time a file is accessed, copied or downloaded via Web, Email or Instant Messenger, the file is intercepted by either the Bitdefender File System driver or the appropriate proxy and sent for scanning;


Step 2: The file is checked against the Bitdefender Signature Database (a database of malware “fingerprints”) that is updated in an hourly basis. If the file’s content matches one of the signatures, the product automatically tries to disinfect the threat. If this action fails, the file is moved into quarantine. If no signature is matched, the file is sent to B-HAVE1 to be checked.


Step 3: B-Have checks the file by running it in a virtual environment inside the Bitdefender Engine, designed to emulate the behavior or an actual computer. If the file exhibits suspicious, malware-like activity, B-Have reports the file as malicious. If not, the file is declared clean and the process is allowed to run;


Step 4: Active Threat Control monitors actions of specific processes as they are running in the OS. It looks for behavior specific to malware and assigns a score for each process based on its actions and the context in which those were done. When the overall score for a process reaches a given threshold, the process is reported as harmful. Depending on the user profile, it is either terminated to isolate and remediate the threat or the user is prompted to specify the action that is to be taken (depending on the settings profile of the Bitdefender product). User profiles are product specific. Usage of user profiles may vary in products.


Bitdefender proprietary technology for detecting threats.


Unlike B-HAVE and other heuristic detection, Active Threat Control constantly monitors processes. This way a delayed execution of malware can be detected and remediated. Constant monitoring prevents malware from exploiting or hijacking already trusted applications.



您需要 登录 才可以下载或查看,没有帐号?快速注册

Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:42:13 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-25 21:39 编辑

#6.How Active Threat Control Works: A Technology Overview

Active Threat Control continuously monitors all running applications and processes. To extend the flexibility and performance there are some exceptions:
• White-listed processes that are specifically excluded from monitoring by the user
• Validated system processes that have been tagged by Bitdefender Application Reputation to be clean.

• 由用户特意从监控中排除的白名单内的进程。
• 被Bitdefender应用信誉标记为安全的已验证的系统进程

Active applications and processes are continuously monitored suspicious behaviors, like:
• Copying or moving files in System or Windows folders or limited access disk location
• Executing or injecting code in another processes’ space in order to run with higher privileges
• Running files that have been created with information stored in the binary file
• Self-replication
• Creating an auto-start entry in the registry, accessing or executing illegal operations on registry locations that require elevated privileges
• Dropping and registering drivers

• 复制或移动文件至System、Windows文件夹或被限制访问的磁盘位置
• 复制或注入代码至其它进程空间以获取更高运行权限
• 运行已创建的信息存储于二进制文件中的文件
• 自我复制
• 在注册表中创建自启动项目,访问需要提权的注册表区域或在其中执行非法操作
• 释放和注册驱动

As legitimate applications will sometimes perform one or more of these actions (such as creating an autostart entry), Active Threat Control does not determine a process to be malicious based on any single action; instead, it keeps a running score and only categorizes an application as malicious when a certain threshold is reached. This minimizes incidences of misidentification (false-positives) avoiding unnecessary intervention by the user.


您需要 登录 才可以下载或查看,没有帐号?快速注册

Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:42:32 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-25 21:08 编辑

#7.Active Threat Control increases the detection rate of malware

A large quantity of malware samples is detected by Active Threat Control. Given that B-HAVE is one of the most advanced and effective heuristic scanning engines on the market, it is clear that Active Threat Control has the ability to provide substantially better protection than other solutions. It drastically reduces the risk of a system being compromised by a new or emerging threat.

Sailer.X 该用户已被删除
 楼主| 发表于 2016-4-24 00:42:56 | 显示全部楼层
本帖最后由 霄栋 于 2016-4-26 08:11 编辑


The criminals that create malware have become increasingly sophisticated in terms of the methods that they use in order to minimize the likelihood of their malicious programs being detected by heuristic detection. Some malware is even able to detect when it is being run inside a virtual machine and delay displaying performing any malicious actions until it has determined to be clean and launched in the real computing environment. Compounding the challenge is the fact that determining whether or not an application is malicious based on the actions it performs is a far from straightforward process. For example, an application that will erase the hard disk may be a perfectly legitimate system tool. However, if that application attempts to mislead users into running it back - masquerading as an image or some other harmless type of file - then it may well be malware.


Active Threat Control is Bitdefender’s response these challenges. It represents a layer of security between the computer and potentially malicious code, providing users with a previously unprecedented degree of protection.


      前阵子在BD官网上逛,只找到了一篇AVC的白皮书,还是2010年的 ,于是在好奇心驱使下上bing搜索了一下,没想到真找到一份2015年的。激动之下,顺手在BD区开了一贴 ,然而挖坑容易填坑难,翻译一堆一堆的从句让我的内心悲痛欲绝 。不管怎么说,这坑今天终于是填上了。可惜由于本人水平有限,错误再所难免;如果发现有翻译错误等问题,可以@我或私信我,我会尽快修改。最后,附上2015年ATC白皮书PDF文档和2010年AVC白皮书PDF文档,有兴趣的同学可以自行比对~

1.2015 Bitdefender ATC白皮书

2.2010 Bitdefender AVC白皮书

发表于 2016-4-25 23:28:21 | 显示全部楼层

您需要登录后才可以回帖 登录 | 快速注册


手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 湘ICP备2021004765号-1 ) GMT+8, 2021-9-26 05:39 , Processed in 0.140343 second(s), 18 queries .


快速回复 客服 返回顶部 返回列表