此文是网上找到的,权做科普^_^,如已在卡饭中出现,请斑竹删贴
AUTHOR:ANDREW NIKISHIN
KASPERSKY LAB
http://www.kaspersky.com | www.viruslist.com
Heuristic Analyzer
Policy-Based Security
Intrusion Prevention System (IPS)
Protection against Buffer Overruns
Behaviour Blockers
Different Approaches to Proactive Protection
Pros and Cons of Different Proactive Detection Methods
--------------------------------------------------------------------------------
CONTENTS
1. Introduction
2. Proactive Protection
2.1 Heuristic Analyzer
2.2 Policy-Based Security
2.3 Intrusion Prevention System (IPS)
2.4 Protection against Buffer Overruns
2.5 Behaviour Blockers
2.5.1 ?Prehistoric? Behaviour Blockers
2.5.2 Behaviour Blocker for VBA Programs. KAV Office Guard
2.5.3 Second-Generation Behaviour Blockers
2.6 Different Approaches to Proactive Protection
2.6.1 Other Methods
2.7 Summary
2.8 Pros and Cons of Different Proactive Detection Methods
2.8.1 Heuristic Analyzer
2.8.2 Policy-Based Security
2.8.3 IPS
2.8.4 Protection against Buffer Overruns
2.8.5 Behaviour Blockers
3. Conclusions
3.1 Summary Table of Proactive Technologies Used by Vendors
--------------------------------------------------------------------------------
1. INTRODUCTION
Surging numbers of virus outbreaks, hacker attacks making news, network scams, the threat posed by spyware – all of this has contributed to growth in demand for anti-virus systems. There are a multitude of anti-virus solutions on the market. How does one select the best product? Which anti-virus solution can guarantee 100% virus detection rates with the lowest possible false-posi-tive levels? Which anti-virus solution offers the broadest range of technologies to ensure adequate protection of the computer and the network against all kinds of malicious program?
An essential part of any anti-virus product is the so-called anti-virus engine, the module responsible for scanning objects and detecting malicious programs. It is the anti-virus engine that determines the quality of malicious program detec-tion, and therefore the protection level offered by an anti-virus solution. How-ever, due to explosive growth in the number of malicious programs, the impor-tance of pre-emptive – or proactive – methods of detecting malicious software has lately been increasing. These methods help detect malicious software before anti-virus databases are updated – in other words, detect a threat be-fore it appears. Importantly, in this case false-positive rates should also be as low as possible (ideally, there should be no false positives at all).
This document describes and evaluates the main approaches to proactive protection implemented by different vendors. It is intended primarily for com-puter security experts familiar with the basic operating principles of anti-virus software.
2. PROACTIVE PROTECTION
In the past several years the “death” of classical anti-virus solutions, which use one kind of signature or another to detect malicious software, has been the subject of extensive discussion in the information security market. The principal reason for this is believed to be the speed with which malicious soft-ware is spreading, which is faster than the rate at which anti-virus databases are distributed. In addition, some time is always needed to analyze a new virus. Therefore, users remain unprotected from the time a malicious program is discovered until the time an anti-virus database update becomes available. Different companies envisage several different approaches to addressing this situation.
2.1 Heuristic analyzer
When the number of existing viruses exceeded several hundreds, anti-virus experts began to explore the idea of detecting malicious programs the exis-tence of which is as yet unknown to the anti-virus program because the rel-evant signatures do not exist yet. As a result, the so-called heuristic analyzers were developed.
A heuristic analyzer is a set of subroutines analyzing the code of executable files, macros, scripts, memory or boot sectors to detect all sorts of malicious program that cannot be identified using the usual (signature-based) methods. In other words, heuristic analyzers are intended to search for unknown mali-cious software .
Heuristic analyzers have relatively low detection rates, as virus writers have dozens of ways in which they can “cheat” them. In addition, heuristic analyz-ers with high detection rates also have high false-positive levels, making them unacceptable for most purposes. Detection rates of even the best anti-virus products do not exceed 25-30% when it comes to new malicious programs. In spite of low detection rates, heuristic methods are still often used in contempo-rary anti-virus solutions. There is a simple reason for this: detection quality can be improved by combining various pre-emptive methods of virus detection.
2.2 Policy-based security
A security policy is an essential part of any well-designed strategy of protec-tion against IT threats. A well-designed policy reduces several-fold the risk of infection by a malicious program, hacker attacks or leaks of confidential information. A simple example: if the user is not allowed to open e-mail attach-ments, the risk of a mail worm infecting the computer is practically eliminated. Blocking the use of removable media also reduces the risk of malicious code penetration. A security policy should always be designed very carefully to take into account the needs and business processes for all divisions and employ-ees of the company.
Besides the approach described above, various vendors mention policy-based security in their information materials. There are currently several approaches to this method of ensuring security.
The Trend Micro approach
Trend Micro Outbreak Prevention Services. This service is based on distribut-ing policies that help prevent an outbreak, i.e. a policy is distributed before anti-virus database updates or patches are released. At first glance, this looks like a reasonable solution. However, Trend Micro is slow to add procedures for detecting new malware, and the purpose of this solution is to “plug a hole” in the slow work of the TrendLab virus lab. In addition, creating a policy takes time (sometimes as long as it takes to analyze a virus and add detection proce-dures to the AV database), which means that there is still a time period during which a user is unprotected against the new threat. Another shortcoming of this approach is the rate at which security policies are changed. All the advan-tages of policy-based security are based on infrequent changes of the policies themselves. This helps the staff to get used to which things and actions are allowed and which are forbidden. However, if policies are replaced several times a day, this will only lead to confusion, resulting in no security policy at all. It would be more accurate to see the Trend Micro method as accelerated releasing of a certain kind of signature update rather than a policy-based se-curity approach. Therefore, in most cases this approach is not really proac-tive. An exception is policies making it impossible to take advantage of certain software vulnerabilities.
The Cisco-Microsoft approach
Limiting access to the corporate network for computers that do not comply with the company’s security policy (e.g. not having required operating system updates, the latest anti-virus database updates etc.). To bring a computer in line with the security policy, it is allowed access only to a special updates server. After installing all the necessary updates and performing other actions required by the security policy, the computer is granted access to the corpo-rate network.
2.3 Intrusion prevention systems (ips)
Intrusion Prevention Systems (IPS) are able to close a computer’s vulnerabilities that are most often used by malicious programs in order to block new threats before the anti-virus databases are updated. This involves blocking ports to eliminate the possibility of infection penetrating into the computer and further reproducing, creating policies to limit access to directories or individual files, detecting a source of infection on the network and blocking further communi-cation with it. This technology offers good protection against hacker attacks and bodiless worms and viruses, but it is not effective against mail worms, classical viruses and Trojan programs.
2.4 Protection against buffer overruns
The idea behind this technology is preventing buffer overruns for the most common programs and Windows services, including Word, Excel, Internet Ex-plorer, Outlook and SQL Server. Most attacks nowadays exploit various vul-nerabilities involving buffer overruns. Preventing buffer overruns can also be regarded as proactive protection, as this technology simply prevents exploita-tion of such vulnerabilities by any malicious code or attack.
2.5 Behaviour blockers
The history of behaviour blockers goes back more than 13 years. This type of anti-virus software was not popular 8-10 years ago, but as new IT threats ap-peared, behaviour blockers were remembered again. The main idea behind a blocker is analysis of program behaviour and blocking of any hazardous ac-tions. In theory, a blocker can prevent the distribution of any virus, both known and unknown (i.e. written after the blocker was released). This is the direction in which most anti-virus software developers are moving. There are numerous implementations of this technology. Most mail worm protection systems have lately been developed based on behaviour blocker mechanisms.
2.5.1 ?Prehistoric? behaviour blockers
The first generation of behaviour blockers appeared as far back as the mid-nineties (at the height of the DOS virus era). Their operating principle was simple: when a potentially hazardous action was detected, the user was prompted to allow or block the action. In many cases this approach worked, but “suspicious” actions were also performed by legitimate programs (including the operating system), and if the user was not sufficiently competent, the anti-virus program’s prompts caused confusion. As personal computers became more widespread, the average user’s competence level decreased and the demand for the first generation of behaviour blockers waned.
2.5.2 Behaviour blocker for vba programs. KAV Office Guard
As mentioned above, the principal shortcoming of early behaviour blockers was the frequency with which a user was prompted for action. This was be-cause a behaviour blocker was unable to decide whether a particular action was malicious or not. However, with programs written in VBA it is easy to distinguish malicious actions from useful with a very high degree of accuracy. This is why KAV Office Guard is not as “obtrusive” as its file brethren. How-ever, despite asking the user fewer questions this blocker has not become less reliable: a user utilizing it is protected against practically all macro viruses, both existing and those not yet written. In other words, by using advantages offered by an operating environment it became possible to achieve a reason-able balance between reliability and the number of prompts a user gets. How-ever, in terms of its operating principles KAV Office Guard is still a “prehistoric” behaviour blocker.
2.5.3 Second-generation behaviour blockers
The second generation of behaviour blockers is different in that they analyze sequences of actions rather than individual actions, using this analysis to de-cide whether a particular piece of software is malicious. This greatly reduces the frequency with which a user has to be prompted, improving detection reli-ability at the same time. An example of a second-generation behaviour blocker is the Proactive Defense Module implemented in Kaspersky Lab products.
2.6 Different Approaches to Proactive Protection
StormFront, the first product in the new generation of commercial proactive protection systems based on behaviour blockers, was released by Okena, a company specializing in development of intrusion detection and protection systems. In January 2003 Okena was acquired by Cisco Systems, and Storm-Front was released as Cisco Security Agent. This product is a classical behav-iour blocker designed for corporate customers. The product needs to be set up by a qualified administrator before it can be used.
McAfee is actively developing proactive protection technologies incorporated into products in the McAfee Entercept family. These products are able to close a computer’s vulnerabilities to a new threat before anti-virus database updates are released (IPS/IDS). This involves blocking ports, i.e. the possibility of infec-tion penetrating into the computer and further reproducing, creating policies to limit access to directories or individual files, detecting a source of infec-tion on the network and blocking further communication with it. In addition, these products are able to prevent buffer overruns for approximately 20 most common programs and Windows services, including Word, Excel, Internet Ex-plorer, Outlook and SQL Server, which can also be regarded as proactive protection. Personal products use only WormStopper, an improved heuristic technology detecting Internet worms distributed via e-mail and blocking suspi-cious activity on a computer, such as sending a large number of unauthorized e-mails to people in the address book.
Panda TruPrevent is comprised of three components: a process behaviour analyzer, which analyzes the behaviour of processes running on the system and detects suspicious actions, a heuristic analyzer and a set of IDS func-tions detecting malicious packets and protecting against buffer overrun. The product is positioned by Panda Software as the second line of defence against any unknown malicious software (a classical anti-virus solution is should be used as the first line of defence) and is designed to detect unknown malware launched on the computer. The product is intended for end-users (not an administrator).
In Symantec products, pro-active protection incorporates a built-in heuristic analyzer capable of detecting unknown virus modifications based on their characteristic actions on the system, as well as Norton Internet Worm Pro-tection, a set of IPS/IDS (Intrusion Prevention/Detection System) components blocking the most common paths used by malware to penetrate into the sys-tem (Prevention) and detecting suspicious actions (Detection). Also, the com-pany offers Outbreak Alert, a feature providing alerts on particularly hazardous internet threats (supplied as part of Norton Internet Security 2005). In addition, at the service level Symantec offers Early Warning Services (EWS), a service providing early alerts when vulnerabilities are identified. The service is now being integrated into a new system, Global Intelligence Services.Microsoft is also developing proactive methods of protection against malicious software. The details and time frame are unknown.
Trend Micro’s PC-cillin Internet Security 2005 incorporates a heuristic analyzer and an Outbreak Alert System providing proactive notification of new impend-ing threats. Its corporate product, Trend Micro OfficeScan Corporate Edition 6.5, uses signatures with the Outbreak Prevention Service, which automati-cally configures protection rules to prevent infection from penetrating into the system even before anti-virus databases are updated. This functionality is not available in the personal product.
In BitDefender products proactive protection means a behaviour analyzer blocking malicious programs based on analyzing their characteristic actions on the system (the application monitors system files, the system register and internet activity).
New Kaspersky Lab products use the company’s proven heuristic analyzer in combination with a number of cutting-edge proactive protection technologies. Kaspersky Lab products use an intrusion detection and prevention system (IPS/IDS) designed to fight hacker attacks and bodiless viruses. The notifica-tion system notifies users of outbreaks and other security events. But the most important innovation from the viewpoint of fighting new threats is the second-generation behaviour blocker. The blocker has an important feature: “rollback” of actions performed by malicious code. This helps dramatically reduce the number of questions the system asks the user and reduce the risk of damage to the system before new malicious software is detected.
2.6.1 Other methods
Mail traffic can be protected using special methods based on analyzing mes-sages passing through a mail server, helping to nip an outbreak in the bud. The following statistics can give grounds for suspecting the beginning of an outbreak:
- Mass mailing or reception of identical attachments;
- Mass mailing or reception of identical messages with different attach-ments;
- Attachments with double extensions
- Etc.
In addition, linguistic analysis can be performed on message bodies.
[ 本帖最后由 nicolashuang 于 2007-2-21 13:51 编辑 ] |
发表于 2007-2-21 12:52:52
楼主
发表于 2007-2-21 15:02:21