Pattern Matching and IT Folklore
Every once in a while there is a lively discussion about the efficiency of pattern-based security measures. Usually you see these discussions in the wake of security software tests. Mostly it concerns intrusion detection, malware filter or spam filter tools. As soon as you try to implement filters or detection, you need some criteria to base decisions on. It doesn’t matter whether you apply whitelisting, blacklisting or a mixture of both. Even if you add some intricate algorithms ranging from good ideas to artificial intelligence, you still need to base the decision on something. Patterns and signatures are still the way to go. So where do these discussions about „all methods using patterns/signatures are snake oil“ stem from?
Let’s take another pattern-based defence mechanism as an example – our immune systems. It is used as a prime analogy for anti-virus software (of course the use of „virus“ in this context is another analogy). We all have a working immune system, but we still get sick. The immune system works best against threats which have been detected before. Still there is „biological malware“ around that cannot be fought, since there is no cure. How do we deal with this imperfect design? Well, we manage the risks to the best of our ability. There is no other way. Basically you do the same as you do in the digital world. You can reduce exposure. You can add additional layers (such as protective clothing or hygiene procedures). Yet 100% protection is a theoretical limit which you will never attain. This fact is clear to every medical, biological or security expert. Why do we keep repeating the discussion about the imperfections of pattern/signature based mechanisms then?
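To make the two points above concrete (decisions need something to match on, and a single pattern layer leaves residual risk), here is a small added example of a layered classifier. It is not code from the original post; the signatures, the allow-list digest and the sample inputs are all constructed for illustration, and the heuristic is a deliberately crude stand-in for whatever extra layer a real product would add.

```python
import hashlib
import re
from typing import Dict, Tuple

# Constructed block-list signatures (not real malware or spam signatures):
# a byte pattern for a "known sample" and a phrase for a "known spam" mail.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "KNOWN-SAMPLE-1": re.compile(rb"eval\(base64_decode\("),
    "KNOWN-SPAM-1": re.compile(rb"cheap meds", re.IGNORECASE),
}

# Constructed allow-list: SHA-256 digests of content known to be good.
KNOWN_GOOD = {hashlib.sha256(b"hello world\n").hexdigest()}

# Heuristic layer: a long base64-looking run is suspicious but not proof,
# so it routes content to review rather than blocking it outright.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def classify(data: bytes) -> Tuple[str, str]:
    """Layered decision: allow-list first, then signature block-list,
    then heuristic; anything else is 'unknown', i.e. residual risk."""
    if hashlib.sha256(data).hexdigest() in KNOWN_GOOD:
        return ("allow", "allow-list")
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return ("block", name)
    if BASE64_BLOB.search(data):
        return ("review", "heuristic:base64-blob")
    return ("unknown", "no-match")


def coverage(samples: Dict[str, bytes]) -> Dict[str, int]:
    """Count how many samples each layer decided, to show where the
    signature layer stops and the residual risk begins."""
    counts: Dict[str, int] = {}
    for data in samples.values():
        verdict, _ = classify(data)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inputs: known good, known bad, a variant of the known bad
    # sample that the exact signature no longer matches, and novel content.
    samples = {
        "good": b"hello world\n",
        "known-bad": b"<?php eval(base64_decode('aGVsbG8='));",
        "variant": b"<?php eval (base64_decode ('" + b"A" * 40 + b"'));",
        "novel": b"nothing to see here",
    }
    for label, data in samples.items():
        print(label, classify(data))
    print(coverage(samples))
```

The variant is caught only by the heuristic layer, and the novel sample by nothing at all: the signature layer is doing its job, and the remaining risk is what the rest of the article says you have to manage rather than argue away.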
The cause is most probably rooted in the mindset. System administrators have heard statements like this before: „I have anti-virus software, so I can open any e-mail and visit every web site without caution.“ On the other hand, here is something you won’t hear very often: „I can drink raw sewage, because I have an immune system.“ This is quite an inconsistency. It also illustrates how analogies fail. Just by calling a piece of code a „virus“ and the deployment of filter software „inoculation“ you get nothing more than the cosy feeling of self-deception. The same is true for all the other bells and whistles found in web browsers, for example. In turn, this realisation is no breaking news and no scientific breakthrough. Sorry to have wasted your time, but these things can’t be stated often enough.
However, if you do have some breaking news or a scientific breakthrough when it comes to decision algorithms for security software, please let us know. The Calls for Papers for DeepSec 2012 and DeepINTEL are the prime place to put your discovery. In the meantime, please don’t start yet another discussion about the drawbacks of patterns and signatures. We already know.