How do you distinguish good from evil? Have you ever asked yourself this question? In order to avoid diving into philosophy, let’s translate evil to harmful and good to harmless. What’s your strategy for finding out whether something is harmful or harmless? When it comes to food, maybe you try a small bite and gradually increase the dose. This strategy fails for software, since you cannot install a bit of code and install more if everything looks OK. Analysing the behaviour is the next analogy in line. Behavioural analysis is well known to anthropologists, psychologists and most human resources departments. Does it work for code, too?
If you look at your security tools, you will probably find tools that use a rule-based approach; then there are signatures, and some tools offer to detect/decide based on heuristics (often described by cynical sysadmins as “doesn’t know anything, but will decide anyway”). There is really no clear winner. Every strategy has its merits and drawbacks. In his talk at DeepSec 2011, Sourabh Satish, Distinguished Engineer and Chief Architect at Symantec, will focus on rule-based behavioural security and will explain why this technique is no silver bullet for your malware problems. Sourabh will use real-world threats as case studies to showcase the approach’s strengths and weaknesses. He will talk about how techniques such as supervised and unsupervised machine learning can address many of the inherent limitations of legacy behavioural systems. You will see how to implement such a machine learning-based behavioural system using freely available tools like WEKA, and you will get homework to further investigate this area on your own.
Since we won’t hand out silver bullets for security reasons, Sourabh will then discuss the limitations of these machine learning-based solutions and propose several potentially fruitful areas of research.
Sourabh Satish’s talk contains real-world threat examples to illustrate his points. You should attend this talk if you want to understand what your security tools do and how you can assess both the risks they mitigate and the risks that still pose a threat to your assets (the malware case studies will be your guide). If you are interested in security research, then this talk is especially for you. Developers who are looking for new ideas to create prototypes are always welcome.