Symantec to identify safe software by 'reputation'

The company's tech will judge whether an app is unsafe by looking at where it can be found across the database of Symantec users and categorizing those machines as safe or otherwise.

Symantec will soon introduce a "reputation-based" software-rating technology that it has claimed can accurately differentiate malicious malware from legitimate programs.

"Reputation-based security is the latest and greatest technology in malware detection," said Basant Rajan, chief technology officer of the IT security vendor's India office.

Essentially, this approach involves looking at where a program can be found across the database of Symantec users, categorizing the reputation of those machines and coming to a judgment on whether the application poses any security risks.

"When seeking good food, we'll most likely go to the restaurant with the most customers. That's an example of a reputation-based choice in selecting a restaurant," Basant said in an interview with ZDNet Asia, during his visit to Symantec's Kuala Lumpur office.

"You just look at the behavior of people and make a decision based on that behavior. We can do the same with programs," he explained.

According to Basant, Symantec's reputation-based approach assumes three distinct populations in its user base, which numbers in the millions. "You have one population that is ultra-safe, one that is adventurous and one that is completely unsafe," he said.

"We identify these by looking at the history of infections on their machines," said Basant, who plays a key role in driving innovation for Symantec's next-generation technologies, architecture and standards.

The safe group encompasses "prim and proper" users who only download applications from reputable software companies, he explained, while the adventurous group is users who are generally safe, but are willing to try out online games or new programs.

Users in the unsafe crowd are those who frequent a class of websites where they can get infected easily, he added. For example, when a new program is detected, the reputation-based approach will entail looking at where the program is found among the machines of millions of Symantec users.

"If a large number of the 'safe' machines have it, making an educated guess is to say that this is a safe program," Basant said. "But, if you see this application only [installed] with the unsafe crowd and a few of the adventurous guys, it is almost certain that this is an unsafe program. You wouldn't lose money betting that this is an unsafe program."

The new technology, which is currently being tested, will complement Symantec's current approach to addressing problems with malicious codes. The traditional method involves a blacklist to identify highly prevalent malware, as well as a white list to identify popular and legitimate programs.

Asked when the new reputation-based technology will be introduced into Symantec's Norton security products, Basant said: "[This] will happen when the product teams deem the market timing is right for it". He added that tests have been encouraging so far, as the false positives rate was extremely low.

The white list component was introduced into Norton's security products at the end of 2007, to augment the traditional blacklist approach to detecting malware.

Bad outpacing the good
In its Internet Security Threat Report Vol XIII, covering a six-month period from June to December 2007, Symantec measured the release of both legitimate and malicious software and found that 65 percent of the 54,609 unique applications released to the public, were categorized as malicious. Basant said that marked the first time Symantec observed malicious software outpacing legitimate applications.

"This means, if you make a list of all the good programs and bad programs, and the list of good programs is smaller, it becomes worthwhile to keep track of the good programs as opposed to keeping track of the bad ones," he explained. He noted that a key advantage of adopting the white list approach was that it enables Symantec's security programs to run scans considerably faster.

Basant added that Symantec builds and maintains a white list of safe programs. While the obvious method is to list all programs from reputable publishers, such Microsoft, Adobe and IBM, he noted that there are also lesser-known, smaller players writing legitimate programs.

Symantec uses a "crowd sourcing" method to determine if applications from small software developers should be added to the white list.

"We can actually look at what seems to be running safely on a vast majority of machines on which… we have a footprint," Basant said. "We just look at the aggregate behavior of these programs over millions of machines, and deduce that these programs are safe and can, therefore, be added to the white list."

The Symantec executive acknowledged that the nature of today's security threats has changed radically, as organizations are now targeted individually. "So now, the malware that came to you probably only went to four other people in the world," he said. "How do you ever write a blacklist signature for it when only five people got it?"

To protect the targeted few, Basant said Symantec's security products leverage behavioral-analysis technologies and, in the near future, will tap reputation-based security, which does not depend on a signature but behavior or prevalence to determine whether a program is legitimate.

Lee Min Keong is a freelance IT writer based in Malaysia.