In my last blog post, I talked about the infection rates of Immunet users (namely looking at how many threats we blocked on different machines). In this post, I’d like to dive into how frequently a piece of malware might show up on a given system.
I took a look at data from queries made to Immunet’s cloud between September 15, 2010 and October 15, 2010 (i.e., a one-month period), and looked specifically at convictions issued through our basic 1-1 signatures. As of October 15th, we had approximately 580,000 users and were tracking about 16 million unique threats. (As of today we have over 620,000 users and data on around 16.5 million threats.)
For the purpose of this exercise, I was more interested in seeing how prevalent known threats were, which is why I only examined results from our basic 1-1 signature approach. (Note that detection against known threats is only a part of Immunet’s overall protection stack; for example, we have technologies like Ethos and Spero that are designed to catch threats that were not previously known to us. Check out my other blog post on Ethos and Spero). The results are graphed below.
Of all the threats we identified (by SHA-2), slightly less than half were on more than one system. The remaining threats were seen exactly once and never again. At the other end of the spectrum, less than 1% of the distinct threats we saw were on more than 23 machines. Note that the results are cumulative, so the bars will add up to more than 100%. (For example, a threat that is on three machines will be counted in columns one and two.)
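To make the cumulative prevalence measurement concrete, here is an added example (not Immunet's code) that reproduces the counting behind that chart on a small constructed set of conviction records. Each record is a (hash, machine id) pair, hashes are deduplicated per machine so a threat reported twice from the same system counts once, and the result for each threshold k is the fraction of distinct hashes seen on more than k machines, so the fractions are cumulative just as described above. The hash strings and machine ids are placeholders, not real SHA-2 values.

```python
from collections import defaultdict


def build_sample():
    """Constructed conviction log: (hash placeholder, machine id).

    Five hashes seen on exactly one machine, three on two machines,
    one on three machines, and one widespread hash on 30 machines.
    """
    records = []
    for i in range(5):                       # singletons
        records.append((f"hash{i:02d}", f"m{i:03d}"))
    for i in range(5, 8):                    # two machines each
        records.append((f"hash{i:02d}", f"m{100 + i}"))
        records.append((f"hash{i:02d}", f"m{200 + i}"))
    for j in range(3):                       # three machines
        records.append(("hash08", f"m30{j}"))
    for j in range(30):                      # widespread threat
        records.append(("hash09", f"m4{j:02d}"))
    # Same hash convicted twice on the same machine: must not inflate the count.
    records.append(("hash00", "m000"))
    return records


def distinct_machines_per_hash(records):
    """Map each hash to the number of distinct machines it was convicted on."""
    seen = defaultdict(set)
    for sha, machine in records:
        seen[sha].add(machine)
    return {sha: len(machines) for sha, machines in seen.items()}


def cumulative_prevalence(counts, thresholds):
    """Fraction of distinct hashes seen on MORE than k machines, per threshold k.

    Because every threat above a higher threshold is also above every lower
    one, the fractions are cumulative and sum to more than 1.0.
    """
    total = len(counts)
    return {k: sum(1 for c in counts.values() if c > k) / total
            for k in thresholds}


if __name__ == "__main__":
    counts = distinct_machines_per_hash(build_sample())
    for k, frac in cumulative_prevalence(counts, [1, 2, 5, 23]).items():
        print(f"seen on more than {k:2d} machines: {frac:.0%} of threats")
```

On the constructed sample, half of the hashes are seen on more than one machine and a single hash (10%) crosses the 23-machine mark, which is the shape of distribution the post reports; on real data the tail is far thinner. Only the machine set size matters, so reusing this on a production conviction feed is just a matter of feeding it (hash, host) pairs.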
These findings have a few implications. First, they point to a significant shift in the economics of the traditional push-based signatures that many incumbents in the AntiVirus space use. Does it really make sense to push out tens of thousands of new AntiVirus definitions to millions of users (as many vendors are doing) when 99% of these threats will trigger on less than a couple of dozen machines? From the data we are seeing, the answer is an overwhelming no. In this respect, a cloud-based pull approach provides far more favorable economic tradeoffs.
Second, these findings point to the highly transient nature of threats (a topic that I will definitely cover in a future blog post). Many existing companies in the AntiVirus space suffer from significant latencies in their back office operations. From the time that they know about a threat internally to the time users are protected against these threats, anywhere between tens of hours to tens of days could pass. Given how many threats are detected on just one machine, this approach is a classic case of “too little too late.” At Immunet we’ve built an architecture that inherently eliminates these inefficiencies, and yields a near real-time feedback loop.
Finally, these findings cement the argument that a pure signature-based approach has limited value. Signatures work especially well for popular threats. They are conceptually easy, well tested, and are targeted enough to ensure a low rate of false positives (i.e., a case where a legitimate application was mistakenly called bad). However, they fail miserably for fly-by-night threats. This shortcoming of signatures is one reason why we developed approaches like Ethos and Spero (among others) for finding ephemeral threats.
Ultimately, it’s obvious that the old way of doing things is not working, and a changing of the guard is necessary. Although the data we are seeing makes it abundantly clear, the reality is that the writing has been on the wall for far longer. We formed Immunet to address shortcomings that we’ve seen in the industry for some time. As we catch threats that others miss, we can score one more for the good guys. There is an amazing feeling in knowing that we might have just protected someone from getting their identity stolen or having their computer usurped for more nefarious purposes.