The Future of Internet Security – Part II

Sunday, May 10th, 2009 by Shlomo Touboul

So, Shlomo, why did you bring back your idea from 1996? Is this really what is needed now? How can this help? These are some of the questions that colleagues asked me after I published my last blog post.

Let's take a closer look at the scope of the anti-virus challenge. The graph below shows how the number of signatures in the database is growing. Today, most signature databases occupy 50MB to 60MB of RAM. The better an anti-virus vendor does its job, the more malware each signature covers, which means a smaller memory footprint and fewer CPU cycles consumed.

Source: Kaspersky Lab Virus Statistics

However, if this trend continues, the size of the DB will reach 1GByte within 3-4 years. It is hard to see PC users agreeing to pay the toll of the largest application on their PC, not to mention how long the PC will take to start up and how slow Windows will become. A huge application would scan every file operation, local or over the network, against a huge DB…

So, most AV companies are now rushing into the open, warm arms of In The Cloud Security (ITCS) technology. What is so promising about ITCS?

First, how does it work? A collection of servers (the cloud) stores the large signature DB and a powerful scanner. CPU and memory can easily be added to the cloud to maintain high performance without affecting service availability. Most end users have a high-speed internet connection, which is used by a "thin" AV client installed on the PC. Instead of scanning for known malware signatures, the thin client computes a checksum for every file and sends that checksum to the cloud. The cloud checks whether a file with that checksum matches the signature of known malware. If a match is found, the thin client reports the malware attempt and deletes the file. If no known malware is associated with the checksum, the file is loaded, executed or opened on the PC.

The result is a small footprint on the PC (little memory consumption) regardless of the size of the signature DB. Assuming a high-speed network and a powerful cloud, a performance improvement may be achieved as well.

Where is the drawback?

The above technology is very good at outbreak time. However, the nature of the internet means that millions of new files are born every day: new programs, scripts, HTML pages (which need to be scanned too), potential email phishing and spam, and so on. If the client encounters a new file, the cloud may not have its checksum yet. In that case the cloud or the client needs to transfer the entire file, scan it, return the result, and store the new checksum together with its scan result. Since this happens very often, such delays may occur every day, reducing the effectiveness of the cloud.

One way anti-virus companies want to mitigate this drawback is by adding a long whitelist to the cloud. The whitelist holds the checksums of known non-malware files and is maintained on a daily basis. They are also considering adding proactive scanning, which adds a lot of false positives. The combination of whitelist and proactive scanning may improve the solution and reduce the symptoms, but it does not really fix the problem.
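As an added illustration (not code from the original post or from any AV vendor), the following toy model walks through the checksum lookup described above, the fallback to a full upload and scan when the cloud has never seen a file, and the whitelist that caches clean verdicts. The sample "files", the SHA-256 choice of checksum and the one-rule scanner are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" standing in for real executables.
KNOWN_MALWARE_SAMPLE = b"constructed malware sample"
KNOWN_CLEAN_SAMPLE = b"constructed clean system library"
NEW_FILE = b"constructed file the cloud has never seen"


def checksum(data: bytes) -> str:
    """The thin client's fingerprint: SHA-256 of the file contents (assumption)."""
    return hashlib.sha256(data).hexdigest()


def full_scanner(data: bytes) -> str:
    """Stand-in for the cloud's signature scanner; one constructed rule."""
    return "malware" if b"malware" in data else "clean"


@dataclass
class CloudService:
    """Cloud side: known-malware checksums, whitelist, and a full-scan counter."""
    malware: set = field(default_factory=lambda: {checksum(KNOWN_MALWARE_SAMPLE)})
    whitelist: set = field(default_factory=lambda: {checksum(KNOWN_CLEAN_SAMPLE)})
    full_scans: int = 0

    def lookup(self, digest: str) -> str:
        if digest in self.malware:
            return "malware"
        if digest in self.whitelist:
            return "clean"
        return "unknown"

    def scan_upload(self, data: bytes) -> str:
        # The costly path: the whole file travels to the cloud and is scanned,
        # then its checksum and verdict are cached so the next lookup is instant.
        self.full_scans += 1
        verdict = full_scanner(data)
        (self.malware if verdict == "malware" else self.whitelist).add(checksum(data))
        return verdict


def thin_client_check(cloud: CloudService, data: bytes) -> tuple:
    """Client side. Returns (verdict, uploaded_full_file)."""
    verdict = cloud.lookup(checksum(data))
    if verdict != "unknown":
        return verdict, False
    return cloud.scan_upload(data), True
```

Note that a single-byte change to a known sample yields a new checksum, so the lookup returns "unknown" and the expensive upload path is taken again; this is the drawback the post describes.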

So, again, what does all of this have to do with the 3 laws of security, and what does it have to do with Yoggie?

For that, you will need to read Part III of this blog thread.

Stay tuned; Part III will come soon.

Cheers, Shlomo.
