The document introduces Symantec Ubiquity, a new technology that provides safety ratings for programs based on data from over 100 million Symantec users. It aims to address limitations of traditional signature-based detection in dealing with the growing number of unique and low-prevalence malware. Symantec Ubiquity analyzes the behavior, prevalence, and other attributes of files across all clients to identify suspicious programs. It is being integrated into Symantec's security products to enhance detection capabilities against unknown and targeted threats. Initial results show Ubiquity providing safety ratings for over 1.5 billion files and serving billions of ratings per month.
2. The Problem
A quick look at Cyber security 2009 by the numbers
• 3,200,000,000 attacks blocked by Symantec in 2009
• 240,000,000 new malware variants
– 12 new 0day vulnerabilities
– 14 new public SCADA vulnerabilities
– 321 browser plug-in vulnerabilities
– 4,501 new vulnerabilities
– 17,432 new bot C&C servers
– 30,000 domains hosting malware
– 59,526 phishing hosts
– 2,895,802 new AV signatures
– 6,798,338 bot infected computers
In the time it takes to give this presentation, we will block more than 540,000 attacks!
Symantec Ubiquity 2
3. The Problem
Protection is a constant challenge
Like a game of cat and mouse…
• As we improve and innovate our technologies, malware authors adapt and innovate too
• Their techniques are easy – exploit, encrypt, deploy and repeat
4. The Problem
Malware authors have switched tactics
240M+ distinct new threats discovered last year!
From: a mass distribution of relatively few threats, e.g. Storm made its way onto millions of machines across the globe
To: a micro distribution model, e.g. the average Vundo variant is distributed to 18 Symantec users! The average Harakit variant is distributed to 1.6 Symantec users!
What are the odds a security vendor will discover all these threats?
If you don’t know about it, how do you protect against it?
5. The Problem
Millions of file variants (good and bad)
• So imagine that we know:
– about every file in the world today…
– and how many copies of each exist
– and which files are good and which are bad
• Now let’s order them by prevalence with
– Bad on the left
– Good on the right
6. The Problem
No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution.
[Chart: files ordered by prevalence, Bad Files on the left, Good Files on the right]
– Blacklisting works well here (the high-prevalence bad files on the left).
– Whitelisting works well here (the high-prevalence good files on the right).
– Unfortunately neither technique works well for the tens of millions of files with low prevalence. For this long tail a new technique is needed. (But this is precisely where the majority of today’s malware falls.)
9. Ubiquity is something different
10. Ubiquity™
A revolutionary technology that provides safety ratings for every program on the Internet, based on the collective wisdom of Symantec's more than 100 million users.
11. Ubiquity
The questions Ubiquity asks about a file and its source:
• How will this file behave if executed?
• What does it do? What rights are required?
• Is it signed? Who created it? Who owns it?
• How old is the file? Does it have a security rating?
• How often has this file been downloaded?
• Does the file look similar to malware?
• Is the file associated with files that are linked to infections?
• Have other users reported infections?
• Where is it from? How old is the source?
• Is the source associated with infections?
• Is the source associated with SPAM?
• Is the source associated with many new files?
12. The Idea
Unique programs are almost always suspicious
You probably want to know if you are the first person to run a program or if the file was just created
14. The Idea
• Identify what is unique
• Supplement with risk ratings
• End up with a highly confident assessment
15. Ubiquity - How it works
1) Build a collection network
2) Rate every file on every client
3) Assemble into a DB and data mine
4) Serve the rankings during scans
5) Provide actionable data
Attributes collected per file: Prevalence, Age, Source, Behavior, Associations
16. Why Ubiquity?
• Exceptional Detection
• Blazing Performance
• Unmatched Accuracy
• Security based on real data
• Policies based on actual risk
Ubiquity is not a replacement technology – it makes our other technologies more powerful
17. Exceptional Detection
• It blocks unknown malware
• It ratchets up the “resolution” of our heuristics and behavior blocking
• It kills targeted and mutated malware, once and for all
– Let’s see why…
18. Exceptional Detection
Spotting Unique Threats
• Hackers mutate threats to evade fingerprints
• In context, mutated threats stick out like a sore thumb
• It’s a catch-22 for the virus writers
– Mutate too much = Easily spotted
– Mutate too little = We’ve seen it before
19. Blazing Performance
On a typical system, 80% of active applications can be skipped!
[Chart: Traditional Scanning vs. Ubiquity]
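To make slides 12 to 19 concrete, here is an added example (not Symantec's code, and not a description of how Ubiquity actually scores): a toy rater that turns the attributes the deck names (prevalence, age, source, behaviour similarity, signer) into a safety rating, and a scan loop that skips files rated good. The dataclass fields, the point weights, the thresholds, the trusted-signer and infected-source sets and the telemetry records are all constructed for illustration.

```python
"""Toy crowd-reputation file rater (added example, not Symantec's code).

All attributes, weights, thresholds and sample telemetry are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class FileTelemetry:
    file_id: str                       # stands in for the file hash (constructed)
    prevalence: int                    # how many clients have reported this exact file
    first_seen: date                   # when the collection network first saw it
    signed_by: Optional[str]           # verified code-signing identity, if any
    source_host: str                   # where the file was downloaded from
    known_bad: bool = False            # matches an existing signature (blacklist hit)
    similar_to_malware: bool = False   # static similarity to a known family


# Back-end context the rater consults (constructed examples)
INFECTED_SOURCES = {"dl.badhost.example"}
TRUSTED_SIGNERS = {"Example Software Inc."}


def rate_file(f: FileTelemetry, today: date) -> Tuple[str, List[str]]:
    """Return (rating, reasons); rating is 'bad', 'suspicious', 'unknown' or 'good'.

    A blacklist hit wins outright (the "mutate too little" case). Otherwise risk
    points accumulate for low prevalence, young age, a bad source and malware
    similarity (the "mutate too much" case) and are offset by trust signals.
    """
    if f.known_bad:
        return "bad", ["matches an existing signature"]
    age_days = (today - f.first_seen).days
    score, reasons = 0, []
    if f.source_host in INFECTED_SOURCES:
        score += 3
        reasons.append(f"source {f.source_host} is associated with infections")
    if f.similar_to_malware:
        score += 2
        reasons.append("looks similar to known malware")
    if f.prevalence < 5:
        score += 2
        reasons.append(f"seen on only {f.prevalence} client(s)")
    elif f.prevalence < 100:
        score += 1
        reasons.append(f"low prevalence ({f.prevalence} clients)")
    if age_days < 7:
        score += 1
        reasons.append(f"first seen {age_days} day(s) ago")
    if f.signed_by in TRUSTED_SIGNERS:
        score -= 2
        reasons.append(f"signed by trusted publisher {f.signed_by}")
    if f.prevalence >= 10_000 and age_days >= 60:
        score -= 2
        reasons.append("large, established user base")
    if score >= 3:
        return "suspicious", reasons
    if score <= -2:
        return "good", reasons
    return "unknown", reasons


def scan(files: List[FileTelemetry], today: date) -> dict:
    """Files rated 'good' skip the expensive content scan entirely (the slide 19
    performance win); everything else is scanned and bad/suspicious files blocked."""
    result = {"skipped": [], "scanned": [], "blocked": []}
    for f in files:
        rating, _ = rate_file(f, today)
        if rating == "good":
            result["skipped"].append(f.file_id)
            continue
        result["scanned"].append(f.file_id)
        if rating in ("bad", "suspicious"):
            result["blocked"].append(f.file_id)
    return result


TODAY = date(2010, 10, 1)  # constructed reference date
SAMPLE = [  # constructed telemetry records
    FileTelemetry("established_app", 250_000, date(2009, 1, 15),
                  "Example Software Inc.", "downloads.example"),
    FileTelemetry("mutated_variant", 1, date(2010, 9, 30), None,
                  "dl.badhost.example", similar_to_malware=True),
    FileTelemetry("niche_tool", 40, date(2010, 8, 1), None, "files.example"),
    FileTelemetry("known_trojan", 3, date(2010, 9, 29), None, "files.example",
                  known_bad=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.file_id, *rate_file(f, TODAY))
    print(scan(SAMPLE, TODAY))
```

The two malware records show the catch-22 from slide 18: the lightly changed copy still hits the signature, while the heavily mutated one has no signature match but is unique, brand new, similar to a known family and served from a source tied to infections, so context alone flags it.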
20. Empower Users
Users – given the tools to make choices
21. Policies based on actual risk
Data Driven Policies
• Applications with low reputation are forbidden from accessing documents identified by DLP as containing financial data.
• Help-desk employees can install medium-reputation software with at least 100 other users.
• Finance Dept: only software with at least 10,000 users over 2 months old.
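The three policies on slide 21 are easy to express as rules over the reputation record a client receives. The following is an added example (not Symantec's code or policy format): the band labels, the field names, reading "2 months" as 60 days, treating "high" reputation as satisfying a "medium" minimum, and the sample applications are all assumptions made for illustration.

```python
"""Slide 21's data-driven policies as rules (added example, not Symantec's code).

Band names, field names, the 60-day reading of "2 months" and the sample
applications are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Ordered reputation bands; "high" is assumed to satisfy any lower minimum.
BAND_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class AppReputation:
    name: str
    band: str          # reputation band served by the rating service
    other_users: int   # how many other users run this application
    age_days: int      # days since the file was first seen


@dataclass(frozen=True)
class InstallPolicy:
    description: str
    min_band: str = "low"
    min_other_users: int = 0
    min_age_days: int = 0

    def check(self, app: AppReputation) -> Tuple[bool, str]:
        """Return (allowed, reason) for installing `app` under this policy."""
        if BAND_RANK[app.band] < BAND_RANK[self.min_band]:
            return False, f"{app.name}: reputation {app.band} is below {self.min_band}"
        if app.other_users < self.min_other_users:
            return False, (f"{app.name}: only {app.other_users} other users "
                           f"(policy needs {self.min_other_users})")
        if app.age_days < self.min_age_days:
            return False, (f"{app.name}: only {app.age_days} days old "
                           f"(policy needs {self.min_age_days})")
        return True, f"{app.name}: allowed by {self.description}"


INSTALL_POLICIES: Dict[str, InstallPolicy] = {
    # Help-desk employees can install medium-reputation software with at least 100 other users
    "help-desk": InstallPolicy("help-desk rule", min_band="medium", min_other_users=100),
    # Finance Dept: only software with at least 10,000 users over 2 months old
    "finance": InstallPolicy("finance rule", min_other_users=10_000, min_age_days=60),
}


def may_install(group: str, app: AppReputation) -> Tuple[bool, str]:
    """Evaluate the install policy assigned to a user group."""
    return INSTALL_POLICIES[group].check(app)


def may_open_document(app: AppReputation, dlp_tags: FrozenSet[str]) -> bool:
    """Applications with low reputation are forbidden from accessing documents
    that DLP has identified as containing financial data."""
    return not ("financial" in dlp_tags and app.band == "low")


# Constructed sample applications
SAMPLE_APPS = {
    "office_suite": AppReputation("office_suite", "high", 2_000_000, 900),
    "ticketing_plugin": AppReputation("ticketing_plugin", "medium", 250, 120),
    "fresh_utility": AppReputation("fresh_utility", "medium", 15_000, 20),
    "odd_downloader": AppReputation("odd_downloader", "low", 4, 2),
}

if __name__ == "__main__":
    for group in INSTALL_POLICIES:
        for app in SAMPLE_APPS.values():
            print(group, may_install(group, app))
    for app in SAMPLE_APPS.values():
        print(app.name, "may open financial doc:",
              may_open_document(app, frozenset({"financial"})))
```

Each rule reads directly off the reputation record, so the same record that drives detection also drives the install and document-access decisions, which is the point of "policies based on actual risk".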
22. Conclusion
Ubiquity Changes the Rules of the Game
• Amplifies the protection of our current technologies
• We no longer rely solely on traditional signatures
• Use data from tens of millions of users to automatically identify otherwise invisible malware
• Shifts the odds in our favor – attackers can no longer evade us by tweaking their threats
23. Conclusion
Where is Ubiquity in use today?
• Deploying into all our flagship products
– First used in blocking mode in the Norton 2010 products.
– Currently also used in Symantec Hosted Endpoint Protection
– Will soon be available in the Symantec Web Gateway product
– Will follow in others
• Is also used within Symantec back office systems
– To enrich and validate traditional malware analysis
– Fast tracks new malware detections
– Provides a safety check to further mitigate false positives
24. Conclusion
Results
– Ubiquity’s reputation database now contains accurate safety
ratings on more than 1.5 billion good and bad executable files.
– New files are being discovered at the rate of 22 million each week.
– Ubiquity data confirms the original premise that malware today is
largely micro-distributed – more than 75 percent of malware
discovered by Ubiquity affects less than 50 Symantec users.
– Today Ubiquity serves an average of more than 45 billion
application safety ratings every month for customers.
– Ubiquity was recently named the winner of the network security category in the 2010 Wall Street Journal Technology Innovation Awards.
… and this is just the beginning!