Anti-virus technologies might not be on their last legs, but they could use a second wind, security researchers say.
According to a report published recently by researchers at the University of Michigan's Electrical Engineering and Computer Science Department and network security company Arbor Networks, anti-virus products are inconsistent at best when it comes to identifying attacks such as worms, phishing and botnets. The report is called "Automated Classification and Analysis of Internet Malware".
"Using a large, recent collection of malware that spans a variety of attack vectors (e.g., spyware, worms, spam), we show that different AV products characterise malware in ways that are inconsistent across AV products, incomplete across malware and that fail to be concise in their semantics," the report says.
The report shows that host-based anti-virus techniques failed to "detect or provide labels for between 20 and 62% of the malware samples".
The researchers argue that a new classification technique is required that "describes malware behaviour in terms of system state changes (e.g., files written, processes created) rather than in sequences or patterns of system calls. To address the sheer volume of malware and diversity of its behaviour, we provide a method for automatically categorising these profiles of malware into groups that reflect similar classes of behaviours and demonstrate how behaviour-based clustering provides a more direct and effective way of classifying and analysing internet malware."
The researchers demonstrated the usefulness of this approach during a six-month period on 3,700 malware samples.
Traditional, signature-based anti-virus methods for detecting and tackling the growing volumes and variety of viruses and other malware have been termed dead by some industry watchers.
Companies such as McAfee, Symantec and Trend Micro have in fact started to reveal plans to move their security products to the next level through whitelisting and other approaches.