SONAR is a behavioral security engine that is at the heart of our antimalware defenses. With the unprecedented growth in malware that has been observed over the last few years, an effective security product has to able to distinguish a bad piece of new binary/software from a good one without the need for a fingerprint. SONAR, first introduced a couple years ago into the Norton products, has been re-written for the 2010 products to keep pace with today’s threat landscape and take advantage of other new capabilities, such as our Quorum reputation services.
Why do we need behavioral security?
It’s no secret that today’s threat activity is heavily focused on the web, and specifically on breaking into a system through the web browser, whether it’s Internet Explorer, Firefox or something else. The tactics used to distribute malware include social engineering, where the user is tricked to download a piece of malware packaged inside a benign utility or pretending to be something useful (like a Video Codec installer). Other methods include drive-by-downloads, where the browser and/or its component vulnerabilities are exploited to download a malware on an end user’s machine without user involvement. Behind both of these infection techniques lies a web server that was either set up by the attacker for the purpose of attacking people, or more frequently, one that was hacked and used for the same reason. Using the attacking web server and code readily available in underground economies, the cybercriminal can generate new and unique malware variants on the fly in an attempt to evade detection by security software. The ability of attackers to create malware that looks unique on-demand has put incredible pressure on the traditional signature-based malware detection strategy. Signature-based security approach requires the malware to have been seen for the fingerprint to be created and released to the engine or the cloud, for detection. This is not to say that “signatures are dead” or not useful—they are still an important line of defense in a modern security product, but they now play more of a supporting role rather than the central one they did before. Behavioral protection compliments the signature and reputation model by detecting unknown malware based on what it does (or attempts to do) on a system.
What is unique about the behavioral protection in Norton’s 2010 products?
In a very generic description, behavioral security identifies key behaviors of an executable and uses these behaviors to identify the class of software it belongs to. This may sound fairly straight-forward, but the real trick is to do this without impacting performance and without asking the user what to do with a suspicious program when you’re not 100% certain of its disposition. Last year we focused on introducing the industry’s lightest and fastest security products and our performance goals this year were even more ambitious. The demand for even better unknown malware detection without sacrificing performance poses a key challenge for our "real-time" behavioral security engine, SONAR2, as it has to monitor runtime activities and block malicious behavior synchronously. Symantec’s Quorum backend intelligence, first introduced in 2009 Norton products as whitelisting, plays a key role in shaping the effectiveness of SONAR 2,helping us deliver an engine that can reliably do its job without bothering the user with strange questions about unknown programs and with minimal overhead on the PC.
How does SONAR 2 compare with previous releases?
Norton users have had the benefit of behavioral security in earlier Norton releases too. With SONAR2, the engine has evolved significantly to offer highly effective, real time behavioral protection. In previous versions of this technology, there were fewer and different behaviors being analyzed. SONAR 1 was one of the "last lines of defense" and reactive for the most part but was effective at dealing with many unknown threats nonetheless. With SONAR 2, the technology becomes proactive and real-time, making sophisticated decisions using a broad set of factors that should make our unknown malware protection both faster and more effective. SONAR2 has the ability to challenge the actions of executables and attempt to classify new suspicious processes before their actions are allowed on the system. Upon classifying software as malicious, it has the ability to completely remediate the threat and its components from the system.
How does SONAR2 work?
With the breadth of security engines and technologies we have, SONAR2 leverages all possible sources of information to make a very quick judgment call about the risk a file poses to a PC and its owner. As an example, the source URL, site reputation and transport method are a few of the pieces of information, among many others, used by the pre-classification system to quickly make a call about an unknown file. Thus the pre-classification system allows us to narrow our focus more specifically on suspicious files and components. Following pre-classification, SONAR2 then analyzes and uses evidence about the file itself and its relation to the system. Relation analysis involves understanding and gathering information about the file from a system use perspective. However, 'gathering information' is not a reactive but a real time activity being performed as the file enters the system. Again, this allows us to even challenge the existence of the file as it becomes part of the system, by registering itself to the OS and its various applications. Hence a file can be classified as a malicious and convicted much before it ever runs on the system.
Now when the file executes, SONAR 2 observes key behaviors in real time, synchronously. These behaviors are carefully chosen to have the least performance impact but the most amount of insight into the potential “maliciousness” of the running process. As the process exhibits these key behaviors, the knowledge of what it is doing is added to the evidence gathered during pre-classification and relation analysis and all of this is fed into a real time classification engine that helps determine the maliciousness of the process and the file. The classification engine is not just using the knowledge of good and bad behaviors, like 1st generation behavioral engines typically did. The classification engine in SONAR 2 also uses the strength of the Norton Community and Quorum technology to build a classifier that is truly representative of prevalence of these behaviors in applications across the Norton user community. Thus a malicious behavior observed extensively in large class of malware may be the only evidence required to convict a new piece of suspicious software. At Symantec, the security analysts are constantly observing and analyzing new malware families and this classification system is routinely measured for its in-field effectiveness. The classification system can be seamlessly updated and released to our customers to make sure they have the best protection for the latest threats, without having to release a new engine, as was often done in the past.
Again, the combination of pre-classification system and observation of key malicious behaviors helps the engine to be very confident of its classification results as early in the life cycle of a process as possible. Except in rare instances, the system need not and does not have to gradually/slowly increase the suspicion on the process to lead to a conviction, giving it time to download other threats or otherwise compromise the system.
SONAR2 system uses more than ~400 data points in the classification system. These data points are extensively researched and measured constantly for the value they provide in the classification system and are constantly added to or dropped to keep up with the constantly changing landscape. The data points comprise of existential evidence of the file, its relation to the system, its runtime behaviors, etc.
The runtime behaviors are not limited to merely how the process interacts with the OS or what the process does on the system. SONAR2 has the unique advantage of even observing behaviors that are exhibited by the software over the network. Since most malware are motivated to communicate externally over the network, the unique visibility we have into the process behaviors allows us to use this additional data point in the classification system resulting in very high success rates in the final classification of a process.
SONAR2 is a much broader and effective behavioral engine that does not just focus on classifying a file/process. Once the engine identifies a malicious file or a process, the process of convicting a file or a process is also "state of the art". It attempts to trace the malicious file, all its components and its lineage information to do effectively a clean "uninstall" of the entire malicious package rather than just the malicious file itself.
Even before we shipped our 2009 products last year, we began work on designing SONAR 2 for delivery in this year’s versions of NAV and NIS. It’s been a long journey and even a bit harder than expected, but we’re proud to introduce it to you this year and believe it offers truly powerful protection versus unknown malware with minimal performance impact and user interaction.
Message Edited by sourabhsatish on 07-09-2009 05:55 PM