SONAR 3: A new level of behavioral security in Norton 2011
This year we have some innovative changes that build upon the successful, effective, and efficient SONAR 2 behavioral security engine. For those who are not familiar with SONAR technology, here is a link to an article that describes it. With SONAR 2, we have a proven track record of being able to convict malware and secure Norton users from malware designed to evade most other security features. In the last nine months alone we prevented upward of 4.2 million infections out of about 140 million incidents that we analyzed for Norton users. Most of these incidents were never-before-seen malware and infection scenarios, thus truly providing "zero-day" protection! The effectiveness of our technology was repeatedly confirmed by external 3rd-party tests and reviews (specifically behavioral security tests and reviews), where we performed at or near 100% detection rates. Behavioral security is a critical security solution, especially in this era of server-side polymorphic malware where each and every infection can have a unique malware file (unique from the file fingerprint perspective) downloaded to the victim's machine. We are very excited about our next SONAR 3 release outperforming SONAR 2!
We believe that security is a journey and not a destination. Over the last year, we have taken note of a couple of interesting trends in the malware world, such as a surge in the misleading application threat category and targeted, sophisticated attacks like Hydraq. It was gratifying to see that SONAR 2 detected Hydraq without any changes to our classifier. We have further fine-tuned the classifier to deal with these trends. We have also added about 60 new features to our classifier and have seen significant improvement in threat detection rates in our internal lab testing. This brings our set of features to about 400!
This large number of features gives us an advantage: with SONAR tracking and inspecting so many aspects of a file, a process, or its related activity for classification, it becomes that much harder for a malware variant to get past our classification engine or for a clean sample to be misclassified. Of course the challenge is in analyzing all this information almost instantaneously without impacting system performance, while making decisions automatically for the user. And SONAR 3 is proof of how all of this is possible.
Having analyzed more than 140 million incidents for millions of Norton users, in SONAR 3 we have added many more features and provisions for identifying clean samples so that we can specifically focus on suspicious scenarios. This is what enables us to continue to add to our feature set for an even more accurate classifier. The quicker we can ignore a sample and classify it as clean, the better the user experience.
In addition to the changes we have made to add many more attributes, the SONAR team has been very busy adapting and creating new classifiers as the world of malware and clean software evolves. The team has been busy updating our classifiers and releasing seven definition updates in the last nine months since shipping SONAR 2. The SONAR team generated and evaluated over 200 different classifiers since we shipped SONAR last year, addressing the feedback we have gotten from our Norton users to convict more malware and reduce the infrequent false-positive incidents that have occurred.
One major threat category that we have focused on with SONAR 3 is misleading applications. This class of threat has gotten much attention and we are glad to be able to provide significant improvements for detecting it in SONAR 3.
We have also made further improvements in the area of behavioral signatures, where we can quickly react to new and upcoming threats by writing behavioral signatures that leverage specific features. While our classifier has been quite successful at detecting new and emerging threats and their variants, we believe in a layered security model. In some specific threat scenarios it is more effective and worthwhile to target the threat with its specific characteristics than to leave it to a classifier.
As has been detailed in the SONAR 2 posts, SONAR aggregates and correlates information from a number of engines within the product like the Firewall, AV Engine, Intrusion Prevention Engine, etc. All this information is then used by the classifier to improve efficacy. We feel this is a big differentiator for Norton over other vendors. Most other security products simply don’t have this depth and breadth of information to make a good classifier. In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged.
With these and all the improvements we are continuing to work on, we believe we are taking behavioral security to a whole new level. We hope that these new improvements will prove to be invaluable in dealing with the fast-evolving threat landscape and in keeping you safe. We cannot wait to ship SONAR 3 out to millions of Norton users. All the Norton 2010 and N360v4 users will also benefit from these advances, thanks to the ability to use Live Update for SONAR enhancements that we adopted with SONAR 2.
So that’s what we are up to! Let us know what you think--the SONAR team values your feedback and we hope you see all the improvements in the public Beta. Your feedback helps us know where we need to improve and we take your comments and suggestions as our most important barometer of success!