
Anti-virus software too inconsistent

Needs to improve

Anti-virus technologies are inconsistent when it comes to identifying attacks such as worms, phishing and botnets.

That's according to a report from the University of Michigan's Electrical Engineering and Computer Science Department and network security company Arbor Networks.

The report, Automated Classification and Analysis of Internet Malware, said that "Using a large, recent collection of malware that spans a variety of attack vectors (e.g., spyware, worms, spam), we show that different AV products characterise malware in ways that are inconsistent across AV products, incomplete across malware, and that fail to be concise in their semantics."

It goes on to show that host-based anti-virus techniques failed to "detect or provide labels for between 20 and 62 percent of the malware samples."

The researchers argue that a new classification technique is required that "describes malware behaviour in terms of system state changes (eg files written, processes created) rather than in sequences or patterns of system calls. To address the sheer volume of malware and diversity of its behaviour, we provide a method for automatically categorising these profiles of malware into groups that reflect similar classes of behaviours and demonstrate how behaviour-based clustering provides a more direct and effective way of classifying and analysing Internet malware."

The researchers demonstrated the usefulness of this approach during a six-month period on 3,700 malware samples.
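The behaviour-based grouping described above can be sketched as follows. This is an added example, not code from the report or its authors: the sample names, state changes and AV labels are constructed, and the Jaccard distance with single-linkage grouping is an assumed stand-in for whatever similarity measure and clustering method the researchers used.

```python
from itertools import combinations

# Constructed behaviour profiles: sample name -> set of system state changes.
PROFILES = {
    "s1": {"file_write:system32/svch0st.exe", "proc_create:svch0st.exe",
           "reg_set:HKLM/Run/svch0st", "net_connect:tcp/6667"},
    "s2": {"file_write:system32/svch0st.exe", "proc_create:svch0st.exe",
           "reg_set:HKLM/Run/svch0st", "net_connect:tcp/6667", "file_write:temp/a.tmp"},
    "s3": {"file_write:system32/svch0st.exe", "proc_create:svch0st.exe",
           "net_connect:tcp/6667"},
    "s4": {"file_write:etc/hosts", "reg_set:HKCU/ProxyServer", "proc_create:iexplore.exe"},
    "s5": {"file_write:etc/hosts", "reg_set:HKCU/ProxyServer", "proc_create:iexplore.exe",
           "net_connect:tcp/80"},
    "s6": {"proc_create:cmd.exe"},
}
# Constructed AV verdicts for the same samples; None means no label was returned.
AV_LABELS = {"s1": "W32/Bot.A", "s2": None, "s3": "Trojan.Generic",
             "s4": "Adware.X", "s5": None, "s6": None}

def jaccard_distance(a, b):
    """0.0 = identical state changes, 1.0 = nothing in common."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def cluster(profiles, threshold=0.5):
    """Single-linkage grouping: link any two samples within `threshold`."""
    parent = {name: name for name in profiles}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(sorted(profiles), 2):
        if jaccard_distance(profiles[a], profiles[b]) <= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in profiles:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())

def labels_by_cluster(clusters, labels):
    """For each behaviour cluster, the distinct AV labels and the unlabelled count."""
    return [(c, sorted({labels[s] for s in c if labels[s]}),
             sum(labels[s] is None for s in c)) for c in clusters]

if __name__ == "__main__":
    for members, names, unlabelled in labels_by_cluster(cluster(PROFILES), AV_LABELS):
        print(members, "labels:", names, "unlabelled:", unlabelled)
```

In the constructed data, samples s1 to s3 fall into one behaviour cluster even though their AV labels disagree and one has no label at all, which is the inconsistency the report attributes to label-based classification.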

Traditional, signature-based anti-virus methods for detecting and squelching the growing volumes and variety of viruses and other malware have been termed dead by some industry watchers.

Companies such as McAfee, Symantec and Trend Micro have in fact started to reveal plans to move their security products to the next level through whitelisting and other approaches.





