{"id":985,"date":"2013-04-08T00:00:00","date_gmt":"2013-04-08T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/08\/google-uses-reputation-to-detect-malicious-downloads\/"},"modified":"2021-12-30T11:38:32","modified_gmt":"2021-12-30T11:38:32","slug":"google-uses-reputation-to-detect-malicious-downloads","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/08\/google-uses-reputation-to-detect-malicious-downloads\/","title":{"rendered":"Google Uses Reputation To Detect Malicious Downloads"},"content":{"rendered":"<p>Google researchers have combined a number of reputation techniques to create a system that is 99 percent successful in detecting and blocking malicious executables downloaded by users of its Chrome browser. The system, known as Content-Agnostic Malware Protection or CAMP, triages up to 70 percent of executable files on a user&#8217;s system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (pdf) presented at the Network and Distributed System Security Symposium (NDSS) in February. 
While the system uses a blacklist and whitelist on the user&#8217;s computer to initially detect known good or bad files, the CAMP service utilizes a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;CAMP bridges the gap between blacklists and whitelists by augmenting both approaches with a reputation system that is applied to unknown content,&#8221; the researchers wrote in the paper, adding: &#8220;One of CAMP&#8217;s important properties is to minimize the impact on user privacy while still providing protection.&#8221;<\/p>\n<p style=\"margin: 0px;\">Google&#8217;s own real-world test&#8211;deploying the system to 200 million Chrome users over six months&#8211;found that CAMP could detect 98.6 percent of malware flagged by a virtual-machine-based analysis platform.<\/p>\n<p style=\"margin: 0px;\"><\/p>\n<p style=\"margin: 0px;\">In many ways, CAMP is an answer to Microsoft&#8217;s SmartScreen, a technology that Microsoft built into its Internet Explorer and the latest version of its operating system, Windows 8.<\/p>\n<p style=\"margin: 0px;\">The CAMP service renders a reputation&#8211;benign, malicious or unknown&#8211;for a file based on the information provided by the client and reputation data measured during certain time windows, including daily, weekly and quarterly measurements. 
Information about the download URL, the Internet address of the download server, any referrer information, the size and hash value of the download and any certificates used to sign the file are sent to Google to calculate a reputation score.<\/p>\n<p style=\"margin: 0px;\"><\/p>\n<p style=\"margin: 0px;\">URL classification services&#8211;such as McAfee&#8217;s SiteAdvisor, Symantec&#8217;s Safe Web, and Google&#8217;s own Safe Browsing&#8211;fared even worse, only detecting at most 11 percent of the URLs from which malicious files were downloaded.<\/p>\n<p style=\"margin: 0px;\"><\/p>\n<p style=\"margin: 0px;\">The Google researchers who authored the paper&#8211;including Moheeb Abu Rajab and Niels Provos&#8211;decided to focus on executables downloaded by the user, not on malicious files that attempted to exploit a user&#8217;s system.<\/p>\n<p style=\"margin: 0px;\"><\/p>\n<p style=\"margin: 0px;\">Link: <a href=\"http:\/\/www.darkreading.com\/security-monitoring\/167901086\/security\/client-security\/240152413\/google-uses-reputation-to-detect-malicious-downloads.html\">http:\/\/www.darkreading.com\/security-monitoring\/167901086\/security\/client-security\/240152413\/google-uses-reputation-to-detect-malicious-downloads.html<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-985","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/985","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"ht
tps:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=985"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/985\/revisions"}],"predecessor-version":[{"id":3472,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/985\/revisions\/3472"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=985"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=985"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=985"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}