- Rather than having the endpoint directly cross-reference the newest file on a system against tens of millions of known threats, the endpoint instead transmits a small amount of meta-data to our back-end servers, which perform the heavy processing.
- Because we do not “ship” tens of thousands of virus definitions to endpoints every few hours, we are not encumbered by bandwidth constraints. Similarly, our back-end analytics infrastructure provides significant storage capabilities. The upshot is that our customers directly benefit from all the intelligence we’ve gathered. In contrast, many vendors must cherry pick the detection capabilities that are transmitted to endpoints – and usually they can’t predict ahead of time if they’ve made the right selections.
About 84% of in-field detections (five out of six detections) leveraged our cloud-based protection technologies. The remaining detections were made using some of our more traditional offline protection capabilities (such as those in our Tetra engine, which is included in the Immunet Plus product, or in the Clam engine, which comes with our free product). Given that many of our users run Immunet antivirus alongside other antivirus products, the fact that a large fraction of items still get detected through our cloud speaks to the unique value it adds in providing our full set of detection capabilities to customers.
About 14.3% of our cloud convictions (one out of seven convictions) came about through one of our advanced (not 1-to-1) detection engines. This figure is pretty impressive considering that one-to-one convictions tend to have high multiplicity (e.g., a single one-to-one signature may trigger a thousand times for a single popular threat), whereas our advanced detection technologies are specifically tuned to catch low-prevalence threats, which are the Achilles heel of traditional signature-based anti-malware technologies.
Also, 42% of distinct threats detected via our cloud technologies were detected using one of our advanced approaches (i.e., something other than a basic 1-to-1 signature). Note that this metric counts distinct threats, rather than total threat volume (and the same threat may appear on many different machines).
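To make the volume-versus-distinct-threats distinction concrete, here is an added example (not code from the original post or from Immunet) that computes the three ratios discussed above from a constructed set of conviction records; the engine labels and hash values are assumptions.

```python
from collections import Counter

# Each record is (machine_id, sha256, engine). All values are constructed sample data.
# "cloud-1to1" = exact hash match in the back end, "cloud-advanced" = a non-1-to-1 cloud
# engine, "tetra"/"clam" = offline engines running on the endpoint (labels are assumed).
CLOUD_ENGINES = {"cloud-1to1", "cloud-advanced"}

SAMPLE_CONVICTIONS = (
    # one popular threat, caught by the same 1-to-1 signature on ten machines
    [(f"host{i:02d}", "sha256:aaaa", "cloud-1to1") for i in range(10)]
    # three low-prevalence threats, each seen once and caught by an advanced engine
    + [("host10", "sha256:bbbb", "cloud-advanced"),
       ("host11", "sha256:cccc", "cloud-advanced"),
       ("host12", "sha256:dddd", "cloud-advanced")]
    # offline detections made while the endpoint could not reach the cloud
    + [("host13", "sha256:eeee", "tetra"),
       ("host14", "sha256:eeee", "tetra"),
       ("host15", "sha256:ffff", "clam")]
)


def detection_metrics(convictions):
    """Return the ratios discussed in the post, computed over conviction records."""
    if not convictions:
        raise ValueError("no convictions to summarise")
    cloud = [c for c in convictions if c[2] in CLOUD_ENGINES]
    advanced = [c for c in cloud if c[2] == "cloud-advanced"]
    # multiplicity: how many machines each 1-to-1 hash fired on
    multiplicity = Counter(c[1] for c in cloud if c[2] == "cloud-1to1")
    distinct_cloud = {c[1] for c in cloud}
    distinct_advanced = {c[1] for c in advanced}
    return {
        # share of all convictions that came from the cloud (volume)
        "cloud_share_of_convictions": len(cloud) / len(convictions),
        # share of cloud convictions from advanced engines (volume, dragged down by multiplicity)
        "advanced_share_of_cloud_convictions": len(advanced) / len(cloud),
        # share of distinct cloud-detected threats caught by advanced engines (unique hashes)
        "advanced_share_of_distinct_cloud_threats": len(distinct_advanced) / len(distinct_cloud),
        "max_1to1_multiplicity": max(multiplicity.values(), default=0),
    }


if __name__ == "__main__":
    for name, value in detection_metrics(SAMPLE_CONVICTIONS).items():
        print(f"{name}: {value:.3f}")
```

On the sample data the advanced engines account for 3 of 13 cloud convictions by volume but 3 of 4 distinct cloud-detected threats, which is the effect the two metrics above are describing.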
These last two metrics deserve some emphasis because there is a misconception that “cloud” anti-virus simply means using the cloud to publish signatures rather than shipping signatures to individual clients. (And some vendors who tout cloud capabilities limit themselves to this approach.)
The reality, however, is that there is much more you can do. The “cloud” need not simply be some large hard drive in the sky, but (if architected properly) can be made into a full-fledged large-scale analytics engine that detects threats of all shapes and sizes. One thing, however, is starkly clear: these advanced capabilities ultimately allow our customers to steer clear of many dangers lurking on the Internet.