According to a report published recently by researchers at the University of Michigan's Electrical Engineering and Computer Science Department and network security company Arbor Networks, antivirus products are inconsistent at best when it comes to identifying attacks such as worms, phishing and botnets.
"Using a large, recent collection of malware that spans a variety of attack vectors (such as spyware, worms, spam), we show that different AV products characterise malware in ways that are inconsistent across AV products, incomplete across malware, and that fail to be concise in their semantics," the report claims.
The report shows that host-based antivirus techniques failed to "detect or provide labels for between 20 and 62 percent of the malware samples".
The researchers argue that a new classification technique is required that "describes malware behavior in terms of system state changes (such as files written, processes created) rather than in sequences or patterns of system calls. To address the sheer volume of malware and diversity of its behaviour, we provide a method for automatically categorising these profiles of malware into groups that reflect similar classes of behaviours and demonstrate how behaviour-based clustering provides a more direct and effective way of classifying and analysing internet malware."
The researchers demonstrated the usefulness of this approach during a six-month period on 3,700 malware samples.
Traditional, signature-based antivirus methods for detecting and squelching the growing volumes and variety of viruses and other malware have been termed dead by some industry watchers.
Companies such as McAfee, Symantec and Trend Micro have in fact started to reveal plans to move their security products to the next level through whitelisting and other approaches.