Do you actually need a security product in your car? Part 2: the classical antivirus

I wrote in the first part of this article about Detection, Protection, Remediation and I stopped at the part where we analyze what kind of security products do you need in the car of tomorrow.

1)The classical antivirus

We know it to be used mostly for files. But it can much more than that.

a) Files

There are many files that can enter the car and can produce damages:

  • music
  • video
  • updates (binary or data)
  • scripts
  • configuration files for various subsystems
  • html and javascript (plain text) for rendering
  • Java compiled files (especially if you run Android)
  • possibly Adobe Flash (not sure though)
  • possible Microsoft Silverlight (not sure though)
  • PDFs (reports, help files)
  • Emails (MIME)
  • SMSs

Plenty of files to scan, isn’t it?

These files can either contain malicious code (Java, JS) or may be specially crafted to exploit known vulnerabilities. This means that there has to be a kind of file checking, so classical antivirus is definitely not dead, despite the vehement comments of some executives and marketing people that wanted to advertise their newest technologies.

However, it should be kept in mind that these scanners are mostly signature based. I say “mostly” because even though there are a lot of other detection methods there like heuristics, generic, emulation, etc., they are usually applicable in the Windows OS running on a PC. It is not so easy to do them on some ARM processor with limited power and RAM. But not impossible. This is actually one of the differentiators between the security producers out there.

Needles to say, this requires that you get your hands on the malware.

 

b) Heuristic detection

Such a detection is analysing the content of the potentially malicious file (which API it uses and which regions of the devices it affects) and the actions it makes. Even if the latter sounds more like sandboxing, it is not. The heuristic detection interprets the function calls and doesn’t execute them, as a sandbox would do.

Such a behavior is important for industrial systems, IoT devices and cars. It is basically the most established way you can use previous knowledge on threats to detect new threats.

Also d) Detection based on machine learning/AI is going into the same area, but the approach is different.

Same as the previous detection methods, this requires previous knowledge of the malware.

 

c) Generic detection

A generic detection means that you write a piece of code that detects a malicious action and through it you potentially detect a lot more than one single malicious piece of code. So, you write code once after you have seen several malware, and then you detect any kind of malicious software that acts in the same way.

 

Same as the previous detection methods, this requires previous knowledge of the malware.

 

d) Detection based on machine learning/AI

This is a relatively new approach on malware analysis. For the industrial, IoT and cars it might be the best method to detect new malware because it is the less resource consuming of all.

It requires either a dedicated hardware device in the device to be protected (e.g: car) or a permanent connection to a cloud service

Same as the previous detection methods, this requires previous knowledge of the malware.

 

 

In the next post we will investigate anomaly detection systems. Note that they are very related to machine learning/AI but they work different. Read on…

 

2) Intrusion detection and prevention systems (IDS/IPS or IDPS)

<to come>


© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch