Symantec's Ramzan on solving the antivirus puzzle

As technical director and architect at Symantec, Zulfikar Ramzan spends his time trying to outsmart the virus writers responsible for the onslaught of malware that infects millions of computers on a daily basis.

Ramzan, 33, talked with CNET News this week about how his early hobbies of chess and computer programming led to his cryptography studies and a job at Symantec, where he puts theory into practice.

Q: When did you get interested in computers?
Ramzan: I think I was probably around 8 years old or so and my birthday was coming up and I saved a bit of allowance money, and my parents helped supplement it, and we went out and bought a Commodore VIC-20. It was $100 for the keyboard and you hook it up to the back of your television. Games were pretty expensive back then, and being 8 years old and somewhat naive, I said "I'll just write my own games." I was forced to open up the manual and figure out how it worked. At that point, I was writing simple programs in basic and gaining a good sense of the fundamental operations of a computer. Nowadays it's so much harder to gain that low-level of computer experience because there is just so much complexity in a typical processor these days. In those days, it was easy for someone to tinker with what was going on at the lowest levels of a computer.

When did you get interested in security in particular?
Ramzan: When I was very young I had a book of puzzles. These were very simple ciphers; it was meant as a game book as part of Scholastic book club. That's when my interest in security was formed. That's the first moment I started thinking about security issues. Later on, in high school, we had machines donated to us that were Internet-enabled. This was at a time when the whole notion of having an Internet connection was not very popular, especially in high school. The system was being administered by one of the teachers who didn't know much about comp security so the system was basically wide open. It was possible for anybody who paid a bit of attention to find their way around the system and understand all its nuances. That was my first exposure with doing things that were related to security. I was fascinated by the whole aspect of understanding what it was, what it took to protect the system, finding ways to circumvent that protection and what you could do if you were able to do so.

Did you ever dabble in gray hat hacking?
Ramzan: I don't think I ever really got to the point where I had crossed the line and was in a place I shouldn't be because these computer systems didn't hold any classified information. They were just meant for educational purposes. It was more interesting to see what we could do with them, in terms of could I read a certain file or create an e-mail account for someone. It was in a more playful fashion than what you think of today as gray hat hacking.

Tell me about your work with cryptography?
Ramzan: It kind of started with that book of puzzles when I was young, but that obviously was amateurish cryptography. Later on I was an undergraduate at Cornell and had a chance to work with a professor who mentored a research project... We started working in areas related to machine learning. Imagine you have a black box of some sort and you see what goes in and what goes out. You try to figure out how that black box works. It's really the fundamental problem of how a computer can learn. To me that was a fascinating problem in and of itself, but in many ways, it was a precursor to traditional cryptography where you are trying to design these black boxes where no one can figure out how they work. For me, that was an opportunity to not only to study something formally in a computer science setting, but it really helped build a foundation for studying cryptography later on. When I went to graduate school at MIT I joined the cryptography information security group where we conducted cutting edge research in the area of cryptography.

I got into cryptography because I thought it was a field where there was a deep theoretical and mathematical component and at the same time it was largely something that could be applied and was being used to protect real transactions and real people.

I got into cryptography because I thought it was a field where there was a deep theoretical and mathematical component and at the same time it was largely something that could be applied and was being used to protect real transactions and real people

How did you end up at Symantec?
Ramzan: I got into cryptography because I thought it was a field where there was a deep theoretical and mathematical component and at the same time it was largely something that could be applied and was being used to protect real transactions and real people. So that kind of confluence of theory and practice together was very exciting to me. It was an opportunity to both think deeply about a problem and actually see the results benefit people. After graduating form MIT, I spent a while working at a couple of start-ups and then I spent a few years at a research lab where I was doing fundamental research in the area of cryptography. I was writing research papers and was going to conferences and writing patents on the work I was doing. It was a very much hands-free environment and I was able to pursue whatever academic interests I wanted to pursue. But what I found throughout that was even though I was working really hard and thinking deeply about these problems, at the end of it I was only producing a research paper, which maybe some people would read. But I wasn't doing anything deeper or more practical than that. Around that time, I got a call from somebody who was recruiting to fill a position at Symantec.

What are you working on now at Symantec?
Ramzan: I'm working on probably the most exciting project I've had a chance to work on at Symantec yet, and that's the area of reputation-based security. This is going to be coming out in the next Norton line of products at the end of the summer. Within Symantec we have a program called Norton Community Watch, where customers submit data back to us about security events and related things happening on their systems at any given moment in time. On the back end we're doing large-scale data mining and correlation in order to produce more rich contextual information that allows us to classify new programs as good or bad. When you look at traditional anti-malware software, it basically tries to determine what the intent of a particular file is on one machine at one moment in time. That's a very much a myopic view of the world. In contrast, reputation-based security is really about looking across your entire spectrum of machines to make a much more informed decision about what the one file is doing. So we might know that file is doing X on this machine, but if we know what it's patterns look like across our user base, we can determine whether the file is good or bad with much higher accuracy.

What are the main challenges with blocking viruses and spam?
Ramzan: One of biggest challenges overall is that these things are rapidly evolving. We're seeing variations upon variation of various types of malware and viruses. The traditional approach of trying to use a signature-based detection to detect that this part file is good or bad is going to be limited. Signatures were very good 10 years ago when there were a small number of samples out there that were on a large number of machines. Nowadays, when you have essentially micro-distribution of a large number of threats, where maybe there are millions and millions of threats out there and each is on only a few machines, having a signature to try to protect against those threats doesn't work as well. That's because you're only protecting a few users at once with a given signature. It doesn't scale nicely. With reputation-based protection, we look at not only what the software is doing, but we might know that this application is only on five machines in the world. That's something we can monitor very easily. Whereas before the attacker would try to be the needle in a haystack and hide...we now have a very powerful magnet so we can find those needles effortlessly.

So is signature-based antivirus protection dead?
Ramzan: No, not at all. I think that signatures are very useful, but in a certain context. There are still threats out there that do get to a large number of machines. For example, we've seen the Conficker, or Downadup worm come out recently. That's a classic example of a threat that makes sense to protect with signatures. Signatures are simple, they're easy to compute, they've been around for a long time. They have their uses, but they only protect you against one spectrum or one part of the spectrum of possible threats out there.

Is that where the industry as a whole is headed?
Ramzan: In general, a lot of the major vendors in the antivirus industry have been investing in heuristic-based and behavioral technologies where the idea is that rather than relying on a specific pattern to be present, they're trying to determine the overall intent of that file, what it's doing on a machine. I think that's one aspect of what you have to do. At Symantec, we're using reputation (technology) to basically complement those technologies because reputation (technology) can tell us not just about what's happening on the one machine, but how that fares across a number of machines.

Signatures are simple, they're easy to compute, they've been around for a long time. They have their uses, but they only protect you against one spectrum or one part of the spectrum of possible threats out there.

For example, suppose we have an application and it seems to be doing something strange, like it's sending out messages from your machine. Traditional antivirus software might say this seems suspicious so let's kill this program. But suppose we ask the reputation back end "what do you know about this file?" and it says we first saw the file three months ago and we know it's on a million different machines. We may not know what it is, but if we know that we've seen it for three months, it's on a million different machines and it's not a signature for something that is known to be bad, it's almost definitely going to be a good file. So what the behavioral engine can now do is say it's got to be a good file and allow it to run. Maybe it turns out it was an instant messaging application. The idea here is basically to provide additional accuracy that allows the behavioral and heuristic technologies to do their stuff without worrying about accidentally triggering on good applications.

So it could be used to eliminate false positives?
Ramzan: Absolutely. That's going to be one application of it. It also allows behavioral and heuristic technology to become more aggressive because they have a safety net built in. And we are able within the reputation technology to infer based on how an application came into our system how it exists across our user base. We can infer with very high (degree of) accuracy whether it's good or bad without knowing much more about it.

You've got an interesting name. Where are you from?
Ramzan: I was born in Africa, in Dar Es Salaam, Tanzania. I came to the United States when I was 2 years old. More or less I grew up in New York. At some point I did have a New York accent but I lost that. My parents were born in Tanzania but our ancestry is Indian.

How many languages do you speak?
Ramzan: I can speak an Indian dialect called Kutchi fluently. It has some Swahili words mixed in. That's what I learned growing up. My mom was born in Zaire, which was a former French colony, so I learned some French through her...I studied Russian in college.

Why did you take Russian?
Ramzan: When I was in junior high I got interested in playing chess. I started taking it seriously, competing and so on. Around that time, in the late '80s early '90s, the fall of Soviet Union was happening and there were a lot of Russian immigrants, including some well-known chess players. I made friends with these guys. I got interested in learning Russian to better communicate with these new friends and also to help further my own playing of chess, to read magazines and books on chess. I was interested in bettering my game in some way.

Seems like there are correlations between chess, computer science and security.
Ramzan: Sure. They're all very analytic fields. They involve some level of deep problem solving. The one thing that's unique, if you look at computer science research, cryptography research or even playing chess, which has an artistic component that doesn't get talked about much...A lot of times coming up with solutions to various types in all these domains requires a kind of "aha" moment, or requires thinking out of the box in a way that might be initially very unconventional, but after a while you build up a certain level of intuition about what's going on. So in many ways I think that's why I was captured into all these areas. They all had this fundamental relationship with being analytical but also invoking a certain creative spirit.