Most malware, whether worm or virus, share a common characteristic: they tend to spread over time from one device to another device if not contained. The ability to get up-to-date and real-time metrics on mobile networks is critical for quickly developing strategies for containing worm and other virus attacks. There is a need to assimilate statistical information about potential malware on the network and present it to network administrators in a meaningful way so they can quickly take appropriate actions to stop worm and other virus attacks before they have had a chance to widely proliferate.
Client anti-virus applications provide a level of security against malware on mobile phones. However, network operators also need to reinforce the security at the network level to ensure that all handsets are uniformly protected regardless of whether or not the client devices install anti-virus software. Malware-detection systems at the mobile network level have to run so that they will not introduce significant delay to the network traffic. This is because mobile networks transmit voice traffic and introducing even a minor network delay would unacceptably degrade voice quality. Placing a detection system so that network traffic passes directly through the detection system, or “in-line” with the network communication, allows the detection system to scan all data blocks passing through the network. This permits infected data blocks to be blocked before they reach another mobile device. However, such an in-line detection system can introduce unacceptable latency and a corresponding decrease in quality of service to the mobile user.
Currently, once malware has been identified and analyzed, it can be detected using signatures extracted from the malware and cleaned according to its specific ways of spreading and infecting. The more difficult problem is in identifying new malware as early as possible to prevent it from proliferating. Although firewalls are used in the mobile network to limit or forbid suspicious behavior, no existing methods provide a comprehensive security solution towards eliminating all new malware. This is at least in part because the forms and functionalities of new malware are unpredictable. Also, malware can propagate through any number of locations making it impossible to capture all new malware samples at a single location. To effectively combat new malware, new malware samples need to be quickly gathered, identified, and analyzed as soon as they appear on the network so that cleaning schemes using signature schemes or other methods can be implemented before the malware has had a chance to widely proliferate. The sooner a sample of new malware is obtained, the sooner the mobile network can be protected against the new malware and the less damage the malware will ultimately cause.
New malware and malware variants are constantly appearing. Once new malware has been identified, service providers need a way to update mobile devices in the network so that they can remove the new malware from the mobile devices or prevent other mobile devices from becoming infecting. With most malware prevention systems, users manually initiate a process to update their malware prevention system with a server. In the interim, however, their systems remain vulnerable to the new malware. With the growing popularity of smart phones and the potential for greater interaction between mobile phones, there is a need to be able to update mobile devices as soon as new malware is identified.