One example of this approach is Microsoft's Windows Defender, which allows a "vote" on newly discovered threats. Users can determine whether the threats should be deleted, quarantined, or allowed by default. Automatic reports are sent across the network to a system that Microsoft calls "Microsoft SpyNet". Despite the ominous name, the functionality behind it is an excellent example of distributed computing that implements a form of herd intelligence. Such techniques allow Microsoft to determine what specimens it should write signatures for. Based on real-world customer needs, a company can optimize detection and the actions that its product should take.
Other herd intelligence systems include behavior-based detection mechanisms, which hunt for phishing imposter Web sites and other sites that contain browser-exploiting URLs. The findings are all reported back to the vendor in a distributed fashion, improving the collective intelligence of the antimalware system. I whole-heartedly expect to see more of this kind of technique in the future.
This was first published in February 2008