The growing sophistication of malware of all kinds demands an equivalent response from security suites and anti-virus software. The detection and prevention methods that were traditionally used are no longer enough on their own, and new techniques are required to cope with today's landscape of existing and emerging cyber-threats. In this article we'll be looking at behavior-based anti-virus technology: how anti-virus products built on behavioral analysis are contributing to better protection against malicious software and cyber-attacks.
The Trouble with Signatures
Signature-based detection mechanisms were central to the operation of the earliest anti-virus systems and are still an integral part of many.
They function by referring to a database of known characteristics (or "signatures") associated with specific malicious files. A signature is compiled when an anti-virus vendor records a static "fingerprint" of a known sample, which might be a distinctive byte sequence found in the file, or a cryptographic hash of the whole file or of its individual parts.
When a file is scanned, its signature is compared with the current contents of the virus database, to see if there’s a match. If there is, the anti-virus throws up a red flag, indicating the possible presence of malware.
It is termed a "possible" presence because false positives occur: the signature suggests malware, but the file isn't actually malicious. More seriously, the method cannot detect malicious files for which no signature has yet been recorded, nor files whose bytes keep changing. Polymorphic viruses, which re-encode themselves on each infection so that no fixed byte sequence or hash survives, were developed for precisely this reason.
There's also an overhead associated with virus signatures. Anti-virus suites based on signature detection are only as good as their current database, which is why they need to be updated so often. On the client machine where the software is installed, that database occupies disk space, and every scan has to compare each file against all of it, which costs processing time.
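To make the strengths and limits of signatures concrete, here is a small added example (not code from the original article or from any product) that scans constructed byte strings against two kinds of signature: a whole-file SHA-256 hash and a byte-pattern rule. The sample "files", the signature names and the `polymorph` helper are all illustrative assumptions; the payloads are harmless strings, not real malware.

```python
import hashlib
import re

# Constructed sample "files": a toy malicious payload, the same payload with one
# trailing byte changed, and a benign file. These are illustrative byte strings.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 16 + b"EVIL_LOADER_V1" + b"\xcc" * 8
VARIANT = ORIGINAL[:-1] + b"\xcd"           # a single byte differs from ORIGINAL
BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"HELLO_WORLD" + b"\x90" * 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical signature database: whole-file hashes plus byte-pattern rules.
HASH_SIGNATURES = {sha256(ORIGINAL): "Trojan.Example.A"}
PATTERN_SIGNATURES = {
    "Trojan.Example.A (pattern)": re.compile(rb"EVIL_LOADER_V\d"),
}


def scan(data: bytes) -> list:
    """Return the names of every signature that matches `data`, hash hits first."""
    hits = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def polymorph(data: bytes, key: int) -> bytes:
    """Simulate a polymorphic variant: keep the 4-byte header, then XOR-encode the
    body with `key` so neither the file hash nor the plaintext pattern survives.
    (The decoder stub a real polymorphic virus would prepend is omitted.)"""
    header, body = data[:4], data[4:]
    return header + bytes([key]) + bytes(b ^ key for b in body)


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT),
                          ("benign", BENIGN), ("polymorphic", polymorph(ORIGINAL, 0x5A))]:
        print(f"{label:12s} -> {scan(sample) or 'no match'}")
```

The hash signature is brittle: changing one byte defeats it, while the byte-pattern rule still catches that variant. Once the body is re-encoded, both signatures miss, which is the gap the heuristic and behavioral approaches below are meant to close.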
The Heuristic Approach
Rather than requiring an exact signature match, the heuristic approach examines files for characteristics that the system deems suspicious. This may be done statically, by inspecting the file's structure, strings and imported functions, or through emulation, where the anti-virus executes the file in a virtual machine for a limited number of instructions to see what it would do.
In this method, what counts as "suspicious" is largely a matter of interpretation, based on the weights and risk thresholds configured into the software. Several characteristics observed together may set off an alarm, but heuristic detection is also prone to false positives, flagging legitimate files as malware because they happen to share traits with it.
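As an added example of static heuristic scoring (written for this page, not taken from any product), the following block weighs a few file traits of the kind the paragraph describes and compares the total against a threshold. The rule names, weights, threshold and sample inputs are illustrative assumptions; the third sample shows the false-positive failure mode, where a legitimately compressed file trips the "high entropy" and "no version info" rules.

```python
import math
from collections import Counter


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Hypothetical heuristic rules: (name, weight, predicate over the raw bytes).
# Weights and the threshold are made up for illustration.
RULES = [
    ("high-entropy body (packed or encrypted)", 3, lambda d: entropy(d) > 7.0),
    ("references keyboard-hook API", 2, lambda d: b"SetWindowsHookEx" in d),
    ("references process-injection API", 2, lambda d: b"WriteProcessMemory" in d),
    ("embeds the hosts-file path", 1, lambda d: b"drivers\\etc\\hosts" in d),
    ("no version information", 1, lambda d: b"FileVersion" not in d),
]


def score(data: bytes) -> tuple:
    """Return (total_score, [names of rules that fired])."""
    fired = [(name, weight) for name, weight, pred in RULES if pred(data)]
    return sum(w for _, w in fired), [n for n, _ in fired]


def classify(data: bytes, threshold: int = 4) -> str:
    """Verdict is 'suspicious' once the combined weight reaches the threshold."""
    total, _ = score(data)
    return "suspicious" if total >= threshold else "clean"


# Constructed samples (not real executables):
SUSPECT = (b"MZ" + b"SetWindowsHookEx\x00WriteProcessMemory\x00"
           b"C:\\Windows\\System32\\drivers\\etc\\hosts\x00")
LEGIT_TOOL = b"MZ" + b"SetWindowsHookEx\x00FileVersion\x001.2.3\x00"  # e.g. an accessibility tool
PACKED_INSTALLER = b"MZ" + bytes(range(256)) * 4  # uniform bytes: entropy 8.0, no strings

if __name__ == "__main__":
    for label, sample in [("suspect", SUSPECT), ("legit tool", LEGIT_TOOL),
                          ("packed installer", PACKED_INSTALLER)]:
        print(f"{label:17s} {classify(sample):10s} {score(sample)}")
```

The packed installer scores 4 and is flagged although nothing in it is malicious: that is the trade-off the paragraph points to, and why the threshold is a tuning decision rather than a fixed truth.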
Watching for Signs
Detection mechanisms based fully on behavioral analysis work by observing how files and programs actually run, rather than by emulating them. The anti-virus tool seeks to identify malware by watching for abnormal or suspicious behavior, such as sending out large numbers of emails, intercepting keystrokes, attempting to alter the hosts file, creating autorun.inf files on network drives or removable media, or unpacking and executing code at run time.
As with the heuristic approach, it is usually several observed behaviors in combination that throw suspicion onto a program, since any one of them on its own may have a legitimate explanation. Because the verdict is based on what a program does rather than what it looks like, a behavior-based system can also identify malware that was already sitting undetected on a protected machine.
The polymorphic signature issue isn't a problem here, either. There is no reliance on a fixed set of signature data, and a program that decodes or rewrites its own code before running is itself exhibiting a behavior that can be flagged.
These anti-virus systems are a serious step up from purely signature-based detection and an evolution of the predictive approach taken by heuristics. They're also a step toward bringing anti-virus suites into the realm of host intrusion prevention systems, or HIPS.
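The following added example (written for this page, not code from the article or any vendor) shows the core of a behavior-based monitor: raw runtime events are grouped per process, mapped to named behaviors like those listed above, and a process is convicted only when several behaviors coincide. The event format, the drive letters treated as removable media and the threshold are assumptions; the event stream is constructed to include one process that does several suspicious things, a mail client that sends a single message, and a program that merely unpacks itself.

```python
from collections import defaultdict

# Constructed runtime events of the kind an on-access monitor might emit:
# (pid, event, target). This is not any real product's log format.
EVENTS = [
    (101, "file_write", "C:\\Users\\alice\\Documents\\report.docx"),
    (202, "file_write", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    (202, "hook_keyboard", "WH_KEYBOARD_LL"),
    (202, "file_write", "E:\\autorun.inf"),
    (202, "net_connect", "smtp:203.0.113.5:25"),
    (202, "net_connect", "smtp:203.0.113.6:25"),
    (202, "net_connect", "smtp:203.0.113.7:25"),
    (303, "net_connect", "smtp:203.0.113.5:25"),   # a mail client sending one message
    (404, "mem_exec_write", "self"),                # writes, then executes, its own memory
    (404, "file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\x.bin"),
]

REMOVABLE_DRIVES = {"D:", "E:"}   # assumption: drive letters of mounted removable media
MASS_MAIL_CONNECTIONS = 3         # assumption: SMTP connections before "mass mailing" fires


def behaviors_for(process_events) -> set:
    """Map one process's raw (event, target) pairs to named suspicious behaviors."""
    found = set()
    smtp_connections = 0
    for event, target in process_events:
        low = target.lower()
        if event == "file_write" and low.endswith("drivers\\etc\\hosts"):
            found.add("modifies hosts file")
        elif (event == "file_write" and low.endswith("autorun.inf")
              and target[:2].upper() in REMOVABLE_DRIVES):
            found.add("drops autorun.inf on removable media")
        elif event == "hook_keyboard":
            found.add("installs keyboard hook")
        elif event == "net_connect" and low.startswith("smtp:"):
            smtp_connections += 1
        elif event == "mem_exec_write":
            found.add("writes and executes its own memory (unpacking)")
    if smtp_connections >= MASS_MAIL_CONNECTIONS:
        found.add("mass mailing")
    return found


def analyse(events, threshold: int = 2) -> dict:
    """Return {pid: (verdict, sorted behaviors)}; a process is malicious once
    `threshold` distinct suspicious behaviors have been observed."""
    per_pid = defaultdict(list)
    for pid, event, target in events:
        per_pid[pid].append((event, target))
    verdicts = {}
    for pid, evs in per_pid.items():
        found = behaviors_for(evs)
        verdict = "malicious" if len(found) >= threshold else "clean"
        verdicts[pid] = (verdict, sorted(found))
    return verdicts


if __name__ == "__main__":
    for pid, (verdict, found) in sorted(analyse(EVENTS).items()):
        print(f"pid {pid}: {verdict:10s} {found}")
```

Process 202 is convicted on four combined behaviors, while the mail client (303) and the self-unpacking program (404) each show only one and stay clean under this threshold; raising the weight of "writes and executes its own memory" is the kind of tuning a product would do to act on the polymorphism point above, at the cost of more false positives on legitimately packed software.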
Spreading the Net
Cloud technology is now bringing an additional element to the behaviorally-based analysis of files and software. It’s a feature now included as part of several of the market leading anti-virus packages.
In its purest form, cloud-based behavior analysis works like this:
- Data is collected from endpoints, that is, client machines running a lightweight installation of the anti-virus suite. This might include a hash of a file, relevant details of its structure, and a summary of how it behaved when executed on the endpoint.
- The captured data is analyzed on the cloud provider's infrastructure, which can draw on many servers, on the reports of other endpoints, and on online databases, forums, and pools of expert knowledge.
- Any suspicious activity observed on client endpoints from files not previously considered malicious is added to the cloud service's database, so that the next endpoint to encounter the same file gets an immediate verdict.
With behavioral analysis divorced from the client system, there’s the possibility of rapid response from a cloud server’s enhanced infrastructure, with results and responses in real or near real time.
The burden of processing is taken away from the client, and with analysis pooled from multiple systems, users benefit from the combined experience and knowledge of a larger community.
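The exchange described above, as an added example that is not part of the original article or any vendor's protocol: a lightweight endpoint submits a file hash plus the behaviors it observed, and a simulated cloud service pools reports from several endpoints, records a verdict once enough evidence has accumulated, and answers later queries for the same hash from its database. The JSON message shape, the suspicious-behavior set, the two-report minimum and the sample payload are all assumptions; the "cloud" is an in-process object so the example runs offline.

```python
import hashlib
import json


class CloudService:
    """Simulated provider-side analysis. Assumption: a real service would be a
    remote API; this in-process stand-in keeps the example self-contained."""

    # Hypothetical list of behaviors the cloud treats as suspicious.
    SUSPICIOUS = {"modifies hosts file", "mass mailing", "installs keyboard hook"}

    def __init__(self, min_reports: int = 2):
        self.verdicts = {}              # sha256 -> "malicious" (the shared database)
        self.reports = {}               # sha256 -> {endpoint_id: set(behaviors)}
        self.min_reports = min_reports  # distinct endpoints needed before convicting

    def handle(self, request: str) -> str:
        req = json.loads(request)
        h = req["sha256"]
        if h in self.verdicts:          # fast path: verdict already in the database
            return json.dumps({"sha256": h, "verdict": self.verdicts[h], "source": "cache"})
        self.reports.setdefault(h, {})[req["endpoint"]] = set(req["behaviors"])
        pooled = set().union(*self.reports[h].values())   # evidence from all endpoints
        if (len(pooled & self.SUSPICIOUS) >= 2
                and len(self.reports[h]) >= self.min_reports):
            self.verdicts[h] = "malicious"                # added for future queries
            return json.dumps({"sha256": h, "verdict": "malicious", "source": "analysis"})
        return json.dumps({"sha256": h, "verdict": "unknown", "source": "analysis"})


class Endpoint:
    """Lightweight client: hashes the file and reports what it observed."""

    def __init__(self, endpoint_id: str, cloud: CloudService):
        self.id, self.cloud = endpoint_id, cloud

    def submit(self, file_bytes: bytes, behaviors) -> dict:
        req = {"endpoint": self.id,
               "sha256": hashlib.sha256(file_bytes).hexdigest(),
               "behaviors": sorted(behaviors)}
        return json.loads(self.cloud.handle(json.dumps(req)))


def run_scenario() -> list:
    """Three endpoints meet the same (constructed, harmless) file one after another."""
    cloud = CloudService()
    sample = b"constructed sample payload, not real malware"
    first = Endpoint("ep-1", cloud).submit(sample, {"modifies hosts file"})
    second = Endpoint("ep-2", cloud).submit(sample, {"mass mailing"})
    third = Endpoint("ep-3", cloud).submit(sample, set())   # asks before running it
    return [(r["verdict"], r["source"]) for r in (first, second, third)]


if __name__ == "__main__":
    for step, result in enumerate(run_scenario(), 1):
        print(f"endpoint {step}: {result}")
```

Neither of the first two endpoints saw enough on its own to convict the file; the cloud did, by pooling their partial observations, and the third endpoint benefits from that combined knowledge before the file does anything on its machine.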
Finding the Right Mix
In truth, there's a multiplicity of threats out there, and anti-virus systems need to be fully featured and adaptable in order to cope. So a combination of approaches is usually required.
As with several of the market-leading offerings, an anti-virus suite may still rely on a signature database for fast, low-cost detection of known threats, while incorporating heuristic and behavior-based analysis to catch what the signatures miss.
Improved and more stable internet access allows cloud analysis to become part of the mix, and lets the individual installation on each client machine be reduced in size.