The rapid growth of computer and network technologies has resulted in a surge of computer malware, such as viruses, worms, Trojans, spam, etc. Computer malware is typically designed to gain unauthorized access to personal computers, mobile communication devices, network servers, databases, etc., in order to cause damage or steal information. To combat malware, many different computer and network security technologies have been developed, such as antivirus, anti-spyware, firewalls, anti-spam software, etc. However, the most effective mechanism of defense against malware remains antivirus software. Antivirus software uses various malware detection techniques, such as signature checking, heuristic analysis and behavioral analysis, to detect known and sometimes newly emerging types of malware.
Signature analysis is a classic method of detecting malicious software objects. Signatures contain samples of the code of a malicious program that characterize that program. The majority of modern antivirus programs use malware signatures taken directly from malicious files or network packets. Antivirus programs typically perform signature analysis while scanning files or network packets for potentially dangerous programs. If, during such a scan, code is found that corresponds to the signature code, the object containing this code is classified as malicious. Signature analysis is typically effective at detecting known malicious objects described by signatures, but often fails to detect unknown malware.
Heuristic analysis is an expert-based analysis that determines the susceptibility of a system to a particular threat or risk using various decision rules or weighing methods. Most antivirus programs that utilize heuristic analysis perform this function by emulating execution of a suspicious file, thereby allowing the antivirus program to internally simulate what would happen if the suspicious file were executed while keeping the suspicious code isolated from the real machine. It then analyzes the commands as they are performed, monitoring for common viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If any malicious actions are detected, the suspicious file is flagged as potential malware, and the user is alerted. However, heuristic analysis often fails to detect new computer viruses and also often results in false detection of malware.
Behavioral analysis monitors processes launched by programs to identify malicious behavior patterns (or behavioral signatures). For instance, if a program writes data to sector 1, track 0, side 0, this action changes the partitioning of the hard disk drive. However, except for the auxiliary program "fdisk" and other similar utilities, this command is not used by any other program. Thus, if a program suddenly performs this action, it must be a boot virus (bootkit). When malware is detected, antivirus software can take defensive actions such as terminating processes launched by the malware. One shortcoming of behavioral analysis is that behavioral signatures typically do not cover all known malware, because they also produce false positives when applied to clean programs. In addition, the development of heuristic and behavioral signatures is very resource-intensive and requires expertise.
To overcome the deficiencies of individual malware analysis methods, many modern antivirus applications use several different detection techniques together in order to increase the effectiveness of detecting known and unknown malware, taking advantage of the different techniques mutually compensating for their individual deficiencies. However, different detection techniques can give different results, which may cause mistakes in the operation of the antivirus software. These mistakes typically fall into two categories. The first category of mistakes is the erroneous characterization of clean objects as malicious. These mistakes are known as false positives. The second category of mistakes is the failure to detect malicious objects. These mistakes are known as false negatives.
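The following is an added illustration, not code from the original text: three toy detectors (a byte-pattern signature check, a weighted heuristic score over emulated actions, and the boot-sector behavioral rule described above) are combined by two different voting schemes, and each scheme is scored against constructed, labelled samples to show how the combination rule trades false negatives against false positives. The signature bytes, action names, weights and samples are all invented for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Sample:
    name: str
    data: bytes          # raw object bytes (constructed, not real malware)
    actions: List[str]   # actions observed during emulation / process monitoring
    is_malicious: bool   # ground truth, used only to score the detectors

SIGNATURES = {"Test.Sig.A": b"\xeb\xfe\x90\x90"}   # constructed pattern, not a real signature
HEURISTIC_WEIGHTS = {"self_replicate": 3, "overwrite_file": 2, "hide_file": 2}
BOOT_SECTOR_RULE = "write_mbr"   # stands in for "write to sector 1, track 0, side 0"

def signature_check(s: Sample) -> bool:
    return any(sig in s.data for sig in SIGNATURES.values())

def heuristic_check(s: Sample, threshold: int = 4) -> bool:
    # weighted sum of suspicious emulated actions compared against a threshold
    return sum(HEURISTIC_WEIGHTS.get(a, 0) for a in s.actions) >= threshold

def behavior_check(s: Sample) -> bool:
    return BOOT_SECTOR_RULE in s.actions

DETECTORS = (signature_check, heuristic_check, behavior_check)

def any_verdict(votes: List[bool]) -> bool:      # flag if any technique fires
    return any(votes)

def majority_verdict(votes: List[bool]) -> bool: # flag only if most techniques agree
    return sum(votes) * 2 > len(votes)

def evaluate(samples: List[Sample], combine: Callable[[List[bool]], bool]) -> Dict[str, int]:
    """Count true/false positives and negatives for one combination rule."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for s in samples:
        verdict = combine([d(s) for d in DETECTORS])
        key = ("t" if verdict == s.is_malicious else "f") + ("p" if verdict else "n")
        counts[key] += 1
    return counts

SAMPLES = [  # constructed test set with ground-truth labels
    Sample("known_virus", b"MZ" + b"\xeb\xfe\x90\x90", ["self_replicate", "overwrite_file"], True),
    Sample("new_bootkit", b"MZ\x00\x00", ["write_mbr"], True),          # only behavior fires
    Sample("disk_tool", b"MZ\x00\x00", ["write_mbr"], False),           # legitimate fdisk-like utility
    Sample("installer", b"MZ\x00\x00", ["overwrite_file", "hide_file"], False),
    Sample("notepad", b"MZ\x00\x00", [], False),
    Sample("packed_worm", b"MZ\x00\x00", ["self_replicate", "hide_file"], True),  # no signature yet
]

if __name__ == "__main__":
    for rule in (any_verdict, majority_verdict):
        print(rule.__name__, evaluate(SAMPLES, rule))
```

Running it shows the "any" rule catching every malicious sample but flagging the disk utility and the installer, while the majority rule produces no false positives at the cost of missing the two objects only one technique recognizes.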
In order to improve the effectiveness of an antivirus application that uses different malware detection techniques, it is desirable to minimize both types of mistakes.