Heuristic analysis
Heuristic analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the "wild".[1]
Heuristic analysis is an expert based analysis that determines the susceptibility of a system towards particular threat/risk using various decision rules or weighing methods. MultiCriteria analysis (MCA) is one of the means of weighing. This method differs from statistical analysis, which bases itself on the available data/statistics.
Operation
Most antivirus programs that utilize heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized virtual machine, thereby allowing the anti-virus program to internally simulate what would happen if the suspicious file were to be executed while keeping the suspicious code isolated from the real-world machine. It then analyzes the commands as they are performed, monitoring for common viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus, and the user alerted.
Another common method of heuristic analysis is for the anti-virus program to decompile the suspicious program, then analyze the machine code contained within. The source code of the suspicious file is compared to the source code of known viruses and virus-like activities. If a certain percentage of the source code matches with the code of known viruses or virus-like activities, the file is flagged, and the user alerted.
Effectiveness
Heuristic analysis is capable of detecting many previously unknown viruses and new variants of current viruses. However, heuristic analysis operates on the basis of experience (by comparing the suspicious file to the code and functions of known viruses). This means it is likely to miss new viruses that contain previously unknown methods of operation not found in any known viruses. Hence, the effectiveness is fairly low regarding accuracy and the number of false positives.
As new viruses are discovered by human researchers, information about them is added to the heuristic analysis engine, thereby providing the engine the means to detect new viruses.
What is Heuristic Analysis?
Heuristic analysis is a method of detecting viruses by examining code for suspicious properties.
Traditional methods of virus detection involve identifying malware by comparing code in a program to the code of known virus types that have already been encountered, analyzed and recorded in a database – known as signature detection.
While useful and still in use, signature detection method has also become more limited, due to the development of new threats which exploded around the turn of the century and are continuing to emerge all the time.
To counter this problem, the heuristic model was specifically designed to spot suspicious characteristics that can be found in unknown, new viruses and modified versions of existing threats as well as known malware samples.
Cybercriminals are constantly developing new threats, and heuristic analysis is one of the only methods used to deal with the huge volume of these new threats seen daily.
Heuristic analysis is also one of the few methods capable of combating polymorphic viruses — the term for malicious code that constantly changes and adapts.
How Does Heuristic Analysis Work?
Heuristic analysis can employ a number of different techniques. One heuristic method, known as static heuristic analysis, involves de-compiling a suspect program and examining its source code. This code is then compared to viruses that are already known and are in the heuristic database. If a particular percentage of the source code matches anything in the heuristic database, the code is flagged as a possible threat.
Another method is known as dynamic heuristics. When scientists want to analyze something suspicious without endangering people, they contain the substance in a controlled environment like a secure lab and conduct tests. The process is similar for heuristic analysis — but in a virtual world.
It isolates the suspicious program or piece of code inside a specialized virtual machine — or sandbox — and gives the antivirus program a chance to test the code and simulate what would happen if the suspicious file was allowed to run. It examines each command as it's activated and looks for any suspicious behaviors, such as self-replication, overwriting files, and other actions that are common to viruses. Potential Issues are reported to the user.
Heuristic analysis is ideal for identifying new threats, but to be effective heuristics must be carefully tuned to provide the best possible detection of new threats but without generating false positives on perfectly innocent code.
For this reason, heuristic tools are often typically just one weapon in a sophisticated antivirus arsenal. They are typically deployed along with other methods of virus detection, such as signature analysis and other proactive technologies.
References
- Wong, W.; Stamp, M. (2006). "Hunting for metamorphic engines". Journal in Computer Virology. 2 (3): 211–229. doi:10.1007/s11416-006-0028-7.