

Heuristic analysis is a method used by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the wild.

Heuristic analysis is based on expert analysis that determines the susceptibility of a system to a particular threat or risk using various decision rules or weighting methods. Multi-Criteria Analysis (MCA) is one such weighting tool. This method differs from statistical analysis, which relies on available data and statistics.

Operation

Most antivirus programs that use heuristic analysis perform this function by executing the instructions of a questionable program or script inside a specialized virtual machine. This lets the antivirus program simulate what would happen if the suspicious file were executed, while keeping the suspicious code isolated from the real machine. It then analyzes the commands as they are executed, watching for common virus activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus and the user is alerted.

Another common heuristic analysis method is for the antivirus program to decompile the suspicious program and then analyze the machine code contained within. The decompiled code of the suspicious file is compared with the code of known viruses and with known virus-like activities. If a certain percentage of the code matches the code of a known virus or virus-like activity, the file is flagged and the user is alerted.

Efficiency

Heuristic analysis can detect many previously unknown viruses and new variants of current viruses. However, it works from experience, comparing a suspicious file with the code and behaviour of known viruses, so it is likely to miss new viruses whose methods of operation do not appear in any known virus. Consequently, its efficiency is fairly low in terms of accuracy and the number of false positives.

As new viruses are discovered by human researchers, information about them is added to the engine's heuristic analysis, thereby providing the engine with a means to detect new viruses.

What is heuristic analysis?

Heuristic analysis is a method of detecting viruses by analyzing code for suspicious properties.

Traditional virus detection, known as signature detection, identifies malware by comparing the code in a program with the code of known viruses that have already been encountered, analyzed and recorded in a database.

While still useful and in use, signature detection has become more limited because of the explosion of new threats that began at the turn of the century and continues to this day.

To address this problem, the heuristic model was designed specifically to identify suspicious features in unknown new viruses and in modified versions of existing threats, as well as in known malware samples.

Cybercriminals are constantly developing new threats, and heuristic analysis is one of the few methods used to combat the sheer volume of these new threats seen daily.

Heuristic analysis is also one of the few methods capable of combating polymorphic viruses, a term for malicious code that constantly changes and adapts. Heuristic analysis is included in advanced security solutions offered by companies such as Kaspersky Lab to detect new threats before they cause harm, without the need for a specific signature.

How does heuristic analysis work?

Heuristic analysis can use many different techniques. One of them, known as static heuristic analysis, involves decompiling a suspicious program and examining its source code. This code is compared with viruses that are already known and held in a heuristic database. If a certain percentage of the source code matches an entry in the heuristic database, the code is flagged as a possible threat.

Another method is known as dynamic heuristics. When scientists want to analyze something suspicious without endangering people, they keep the substance in a controlled environment such as a secure laboratory and test it there. Heuristic analysis does the same thing, only in a virtual environment.

It isolates the suspicious program or piece of code inside a specialized virtual machine, or sandbox, and gives the antivirus program a chance to inspect the code and simulate what would happen if the suspicious file were allowed to run. It examines each command as it executes and looks for suspicious behaviour such as self-replication, overwriting files, and other actions common to viruses.

Potential problems

Heuristic analysis is well suited to identifying new threats, but to be effective the heuristics must be carefully tuned to give the best detection of new threats without generating false positives on completely innocent code.

What is a heuristic analyzer?

  1. The heuristic method, in contrast to the signature method, is aimed at detecting not signatures of malicious code, but typical sequences of operations that allow one to draw a conclusion about the nature of the file with a sufficient degree of probability. The advantage of heuristic analysis is that it does not require pre-compiled databases. Due to this, new threats are recognized before their activity becomes known to virus analysts.
  2. Please write to me if you find out.
  3. Heuristic scanning is a method of operating an antivirus program based on signatures and heuristics, designed to improve the ability of scanners to apply signatures and recognize modified versions of viruses in cases where the signature does not match the body of an unknown program 100%, but the suspicious program shows more general signs of a virus. This technology, however, is used very carefully in modern programs, as it can increase the number of false positives.
  4. A heuristic analyzer (heuristic) is an anti-virus module that analyzes the code of an executable file and determines whether the object being scanned is infected.
    During heuristic analysis, standard signatures are not used. On the contrary, a heuristic makes a decision based on preset, sometimes not entirely clear, rules.

    For greater clarity, this approach can be compared with artificial intelligence independently conducting analysis and making decisions. However, this analogy only partially reflects the essence, since the heuristic does not know how to learn and, unfortunately, has low efficiency. According to antivirus experts, even the most modern analyzers are not able to stop more than 30% of malicious codes. Another problem is false positives, when a legitimate program is detected as infected.

    However, despite all the shortcomings, heuristic methods are still used in antivirus products. The fact is that a combination of different approaches can increase the final efficiency of the scanner. Today, products of all major players on the market are equipped with heuristics: Symantec, Kaspersky Lab, Panda, Trend Micro and McAfee.
    During the heuristic analysis process, the file structure and its conformance to virus patterns are checked. The most popular heuristic technology is to check the contents of a file for modifications of already known virus signatures and their combinations. This helps identify hybrids and new versions of previously known viruses without an additional antivirus database update.
    Heuristic analysis is used to detect unknown viruses, and, as a result, does not involve treatment.
    This technology is not 100% capable of determining whether a virus is in front of it or not, and like any probabilistic algorithm it suffers from false positives.

    Any questions will be resolved by me; contact me and we will help in any way we can.

  5. The heuristic analyzer summarizes the trends of the program code based on calls to system interrupts, extrapolating the level of possible maliciousness. This ensures balanced protection of the operating system.
    Well, everything seems to have been explained, okay? ;))
  6. This is a type of artificial intelligence. In real life this technology is not available; there are some approximations to it, as if the antivirus itself analyzes the program and decides whether it is a virus or not.

The anti-virus program searches for viruses and malicious objects by comparing the program under study with its database of virus descriptions. When a match is found, the antivirus can disinfect the detected virus; the rules and disinfection methods are usually stored in the same database.

However, this database is also the antivirus's weak point: it can only detect viruses that are described in it. The problem can be partly addressed by a heuristic analyzer, a special antivirus subsystem that tries to detect new types of viruses not described in the database. In addition to viruses, the AVZ heuristic analyzer tries to detect spyware, hijackers and Trojans.

The heuristic analyzer works by searching for features of viruses and spyware (fragments of program code, certain registry keys, files and processes). In addition, it tries to assess how similar the object under study is to known viruses.

To search for spyware, rootkits and hijackers, the most effective heuristic analysis examines not individual files on disk but the system as a whole: the combined data in the registry, files on disk, processes and libraries in memory, listening TCP and UDP ports, active services and loaded drivers.

A characteristic of heuristic analysis is a fairly high error rate: the heuristic can report suspicious objects, but this information needs to be verified by virus analysts. As a result of that check, the object is either recognized as malicious and added to the database, or a false positive is recorded and a correction is made to the heuristic analyzer's algorithms.

Most antiviruses (including AVZ) allow the sensitivity of the heuristic analyzer to be adjusted. Here there is always a trade-off: the higher the sensitivity, the higher the probability that the heuristics detect an unknown malicious object, but also the higher the probability of false positives, so some kind of "golden mean" has to be found.

The heuristic analyzer has several sensitivity levels and two special modes:

  • blocking the heuristic analyzer: the analyzer is completely switched off. In AVZ, in addition to adjusting the sensitivity level of the heuristic analyzer, it is possible to turn the heuristic analysis of the system on and off;

  • "paranoid" mode: the maximum possible sensitivity is turned on and warnings are displayed at the slightest suspicion. This mode is normally unacceptable because of the very high number of false positives, but it is sometimes useful.

The main messages of the AVZ heuristic analyzer are given in the following list:

  • "File name >>> suspicion of virus_name (brief data about the object)": a message of this kind is issued when an object is detected that, in AVZ's estimation, resembles a known malicious object. The data in brackets lets the developer find the entry in the antivirus database that caused the message;

  • "File name >>> PE file with non-standard extension": a program file has been detected which, instead of the typical extension EXE, DLL or SYS, has a different, non-standard extension. This is not dangerous in itself, but many viruses disguise their PE files by giving them the PIF or COM extension. The message is displayed at any heuristic level for PE files with the extension PIF or COM, and for other extensions only at the maximum heuristic level;

  • "File name >>> File name has more than 5 spaces": many spaces in a file name are rare, but many viruses use spaces to disguise the real extension, creating files with names like "photo.jpeg .exe";

  • "File name >>> Extension masking detected": similar to the previous message, but issued when more than 15 spaces are detected in the name;

  • "File name >>> file has no visible name": issued for files that have no name (i.e. the file name is ".exe" or ".pif");

  • "Process Filename can work with network": displayed for processes that use libraries such as wininet.dll, rasapi32.dll or ws2_32.dll, i.e. system libraries containing functions for network access or for managing dial-up and connection establishment. This check is performed only at the maximum heuristic level. Use of network libraries is naturally not in itself a sign that a program is malicious, but unfamiliar processes in this list deserve attention.

After the message, a number may be displayed that represents the degree of danger as a percentage. Special attention should be paid to files for which a danger level of more than 30 has been reported.
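The file-name and import checks from the message list above, expressed as a small rule set with a sensitivity level. This is an added illustration, not AVZ's own code: the three-step level scale, the "MZ" header test for recognising a PE file, and the sample file names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List

LOW, MEDIUM, MAX = 1, 2, 3              # sensitivity scale assumed for this example
PE_EXTENSIONS = {"exe", "dll", "sys"}    # typical extensions for program files
DISGUISE_EXTENSIONS = {"pif", "com"}     # reported at any level, per the list above
NETWORK_DLLS = {"wininet.dll", "rasapi32.dll", "ws2_32.dll"}

@dataclass
class FileInfo:
    name: str                     # file name without directory
    header: bytes                 # first bytes of the file (constructed in the samples)
    imports: List[str] = field(default_factory=list)   # DLLs the image imports

def is_pe(header: bytes) -> bool:
    # PE images begin with the DOS "MZ" stub; a full parser would also verify the PE signature.
    return header[:2] == b"MZ"

def split_name(name: str):
    # The extension is the part after the last dot, which is how the messages above treat it.
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")

def analyze(info: FileInfo, level: int) -> List[str]:
    """Return the AVZ-style warnings that apply to one file at the given sensitivity level."""
    warnings = []
    stem, ext = split_name(info.name)
    if ext and stem.strip() == "":
        warnings.append("file has no visible name")
    spaces = info.name.count(" ")
    if spaces > 15:
        warnings.append("Extension masking detected")
    elif spaces > 5:
        warnings.append("File name has more than 5 spaces")
    if is_pe(info.header) and ext not in PE_EXTENSIONS:
        # PIF/COM are reported at every level, any other extension only at MAX
        if ext in DISGUISE_EXTENSIONS or level == MAX:
            warnings.append("PE file with non-standard extension")
    if level == MAX and any(d.lower() in NETWORK_DLLS for d in info.imports):
        warnings.append("can work with network")
    return warnings

# Constructed samples; b"MZ..." stands in for a real PE header.
SAMPLES = [
    FileInfo("photo.jpeg" + " " * 16 + ".exe", b"MZ\x90\x00"),
    FileInfo("readme.pif", b"MZ\x90\x00"),
    FileInfo("update.scr", b"MZ\x90\x00"),
    FileInfo("svc.exe", b"MZ\x90\x00", ["kernel32.dll", "ws2_32.dll"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for level in (LOW, MAX):
            print(level, repr(sample.name), analyze(sample, level))
```

Running it shows the same file producing different warnings at LOW and MAX, which is the sensitivity trade-off discussed above.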

Search for viruses similar to known ones

The word "heuristic" means "to find". Heuristic analysis rests on the (very plausible) assumption that new viruses are often similar to already known ones. Anti-virus databases therefore contain signatures that identify not one but several viruses at once, and the heuristic method consists of searching for files that do not completely, but very closely, match the signatures of known viruses.

Advantages: the ability to detect new viruses even before signatures are allocated for them.

Disadvantages:

  • the possibility of mistakenly reporting a virus in a file that is in fact clean; such events are called false positives;
  • impossibility of disinfection: because of possible false positives and possible inaccurate identification of the virus type, an attempt at disinfection may cause a greater loss of information than the virus itself, which is unacceptable;
  • low efficiency: against truly innovative viruses, which cause the largest epidemics, this type of heuristic analysis is of little use.
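The "closely but not exactly matching" search described in this section (and in the static heuristic paragraphs earlier), as an added illustration that is not code from any real antivirus engine: each known sample is reduced to its 4-byte shingles, and a file is scored by the fraction of a signature's shingles it contains. The signatures, the shingle length, the threshold and the sample files are all constructed for the example.

```python
from typing import Dict, Optional, Set, Tuple

N = 4  # shingle length in bytes (an assumed tuning knob for this toy engine)

def shingles(data: bytes, n: int = N) -> Set[bytes]:
    """All overlapping n-byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

# Constructed "signatures": made-up opcode-like byte fragments standing in for the
# code of two known samples. They are not signatures from any real database.
SIGNATURES: Dict[str, bytes] = {
    "Sample.A": bytes.fromhex(
        "558bec83ec2053568b750c578b7d10e8f1ffffff8bd885db74086a00ff15a010"
    ),
    "Sample.B": bytes(range(0xA0, 0xC0)),
}

def scan(data: bytes, threshold: float = 0.75) -> Tuple[str, Optional[str], float]:
    """Compare a file with every signature by shingle overlap.

    Returns (verdict, sample name, similarity): 'infected' on an exact match,
    'suspicious' when at least `threshold` of a signature's shingles are present
    (a close but not exact match), otherwise 'clean'.
    """
    file_shingles = shingles(data)
    best_name, best_sim = None, 0.0
    for name, sig in SIGNATURES.items():
        sig_shingles = shingles(sig)
        sim = len(sig_shingles & file_shingles) / len(sig_shingles)
        if sim > best_sim:
            best_name, best_sim = name, sim
    if best_sim == 1.0:
        return "infected", best_name, best_sim
    if best_sim >= threshold:
        return "suspicious", best_name, best_sim
    return "clean", None, best_sim

# Constructed test files: an exact copy of Sample.A, a variant with one byte patched,
# and a clean file. The padding bytes stand in for the rest of an executable.
SIG_A = SIGNATURES["Sample.A"]
EXACT_FILE = b"\x00" * 16 + SIG_A + b"\x90" * 16
VARIANT_FILE = b"\x00" * 16 + SIG_A[:12] + b"\x89" + SIG_A[13:] + b"\x90" * 16
CLEAN_FILE = b"This is a harmless text file with no code in it."

if __name__ == "__main__":
    for label, blob in (("exact", EXACT_FILE), ("variant", VARIANT_FILE), ("clean", CLEAN_FILE)):
        print(label, scan(blob))
```

The patched variant still shares 25 of Sample.A's 29 shingles and is reported as suspicious, whereas a heavily rewritten file would fall below the threshold, which is the low efficiency against genuinely new viruses noted above.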

Search for viruses that perform suspicious actions

Another heuristic-based method assumes that malware, in one way or another, seeks to harm the computer, and is based on identifying the main malicious actions.

For example:

  • deleting a file;
  • writing to a file;
  • writing to certain areas of the system registry;
  • opening a listening port;
  • intercepting keyboard input;
  • sending e-mail.

Performing any one of these actions on its own is not a reason to consider a program malicious. But when a program performs several of them in succession, for example registering its own launch in the autorun key of the system registry, intercepting keyboard input and periodically sending that data to some address on the Internet, then the program is at least suspicious. A heuristic analyzer built on this principle constantly monitors the actions that programs perform.

Advantages: the ability to detect previously unknown malicious programs even if they are not very similar to known ones (for example, a program that uses a new vulnerability to penetrate the computer and then performs already familiar malicious actions). Such a program may be missed by a heuristic analyzer of the first type, but may well be detected by an analyzer of the second type.

Disadvantages:

  • false positives;
  • impossibility of disinfection;
  • low efficiency.

Before considering the concept of "heuristic analysis", it is necessary to understand what the word "heuristics" itself means. For this we have to go back in history, to Ancient Greece: the word "heuristic" comes from the Greek for "to find". The essential point is that, under these methods, solutions to any problem are based on assumptions that may be true.

They do not rely on strict facts or premises.

The above sounds rather vague and probably incomprehensible, so we will try to understand what heuristic analysis is using specific examples.

There are a large number of viruses on the Internet with very similar properties. Modern antivirus programs therefore look for files whose signatures closely resemble malware code. This significantly reduces the size of the databases used to search for viruses, so by using heuristic analysis antivirus vendors save considerable resources on the computers where their software is installed. It also becomes possible to find new viruses even before the signatures are updated.

The next example is also related to the fight against viruses. Its logic lies in the very name "malware": the approach assumes that all viruses inflict harm in one way or another. There is an approximate list of actions that the heuristic analysis checks before making a decision: writing, deleting, writing to the system registry, reading keystrokes, opening ports, sending spam. Naturally, one such action alone is no reason to panic, but when they happen together and at a particularly fast pace, there is reason to think. The main advantage of this approach is the ability to identify viruses even if they are not similar to signatures already in the database.
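The action-combination idea from this paragraph and from the "Search for viruses that perform suspicious actions" section above, as an added example (not the code of any real product): a constructed sandbox trace is scored by the combined weight of distinct action kinds seen within a short time window, so a single action scores low while the autorun-plus-keylogger-plus-network combination scores high. The weights, the 60-second window, the threshold and the two traces are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Weights per action kind are an assumption for illustration; a real engine tunes
# them against large sets of clean software to keep false positives down.
WEIGHTS = {
    "delete_file": 1, "write_file": 1, "write_registry": 2, "listen_port": 2,
    "send_mail": 3, "send_network": 3, "keyboard_hook": 4, "autorun_registry": 5,
}
AUTORUN_KEY = r"\software\microsoft\windows\currentversion\run"
THRESHOLD = 7  # combined weight at which a program is called suspicious (assumed)

@dataclass
class Event:
    t: float        # seconds since process start (constructed sandbox trace)
    action: str     # one of the WEIGHTS keys; registry writes are refined in classify()
    target: str = ""

def classify(e: Event) -> str:
    # A registry write that registers the program for autorun is a more specific signal.
    if e.action == "write_registry" and AUTORUN_KEY in e.target.lower():
        return "autorun_registry"
    return e.action

def score_trace(events: List[Event], window: float = 60.0) -> Tuple[int, Set[str]]:
    """Highest combined weight of distinct action kinds seen within any `window` seconds.
    Each kind counts once: repeating one action scores no higher than doing it once;
    only a combination of different actions raises the score."""
    events = sorted(events, key=lambda e: e.t)
    best, best_kinds = 0, set()
    for i, first in enumerate(events):
        kinds = {classify(e) for e in events[i:] if e.t - first.t <= window}
        total = sum(WEIGHTS[k] for k in kinds)
        if total > best:
            best, best_kinds = total, kinds
    return best, best_kinds

def verdict(score: int) -> str:
    return "suspicious" if score >= THRESHOLD else "clean"

# Constructed traces: the combination described above, and an ordinary installer.
SPY_TRACE = [
    Event(0.5, "write_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(1.0, "keyboard_hook"),
    Event(5.0, "send_network", "203.0.113.10:443"),  # documentation-range address, constructed
]
INSTALLER_TRACE = [
    Event(0.0, "write_file", r"C:\Program Files\App\app.exe"),
    Event(1.0, "write_registry", r"HKLM\Software\App\InstallDir"),
    Event(2.0, "delete_file", r"C:\Temp\setup.tmp"),
]

if __name__ == "__main__":
    for name, trace in (("spyware-like", SPY_TRACE), ("installer", INSTALLER_TRACE)):
        score, kinds = score_trace(trace)
        print(name, score, sorted(kinds), verdict(score))
```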

Another field in which heuristic analysis is used is economics, where its application is very wide. Economic analysis is one of many sub-fields where the methods discussed are of great help. At its core it is a detailed and comprehensive study, based on information from the various sources available, in which many internal aspects of the functioning of a particular organization are also assessed. The purpose of this work is to improve operations by introducing and developing new, optimal management decisions.

The widespread use of heuristic methods can significantly simplify decision-making processes, as well as eliminate various problems that can be eliminated through the use of statistical data. This saves significant resources and time. Experience gained earlier can safely be used in the organization's daily activities.
