Malware Detection – Signatures vs. Behavior Analysis
August 16, 2017
Shah Sheikh (1294 articles)

Malware Detection – Signatures vs. Behavior Analysis

Malware has threatened computers, networks, and infrastructures since the eighties. There are two major technologies to defend against this, but most organizations rely almost exclusively on just one approach, the decade’s old signature-based methodology. The more advanced method of detecting malware via behavior analysis is gaining rapid traction, but is still largely unfamiliar.

Signature-based malware detection is used to identify “known” malware. Unfortunately, new versions of malicious code appear that are not recognized by signature-based technologies. These newly released forms of malware can only be distinguished from benign files and activity by behavioral analysis.

Signature-based technologies track known threats

In computing, all objects have attributes that can be used to create a unique signature. Algorithms can quickly and efficiently scan an object to determine its digital signature.

When an anti-malware solution provider identifies an object as malicious, its signature is added to a database of known malware. These repositories may contain hundreds of millions of signatures that identify malicious objects. This method of identifying malicious objects has been the primary technique used by malware products and remains the base approach used by the latest firewalls, email and network gateways.

Signature-based malware detection technology has a number of strengths, the main being simply that it is well known and understood – the very first anti-virus programs used this approach. It is also speedy, simple to run, and widely available. Above all else, it provides good protection from the many millions of older, but still active threats.

Don’t wait for signatures

Verifying that a new file is malicious can be complex and time consuming, and often the malware has already evolved by then. The Cisco 2017 Annual Cybersecurity Report found that 95% of malware files they analyzed weren’t even 24 hours old, indicating a fast “time to evolve”. The delay in identifying new forms of malware makes corporations vulnerable to serious damages.

Modern malware often strikes immediately, decimating in a short period of time. Jigsaw for example, starts deleting files within 24 hours. HDDcryptor infected 2000 systems at the San Francisco Municipal Transport Agency before it was detected. Therefore, being vulnerable to infection while waiting for a signature is very risky.

Behavior-based malware detection

Behavior-based malware detection evaluates an object based on its intended actions before it can actually execute that behavior. An object’s behavior, or in some cases its potential behavior, is analyzed for suspicious activities. Attempts to perform actions that are clearly abnormal or unauthorized would indicate the object is malicious, or at least suspicious.

There’s a multitude of behaviors that point to potential danger. Some examples include any attempt to discover a sandbox environment, disabling security controls, installing rootkits, and registering for autostart.

Evaluating for malicious behavior as it executes is called dynamic analysis. Threat potential or malicious intent can also be assessed by static analysis, which looks for dangerous capabilities within the object’s code and structure.

While no solution is completely foolproof, behavior-based detection still leads technology today to uncover new and unknown threats in near real-time. Some examples of where behavior-based technology succeeds when signature-based systems fail are:

– Protecting against new and unimagined types of malware attacks
– Detecting an individual instance of malware targeted at a person or organization
– Identifying what the malware does in a specific environment when files are opened
– Obtaining comprehensive information about the malware

Not all behavior-based technology is created equal

Conventional sandbox technologies have limited visibility and can only evaluate the interaction between an object and the operating system. By observing 100 percent of the actions that a malicious object might take, even when it delegates those actions to the operating system or other programs, CSOs can evaluate not only the malware’s communication with the operating system, but each instruction processed by the CPU.

How behavior-based solutions work

Advanced malware detection solutions observe and evaluate in context every line of code executed by the malware. They analyze all requests to access specific files, processes, connections, or services. This includes each instruction executed at the operating system level or other programs that have been invoked, including low-level code hidden by rootkits.

The technology identifies all malicious, or at least suspicious activity, which when taken together, makes it very clear that a file is malicious before it is released onto the network to actually execute any potentially damaging behavior.

Both signature and behavior-based malware detection are important and have advantages. The best security will come from utilizing both technologies. Too many security officers are misled by vendors promoting ‘next-generation’ firewalls and other ‘state-of-the-art’ security tools. They don’t realize that these ‘latest’ products are relying exclusively on the decades old signature-based approach to malware detection that will miss evasive malware and zero-day attacks.

No organization with sensitive data or critical operations to protect should be without behavior-based malware detection to augment the capabilities of existing security tools.