Heuristic analysis
From Wikipedia, the free encyclopedia
This article does not cite any references or sources. (October 2006) Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed. |
Heuristic Analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the wild.
Heuristic Analysis An expert based analysis. Expert determines the susceptibility of a system towards particular threat/risk using various decision rules or weighing methods. MultiCriteria Analysis (MCA) is one of the means of weighing. This method differs with Statistical Analysis, which bases itself on the available data/statistics.
[edit] How it works
Most anti-virus programs that utilize heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized virtual machine, thereby allowing the anti-virus program to internally simulate what would happen if the suspicious file were to be executed while keeping the suspicious code isolated from the real-world machine. It then analyzes the commands as they are performed, monitoring for common viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus, and the user alerted.
Another common method of heuristic analysis is for the anti-virus program to decompile the suspicious program, then analyze the source code contained within. The source code of the suspicious file is compared to the source code of known viruses and virus-like activities. If a certain percentage of the source code matches with the code of known viruses or virus-like activities, the file is flagged, and the user alerted.
[edit] Effectiveness
Although heuristic analysis is capable of detecting many previously-unknown viruses and new variants of current viruses, the effectiveness is fairly low regarding accuracy and the number of false negatives. This is because computer viruses, just like biological viruses, are constantly changing and evolving. Since heuristic analysis mostly operates on the basis of past experience (by comparing the suspicious file to the code and functions of known viruses), it is likely to miss new viruses that contain previously unknown code or methods of operation not found in any known viruses. Fortunately, heuristic analysis is also evolving along with the viruses. As new viruses are discovered using alternative methods of detection, information about them are added to the heuristic analysis engine, thereby providing it the means to detect any new viruses based on the previously-unknown code.
The Effectiveness of heuristic analysis is not as hight as we expect. The independent tests of heuristic components of popular antiviruses show that their detection rates usually are not higher than 40-50% of new malware.