Page 11 - Cyber Warnings
P. 11
Advanced Malware Detection Signatures vs. Behavior Analysis
By John Cloonan, Director of Products, Lastline, Inc.
Malware has threatened our computers, networks, and infrastructures since the eighties. It is
constantly evolving, and deploying products that effectively detect it is crucial to preventing
costly data breaches. There are two major technologies to accomplish this, but surprisingly,
most organizations rely almost exclusively on just one approach, the decades old signature-
based methodology. The more advanced method of detecting malware via behavior analysis is
gaining rapid traction, but is still unfamiliar to many.
Signature-based malware detection is a proven method for identifying “known” malware.
Unfortunately, new versions of malicious code appear daily that are not recognized by
signature-based technologies. These newly released forms of malware can only be
distinguished from benign files and activity by analyzing its behavior.
Signature-Based Technologies Track Known Threats
In computing, all objects (including operating system components, executable programs,
documents, images and others) have attributes that can be used to create a unique digital
fingerprint or signature. Algorithms can quickly and efficiently scan an object to determine its
digital signature.
When an anti-malware solution provider identifies an object as malicious, its signature is added
to a database of known malware. These repositories may contain hundreds of millions of
signatures that identify malicious objects. This method has been the primary technique used by
most malware detection products and remains the fundamental approach used by the latest
firewalls, email and network gateways, and other intrusion detection systems.
Signature-based malware detection technology has a number of strengths, including:
• Signature-based malware detection is well known and well understood. The very first
anti-virus programs used this approach.
• It’s fast. Signature-based technologies can rapidly identify known malware.
• Signature-based malware detection is relatively simple and will run in minimal endpoint
environments.
• It’s readily available within a number of leading network security tools such as next-
generation firewalls, email gateways, and IPS.
• It provides good protection from the many millions of older, but still active threats.
i
But there are over a million new versions of malware released daily . Many of these have very
specific targets—often just one. As a result, on top of the much greater number of overall
11 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
