Monday, April 28, 2008

what are heuristics?

in anti-malware, heuristics refer to a family of techniques/technologies meant to determine if a given program is malware based on a collection of rules (heuristic can be considered to be a fancy word for "rule of thumb") derived from past experience with malware...

heuristic analysis looks for structures/routines/behaviours/etc (depending on the implementation) commonly found in malware rather than looking for actual specific instances of malware... one could think of this as being a measure of similarity, not necessarily to a specific malware sample (though there are heuristic engines capable of reporting that X is a new or modified variant of Y), but rather to malware in general... this gives it the potential to detect new/unknown malware but also carries with it the potential to raise false alarms as there is nothing done by malware that is unique to just malware (rules of thumb aren't an exact science)... in order to prevent an unacceptable number of false alarms the heuristic detection typically gets watered down (by requiring more heuristic conditions to be met, or by requiring a higher heuristic score if the conditions aren't weighted equally, before the heuristic engine decides to raise an alarm), but this also has the effect of lowering the true alarm rate as well...

heuristics' ability to detect unknown malware is meant to compensate for known-malware scanning's complete inability to do so; however, it cannot detect all unknown malware, and with the constraints placed on it to avoid false alarms that ability is reduced to an even lower level of effectiveness... as the instantaneous population of unknown malware increases, this shortfall in effectiveness becomes an increasingly troublesome problem...
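as an added illustration (not code from the original post), here is a toy weighted heuristic engine over a constructed set of labelled samples... the rule names, weights and samples are all made up for the example; what it shows is the tradeoff described above: raising the score needed to raise an alarm cuts the false-alarm rate, but drops the true-alarm rate along with it...

```python
# Added example (not from the original post): a toy weighted heuristic engine
# showing why raising the alarm threshold lowers both the false-alarm rate
# and the true-alarm rate. Rules, weights and samples are all constructed.

# rule name -> weight; each rule is a "rule of thumb" about structures or
# behaviours commonly (but not exclusively) found in malware
RULES = {
    "packed_sections": 2,       # obfuscated/packed code sections
    "no_version_info": 1,       # missing resource metadata
    "writes_startup_key": 3,    # persistence via an autorun location
    "injects_into_process": 3,  # code injection into another process
    "high_entropy_strings": 1,  # encrypted/encoded strings
}

def heuristic_score(observed):
    """Sum the weights of every rule the sample triggers."""
    return sum(w for name, w in RULES.items() if name in observed)

def is_flagged(observed, threshold):
    """Raise an alarm when the weighted score reaches the threshold."""
    return heuristic_score(observed) >= threshold

# constructed labelled corpus: (set of triggered rules, is_malware)
SAMPLES = [
    ({"packed_sections", "writes_startup_key", "injects_into_process"}, True),
    ({"packed_sections", "high_entropy_strings", "writes_startup_key"}, True),
    ({"no_version_info", "writes_startup_key"}, True),   # lightweight malware
    ({"packed_sections"}, True),                         # new variant, few rules hit
    ({"packed_sections", "no_version_info"}, False),     # packed shareware installer
    ({"writes_startup_key"}, False),                     # legitimate updater
    ({"high_entropy_strings"}, False),                   # clean app with compressed data
    (set(), False),                                      # plain clean program
]

def alarm_rates(threshold):
    """Return (true_alarm_rate, false_alarm_rate) over SAMPLES at a threshold."""
    malware = [s for s, bad in SAMPLES if bad]
    benign = [s for s, bad in SAMPLES if not bad]
    tar = sum(is_flagged(s, threshold) for s in malware) / len(malware)
    far = sum(is_flagged(s, threshold) for s in benign) / len(benign)
    return tar, far

if __name__ == "__main__":
    # watering down the heuristic (higher threshold) trades true alarms for
    # fewer false alarms; the unknown "new variant" is lost first
    for t in (1, 3, 4, 6):
        tar, far = alarm_rates(t)
        print(f"threshold={t}: true alarms {tar:.0%}, false alarms {far:.0%}")
```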
