Antivirus software is widely used to combat malware and prevent computers from being compromised. Antivirus vendors were also among the first to adopt advanced algorithms that emulate the processes of the human mind. In a method called behavioural analysis, antivirus technologies detect viruses that are designed to evade the earlier detection methods.
Vendors' move towards behavioural analysis marks the rise of a proactive antivirus strategy, as opposed to a reactive one. This not only improves on existing methods but also closes off multiple avenues of attack that could otherwise be used.
How Antivirus Worked In The Past
Many prominent antivirus providers such as Norton, McAfee, AVG and Avast use a similar method of detecting viruses. First, all the files on the computer are scanned, with the software looking for matching signatures. A signature is the pattern that identifies a file as a particular known virus, and antivirus providers maintain a database of known malicious signatures to keep users' systems from being compromised.
This is one of the first methods cybersecurity providers used to ensure a safe experience. It is also one of the most basic ways of running an antivirus scan, and a well-established method that protects against the hundreds of millions of threats catalogued over many years.
It is also light on resources, since it simply compares the signature of each file against the database of known signatures, and it is simple to run, requiring little expertise.
However, a survey by Cisco in 2017 showed that 95% of all the malware analyzed was less than 24 hours old. This showed that viruses were evolving at a rate that antivirus software was simply unable to keep up with. There were multiple reasons, chief among them that malware code was being altered so quickly that a newly derived signature was obsolete almost immediately.
It was also easy to keep the purpose of the malware while changing its signature, so as to get past antivirus programs. Methods such as code obfuscation, polymorphism and metamorphism were employed to change the signature of the payload while leaving it fully effective. For all its benefits, signature detection slowly fell behind as a new and more effective method emerged.
A New-Age Solution To An Established Problem
The rapid evolution of malware forced antivirus companies to come up with new ways to combat the rise of malicious software. This came in the form of behaviour-based malware detection, which overcame the problems of the previous method.
Algorithms were created focusing on real-time protection, and multiple heuristic-based methods were used to achieve this. The previous method was strictly reactive: it could only see a virus during a scan, and only if its signature was already in the database, so it had no way of detecting entirely new malware.
Moreover, modern malware was progressing to the point of compromising and crippling infected systems within 24 hours. In other words, writing malware had progressed to machine speed while antivirus was still functioning in the past.
Behaviour-based analysis, as the name suggests, analyses the behaviour of software on a computer to detect whether a file is doing anything suspicious. These activities are well documented, as there are a number of suspicious behaviours that can run in the background without the user noticing. Malware often checks whether it is running in a sandbox, installs a rootkit to lock the user out of the computer, or registers itself to start automatically when the computer boots.
A Real-Time Approach For A Faster-Than-Life World
Behaviour-based malware detection algorithms offer multiple benefits over signature detection, as they can protect against undiscovered methods of attack. This matters especially for enterprises, which are attacked with unknown malware regularly.
Moreover, attack vectors currently draw on a known set of vulnerabilities that can be exploited. As mentioned previously, it is possible to determine whether software is malicious simply from the behaviours it exhibits.
By studying malware in a sandbox environment, it is possible to observe the behaviours it exhibits. After data on the various types of attacks that can be mounted has been collected, antivirus algorithms are trained on it and released to the public. This offers comprehensive information not only on one type of malware but also on the general attack style of malware as a whole.
However, care must be taken when using this in a cloud-based solution, as it introduces significant latency, owing to the processing the scan itself requires. It is also important not to rely strictly on signature-based or strictly on behaviour-based detection, as each has its own weakness. This is mitigated by using a security solution that combines both methods in order to protect against evolving malware.
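The following Python example, added here and not taken from the article or from any antivirus vendor, models the three ideas above in miniature: a hash-based signature check that misses a one-byte variant of a known sample, a weighted score over behaviours observed in a sandbox trace (the sandbox check, rootkit installation and autostart registration described earlier), and a hybrid verdict that consults both. The sample bytes, event names, weights and threshold are all constructed for illustration.

```python
import hashlib

# Constructed stand-ins for files: a catalogued sample and a "repacked" build
# that differs by a single byte. These are inert strings, not real malware.
KNOWN_BAD = b"MZ\x90\x00sample-v1\x00drop;autorun"
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")

# Signature database: hashes of samples the vendor has already seen.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_verdict(data: bytes) -> bool:
    """Reactive check: flags only files whose hash is already catalogued."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB

# Behaviour rules: weights for actions seen while a sample runs in a sandbox.
# Event names and weights are assumptions made for this example.
BEHAVIOUR_WEIGHTS = {
    "query_vm_artifacts": 3,     # looks for sandbox / virtual-machine indicators
    "install_kernel_driver": 5,  # rootkit-style tampering with the OS
    "register_autostart": 4,     # arranges to run at every boot
    "write_user_documents": 0,   # ordinary activity, carries no weight
}
THRESHOLD = 6  # score at or above this is treated as malicious

def behaviour_score(trace) -> int:
    """Sum the weights of every recognised event in a sandbox trace."""
    return sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in trace)

def behaviour_verdict(trace) -> bool:
    """Proactive check: needs no prior knowledge of the file's bytes."""
    return behaviour_score(trace) >= THRESHOLD

def hybrid_verdict(data: bytes, trace) -> str:
    """Cheap signature lookup first, behaviour scoring for anything unknown."""
    if signature_verdict(data):
        return "known-malware"
    if behaviour_verdict(trace):
        return "suspicious-behaviour"
    return "clean"

# Constructed sandbox traces for the variant and for a harmless text editor.
VARIANT_TRACE = ["query_vm_artifacts", "register_autostart", "install_kernel_driver"]
EDITOR_TRACE = ["write_user_documents", "write_user_documents"]

if __name__ == "__main__":
    print("signature sees original:", signature_verdict(KNOWN_BAD))   # True
    print("signature sees variant:", signature_verdict(VARIANT))      # False
    print("hybrid on variant:", hybrid_verdict(VARIANT, VARIANT_TRACE))
    print("hybrid on editor:", hybrid_verdict(b"editor.exe", EDITOR_TRACE))
```

The single changed byte defeats the hash lookup entirely, while the behaviour score of the variant is unchanged because the actions it performs are unchanged; that asymmetry is the whole argument for combining the two approaches.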