Signature-Based Anti-Malware Approaches
Signature-based detection is a malware detection approach that identifies a malware instance by the presence of at least one byte-code pattern taken from a database of signatures derived from known malicious programs. If a program contains a pattern that exists in the database, it is deemed malicious. This approach to malware detection is also called misuse detection. Although signature-based detection is currently the most commonly used technique for malware detection, it has the following two disadvantages (especially in a Web 2.0 environment):

Disadvantage No. 1: Susceptible to evasion
Since the signatures or patterns are derived from known malware, these detection schemes can be easily evaded by program obfuscation such as packing and junk insertion. Even simple program obfuscations (such as inserting no-ops and code re-ordering) can create malware variants that evade signature-based detectors. There is also strong evidence that hackers are already using these obfuscations to evade signature-based detectors.

Disadvantage No. 2: Cannot detect unknown malware
Since the signatures are constructed by examining known malware, signature-based detection can only detect "known malware." In fact, signature-based detection is unable to detect even variants of known malware. Therefore, signature-based detectors provide very limited zero-day protection. Moreover, since a signature-based detector has to use a separate signature for each malware variant, the database of signatures also grows at an exponential rate.

Whitelisting: beyond signature-based
Signature-based approaches are no longer enough. But what are the alternatives? Let's evaluate whitelisting and several types of behavior-based anti-malware.

Whitelisting is a popular way for people to actively manage the software that is installed on their computer. Whitelisting tools only permit approved software to install and run; software that is not explicitly on the control list is blocked from running. Whitelisting is a very promising way to protect computers, but it also creates a very rigid environment in which the rules about what software can be downloaded are strict. Whitelisting has three shortcomings. First, it can create an annoying computer experience: users are subjected to pop-up warnings constantly. Second, whitelisting limits users' ability to easily download and use new software. And third, whitelisted applications can themselves be vulnerable. For example, if you whitelist a browser, then any malware that operates inside the browser will not be detected. In fact, a lot of malware injects itself into the browser.
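The two disadvantages above (evasion by no-op insertion and code re-ordering, and one signature per variant) can be seen in a few lines of Python. This is an added illustration, not code from the article or from any anti-malware product. The instruction bytes, the signature name "Constructed.Sample.A" and the two obfuscation routines are constructed for the example; the bytes encode a harmless exit(42) on 32-bit Linux and stand in for a fragment of a known sample.

```python
import re
from typing import Callable, Dict, List, Optional

Scanner = Callable[[bytes, Dict[str, bytes]], Optional[str]]

# Constructed instruction list standing in for a fragment of a known sample.
# Kept as separate instructions so the obfuscations below can work at
# instruction boundaries and leave the program's behaviour unchanged.
KNOWN_INSTRUCTIONS: List[bytes] = [
    bytes.fromhex("55"),          # push ebp
    bytes.fromhex("89e5"),        # mov ebp, esp
    bytes.fromhex("b801000000"),  # mov eax, 1
    bytes.fromhex("bb2a000000"),  # mov ebx, 42
    bytes.fromhex("cd80"),        # int 0x80
    bytes.fromhex("c9"),          # leave
    bytes.fromhex("c3"),          # ret
]


def assemble(instructions: List[bytes]) -> bytes:
    return b"".join(instructions)


# The signature database: one exact byte sequence lifted from the known sample.
EXACT_DB: Dict[str, bytes] = {
    "Constructed.Sample.A": assemble(KNOWN_INSTRUCTIONS[2:5]),
}


def scan_exact(program: bytes, db: Dict[str, bytes]) -> Optional[str]:
    """Classic matcher: report the first signature that occurs verbatim."""
    for name, pattern in db.items():
        if pattern in program:
            return name
    return None


def filler_tolerant(signature: bytes) -> "re.Pattern[bytes]":
    """Turn an exact signature into a regex that ignores 0x90 (nop) bytes
    between its bytes. This is a simple normalisation step; it only covers
    the one filler byte the analyst anticipated."""
    return re.compile(b"(?:\\x90)*".join(b"\\x%02x" % b for b in signature), re.DOTALL)


def scan_tolerant(program: bytes, db: Dict[str, bytes]) -> Optional[str]:
    for name, pattern in db.items():
        if filler_tolerant(pattern).search(program):
            return name
    return None


# Two of the "simple program obfuscations" named in the text, applied at
# instruction boundaries so the program still does the same thing.
def insert_nops(instructions: List[bytes]) -> List[bytes]:
    out: List[bytes] = []
    for ins in instructions:
        out += [ins, b"\x90"]
    return out[:-1]


def reorder_independent(instructions: List[bytes]) -> List[bytes]:
    """Swap the two movs; they write different registers, so order is irrelevant."""
    out = list(instructions)
    out[2], out[3] = out[3], out[2]
    return out


def signatures_required(variants: List[bytes], scanner: Scanner) -> int:
    """Grow a copy of the database until every variant is detected and return
    its size: one new signature per missed variant, which is the text's point."""
    db = dict(EXACT_DB)
    for i, variant in enumerate(variants):
        if scanner(variant, db) is None:
            db[f"Constructed.Sample.A.v{i}"] = variant
    return len(db)


if __name__ == "__main__":
    original = assemble(KNOWN_INSTRUCTIONS)
    nop_variant = assemble(insert_nops(KNOWN_INSTRUCTIONS))
    reordered = assemble(reorder_independent(KNOWN_INSTRUCTIONS))
    for label, prog in [("original", original), ("nop-inserted", nop_variant), ("reordered", reordered)]:
        print(f"{label:13s} exact={scan_exact(prog, EXACT_DB)} tolerant={scan_tolerant(prog, EXACT_DB)}")
    variants = [original, nop_variant, reordered]
    print("exact signatures needed:   ", signatures_required(variants, scan_exact))
    print("tolerant signatures needed:", signatures_required(variants, scan_tolerant))
```

The exact matcher misses both variants; the filler-tolerant matcher recovers the nop-inserted one but not the re-ordered one, so the database still has to grow by one entry for every obfuscation the normalisation did not anticipate.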
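The whitelisting discussion above can be made concrete with a minimal hash-keyed control list. This is an added example, not code from the article or from any whitelisting product; the product name "Browser", the image byte strings and the `check_launch`, `approve` and `count_prompts` functions are all constructed for the illustration, and it assumes the tool keys approvals on the SHA-256 of the executable image on disk.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Constructed program images; a real tool would hash the executable on disk.
BROWSER_V1 = b"constructed browser image, version 1"
BROWSER_V2 = b"constructed browser image, version 2"   # a legitimate update
NEW_TOOL = b"constructed image of a tool the user just downloaded"

# Constructed control list: approved product name -> SHA-256 of the approved image.
CONTROL_LIST: Dict[str, str] = {"Browser": sha256_hex(BROWSER_V1)}


def check_launch(name: str, image: bytes, control_list: Dict[str, str] = CONTROL_LIST) -> Decision:
    """Allow-list decision made once, at launch, from the image on disk.
    Nothing here observes what the process does after it is allowed to run,
    which is why code that operates inside an approved browser is not seen."""
    if name not in control_list:
        return Decision(False, "not on the control list")
    if control_list[name] != sha256_hex(image):
        return Decision(False, "image hash differs from the approved version")
    return Decision(True, "approved image")


def approve(name: str, image: bytes, control_list: Dict[str, str]) -> None:
    """Every update needs explicit re-approval: the administrative cost of a
    hash-keyed list, and the reason the environment feels rigid."""
    control_list[name] = sha256_hex(image)


def count_prompts(launches: List[Tuple[str, bytes]], control_list: Dict[str, str] = CONTROL_LIST) -> int:
    """Each blocked launch surfaces as a warning the user has to deal with."""
    return sum(1 for name, image in launches
               if not check_launch(name, image, control_list).allowed)


if __name__ == "__main__":
    day = [("Browser", BROWSER_V1), ("Browser", BROWSER_V2), ("NewTool", NEW_TOOL), ("Browser", BROWSER_V2)]
    for name, image in day:
        d = check_launch(name, image)
        print(f"{name:8s} allowed={str(d.allowed):5s} {d.reason}")
    print("warnings shown today:", count_prompts(day))
    approve("Browser", BROWSER_V2, CONTROL_LIST)
    print("after re-approval:", check_launch("Browser", BROWSER_V2).reason)
```

The three shortcomings from the text map onto the run: the updated browser and the freshly downloaded tool both trigger warnings, the new tool cannot be used until an administrator approves it, and the decision is made from the file on disk before the browser runs, so whatever later operates inside that approved process is outside the check entirely.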