Signature-Based Anti-Malware Approaches

By Somesh Jha  |  Posted 2009-02-25

Signature-based anti-malware approaches

Signature-based detection identifies a malware instance by the presence of at least one byte pattern drawn from a database of signatures extracted from known malicious programs. If a program contains a pattern that exists in the database, it is deemed malicious. This approach is also called misuse detection. Although signature-based detection is currently the most commonly used technique for malware detection, it has the following two disadvantages (especially in a Web 2.0 environment):

Disadvantage No. 1: Susceptible to evasion

Since the signatures or patterns are derived from known malware, these detection schemes can be evaded with program obfuscations such as packing and junk insertion. Even simple obfuscations (inserting no-ops, reordering independent instructions) produce malware variants that evade signature-based detectors, and there is strong evidence that malware authors already use these obfuscations for exactly that purpose.

Disadvantage No. 2: Cannot detect unknown malware

Since the signatures are constructed by examining known malware, signature-based detection can only detect "known malware." It cannot even detect variants of known malware unless a signature exists for each one. Signature-based detectors therefore provide very limited zero-day protection. Moreover, because a separate signature is needed for every variant, the signature database keeps growing at a rapid rate.
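The two disadvantages above can be seen on a toy example. The following Python is an added illustration, not code from the article or from NovaShield: it scans a constructed five-instruction x86 "sample" with an exact byte signature, then applies the obfuscations the text names (no-op insertion, instruction reordering) and a one-byte "new variant". A second, wildcard signature tolerates the no-op padding but still misses the reordered program and the variant, which is why each variant ends up needing its own signature. The instruction bytes and the signature name "Toy.Exit42" are assumptions made for the illustration.

```python
import re

# Constructed toy "malware": a list of x86 instructions as byte strings, chosen
# only to illustrate the mechanism; it is not taken from any real sample.
PROLOGUE   = bytes.fromhex("5589e5")      # push ebp; mov ebp, esp
MOV_EAX_1  = bytes.fromhex("b801000000")  # mov eax, 1   (exit syscall number)
MOV_EBX_42 = bytes.fromhex("bb2a000000")  # mov ebx, 42  (exit code)
INT_80     = bytes.fromhex("cd80")        # int 0x80
EPILOGUE   = bytes.fromhex("c9c3")        # leave; ret
NOP        = b"\x90"

KNOWN_SAMPLE = [PROLOGUE, MOV_EAX_1, MOV_EBX_42, INT_80, EPILOGUE]


def lit(b):
    """Regex-escape raw bytes as \\xNN sequences (version-independent)."""
    return b"".join(b"\\x%02x" % c for c in b)


# Signature an analyst extracted from KNOWN_SAMPLE: one exact byte string.
EXACT_SIGNATURES = {"Toy.Exit42": MOV_EAX_1 + MOV_EBX_42 + INT_80}

# The same signature with wildcards that tolerate NOP padding between the
# three instructions (the kind of pattern YARA-style engines support).
WILDCARD_SIGNATURES = {
    "Toy.Exit42": re.compile(
        lit(MOV_EAX_1) + rb"\x90*" + lit(MOV_EBX_42) + rb"\x90*" + lit(INT_80)
    )
}


def assemble(instrs):
    """Concatenate instruction byte strings into a program image."""
    return b"".join(instrs)


def scan_exact(program, signatures=EXACT_SIGNATURES):
    """Flag the program if any exact signature occurs as a contiguous substring."""
    return sorted(name for name, pat in signatures.items() if pat in program)


def scan_wildcard(program, signatures=WILDCARD_SIGNATURES):
    """Same check, but with regex signatures that allow gaps between parts."""
    return sorted(name for name, pat in signatures.items() if pat.search(program))


def insert_nops(instrs):
    """Junk insertion: a NOP after every instruction. Behaviour is unchanged."""
    out = []
    for ins in instrs:
        out.extend([ins, NOP])
    return out


def reorder(instrs, i, j):
    """Code reordering: swap two instructions. Only valid when they are
    independent (here the two movs write different registers)."""
    out = list(instrs)
    out[i], out[j] = out[j], out[i]
    return out


def new_variant(instrs, exit_code):
    """A 'new' variant that differs from the known sample only in its exit code."""
    return [bytes([0xBB]) + exit_code.to_bytes(4, "little") if ins == MOV_EBX_42 else ins
            for ins in instrs]


def report(label, instrs):
    """Run both scanners over one program image."""
    image = assemble(instrs)
    return (label, scan_exact(image), scan_wildcard(image))


if __name__ == "__main__":
    for row in [
        report("original", KNOWN_SAMPLE),
        report("nop-padded", insert_nops(KNOWN_SAMPLE)),
        report("reordered", reorder(KNOWN_SAMPLE, 1, 2)),
        report("exit 43 variant", new_variant(KNOWN_SAMPLE, 43)),
    ]:
        print("%-16s exact=%-15s wildcard=%s" % row)
```

Only the original image trips the exact signature; the wildcard signature recovers the NOP-padded copy but nothing else. A real packer rewrites the whole image, so neither pattern survives it, and every new pattern the analyst writes is itself a new database entry.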

Whitelisting: beyond signature-based

Signature-based approaches are no longer enough. But what are the alternatives? Let's evaluate whitelisting and several types of behavior-based anti-malware.

Whitelisting is a popular way for people to actively manage the software installed on their computers. Whitelisting tools permit only approved software to install and run; software that is not explicitly on the control list is blocked. Whitelisting is a very promising way to protect computers, but it also creates a very rigid environment with strict rules about what software can be downloaded.

But whitelisting has three shortcomings. First, it can create an annoying computer experience, because users are constantly subjected to pop-up warnings. Second, it limits users' ability to easily download and use new software. Third, whitelisted applications can themselves be vulnerable: if you whitelist a browser, then any malware that operates inside the browser process will not be detected, and in fact a great deal of malware injects itself into the browser.
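The third shortcoming is a matter of what the control list can see. The following Python is an added example, not code from the article or from any whitelisting product: it models a hash-based allowlist over constructed placeholder "binaries" (the byte strings are stand-ins, not real executables). A file-level policy correctly blocks an unknown installer and a tampered copy of the browser, but it passes the approved browser no matter what later gets loaded into it; a stricter policy that also checks every loaded module catches an unapproved plug-in. Code written directly into the browser's memory never goes through the loader, so it is invisible to both policies, which is the gap the text describes.

```python
import hashlib

# Constructed stand-ins for installed binaries and loaded modules; the
# contents are placeholders, not real executables.
BROWSER   = b"MZ placeholder: browser 12.0"
EDITOR    = b"MZ placeholder: editor 3.1"
PLUGIN_OK = b"MZ placeholder: approved browser plug-in"
INJECTED  = b"MZ placeholder: unapproved module loaded into the browser"
INSTALLER = b"MZ placeholder: freshly downloaded installer"


def fingerprint(image: bytes) -> str:
    """Identity of a program image for allowlisting purposes: its SHA-256."""
    return hashlib.sha256(image).hexdigest()


# The control list: only these fingerprints may run or be loaded.
ALLOWLIST = {fingerprint(b) for b in (BROWSER, EDITOR, PLUGIN_OK)}


def may_execute(image: bytes, allowlist=ALLOWLIST) -> bool:
    """File-level allowlisting: the decision is made on the main executable only."""
    return fingerprint(image) in allowlist


def may_execute_with_modules(image: bytes, modules, allowlist=ALLOWLIST) -> bool:
    """Stricter policy: the main image and every module it loads must be allowed.
    Still blind to code injected into the process without going through the loader."""
    return may_execute(image, allowlist) and all(may_execute(m, allowlist) for m in modules)


def tamper(image: bytes) -> bytes:
    """Flip one byte, as a patched or trojanised copy of an approved binary would."""
    return image[:-1] + bytes([image[-1] ^ 0x01])


if __name__ == "__main__":
    cases = [
        ("approved browser", BROWSER, []),
        ("unknown installer", INSTALLER, []),
        ("tampered browser", tamper(BROWSER), []),
        ("browser + approved plug-in", BROWSER, [PLUGIN_OK]),
        ("browser + unapproved module", BROWSER, [INJECTED]),
    ]
    for label, exe, mods in cases:
        print("%-28s file-level=%-5s module-level=%s"
              % (label, may_execute(exe), may_execute_with_modules(exe, mods)))
```

Hashing the whole image is what makes the tampered copy fail; a policy keyed on path or file name instead would accept it. Extending the check to loaded modules narrows the browser problem but does not remove it, because the allowlist only ever vouches for bytes on disk at load time, not for what the running process does afterwards.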

Dr. Somesh Jha is co-founder and Chief Scientist of NovaShield. He has more than 19 years of research and development experience (both academic and industrial) in security and IT. He is currently a member of the faculty at the Department of Computer Science at the University of Wisconsin-Madison. He focuses primarily on computer system security and is a frequent speaker at security-related conferences and events across the United States. Dr. Jha has been recognized through numerous awards including the NSF CAREER award, ACM SIGSOFT distinguished paper award and best paper award at ACSAC. He also conducted four years of advanced research during a postdoctoral fellowship at Carnegie Mellon University's Computer Emergency Response Team (CERT). He also serves on the editorial board of the Journal of Computer Security, and on the program committees for WORM05, RAID05, USENIX Security Symposium and WWW (Security and Privacy Track). Dr. Jha completed his PhD in Computer Science at Carnegie Mellon University and B.Tech in Electrical Engineering from IIT-Delhi, India. He can be reached
