Heuristic analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the "wild". [1]
Heuristic analysis is an expert-based analysis of the susceptibility of a system towards a particular threat or risk using various decision rules or weighing methods. Multi-criteria analysis (MCA) is one of the means of weighing. This method differs from statistical analysis, which bases itself on the available data and statistics.
Operation
Most antivirus programs that utilize heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized virtual machine, thereby allowing the antivirus program to internally simulate what would happen if the suspicious file were executed while keeping the suspicious code isolated from the real-world machine. It then analyzes the commands as they are performed, monitoring for common viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a potential virus, and the user alerted.
Another common method of heuristic analysis is for the antivirus program to decompile the suspicious program, then analyze the source code contained within. The source code of the suspicious file is compared to the source code of known viruses and virus-like activities. If a sufficient percentage of the source code matches the code of known viruses or virus-like activities, the file is flagged, and the user alerted.
Effectiveness
Heuristic analysis is capable of detecting many previously unknown viruses and new variants of current viruses. However, heuristic analysis operates on the basis of experience (by comparing the suspicious file to the code and functions of known viruses). This means that it is likely to miss viruses whose code or methods of operation have not been seen before. Hence, its effectiveness is fairly low with regard to accuracy and the number of false positives.
As new viruses are uncovered by human researchers, information about them is added to the heuristic analysis engine, which gives the engine the means to detect those viruses and their variants.
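The weighing method from the introduction and the behaviour monitoring from the Operation section can be illustrated together with a toy scorer. This is an added example, not code from the article or from any antivirus product: each event stands for one action observed while a sample runs in the sandbox, the rule weights and threshold are illustrative assumptions, and the three traces are constructed. The "installer" trace shows the false-positive trade-off discussed above.

```python
"""Toy behavioural heuristic scorer (added illustration, not a real AV engine)."""

# Decision rules: a weight per observed action. These values are assumptions
# chosen for the example, not tuned from real malware data.
RULES = {
    "self_copy": 4,             # replication: writes a copy of its own image
    "overwrite_executable": 3,  # file overwrite / infection of another program
    "set_hidden_attribute": 2,  # attempt to hide the suspicious file
    "delete_self": 2,           # removes the original to hide its existence
    "write_file": 0,            # ordinary file writes are expected behaviour
    "read_file": 0,
}
DEFAULT_WEIGHT = 1   # an action with no rule still counts a little
THRESHOLD = 5        # flag when the accumulated score reaches this value


def score_trace(events):
    """Return (score, matched) for a list of (action, target) events.

    matched maps each scoring action to how often it was seen, which is what
    an engine would report to the user alongside the verdict."""
    score = 0
    matched = {}
    for action, _target in events:
        weight = RULES.get(action, DEFAULT_WEIGHT)
        if weight:
            score += weight
            matched[action] = matched.get(action, 0) + 1
    return score, matched


def classify(events, threshold=THRESHOLD):
    """Apply the threshold and return the verdict with its evidence."""
    score, matched = score_trace(events)
    return {"score": score, "flagged": score >= threshold, "matched": matched}


# Constructed traces standing in for what the sandbox would observe.
WORM_LIKE = [
    ("read_file", "self.exe"),
    ("self_copy", "C:/Users/Public/self.exe"),
    ("self_copy", "D:/self.exe"),
    ("set_hidden_attribute", "C:/Users/Public/self.exe"),
]
INSTALLER = [  # legitimate upgrade: replaces an old binary, hides a cache dir
    ("write_file", "app/app.exe"),
    ("overwrite_executable", "app/app.exe"),
    ("set_hidden_attribute", "app/.cache"),
]
EDITOR = [("read_file", "notes.txt"), ("write_file", "notes.txt")]

if __name__ == "__main__":
    for name, trace in (("worm_like", WORM_LIKE), ("installer", INSTALLER), ("editor", EDITOR)):
        print(name, classify(trace))
```

Raising the threshold clears the installer but lowers sensitivity, which is the accuracy versus false-positive balance the Effectiveness section describes.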
References
- Wong, W.; Stamp, M. (2006). "Hunting for metamorphic engines". Journal in Computer Virology. 2 (3): 211-229. doi:10.1007/s11416-006-0028-7.