HEURISTIC SCANNING AND SANDBOX APPROACH IN MALWARE DETECTION
Keywords:
heuristics, scanning, malware, signature, sandboxing, detection
Abstract
A heuristic approach in malware detection is similar to the anomaly-detection method applied in intrusion detection systems (IDS). It speeds up the process of finding a sufficiently good solution in situations where a detailed analysis is impractical or very time-consuming, for example by using general rules, informed speculation, intuition and common sense. Instead of looking for matches (as in static signature-based detection), heuristic intrusion detection looks for behavior that is out of the ordinary with regard to a baseline of normal network traffic and activity. Heuristic scanning uses rules and/or algorithms to look for commands that may indicate malicious intent, without needing a signature. Static signature analysis fails to catch new types of attacks but usually produces fewer false positives; heuristics may catch more new malware, but this usually comes with a higher false-positive rate. For that reason, most modern and efficient IDS software uses signature-based and heuristic methods in combination, with the goal of increasing the chance of detecting and removing malware. Alongside the heuristic and signature-based methods, the sandboxing approach is also used to detect network anomalies. This is a software management technique that isolates examined applications from critical system resources and other programs; without sandboxing, an application may have unrestricted access to all system resources and user data on a computer. Like heuristics, this method has its own benefits and limitations. The general conclusion is that the best network security is achieved by using several methods simultaneously, i.e. by multi-scanning (scanning with multiple anti-malware engines).
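To make the signature-versus-heuristic trade-off described in the abstract concrete, the following is an added Python example, not code from the paper: a toy signature engine (exact byte-pattern match) combined with a toy heuristic engine (weighted rules for injection-related API names and high byte entropy), and a combined verdict that prefers the low-false-positive signature hit and otherwise compares the heuristic score with a threshold. The signature pattern, rule list, weights, threshold and all three sample files are constructed assumptions, not real malware indicators.

```python
import math

# Constructed signature database (not a real AV signature); the signature engine only matches this exact pattern.
SIGNATURES = {"Demo.Trojan.A": b"DEMO_PAYLOAD_V1"}

# Constructed heuristic rules: injection-related API names plus an entropy-based packing indicator; weights are assumptions.
SUSPICIOUS_STRINGS = [b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"]
STRING_WEIGHT, ENTROPY_WEIGHT, ENTROPY_LIMIT = 2, 3, 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def signature_scan(data: bytes):
    """Static signature engine: family name on an exact pattern match, else None."""
    return next((name for name, pat in SIGNATURES.items() if pat in data), None)

def heuristic_scan(data: bytes):
    """Heuristic engine: (score, reasons) derived from rules, no signature required."""
    score, reasons = 0, []
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            score += STRING_WEIGHT
            reasons.append("api:" + s.decode())
    if shannon_entropy(data) > ENTROPY_LIMIT:
        score += ENTROPY_WEIGHT
        reasons.append("high-entropy (packed or encrypted?)")
    return score, reasons

def combined_verdict(data: bytes, threshold: int = 4) -> str:
    """Signature hit first (few false positives), then heuristic score vs. threshold."""
    family = signature_scan(data)
    if family:
        return f"malicious (signature: {family})"
    score, reasons = heuristic_scan(data)
    if score >= threshold:
        return f"suspicious (heuristic score {score}: {', '.join(reasons)})"
    return "clean"

# Constructed samples: a known sample, an altered variant that defeats the signature, and a benign high-entropy file standing in for a zip archive.
KNOWN = b"MZ\x90\x00DEMO_PAYLOAD_V1\x00VirtualAllocEx"
VARIANT = b"MZ\x90\x00DEMO_PAYLOAD_V2\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread"
PACKED_BENIGN = bytes(range(256)) * 4  # uniform byte distribution, entropy 8.0
```

Calling `combined_verdict` on the three samples shows the trade-off: the variant is missed by the signature but caught by the heuristic score, while the benign packed file is clean at threshold 4 and becomes a false positive if the threshold is lowered to 3.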