Subscribe by Email

Thursday, March 4, 2010

Antivirus Software - Signature based detection

Antivirus software is a computer program that detects, prevents, and takes action to disarm or remove malicious software programs, such as viruses and worms. Computer viruses are software programs that are deliberately designed to interfere with computer operation, record, corrupt, or delete data, or spread themselves to other computers and throughout the Internet.

There are several methods which antivirus software can use to identify malware :

Signature Based Detection

It is the most common method that anti-virus software uses to identify malware. This method is somewhat limited by the fact that it can only identify a limited amount of emerging threats, e.g. generic, or extremely broad, signatures.
Advantages :
- The signatures are easy to develop and understand if you know what network behavior you're trying to identify.
- The events generated by a signature-based IDS can very precisely inform you about what caused the alert.
- Signature based rules are based on Pattern matching, and with modern day systems pattern-matching can be performed very quickly.
- If your network is only having DNS, HTTP and SMTP traffic, all other signatures can be removed from the policy files.

Disadvantages :
- Signature based IDS can only detect known attacks, a signature must be created for every attack, and 0-day attacks cannot be detected.
- Signature based IDS systems are also prone to false positives since they are commonly based on regular expressions and string matching.
- Since they are based on pattern match, signatures usually don't work that great against attacks with self-modifying behavior.

No comments:

Facebook activity