Heuristic analysis

Heuristic analysis is a method employed by many antivirus programs to detect previously unknown computer viruses, as well as new variants of viruses already in the wild, without relying on an exact signature of each sample.

More generally, heuristic analysis is an expert-based analysis that estimates the susceptibility of a system to a particular threat or risk using decision rules or weighting methods; multi-criteria analysis (MCA) is one such weighting method. It differs from statistical analysis, which relies on available data and statistics rather than on expert judgement.

How it works

Most antivirus programs that use heuristic analysis do so by executing the instructions of a questionable program or script inside a specialized virtual machine (an emulator or sandbox). This lets the antivirus program simulate what would happen if the suspicious file were run while keeping the code isolated from the real machine. The engine monitors the instructions and system calls as they execute, watching for behaviour typical of viruses such as self-replication, overwriting of other files, and attempts to hide the suspicious file's existence. If one or more virus-like actions are observed, the file is flagged as a potential virus and the user is alerted. Because the sample only runs for a limited time inside the emulator, malware that delays its payload or checks for signs of emulation before acting can evade this dynamic form of the technique.
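The following is an added example (not code from the original page or from any antivirus product) of the scoring step described above: a trace of actions recorded while a sample ran in an emulator is checked against weighted behavioural rules, and the file is flagged once the total passes a threshold. The event vocabulary, the rules, their weights and the threshold are all assumptions chosen for illustration, and the traces are constructed rather than real telemetry; a real engine has hundreds of rules tuned on large corpora.

```python
"""Behavioural heuristic scoring over an emulator event trace (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One action observed while the sample ran inside the emulator (constructed)."""
    action: str       # "copy_self", "create_file", "write_file", "set_attr",
                      # "reg_set" or "write_process_memory" (assumed vocabulary)
    target: str       # file path, registry key or process name
    detail: str = ""  # extra argument, e.g. the attribute being set


# Registry keys whose values are started at every logon (assumed, Windows-style).
AUTORUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}


def rule_replication(trace, self_path):
    """Self-copies written outside the sample's own directory: replication."""
    own_dir = self_path.lower().rsplit("\\", 1)[0] + "\\"
    return any(e.action == "copy_self" and not e.target.lower().startswith(own_dir)
               for e in trace)


def rule_overwrite_executable(trace, self_path):
    """Rewrites an .exe that it did not create during this run: file infection."""
    created = {e.target.lower() for e in trace if e.action == "create_file"}
    return any(e.action == "write_file" and e.target.lower().endswith(".exe")
               and e.target.lower() not in created for e in trace)


def rule_hide_self(trace, self_path):
    """Sets the hidden attribute on its own file: hiding its existence."""
    return any(e.action == "set_attr" and e.target.lower() == self_path.lower()
               and e.detail == "hidden" for e in trace)


def rule_autorun(trace, self_path):
    """Registers itself to start at logon: persistence."""
    return any(e.action == "reg_set" and e.target.lower() in AUTORUN_KEYS for e in trace)


def rule_inject(trace, self_path):
    """Writes into another process's memory: code injection."""
    return any(e.action == "write_process_memory" for e in trace)


# (name, predicate, weight). Weights are assumptions; each rule counts at most
# once, so a loop of repeated events cannot inflate the score by itself.
RULES = [
    ("replication", rule_replication, 40),
    ("overwrite_executable", rule_overwrite_executable, 35),
    ("hide_self", rule_hide_self, 20),
    ("autorun", rule_autorun, 25),
    ("inject", rule_inject, 30),
]
FLAG_THRESHOLD = 50  # assumed: one strong behaviour or two weaker ones flag the file


def score_trace(trace, self_path):
    """Return (score, [names of rules that fired]) for one emulator trace."""
    hits = [name for name, pred, _ in RULES if pred(trace, self_path)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def is_suspicious(trace, self_path):
    return score_trace(trace, self_path)[0] >= FLAG_THRESHOLD


# Constructed traces (not real malware telemetry).
WORM_PATH = r"C:\Users\bob\Downloads\invoice.exe"
WORM_TRACE = [
    Event("copy_self", r"C:\Windows\System32\svchost32.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost32"),
    Event("set_attr", WORM_PATH, "hidden"),
    Event("write_process_memory", "explorer.exe"),
]

# A legitimate installer also writes an .exe and adds an autorun entry for its
# updater, but it creates that file itself and does not replicate, hide or inject.
INSTALLER_PATH = r"C:\Users\bob\Downloads\setup.exe"
INSTALLER_TRACE = [
    Event("create_file", r"C:\Program Files\App\app.exe"),
    Event("write_file", r"C:\Program Files\App\app.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "AppUpdater"),
]

if __name__ == "__main__":
    for name, trace, path in [("worm", WORM_TRACE, WORM_PATH),
                              ("installer", INSTALLER_TRACE, INSTALLER_PATH)]:
        verdict = "flagged" if is_suspicious(trace, path) else "clean"
        print(name, score_trace(trace, path), verdict)
```

The installer trace is the point of the weighting: a single persistence action is common in legitimate software, so it scores below the threshold on its own, while the worm trace fires replication, hiding, persistence and injection together and is flagged. Rules that need context (the overwrite rule checks whether the sample created the file it is writing) are what keep such a scorer from flagging every installer.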

Another common method is static heuristic analysis: the antivirus program disassembles (or decompiles) the suspicious program and analyzes the resulting code without running it. That code is compared with code and code patterns taken from known viruses and with known virus-like operations. If a sufficient percentage of the code matches known viral code or patterns, the file is flagged and the user alerted. Because code copied from compilers and runtime libraries is shared by benign and malicious programs alike, such engines must discount those common fragments, or the match percentage is inflated for every file.
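An added example (not code from the original page or from any antivirus product) of the static comparison just described: the sample's code is split into overlapping n-grams, n-grams belonging to a shared compiler stub are discarded, and the fraction of the remaining n-grams that also occur in a known virus is compared against a threshold. Real engines compare disassembled, operand-masked opcode sequences; byte n-grams are used here for brevity. The family name, the threshold, the n-gram length and every byte sequence are constructed assumptions, not real malware.

```python
"""Static code-similarity heuristic: n-gram overlap with known code (added example)."""

N = 4                   # n-gram length in bytes (assumed)
MATCH_THRESHOLD = 0.6   # fraction of the sample's n-grams that must be known (assumed)


def ngrams(code: bytes, n: int = N) -> set:
    """Set of all length-n byte substrings of `code`."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


# Compiler prologue shared by benign and malicious binaries alike (constructed).
# Its n-grams are ignored so that runtime/library code does not inflate scores.
RUNTIME_STUB = bytes.fromhex("5589e583ec10")   # push ebp; mov ebp,esp; sub esp,0x10
IGNORED_NGRAMS = ngrams(RUNTIME_STUB)


def similarity(sample: bytes, known: bytes, ignore=IGNORED_NGRAMS) -> float:
    """Containment: fraction of the sample's non-ignored n-grams found in `known`.

    Containment is used instead of Jaccard so that a variant padded with extra
    code still scores highly against the original it was derived from.
    """
    s = ngrams(sample) - ignore
    if not s:
        return 0.0
    return len(s & ngrams(known)) / len(s)


# Constructed "known virus" code: the stub followed by a self-locating body
# (call $+5; pop ebx; sub ebx, ...; xor eax,eax; mov eax,10; call ebx).
KNOWN_VIRUSES = {
    "Constructed.Virus.A": RUNTIME_STUB
    + bytes.fromhex("e8000000005b81eb0b10400031c0b80a000000ffd3"),
}


def match_known(sample: bytes, db=KNOWN_VIRUSES):
    """Return (family, score) for the best match at or above the threshold, else None."""
    score, family = max(((similarity(sample, code), fam) for fam, code in db.items()),
                        default=(0.0, None))
    return (family, score) if score >= MATCH_THRESHOLD else None


# Constructed inputs: a variant with a NOP patched into the body (the kind of
# trivial change that defeats an exact signature), and a benign program that
# shares only the compiler stub with the known virus.
VARIANT = (KNOWN_VIRUSES["Constructed.Virus.A"][:12] + b"\x90"
           + KNOWN_VIRUSES["Constructed.Virus.A"][12:])
BENIGN = RUNTIME_STUB + bytes.fromhex("6a7468c1c2c3c4c5c6c7c8c9ca")

if __name__ == "__main__":
    print("variant:", match_known(VARIANT))
    print("benign: ", match_known(BENIGN))
    print("benign, stub n-grams not filtered:",
          similarity(BENIGN, KNOWN_VIRUSES["Constructed.Virus.A"], ignore=set()))
```

The last line of the demo shows why the stub filter matters: without it the benign program already shares a fraction of its n-grams with the known virus purely through the common prologue, and a larger shared runtime would push that fraction towards the threshold.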

Effectiveness

Although heuristic analysis can detect many previously unknown viruses and new variants of existing ones, its accuracy is limited. It produces false negatives, because computer viruses, like biological viruses, are constantly changing: since heuristic analysis mostly operates on past experience (comparing the suspicious file with the code and behaviour of known viruses), it is likely to miss new viruses whose code or methods of operation resemble nothing already known. It also produces false positives, since legitimate programs (installers, packers, system utilities) often behave or look like malware under the same rules, which is why vendors tune thresholds conservatively and why every heuristic alert should be treated as a lead to verify rather than a confirmed detection. Heuristic analysis does evolve along with the viruses: as new viruses are discovered by other means, information about their code and behaviour is added to the heuristic engine, giving it the means to detect further variants built on the previously unknown code.

See also

* [http://www.av-comparatives.org/ Retrospective/proActive antivirus test from AV-Comparatives.org]


Wikimedia Foundation. 2010.
