Behavior-based anti-malware analysis doesn’t aim to replace anti-malware signature or heuristic detection but to provide an additional layer of intelligent, proactive protection. There are two types of behavior-based anti-malware detection – one is called ‘specification-based’ and the other ‘anomaly-based’.
Specification-based malware detection
Specification-based malware detection uses a predetermined policy (there may be more than one) which allows or denies executable files from being installed or run. The major advantages of this type of malware detection are the low false positive count and increased malware detection and remediation.
Anomaly-based malware detection
Anomaly-based malware detection considers what is normal behavior, so any variation from the normal profile (a learned profile rather than a policy, unlike the specification-based model mentioned above) is considered suspicious, which means the ‘False Positive’ count is higher than normal. Anomaly detection can be both ‘passive’ and ‘active’. Passive detection scans a program to see if there are any deviations from the normal profile; active detection means using a sandbox to monitor the behavior of a program while it runs and deciding whether to allow or deny it.
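To make the two models above concrete, here is an added example (not from the original post) that evaluates constructed per-program behavior summaries with a fixed allow/deny policy and with a deviation score against a baseline profile; the publisher name, action names, and threshold are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed behaviour summary of one monitored program run (action counts a
# sandbox or host monitor might record). Sample data only, not real telemetry.
@dataclass
class Behavior:
    name: str
    publisher: str
    actions: Dict[str, int]  # e.g. {"file_write": 12, "net_connect": 1}

# Specification-based: a fixed policy allows or denies; no baseline is needed.
# Publisher and action names are assumptions for the example.
POLICY = {
    "allowed_publishers": {"Example Corp"},
    "denied_actions": {"autorun_persist", "process_inject"},
}

def specification_verdict(b: Behavior, policy: dict = POLICY) -> str:
    if b.publisher in policy["allowed_publishers"]:
        return "allow"
    if any(b.actions.get(a, 0) > 0 for a in policy["denied_actions"]):
        return "deny"
    return "allow"

# Anomaly-based: derive a "normal" profile from benign runs, then score deviation.
def build_profile(benign: List[Behavior]) -> Dict[str, float]:
    keys = {k for b in benign for k in b.actions}
    return {k: sum(b.actions.get(k, 0) for b in benign) / len(benign) for k in keys}

def anomaly_score(b: Behavior, profile: Dict[str, float]) -> float:
    # Sum of absolute deviations; an action absent from the profile counts in full.
    keys = set(profile) | set(b.actions)
    return sum(abs(b.actions.get(k, 0) - profile.get(k, 0.0)) for k in keys)

def anomaly_verdict(b: Behavior, profile: Dict[str, float], threshold: float = 10.0) -> str:
    return "suspicious" if anomaly_score(b, profile) > threshold else "normal"

BENIGN = [
    Behavior("editor", "Example Corp", {"file_write": 5, "net_connect": 1}),
    Behavior("browser", "Example Corp", {"file_write": 4, "net_connect": 3}),
]
PROFILE = build_profile(BENIGN)  # {"file_write": 4.5, "net_connect": 2.0}

# An unsigned backup tool: heavy but legitimate file writes (anomaly false positive).
BACKUP = Behavior("backup", "Unknown", {"file_write": 40, "net_connect": 1})
# An unsigned program that persists and injects: the policy denies it outright.
DROPPER = Behavior("dropper", "Unknown", {"file_write": 3, "autorun_persist": 1, "process_inject": 1})
```

The backup tool passes the policy but scores 36.5 against the profile and is flagged, showing the higher false-positive rate of the anomaly model; the dropper is denied by policy while its deviation score of 5.5 stays under the threshold, so the anomaly verdict depends heavily on which actions the profile records and where the threshold sits.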
Behavior-based vs Signature-based malware detection
The behavior-based approach doesn’t rely on signature databases (which, as we know, depend on pattern recognition) to scan and detect malware. Because a signature must exist before it can be matched, signature-based malware detection isn’t effective against new or unknown malware. The biggest challenge facing signature-based detection (apart from attempting to keep up with the malware authors) is the growing size of the signature database. This has back-end server as well as resource and cost implications for antivirus vendors.
As a result, behavior-based anti-malware completes the picture of protecting an individual’s computer without requiring regular updates, thereby reducing the malware propagation threat as well as removing the resource and cost implications surrounding the signature-based methodology.
Safe surfing folks!