1
382views
Explain the signature implementation impact in cyber strategy management.
1 Answer
0
2views

Solution

  • There are several methods which antivirus scanners can use to identify malwares:

    • Signature-based detection: To identify malwares, AV compares the contents of a file to its database of known malware signatures.

    • Heuristic-based detection: Detects malware based on characteristics typically used in known malwares.

    • Behavioral-based detection: This is based on the behavioral aspects of the malware at run time. This technique can detect (known or unknown) malware based on their behaviors.

    • Data mining techniques: Data mining and machine learning algorithms are used to try to classify the behavior of a file or an http link (as either malicious or benign) given a series of extracted features.

  • Scanners of antiviruses or anti-malwares search files or packets using a set of predefined signatures to determine if those files or packets are malicious.

  • Those signatures are the known, from previous knowledge, patterns of malicious files.

  • Some signatures can represent simple pattern-matching techniques (e.g., finding a specific string, CRCs (checksums), or MD5 hashes).

  • Those simple signatures may work in some cases. Other fuzzy logic-based signatures, such as applying the CRC algorithm on specific chunks of data (as opposed to hashing the whole file), can also identify various files (Koret and Bachaalany 2015).

  • Most notable AV signatures include (Koret and Bachaalany 2015):

    • Byte-streams: The simplest form of an antivirus signature is a byte-stream that is specific to a malware file.

    • Checksums: The most typical signature-matching algorithm is used by almost all existing AV engines and is based on calculating CRCs.

    • Cryptographic hashes: A cryptographic hash function generates a “signature” that univocally identifies one buffer and just one buffer, which thus reduces producing a false-positive result.

    • Fuzzy hashing: A fuzzy hashing signature is the result of a hash function that aims to detect groups of files instead of just a single file, such as the cryptographic hash functions’ counterparts do.

Please log in to add an answer.