javacool
February 25th, 2002, 05:01 PM
From vnunet.com comes an interesting article on heuristics, and how anti-virus technology should be built for the future...
Article link: http://www.vnunet.com/News/1129441
Enjoy! ;D
javacool
February 25th, 2002, 05:03 PM
Courtesy of vnunet.com:
{QUOTE->
Bug Watch: Heuristics is the way forward
By Jack Clarke, Network Associates [22-02-2002]
Viruses need to be cured before they're even written.
Each week vnunet.com asks a different expert from the antivirus world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Jack Clarke, of antivirus firm Network Associates, asks whether heuristic technology could come into its own in 2002.
Increasingly, there are three questions at the forefront of an IT manager's mind when thinking about the security of a network. How do you predict a virus? What do you do to stop a virus before it's even written? Can antivirus software predict the future?
So the question for this debate is whether or not heuristic technology provides the salvation the industry is looking for.
The word heuristic originates from the Greek word heuriskein meaning 'to discover'. In the antivirus world, it refers to software that evaluates incoming data against a set of rules to assess whether it contains a potential virus and, if so, prevent it from entering the network.
In a world where fast always needs to be faster and cures are needed the instant viruses are identified, heuristic software can theoretically help to find cures before viruses have even been created.
It is a proactive measure that does not try and bolt the door after the horse has left but keeps it bolted all the time so the horse never contemplates the idea of escape.
It is potentially the platform on which all future antivirus development will be built and, as seen with the Badtrans virus, can generate the cure months before the virus is written.
The volume of new viruses, and the wealth of their variety, is rising as virus writers constantly think of new ways to cause chaos. Just taking a reactive approach and waiting for new signature scanning parameters to be released is not going to be enough this year to protect against the ever worsening danger.
So will heuristic technology come into its own? As we know, virus writers are a highly intelligent breed, constantly looking for new challenges. Last year exposed the true extent of the threat they pose as the variety of virus types steadily rose, along with their frequency. More viruses were identified in November and December than in the previous 10 months.
The threat is constant and users need to be increasingly diligent in downloading the latest antivirus fix. Heuristic software can provide a certain level of assurance, as it is looking to catch tomorrow's outbreak before it has a chance to hit the system and then require a cure.
Heuristic software has a set of rules which are applied to the data's structure, programming logic and code sequences, as well as its behaviour. If one email generates 500 responses, the IT manager needs to be wary. Anything suspicious is brought to the system's attention for further scrutiny.
As with any miracle cure, there's always likely to be a catch. At the moment heuristics cannot be used as the only mechanism to identify viruses because too many false positive reports are generated, identifying normal items as potential viruses.
This, of course, has an obvious implication for any network: it slows it down and removes the real-time communication that the internet brings. The other potential concern is that users can get complacent with the vast number of false reports and either turn the system off or stop taking any notice of the alerts generated.
Regardless of these problems, heuristic detection is still our best bet for the future and is currently the only solution for stopping a virus before it becomes a real threat. Vendors need to improve the way heuristics detect viruses in order to ensure that the network's defences are bolstered, not restricted or hindered.
It needs to become more of an integral part of any antivirus system, working alongside the signature scanning software in place for known viruses. The internet is ubiquitous and therefore new viruses are accessible to any user in minutes. Any form of defence that helps to identify those new viruses, such as MyParty.com, before they can cause problems and need to be fixed, has to be the future of virus detection.
Virus writers are not about to go away; they are only going to continue developing more extreme viruses. Antivirus vendors will continue to identify these new viruses, then write cures and protection patches to prevent possible infection.
However, the writers follow certain patterns when creating viruses. It is now up to antivirus vendors to start being smarter and exploit this knowledge to create a more scientific technology that proactively develops cures before viruses are even created and launched.
Fast will never be fast enough, but smarter heuristic software could help prevent this being an issue in the battle.
<-QUOTE}
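The article describes heuristic scanning as a set of weighted rules over structure, code sequences and behaviour, run alongside signature scanning for known samples, with false positives as the price of catching unknown variants. The following is an added illustration of that model, not code from the article, the forum poster or Network Associates: the signature database, the rules, the weights and the four-message corpus are all constructed for the example, and the threshold sweep at the end shows the detection/false-positive trade-off the article warns about.

```python
import hashlib
from dataclasses import dataclass

# Constructed "known sample": its hash stands in for a signature database entry.
KNOWN_BAD_SAMPLE = b"constructed-known-worm-body"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Worm.A"}


@dataclass
class Message:
    attachment_name: str
    attachment: bytes
    recipients: int          # addresses on this one message
    sent_last_minute: int    # messages this sender produced in the last minute
    is_malicious: bool       # ground-truth label, used only for evaluation


# Each heuristic rule returns (weight, reason) when it fires, else None.
def rule_executable_attachment(m):
    if m.attachment_name.lower().endswith((".exe", ".scr", ".pif", ".vbs")):
        return 3, "executable attachment"


def rule_double_extension(m):
    parts = m.attachment_name.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"txt", "jpg", "doc", "pdf"}:
        return 2, "benign-looking extension in front of the real one"


def rule_mass_mailing(m):
    # Behavioural rule, in the spirit of "one email generates 500 responses".
    if m.sent_last_minute >= 100 or m.recipients >= 200:
        return 4, "mass-mailing behaviour"


def rule_automation_strings(m):
    # Constructed markers: scripting/automation objects a mass mailer would reference.
    markers = (b"Outlook.Application", b"WScript.Shell")
    if any(s in m.attachment for s in markers):
        return 2, "references mail/scripting automation objects"


RULES = (rule_executable_attachment, rule_double_extension,
         rule_mass_mailing, rule_automation_strings)


def scan(m, threshold=5):
    """Signature check first; fall back to weighted heuristics for unknown data."""
    digest = hashlib.sha256(m.attachment).hexdigest()
    if digest in SIGNATURES:
        return {"verdict": "block", "method": "signature",
                "name": SIGNATURES[digest], "score": None, "reasons": []}
    score, reasons = 0, []
    for rule in RULES:
        hit = rule(m)
        if hit:
            score += hit[0]
            reasons.append(hit[1])
    if score >= threshold:
        verdict = "block"
    elif score > 0:
        verdict = "review"      # "brought to the system's attention for further scrutiny"
    else:
        verdict = "allow"
    return {"verdict": verdict, "method": "heuristic", "name": None,
            "score": score, "reasons": reasons}


# Constructed corpus: a known sample, an unknown variant, a legitimate bulk
# newsletter (the false-positive candidate) and an ordinary message.
CORPUS = [
    Message("party.exe", KNOWN_BAD_SAMPLE, 1, 1, True),
    Message("photo.jpg.exe", b"constructed-variant Outlook.Application", 300, 150, True),
    Message("report.pdf", b"constructed benign pdf bytes", 250, 5, False),
    Message("notes.txt", b"hello", 1, 1, False),
]


def evaluate(corpus, threshold):
    """Count blocked malicious messages and blocked benign ones at a threshold."""
    caught = sum(1 for m in corpus if m.is_malicious
                 and scan(m, threshold)["verdict"] == "block")
    false_positives = sum(1 for m in corpus if not m.is_malicious
                          and scan(m, threshold)["verdict"] == "block")
    return {"caught": caught, "false_positives": false_positives}


if __name__ == "__main__":
    for t in (12, 5, 4):
        print(f"threshold={t}: {evaluate(CORPUS, t)}")
```

Sweeping the threshold reproduces the article's point: a very high threshold reduces the scanner to signatures only and misses the variant, the middle setting catches the variant with no false positives on this corpus, and a slightly lower one also blocks the legitimate newsletter because its recipient count alone trips the behavioural rule.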