Next: Precise Identification Tools Up: Research Efforts Previous: Research Efforts

Heuristic Binary Analysis

Static analysis detection tools, based upon heuristic binary analysis, are a focus of research at this time. Heuristic binary analysis is a method whereby the analyzer traces through an executable looking for suspicious, virus-like behavior. If the program appears to perform virus-like actions, a warning is displayed.

Functionality

Binary analysis tools examine an executable for virus-like code. If the code utilizes techniques which are common to viruses, but odd for legitimate programs, the executable is flagged as "possibly infected." Examples include self-encrypted code or code that appears to have been appended to an existing program.

Selection Factors

Both false positives and false negatives are certain to result from use of this type of software. False positives occur when an uninfected program uses techniques common to viruses but uncommon in legitimate programs. False negatives occur when virus code avoids the techniques common to viruses.
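As an added illustration (not part of the original NIST text), the following Python sketch applies two heuristics of the kind described under Functionality, a high-entropy region suggesting self-encrypted code and an entry point redirected into bytes appended past the program's declared size, to constructed samples. The executable format ("HX"), the thresholds, and all sample bodies are assumptions made for this example and do not model any real file format; the packed and stealthy samples show the false positive and false negative just described.

```python
from __future__ import annotations

import hashlib
import math
import struct
from dataclasses import dataclass

# Hypothetical minimal image format, constructed for this example only (not a real format):
#   header: 2-byte magic "HX", u16 declared code size, u16 entry offset (little-endian)
#   body:   code bytes; anything past the declared size is "trailing" data
HEADER = struct.Struct("<2sHH")

WINDOW = 512             # bytes scored per entropy window
STEP = 256               # window stride; overlapping so a region is not split across a boundary
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumption: plain machine code scores well below this
MIN_TAIL = 256           # shorter trailing windows are not scored (too few bytes to judge)


@dataclass
class Finding:
    rule: str
    detail: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for a uniform byte spread)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_image(image: bytes) -> tuple[int, int, bytes]:
    """Split an HX image into (declared_size, entry_offset, body)."""
    magic, declared, entry = HEADER.unpack_from(image, 0)
    if magic != b"HX":
        raise ValueError("not an HX image")
    return declared, entry, image[HEADER.size:]


def analyze(image: bytes) -> list[Finding]:
    """Apply the two heuristics; an empty list means nothing virus-like was noticed."""
    declared, entry, body = parse_image(image)
    findings: list[Finding] = []

    # Heuristic 1: bytes beyond the declared size, with the entry point redirected into them,
    # is the shape of code appended to an existing program.
    trailing = len(body) - declared
    if trailing > 0 and entry >= declared:
        findings.append(Finding("appended-code",
            f"entry 0x{entry:x} lies in {trailing} trailing bytes past declared size {declared}"))

    # Heuristic 2: a high-entropy window is what self-encrypted (or compressed) code looks like;
    # the analyzer cannot tell the two apart, which is the false-positive source discussed above.
    for offset in range(0, len(body), STEP):
        window = body[offset:offset + WINDOW]
        if len(window) < MIN_TAIL:
            continue
        h = shannon_entropy(window)
        if h >= ENTROPY_THRESHOLD:
            findings.append(Finding("high-entropy", f"window at 0x{offset:x} scores {h:.2f} bits/byte"))
            break
    return findings


def verdict(image: bytes) -> str:
    return "possibly infected" if analyze(image) else "clean"


# ---- constructed samples (stand-ins, not real programs or viruses) ----

def build_image(code: bytes, declared_size: int | None = None, entry: int = 0) -> bytes:
    if declared_size is None:
        declared_size = len(code)
    return HEADER.pack(b"HX", declared_size, entry) + code


def pseudo_random_bytes(label: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for ciphertext or packed data."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


PLAIN_CODE = bytes(range(0x40, 0x50)) * 40   # 640 low-entropy bytes standing in for machine code
STUB = bytes(range(0x40, 0x50)) * 2          # 32 plain bytes, the size a small decryptor/unpacker might be

CLEAN = build_image(PLAIN_CODE)
SELF_ENCRYPTED = build_image(STUB + pseudo_random_bytes(b"constructed ciphertext", 640))
APPENDED = build_image(PLAIN_CODE + PLAIN_CODE[:200], declared_size=len(PLAIN_CODE), entry=len(PLAIN_CODE))
PACKED = build_image(STUB + pseudo_random_bytes(b"constructed packed data", 640))  # legitimate packer: false positive
STEALTHY = build_image(PLAIN_CODE + PLAIN_CODE[:200])  # plain code, header consistent: nothing to flag (false negative)

if __name__ == "__main__":
    for name, image in [("clean", CLEAN), ("self-encrypted", SELF_ENCRYPTED), ("appended", APPENDED),
                        ("packed", PACKED), ("stealthy", STEALTHY)]:
        print(f"{name:15s} {verdict(image):18s} {[f.detail for f in analyze(image)]}")
```

Running the module prints one line per sample. The packed sample receives exactly the same finding as the self-encrypted one, and the stealthy sample receives none, which is why the paragraph above notes that sorting real infections from false positives needs more than the tool itself provides.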

Binary analysis tools are fairly easy to use. The user simply specifies a program or directory to be analyzed. Analyzing the results is more difficult. Sorting out the false positives from real infections may require more knowledge and experience than the average user possesses.

Heuristic analysis is more computationally intensive than other static analysis methods. This method would be inappropriate for daily use on a large number of files. It is more appropriate for one-time use on a small number of files, as in acceptance testing.

A heuristic analysis program will require updates as new techniques are implemented by virus writers.

Summary

Early examples of this class of tool appear to have fairly high error rates as compared with commercial detection software. As with system monitors, it is difficult to define "suspicious" in a way that prevents both false positives and false negatives. However, these types of tools have been used successfully to identify executables infected by "new" viruses in a few actual outbreaks.

Heuristic binary analysis is still experimental in nature. Initial results have been sufficiently encouraging to suggest that software acceptance procedures could include these tools to augment more traditional technology.





konczal@csrc.ncsl.nist.gov
Fri Mar 11 21:26:02 EST 1994