These are just thoughts that came to my mind. Being in the security industry for past 2 years, I've got to learn a lot about computer security.
There was a age when computer security was only confined to some sectors of government organizations. After internet flourished between the common people, viruses, bots etc(commonly termed as malware) become more prevalent. And now as the days pass on, the e-commerce has taken a good pace. Just imagine of how much of online transactions are carried on every day. Every bit and piece of information is being digitized. Attracting more and more looters to get in cyber crimes. This has tremendously increased the number of malware's in the market. And this is why, computer security applications entered the market.
--------------------------------------------------------------------------------------------
Signature based detection
--------------------------------------------------------------------------------------------
The very basic logic of finding a malware is to create a signature of a malware, and then use this signature to detect the malware.What are signatures?
Signatures are basically the bit patters present in the files of the malware. These signatures are designed by the industry experts so wisely, such that it matches only the malware's binary file. You will find a lot of information pertaining to this on the web.
In-fact, today there are more than millions of malware's in the online market, may be even more. That means millions of signatures, and scanning each binary file on the machine against each signature, though this can be reduced by using some techniques, its a substantial count. This count will increase day by day as the new malware's are added to the detection list. How long can this be supported, is a difficult question to answer.
The very basic logic how these malware's infect a machine is by exploiting the vulnerabilities on the machine. Vulnerability in a software (can be operating system) is a security bug (flaw), that allows the malware to enter in the system and execute itself.
--------------------------------------------------------------------------------------------
Ingenious Techniques
--------------------------------------------------------------------------------------------
Vulnerability Scanning
This type of detection technique scans for the vulnerabilities present in the system. The users are educated about the various vulnerabilities present on the system. These type of scanners usually categorize the vulnerabilities on the basis of their risk. And also informs how to fix these vulnerabilities, if a fix (patch) is available.
The advantage of vulnerability scanning is that it helps the user to identify the flaws before the malware even finds your machine. However, the fix needs to be applied, only vulnerability scanner is no good. The updates that you usually get for any application not only contains new features, but also contains security patches, that fix the existing known vulnerabilities in the application.
Some scanners actually attack the system to detect the vulnerabilities, these innovative techniques sometimes find the flaws even before an attacker can find them. These vulnerability scanner range from desktop clients, mobile to network devices.
The advantage of vulnerability scanning is that it helps the user to identify the flaws before the malware even finds your machine. However, the fix needs to be applied, only vulnerability scanner is no good. The updates that you usually get for any application not only contains new features, but also contains security patches, that fix the existing known vulnerabilities in the application.
Some scanners actually attack the system to detect the vulnerabilities, these innovative techniques sometimes find the flaws even before an attacker can find them. These vulnerability scanner range from desktop clients, mobile to network devices.
Vulnerabilities need to be fixed.
Behavioral Based Detection
As most of the malware's are just designed to exploit the system for resources (data, processing power, storage etc), it has to do some task that is apart from the normal functioning of major applications. This makes it stand out from others. Security researchers found this as a novel technique to detect an existence of a malware on the system. eg. if a software other than the mail client is trying to send an email, its operations are blocked and the user is queried if the application sending the email is a legitimate application. If the user identifies it to be known application, it is allowed to proceed, else the application is terminated and stopped from getting executed in future.
The major advantage of this technique is that, its a very generic way of detection. Even a malware that is not yet known in the market can be stopped effectively.
You misbehave and you are thrown out.
As of today, the above 2 techniques seem to take over the IT security industry in the near future. As the malware writers bring in new techniques, the computer security industry is also emerging with new ways to defend it. And this is going to go on for ever and ever and ever.
I have just tried to touch some basic aspects of these techniques, so that they can be understood easily. Actually these topics are as big as, one can write huge reference books on each. These methods have been in the industry since a while, however, it might not totally replace the traditional signature based scanning, but will surely gain much more importance, in near future.
If you have any thoughts about this, surely add it into the comments.
