At this very moment, your systems may be protected by heuristics-based antivirus or intrusion detection software.
The emergence of predictive antivirus software marks a shift in virus detection. Traditional signature-based antivirus software protects systems from known viruses by matching patterns extracted from samples it has already seen. Heuristics adds a layer of generalization: instead of looking for specific viruses, heuristics-based software looks for characteristics in the code that are typical of malicious programs, such as self-replication routines or attempts to disable protection.
"Heuristic engines have the ability to detect unknown malicious codes based on known functionality," said Markus Schmall, who works in the IT Security department of T-Mobile Germany. Signature-based scanners can also do this, "but with the risk of enormous false positive rates."
With some tweaking, a heuristics-based system can have virtually no false positives, Schmall said. "Modern heuristic engines can detect about 95% of all existing macro viruses and the false positive rate is really low (heard of cases of about 4 false positives per year for a popular AV engine)," Schmall said.
As virus writers increase their use of encryption, polymorphism and other techniques to keep their malicious code from being detected, heuristics offers an added layer of protection. "With heuristics you don't need to match an exact match, but just look for the telltale signs of a virus," said Edward Skoudis, vice president of security strategy for New York-based Predictive Systems, an infrastructure network consulting company.
Skoudis offers a linguistic analogy. A signature-based system would recognize a statement like "How are you?" but it wouldn't recognize equivalents such as "How are you doing?" and "What's up?" Heuristics seeks to recognize such variants, Skoudis said.
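To make the contrast between signature matching and heuristic scanning concrete, here is an added toy example (not code from the article or from any vendor mentioned in it). It runs both approaches over three constructed macro-style samples: a "known" sample whose exact message string is in the signature database, a variant that keeps the same behaviour but changes the strings and obfuscates one of them, and a benign AutoOpen macro. The indicator list, the weights and the detection threshold are illustrative assumptions, not any real engine's rules.

```python
import re

# Constructed signature database: an exact string lifted from a "known" sample.
# Real products match byte patterns, but the principle is the same.
KNOWN_SIGNATURES = {
    "Constructed.Macro.A": 'MsgBox "Constructed.Macro.A was here"',
}

# Heuristic indicators: behaviours typical of macro viruses, each with an
# assumed weight. The list and the weights are illustrative assumptions.
HEURISTIC_INDICATORS = [
    ("auto-execution entry point",
     re.compile(r"\bSub\s+(AutoOpen|AutoClose|AutoExec|Document_Open)\b", re.I), 2),
    ("touches the VBA project of a document",
     re.compile(r"\.VBProject\b", re.I), 2),
    ("copies macro code into another module",
     re.compile(r"\.CodeModule\.(InsertLines|AddFromString)\b", re.I), 3),
    ("writes to the global template",
     re.compile(r"\bNormalTemplate\b", re.I), 2),
    ("turns off macro virus protection",
     re.compile(r"\bVirusProtection\s*=\s*False\b", re.I), 3),
    ("builds strings from character codes (obfuscation)",
     re.compile(r"\bChr\s*\(\s*\d+\s*\)\s*&", re.I), 1),
]
DETECTION_THRESHOLD = 6  # assumed score at which a sample is flagged


def signature_scan(source: str):
    """Return the name of the first known signature found, else None."""
    for name, pattern in KNOWN_SIGNATURES.items():
        if pattern in source:
            return name
    return None


def heuristic_scan(source: str):
    """Return (score, [matched indicator names]) for the source text."""
    score = 0
    hits = []
    for name, regex, weight in HEURISTIC_INDICATORS:
        if regex.search(source):
            score += weight
            hits.append(name)
    return score, hits


def classify(source: str) -> str:
    """Combine both engines: a signature hit names the virus; otherwise the
    heuristic score decides between 'suspicious' and 'clean'."""
    name = signature_scan(source)
    if name:
        return f"known:{name}"
    score, _ = heuristic_scan(source)
    return "suspicious" if score >= DETECTION_THRESHOLD else "clean"


# Constructed samples (not real malware): a "known" sample, a variant with the
# same behaviour but different strings, and a benign AutoOpen macro.
KNOWN_SAMPLE = '''
Sub AutoOpen()
    Options.VirusProtection = False
    Set src = ActiveDocument.VBProject.VBComponents(1).CodeModule
    NormalTemplate.VBProject.VBComponents(1).CodeModule.AddFromString src.Lines(1, src.CountOfLines)
    MsgBox "Constructed.Macro.A was here"
End Sub
'''

VARIANT_SAMPLE = '''
Sub Document_Open()
    Options.VirusProtection = False
    Set m = ActiveDocument.VBProject.VBComponents(1).CodeModule
    NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, m.Lines(1, m.CountOfLines)
    MsgBox Chr(72) & Chr(105)
End Sub
'''

BENIGN_SAMPLE = '''
Sub AutoOpen()
    ActiveWindow.View.Zoom.Percentage = 120
End Sub
'''

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, signature_scan(sample), heuristic_scan(sample), classify(sample))
```

The signature engine names the known sample and misses the variant, because changing one string is enough to break an exact match. The heuristic engine flags both, since the behaviour (auto-execution, copying its own module into the global template, switching off protection) is unchanged. The benign macro also has an auto-execution entry point, which is why a single indicator must not be enough to raise an alert; the threshold and weights are where the false-positive trade-off Schmall describes is tuned.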
Heuristics aren't just for antivirus software. Intrusion detection system makers are also using the technology, though AV companies are ahead, Skoudis said.
Analyst Peter Lindstrom likens signature-based antivirus software to a police officer having pictures of suspects. He protects by recognizing specific faces. Heuristics, by contrast, would be similar to a cop with a lot of experience who is able to spot a potential criminal just by their behavior, said Lindstrom, director of security strategies for Framingham, Mass.-based Hurwitz Group.
Yet, even companies that are vigilant about updating virus definitions will occasionally get a virus before an update is released, Lindstrom said. The surest way to keep systems updated is to install antivirus software at the gateway. "It's much easier to have it at the choke point than all the distribution points," he said.
Even this isn't enough protection. "Users shouldn't have to worry about clicking on an attachment. To heck with training people not to click on them as someone always will," Lindstrom said.
Lindstrom recommends the use of personal firewalls and application-layer security products. The latter monitor the behavior of applications for the kind of suspicious activity a virus would attempt. In keeping with the police analogy, such an approach is like sitting in an armored truck, he said.
"You don't know who the bad guys are. You just wait for an attack to occur," Lindstrom said.