NOD32 heuristic analysis: key points (translation)
Watching the Detectives
What does an AV program detect?
Quite a lot, as it happens, including some items that aren't technically viruses. Most of what we see referred to as viruses might be better described as malware. The irony is that many specialist detection products (i.e. for detecting spyware or Trojans) are marketed as being necessary because AV only detects viruses.
In fact, commercial AV catches a far wider range of malware than most of these specialist products. A specialist program may detect more threats within its own specialty, but this depends not only on the program's ability to catch specific threats and threat types, but also on other factors such as:
1. The program's generic detection capabilities
2. The criteria used to differentiate between malware variants
3. The sample-sharing mechanisms between vendors (AV vendors have particularly effective and well-established ways of doing this, compared to vendors in other areas of malware detection.)
The following sections consider three major types of malware: viruses, worms, and non-replicative malware.
What Does Heuristic Really Mean?
Heuristic analysis uses a rule-based approach to diagnosing a potentially offending file.
Signature Scanning
In fact, many viruses cannot be identified by searching for a static string.
The advent of complex polymorphic viruses actually killed off some scanners that were unable to move to more advanced detection techniques.
The Opposite of Heuristics
In a sense, the opposite of heuristic analysis in AV is not signature scanning but algorithmic scanning, of which signature scanning is a special case.
Generic Anti-Virus
Generic solutions use heuristic rule-sets as part of the diagnostic process.
I'm Absolutely Positive
Virus identification is a balance between two imperatives: the avoidance of false negatives (the scanner fails to detect an infection) and of false positives (the scanner detects a virus where none exists).
"Generic detection" is a term applied when the scanner looks for a number of known variants, using a search string that can detect all of those variants.
Sensitivity and Misdiagnosis
Accuracy in heuristic analysis depends on how aggressively the scoring criteria are set. If the target malware is new to the scanner, the accuracy of the analyzer's output does not rest on a simple binary decision.
The forcefulness of its response lies on a threshold continuum from high (keeping the number of false positives as low as possible) to low (detecting as many new viruses as possible).
Some vendors also distinguish between passive and active heuristics. In both cases, code is scanned for suspicious characteristics, but in active mode the scanner uses an emulator environment to execute and trace the code, whereas in passive mode it simply inspects the code statically.
All levels of heuristic analysis add processing overhead to scanning time, and for some products the slower performance can be all too obvious.
Conclusion: An Heuristic Paradox
Malware authors have developed a wide range of approaches to minimizing the susceptibility of their products to heuristic detection.