This post was last edited by zdshsls on 2011-1-1 18:06
Seen on ESET's official blog, on advanced heuristics.
Original article:
http://blog.eset.com/2010/12/29/what-are-heuristics
It is generally well-understood that antimalware programs—the software which detects computer viruses, worms, trojan horses and other threats to your system—work by scanning files using signatures they already have. A signature could be as simple as a string (like using the "find" command in your word processor to locate a particular piece of text) or as complex as a tiny macro or subroutine which tells the scanning engine what to look for and where to find it.
Signature scanning works very well for detecting threats which have already been identified but how do antimalware programs detect new, previously unseen threats? One of the methods used is heuristics. But what are heuristics, and how do they work? Randy Abrams, ESET's Director of Technical Education, finds the following definitions helpful in explaining heuristics:
Heuristic (from the Greek "εὑρίσκω" for "find" or "discover") is an adjective for experience-based techniques that help in problem solving, learning and discovery.
Source: Wikipedia
heuristic – a commonsense rule (or set of rules) intended to increase the probability of solving some problem
Source: Princeton University Wordnet
And for computer science: Heuristic – In computer science, a heuristic algorithm, or simply a heuristic, is an algorithm that is able to produce an acceptable solution to a problem in many practical scenarios, in the fashion of a general heuristic, but for which there is no formal proof of its correctness.
Source: Wikipedia
The science of heuristics studies how information is discovered and learned. It explains how one looks at problems and finds solutions to them by induction (as opposed to deduction). Often, a heuristic is a "rule of thumb" one might have learned.
In computer science, a heuristic is an algorithm which consistently performs quickly and/or provides good results. But for antimalware software, heuristics can also have a more specialized meaning: Heuristics refers to a set of rules—as opposed to a specific set of program instructions—used to detect malicious behavior without having to uniquely identify the program responsible for it, which is how a classic signature-based "virus scanner" works, i.e. identifying the specific computer virus or other program.
The heuristic engine used by an antimalware program might include rules for the following:
a program which tries to copy itself into other programs (in other words, a classic computer virus)
a program which tries to write directly to the disk
a program which tries to remain resident in memory after it has finished executing
a program which decrypts itself when run (a method often used by malware to avoid signature scanners)
a program which binds to a TCP/IP port and listens for instructions over a network connection (this is pretty much what a bot, also sometimes called a drone or zombie, does)
a program which attempts to manipulate (copy, delete, modify, rename, replace and so forth) files which are required by the operating system
a program which is similar to programs already known to be malicious
Some heuristic rules may have a heavier weight (and thus, score higher) than others, meaning that a match with one particular rule is more likely to indicate the presence of malicious software, as are multiple matches based on different rules.
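To make the weighting idea concrete, here is an added toy heuristic scorer in Python. It is not ESET's code or anything from the original post: the rule names follow the list above, but the weights, the threshold, the entropy and 4-gram similarity checks, the `Sample` fields and all sample bytes are constructed assumptions. It shows why a single weak match stays "clean", why several weak matches add up, and how a legitimately packed network service can trip the threshold, which is the false-positive risk the article warns about.

```python
# Added example (not ESET's engine): a toy weighted heuristic scorer.
# Rule weights, the threshold and every sample here are constructed for illustration.
import math
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for plain code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of byte 4-gram sets: a crude 'looks like known malware' test."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 0.0


# Constructed stand-in for a known-malicious code section (not real malware bytes).
KNOWN_BAD_CODE = (b"\x55\x8b\xec"
                  + b"DECRYPT-LOOP-xor-al-[esi]-0x5a-inc-esi-loop;" * 2
                  + b"\xc9\xc3")


@dataclass
class Sample:
    """Facts an analysis front end (static parser, emulator or sandbox) would report."""
    name: str
    code: bytes                              # bytes of the executable code section
    files_written: set = field(default_factory=set)
    listens_on_port: bool = False
    writes_raw_disk: bool = False            # e.g. opens a physical-drive device directly
    stays_resident: bool = False
    infects_other_programs: bool = False


SYSTEM_DIR = "c:\\windows\\system32\\"

# (rule name, weight, predicate): the article's rules, with assumed weights.
RULES = [
    ("copies itself into other programs", 5, lambda s: s.infects_other_programs),
    ("similar to known malicious code", 5,
     lambda s: similarity(s.code, KNOWN_BAD_CODE) > 0.5),
    ("self-decrypting / packed code section", 3, lambda s: shannon_entropy(s.code) > 7.0),
    ("modifies operating-system files", 3,
     lambda s: any(p.lower().startswith(SYSTEM_DIR) for p in s.files_written)),
    ("writes directly to disk", 2, lambda s: s.writes_raw_disk),
    ("stays resident after exiting", 2, lambda s: s.stays_resident),
    ("listens on a network port", 2, lambda s: s.listens_on_port),
]
THRESHOLD = 5  # assumption; raising it trades detection rate for fewer false positives


def score(sample: Sample):
    """Sum the weights of every matching rule; return (total, [(rule, weight), ...])."""
    hits = [(name, w) for name, w, pred in RULES if pred(sample)]
    return sum(w for _, w in hits), hits


def verdict(sample: Sample) -> str:
    total, _ = score(sample)
    return "suspicious" if total >= THRESHOLD else "clean"


# Constructed code sections: a uniform byte histogram (entropy exactly 8.0) and plain text.
PACKED = bytes(range(256)) * 16
PLAIN = b"push ebp; mov ebp,esp; sub esp,0x40; call main; leave; ret " * 20

SAMPLES = [
    Sample("dropper", PACKED, files_written={SYSTEM_DIR + "drivers\\x.sys"}, listens_on_port=True),
    # Known family with two NOPs inserted: a variant a byte-exact signature would miss.
    Sample("variant", KNOWN_BAD_CODE[:20] + b"\x90\x90" + KNOWN_BAD_CODE[20:]),
    Sample("httpd", PLAIN, listens_on_port=True),
    # Legitimate but packed service: two weak rules add up to a false positive.
    Sample("packed_server", PACKED, listens_on_port=True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        total, hits = score(s)
        print(f"{s.name:14} score={total:2} {verdict(s):10} {[h for h, _ in hits]}")
```

Running it flags `dropper` (three rules, score 8) and `variant` (one heavy rule, score 5), leaves `httpd` clean (one light rule, score 2), and also flags `packed_server` (3 + 2 = 5): the last case is exactly the misdiagnosis problem the article raises, and in practice it is handled by tuning weights and thresholds against large clean-file sets and by combining the score with reputation and behavioral data rather than trusting it alone.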
Even more advanced heuristics might trace through the instructions in a program’s code before passing it to the computer’s processor for execution, allow the program to run in a virtual environment or "sandbox" to examine the behavior performed by and changes made to the virtual environment and so forth. In effect, antimalware software can contain specialized emulators that allow it to "trick" a program into thinking it is actually running on the computer, instead of being examined by the antimalware software for potential threats.
Keep in mind while the term "program" was used above, it does not necessarily mean executable programs such as .COM files or .EXE files. A heuristic engine could be examining processes and structures in memory, the data portion (or payload) of packets travelling over a network and so forth.
Likewise, a heuristic engine does not simply scan through files like a classic antivirus program looking for known patterns. It might trace through the instructions in a program before passing the code to the processor for execution, allow the program to run in a virtual environment or "sandbox" and examine the behavior performed in and changes made to the virtual environment and so forth.
The advantage of heuristic analysis of code is it can detect not just variants (modified forms) of existing malicious programs but new, previously-unknown malicious programs, as well. Combined with other ways of looking for malware, such as signature detection, behavioral monitoring and reputation analysis, heuristics can offer impressive accuracy. That is, correctly detecting a high proportion of real malware yet exhibiting a low false positive alarm rate as well, since misdiagnosing innocent files as malicious can cause severe problems.
Understanding how heuristics work can be something of a specialty in the antimalware field. If you are interested and would like to know more about this field, I would suggest the Heuristic Analysis—Detecting Unknown Viruses white paper written by David Harley and Andrew Lee. For more technical examination of anti-malware technology, Peter Szor’s book The Art of Computer Virus Research and Defense, though several years old, is still worth reading.
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher