Research Article

A Consensus Framework for Reliability and Mitigation of Zero-Day Attacks in IoT

Table 1

Zero-day detection techniques applicable in IoT.

Columns: Detection technique | Motivation or background | Description | Issues

Pattern-based [10–17]
Motivation or background: To detect and analyze malicious code arriving promptly from outside.
Description: After the specific pattern of existing malicious code has been defined as its characteristic, malicious code is detected and blocked by matching the defined pattern against the pattern of incoming code.
Issues:
(i) This technique supports fast detection by simply comparing defined signatures.
(ii) However, new and variant malicious codes are not defined in the pattern set and are not detected.

Heuristic-based [18–24]
Motivation or background: To detect and analyze new and variant malicious codes.
Description: This technique determines the specific behavior of malicious codes, so it can check new and variant codes by analyzing abnormal behavior rather than signatures.
Issues:
(i) It is hard to define criteria for comparing the similarity of abnormal behavior.
(ii) This causes false positives, where a normal program is detected as malicious code.

Reputation-based [25–28]
Motivation or background: To detect and analyze new and variant malicious codes.
Description:
(i) This technique is similar to the pattern-based technique.
(ii) In particular, when new malicious codes emerge, reliability is determined based on feedback from the opinions of a large number of users.
(iii) Reputation information is defined on the basis of the number of users, the manufacturer of the code, etc.
(iv) Accuracy and reliability depend on possessing and analyzing a large amount of reputation information.
Issues:
(i) Accuracy and reliability depend only on users' opinions.
(ii) If reputation information is insufficient, accuracy and reliability decrease.

Behavior-based [29–42]
Motivation or background:
(i) Signature, pattern, and reputation information are hard for a malicious code analyst to analyze preferentially.
(ii) There is a limit to collecting or analyzing malicious codes when their number increases exponentially.
(iii) It is a difficult approach for analyzing malicious codes realistically, because the rate of malicious code generation is much faster than the speed of analysis.
Description:
(i) This technique detects faulty behavior when malicious codes are executed.
(ii) It is an improved version of the heuristic-based technique.
(iii) Malicious behavior is revealed not only in executable files but also in document files, such as PDF, DOC, and HWP.
(iv) This technique determines the characteristics of malicious behavior based on file, registry, network, process, etc.
Issues: The system can be infected, because behavior is analyzed during the execution process in the actual system.

Virtualization-based [43–48]
Motivation or background: An environment for analyzing malicious behavior in a space separated from the actual system is required.
Description:
(i) This approach is closely related to the dynamic heuristic-based technique.
(ii) Malicious codes are analyzed in a virtual system.
Issues: This does not detect attacks efficiently and takes a lot of time to penetrate the system, even after collecting various pieces of information and utilizing unknown attacks.

Abnormal/irregular symptom-based [49–51]
Motivation or background: To detect and analyze unknown and zero-day attacks.
Description:
(i) To detect abnormal behavior, this technique collects and integrates the logs generated in the system and analyzes the correlated information.
(ii) In particular, it is required for detecting systems infected with unknown new malicious code, and it helps to determine whether transmitted traffic is normal or abnormal.
Issues:
(i) In the case of a security system, if the system does not process information in real time, the system is exposed to security threats.
(ii) It is technically difficult to collect and analyze correlations for high-capacity, high-speed network traffic.
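The trade-off summarized in the Issues column (pattern-based detection misses variant codes, while heuristic and behavior-based detection trades that weakness for false positives on normal programs) can be shown on constructed data. The following Python simulation is an added illustration, not code from the article or the framework it proposes; the signature bytes, behavior rules, and sample programs are all hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a signature database: the defined "pattern" of one
# known malicious code. Hypothetical bytes, not a real malware signature.
SIGNATURES = {"toy-dropper-v1": rb"MZ\x00TOYDROP01"}

# Constructed behavior rules: an ordered set of runtime actions (registry,
# network, process) treated as characteristic of malicious behavior.
BEHAVIOR_RULES = {
    "autostart-then-beacon": ["registry:write-autorun", "network:connect"],
    "spawn-shell-from-document": ["process:open-document", "process:spawn-shell"],
}


@dataclass
class Sample:
    name: str
    malicious: bool   # ground truth, used only to score the detectors
    payload: bytes    # constructed file content, as a pattern matcher sees it
    trace: list       # constructed runtime events, as a behavior monitor sees them


def pattern_detect(sample, signatures=SIGNATURES):
    """Pattern-based detection: a hit only if a defined signature occurs in the payload."""
    return sorted(n for n, pat in signatures.items() if re.search(pat, sample.payload))


def _in_order(steps, trace):
    """True if every step of a rule appears in the trace, in the rule's order."""
    it = iter(trace)
    return all(any(ev == step for ev in it) for step in steps)


def behavior_detect(sample, rules=BEHAVIOR_RULES):
    """Behavior-based detection: a hit if the observed action sequence matches a rule."""
    return sorted(n for n, steps in rules.items() if _in_order(steps, sample.trace))


# Constructed samples. "variant" is the known code with a one-byte change in
# the signature region but identical behavior; "updater" is a benign program
# whose legitimate behavior (autorun entry, then a network call) resembles a rule.
SAMPLES = [
    Sample("known", True, b"MZ\x00TOYDROP01\x90\x90", ["registry:write-autorun", "network:connect"]),
    Sample("variant", True, b"MZ\x00TOYDROP02\x90\x90", ["registry:write-autorun", "network:connect"]),
    Sample("updater", False, b"MZ\x00UPDATER", ["registry:write-autorun", "network:connect"]),
    Sample("editor", False, b"MZ\x00EDITOR", ["file:open", "file:write"]),
]


def evaluate(samples=SAMPLES):
    """Per technique: malicious samples it missed and benign samples it flagged."""
    report = {}
    for technique, detect in (("pattern", pattern_detect), ("behavior", behavior_detect)):
        missed = [s.name for s in samples if s.malicious and not detect(s)]
        false_pos = [s.name for s in samples if not s.malicious and detect(s)]
        report[technique] = {"missed": missed, "false_positive": false_pos}
    return report


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:8s} pattern={pattern_detect(s) or '-'} behavior={behavior_detect(s) or '-'}")
    print(evaluate())
```

Running the block shows the pattern matcher missing the variant (issue (ii) of the pattern-based row) while the behavior rules catch it but also flag the benign updater (issue (ii) of the heuristic-based row); in a real deployment the behavior trace would come from an instrumented or virtualized execution, which is exactly where the infection risk noted for the behavior-based row arises.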