I understand the difference between the two as follows:

  • In the first, 'signature-based', the code of the malware is examined to extract some sort of signature that identifies malware with similar code. The signature can thus be a binary sequence, a hash, etc.
  • In behaviour-based malware detection, the actual executable is run to examine its behaviour instead of its code, and then multiple techniques can be used, such as statistical methods, machine learning, etc.

The one thing that makes me unsure about these definitions is that I read in some papers, such as this one, that 'dynamic analysis' can be used along with signature-based systems too! Is there any example of that? Would searching for specific registry changes (e.g. adding an executable to the autorun) be considered a signature-based detection system or a behaviour-based detection system then? As an example, in which category can this be classified?

Ophilia

1 Answer


A signature is a set of information which acts as a proof of identity of a given entity.

Whether it is the content of a file or its behaviour does not matter.

For example, the fact that a given sample downloads a binary from a given URL, changes certain Windows registry keys and starts a process with a given name might be used as a behavioural signature to detect malware from a given family.

Moreover, you can extract artifacts during the sample's execution which can easily act as input for traditional scanning engines. For example, you could dump the memory and scan it looking for certain strings which identify a malicious process. The same technique can be applied to a network traffic capture or to the disk.

noxdafox
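As an added illustration of both points in this answer (example code written here, not code from the answer or from any real sandbox or AV product), the Python below builds a behavioural signature out of the three events the answer lists (download from a URL, autorun registry change, process start), matches it against a constructed sandbox trace, and then scans a constructed memory-dump blob for indicator strings. The URL, process name, registry path, rule name and indicator strings are all assumed placeholders. It also shows the point behind the question: a single autorun write on its own is just a monitored behaviour, while the combination of behaviours tied to one family is what makes a signature.

```python
"""Behavioural signature matching over a sandbox trace (added example).

All data below is constructed for illustration: the trace events, the
memory-dump bytes, and the hypothetical indicators (host, process name,
registry path) are placeholders, not real IoCs.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Event:
    kind: str          # "net", "reg" or "proc"
    detail: str        # URL, registry value path, or process name
    value: str = ""    # registry data written, if any


@dataclass
class BehaviourSignature:
    name: str
    required: List[Callable[[Event], bool]]  # every predicate must hit at least one event


# Substring that marks a Windows Run-key (autorun) value path.
AUTORUN_KEY = "\\currentversion\\run\\"


def downloads_from(host: str) -> Callable[[Event], bool]:
    """Predicate: sample fetched something from the given (assumed) host."""
    return lambda e: e.kind == "net" and host in e.detail.lower()


def sets_autorun(exe_name: str) -> Callable[[Event], bool]:
    """Predicate: sample registered exe_name under a Run key."""
    return lambda e: (e.kind == "reg"
                      and AUTORUN_KEY in e.detail.lower()
                      and e.value.lower().endswith(exe_name))


def starts_process(name: str) -> Callable[[Event], bool]:
    """Predicate: sample spawned a process with the given image name."""
    return lambda e: e.kind == "proc" and e.detail.lower() == name


# Hypothetical family signature combining the three behaviours from the answer.
FAMILY_X = BehaviourSignature("family-x-dropper", [
    downloads_from("example.invalid"),
    sets_autorun("updater.exe"),
    starts_process("updater.exe"),
])

# Constructed trace of a sample that exhibits all three behaviours.
MALICIOUS_TRACE = [
    Event("net", "http://example.invalid/payload.bin"),
    Event("reg", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
          r"C:\Users\Public\updater.exe"),
    Event("proc", "updater.exe"),
]

# Constructed trace of a benign installer: it writes an autorun entry too,
# but nothing else in the signature matches, so it must not be flagged.
BENIGN_TRACE = [
    Event("reg", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helper",
          r"C:\Program Files\Helper\helper.exe"),
    Event("proc", "helper.exe"),
]


def match_signature(sig: BehaviourSignature, trace: List[Event]) -> bool:
    """True when each required behaviour is satisfied by some event in the trace."""
    return all(any(pred(e) for e in trace) for pred in sig.required)


def match_all(signatures: List[BehaviourSignature], trace: List[Event]) -> List[str]:
    """Names of all signatures that match the trace."""
    return [s.name for s in signatures if match_signature(s, trace)]


# Second paragraph of the answer: an artifact extracted at runtime (a memory
# dump, constructed here) is handed to a plain string scanner.
MEMORY_DUMP = (b"\x00\x00MZ\x90\x00 junk \x00 beacon=example.invalid \x00\x00"
               b"config=updater \x00\xff\xfe")

STRING_INDICATORS = [b"example.invalid", b"config=updater", b"not-present"]


def scan_artifact(blob: bytes, indicators: List[bytes]) -> List[str]:
    """Return the indicator strings found in the dumped artifact."""
    return [i.decode() for i in indicators if i in blob]


if __name__ == "__main__":
    print("malicious trace:", match_all([FAMILY_X], MALICIOUS_TRACE))
    print("benign trace:   ", match_all([FAMILY_X], BENIGN_TRACE))
    print("memory hits:    ", scan_artifact(MEMORY_DUMP, STRING_INDICATORS))
```

The rule objects are the "behavioural signature": the engine is dynamic (it needs an execution trace), but the matching is as signature-based as a byte pattern, and the benign trace shows why a lone autorun write should be a monitored behaviour rather than a verdict on its own.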