The efficiency of signature detection

13 Flares 13 Flares ×

It has been more than 20 years since the discovery of first efficient method for detecting and eliminating general threats or infections for regular computer users. This method uses signature detection, both in antivirus type software and in IPS systems (two resembling solutions but used in different environments).

The efficiency of signature detection

Old fashion signature protection

The biggest problem of antivirus software developing companies is convenience. Since the early 2000s there has been noticed a disturbing trend – all the companies measured the quality and efficiency of detecting viruses by the number of signatures they owned and apparently is still the same, although this software rather offers a fake feel of protection because you can’t protect a system from a new threat that doesn’t exist in their signature database.
Unfortunately, the number of signatures grows day by day increasing the resource usage (CPU, RAM, etc.) of the software even if they are trying to implement cloud solutions.

It’s interesting how nowadays, an era dominated by advanced technology, “the bad guys” have a big advantage over the security companies using well-known methods (see polymorphism) to bypass this old and outdated detection system. The time of those who created malware software for fame and respect in the underground world has passed and now became one of the most important ways of obtaining private information. This way the attackers may get substantial financial benefits. Some are building careers from malware software development and more, the majority of the attacks aren’t carried by one individual but by organized groups and sometimes by resourceful institutions.

signature detection

How IPS solutions protect your infrastructure, in numbers

Yet, I have bigger reserves in talking about IPS solutions manufacturers. Let’s take, for example, an IPS that gives 4500 signatures for protecting your network; from all of these signatures probably just about 20% are useful because it’s less likely to have this big number of solutions from companies like IBM, Sophos, Cisco, HP, Dell, Oracle, Symantec, AOL, etc. in one place (I read some names from the signature list). Theoretically they have cover most of the known problems and this is the reason why they give us this diversity. Now, from the ~1000 useful signatures, if you have a company with more than 3000 employees with high internet traffic, there are chances that only ~35% of that amount of signatures are usable. The danger of many signatures is marked as “critical” (60%), having an “High-performance impact” on the network and this is why they can’t even be placed in “Logging mode” because they will stop the system activity. The rest of 40% are marked like “Low-Medium performance impact” and they should reach first in “Logging mode”(because the information from the producer is not always 100% accurate) to see exactly the impact made on the network and after that you can put them in “Blocking mode”. So effectively how many of the 4500 signatures are really useful? Little to protect yourself in a real way and considering an investition of this type.

Case study

The future of online security stays in systems based on file behavior analysis, executed and observed in a controlled environment. I can give you an example from one of my personal research: from few thousands(~8000) of detections(only .exe files) for a period of 9 months by a firewall executing a behavior analysis, only ~17.5% were detected by antivirus software! And speaking of statistics, did you knew that 80% of Carberp infected computers ran daily updated antivirus software?


Of course this is a topic of bigger complexity, we can talk much more about it and get into deep branches of this field, but I only wanted to point your attention to this, in my opinion one of the biggest global issues right now.

One thought on “The efficiency of signature detection

  1. Signature detection much faster (really really much faster) then behavior analysis. Behavior recognition is used to detect “unknown” files, once file is considered malware will be create a classic signature for it.

    Behavior analysis – is almost as signature based detection easy to bypass

    “~17.5% were detected by antivirus software” that is scan detection, not run time, if you have a good antivirus installed and try to run a infected file is good chance that file will be blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *