Final Paper - Akbar Rosyidi - 20220130008


Comparison of Signature-based Detection and Behavior-based Detection for Effective Malware Detection

1st Akbar Rosyidi, Magister SoCS, Nusa Putra University, Jakarta, Indonesia, akbar.rosyidi@nusaputra.ac.id

Abstract— Malware detection is a crucial aspect of modern cybersecurity. With the increasing number of cyber-attacks and the evolving nature of malware, it is essential to have effective and efficient methods for detecting and preventing malware infections. In this article, we explore the main techniques used in malware detection, including signature-based detection, behaviour-based detection and machine learning-based detection. We also discuss the challenges and limitations of each method and future trends in malware detection. The goal of this paper is to provide a comprehensive overview of the state of the art in malware detection, with a focus on the comparison of signature-based detection and behaviour-based detection.

Keywords— Malware Detection, Security, signature-based detection, behavior-based detection.

I. INTRODUCTION

Malware detection is a crucial aspect of computer security, as malicious software can cause significant harm to both individuals and organizations. With the rapid increase in the number of cyber-attacks and the sophistication of malicious software, the need for effective malware detection has never been greater. The objective of this paper is to provide a comprehensive overview of the current state of the art in malware detection and analysis.

Malware, or malicious software, has been a major threat to the security of digital systems for many years. With the rapid growth of the internet and the increasing reliance on connected devices, the threat of malware continues to grow, making it increasingly important to develop effective methods of detection. In this paper, we examine the history of malware, the various types of malware that exist today, and the methods used to detect and prevent it.

In recent years, various techniques have been developed to detect malware, ranging from signature-based methods to behaviour-based and machine learning-based approaches. Each of these methods has its own strengths and weaknesses, and the choice of approach depends on the specific requirements of the organization and the type of malware that is being targeted.

The effectiveness of different methods of malware detection is evaluated on a number of measures, including the false positive rate, the false negative rate and overall accuracy. The false positive rate is the fraction of benign files that are incorrectly detected as malware, while the false negative rate is the fraction of malware files that are not detected. Overall accuracy is the fraction of all verdicts that are correct. It is an important factor in selecting a detection method, but it must be read together with the two error rates, because a corpus that is mostly benign rewards a detector that rarely raises an alert.

This paper begins by discussing the different types of malware and their impact on individuals and organizations. Next, we provide an overview of the most commonly used malware detection techniques, including signature-based methods, behaviour-based methods and machine learning-based methods. We then examine the strengths and weaknesses of each approach and discuss the challenges and opportunities for future research in this field. Finally, we provide some recommendations for organizations looking to implement a comprehensive malware detection strategy, including the importance of regularly updating their systems, using multiple detection techniques and having a well-defined incident response plan. Throughout, we aim to provide a comprehensive overview of the current state of the art in malware detection and analysis and to highlight the importance of ongoing research and development in this field.

II. LITERATURE STUDY

The literature on malware detection and analysis is extensive, covering a wide range of techniques and approaches for detecting and mitigating the impact of malicious software.

A. Signature-based detection

One of the earliest forms of malware detection, signature-based methods rely on the identification of specific, previously known patterns or "signatures" in malware code. A signature may be a cryptographic hash of a whole file or of a section of it, a fixed byte sequence, or a pattern expressed in a rule language; in every case it describes something that has already been observed in a known sample. Papers on this topic analyse the efficiency and accuracy of signature-based detection systems and explore methods for improving their ability to detect new and emerging threats.

In signature-based detection, the malware signature database is updated regularly with information on new and emerging threats, allowing organizations to identify and respond to new threats in a timely manner. One of the key advantages of this approach is its ability to detect known malware reliably and with few false positives, which makes it well suited for organizations that need to protect against known threats.

However, one of the major limitations of signature-based detection is its inability to detect new and unknown malware. This limitation is becoming more serious as malware authors use increasingly sophisticated techniques to evade detection: because a signature describes an exact pattern, even a small change to the sample (a recompiled build, a packed or encrypted payload, a single modified byte in the matched region) can produce a file that no longer matches. In addition, signature-based detection carries an operational cost: the signature database grows continuously, must be distributed to every protected system and kept current, and every suspected file has to be scanned against it in full, which becomes slower and more resource-intensive as the database grows.
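As an added illustration of this mechanism (example code written for this edit, not part of the paper), the following Python program keeps a small signature database of two kinds, SHA-256 whole-file hashes and fixed byte patterns, and scans constructed sample files against it. The "known malware" bytes, the signature names and the benign debugger file are all constructed for the example. It shows the behaviours discussed above: the known sample is caught, a copy with one byte changed evades the hash signature but still matches the pattern, a "packed" copy evades both, and a pattern chosen too generically fires on a benign file.

```python
import hashlib
import re

# Constructed "known malware" sample for the example: a fake loader whose body
# embeds a version string, a hard-coded command-and-control URL and two API
# names. Nothing here is a real binary.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"ExampleLoader v1.0\x00"
    + b"http://c2.example.invalid/beacon\x00"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hash signatures: exact match on the whole file. Most specific and cheapest
# (one hash, one set lookup), but any change to the file breaks the match.
HASH_SIGNATURES = {
    sha256(KNOWN_SAMPLE): "Trojan.ExampleLoader.A",
}

# Byte-pattern signatures: a fixed byte sequence or small regex. Survives a
# rebuild better than a whole-file hash, but is only as specific as the bytes
# chosen. Signature names are constructed for the example.
PATTERN_SIGNATURES = [
    ("Trojan.ExampleLoader.B", re.compile(rb"ExampleLoader v1\.\d+\x00")),
    # Deliberately over-generic: two API names that legitimate debuggers and
    # injectors also contain. Included to show where false positives come from.
    ("Generic.Injector.Weak", re.compile(rb"CreateRemoteThread\x00WriteProcessMemory\x00")),
]

def scan(data: bytes) -> list[str]:
    """Return the names of all signatures that match `data` (empty list = clean)."""
    hits = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits

def demo() -> dict[str, list[str]]:
    """Scan four constructed files and return {label: matching signature names}."""
    # 1. The exact known sample: every signature matches.
    known = KNOWN_SAMPLE
    # 2. One byte changed (a rebuilt loader with a new version string): the
    #    hash no longer matches, only the pattern signatures do.
    variant = KNOWN_SAMPLE.replace(b"v1.0", b"v1.1")
    # 3. The same loader with its bytes XOR-"packed": no plaintext pattern is
    #    visible, so a purely static scan misses it entirely.
    packed = bytes(b ^ 0x5A for b in KNOWN_SAMPLE)
    # 4. A benign debugging tool that legitimately uses the same two APIs.
    benign_debugger = (
        b"MZ\x90\x00" + b"\x00" * 28 + b"ExampleDebugger 2.3\x00"
        + b"CreateRemoteThread\x00WriteProcessMemory\x00ReadProcessMemory\x00"
    )
    return {
        "known": scan(known),
        "variant": scan(variant),
        "packed": scan(packed),
        "benign_debugger": scan(benign_debugger),
    }

if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:16s} -> {hits or 'clean'}")
```

Running it prints one line per file. The progression from whole-file hash to byte pattern to a rule language buys robustness against trivial variants at the cost of specificity, and the Generic.Injector.Weak hit on the debugger is exactly the kind of false positive that an over-broad signature produces; the packed copy is the unknown-variant case that only behaviour-based detection can reach.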
B. Behaviour-based detection

Behaviour-based detection is a technique used in malware detection that focuses on analysing the behaviour of a program or process to determine whether it is malicious. This approach does not rely on pre-existing knowledge of the malware; instead, it uses various methods to observe and identify unusual or suspicious behaviour that may indicate the presence of malware. Examples of behaviour-based detection methods include:

a. Heuristics: a heuristic analysis uses general rules or guidelines to identify potential malware. For instance, a rule may flag a program that attempts to modify system files or registry keys, or an application that attempts to connect to an unknown IP address. In practice, single actions of this kind are also performed by legitimate installers and updaters, so heuristic engines usually weight and combine several observations before raising an alert.

b. Sandboxing: this technique involves running the suspect program in an isolated (often virtualised) environment that separates it from the host system. The behaviour of the program can then be observed and analysed to determine whether it is malicious. Malware that checks for a sandbox, or that delays its malicious activity, may show nothing suspicious during the observation period.

c. Honeypots: this method involves setting up decoy systems that are designed to attract and trap malware. The behaviour of the malware can then be analysed to identify its characteristics and techniques, which in turn feed new heuristics and signatures.

Behaviour-based detection is a powerful approach that can detect new and unknown malware, which makes it an important complement to signature-based methods. However, behaviour-based detection is also more resource-intensive, and it may produce false positive results when benign software behaves in ways that the rules consider suspicious. As a result, organizations should use a combination of signature-based and behaviour-based detection techniques to ensure comprehensive protection against malware.

III. RESEARCH METHODOLOGY

This paper uses a qualitative case-study review. Two hypothetical detection scenarios are constructed and analysed in Section IV, one for each detection method, and the two methods are then compared on the basis of that analysis.

IV. DISCUSSION

To observe the detection capability of each approach, we apply signature-based detection and behaviour-based detection to a case study and compare the two methods at the end of the analysis. Suppose there is a computer system that needs to be protected from malware. The system administrator decides to use two methods to detect malware on the system. The signature-based case is described first.

a. Signature-based detection

The signature-based detection system works by comparing files on the system against a database of predefined signatures of known malware. The database is updated regularly to ensure that it contains the latest information on known malware.

One day, a user on the system downloads a file from the internet that is suspected to be malware. The file is automatically scanned by the signature-based detection system, and its contents are compared against the signatures in the database.

The signature-based detection system determines that the file contains a signature that is associated with a known piece of malware. The system generates an alert, and the user is notified that the file is malicious and should not be opened.

The system administrator can then take appropriate action to remove the malware from the system and prevent it from causing any damage.

In this case, the signature-based detection system was effective in detecting the malware, but it was limited by the fact that it could only detect known malware that had a signature in the database. To provide more comprehensive protection, the system administrator may decide to use other methods, such as heuristic-based detection or machine learning-based detection, in conjunction with signature-based detection.

b. Behaviour-based detection

The behaviour-based detection system works by analysing the behaviour of software on the system to determine whether it is malicious. The system monitors the behaviour of software in real time and looks for signs of malicious activity.

One day, a user on the system downloads a new piece of software from the internet. The behaviour-based detection system begins monitoring the behaviour of the software as soon as it is run.

The behaviour-based detection system determines that the software is exhibiting behaviour that is associated with malware. For example, the software may be attempting to modify system files or to communicate with external servers. The behaviour-based detection system generates an alert, and the user is notified that the software is potentially malicious and should not be run.

The system administrator can then take appropriate action to remove the malware from the system and prevent it from causing any damage.

In this case, the behaviour-based detection system was effective in detecting the malware, even though it was a previously unknown piece of malware. This demonstrates the flexibility of behaviour-based detection and its ability to detect malware that is not recognized by other methods, such as signature-based detection. Note, however, that the alert is raised only once the software has started to act: a behaviour-based system detects the malware while it runs rather than before it is opened, so the response (terminating the process, rolling back its changes) must be fast enough to limit the damage.
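The following Python program is an added example written for this edit, not the paper's own system, of the heuristic approach described in Section II.B and in the case above: each rule examines the event trace of a running program, rules carry weights, and the program is flagged when the summed weight reaches a threshold. The event traces, the rule weights, the trusted-host allow-list and the threshold are all constructed assumptions; a real sensor would collect the events from a kernel driver, ETW or eBPF rather than from hand-written lists.

```python
from collections.abc import Callable
from dataclasses import dataclass

# One observed action of the monitored program: (event type, argument).
# Constructed format for the example; a real sensor has richer records.
Event = tuple[str, str]

# Assumed allow-list of destinations the organisation already trusts.
TRUSTED_HOSTS = {"updates.vendor.example", "198.51.100.10"}
SYSTEM_DIR = "C:\\Windows\\"             # writes here are suspicious for user apps
AUTOSTART_KEY = "\\CurrentVersion\\Run"  # persistence via a Run key

@dataclass(frozen=True)
class Rule:
    name: str
    weight: int                              # assumed tuning value
    matches: Callable[[list[Event]], bool]   # looks at the whole trace, not one event

def _args(trace: list[Event], kind: str) -> list[str]:
    return [arg for t, arg in trace if t == kind]

def _drop_and_execute(trace: list[Event]) -> bool:
    """A file is written and later executed from the same path (order matters)."""
    written: set[str] = set()
    for kind, arg in trace:
        if kind == "file_write":
            written.add(arg)
        elif kind == "process_create" and arg in written:
            return True
    return False

RULES = [
    Rule("writes_system_directory", 3,
         lambda t: any(p.startswith(SYSTEM_DIR) for p in _args(t, "file_write"))),
    Rule("sets_autostart_key", 3,
         lambda t: any(AUTOSTART_KEY in k for k in _args(t, "registry_set"))),
    Rule("connects_to_untrusted_host", 2,
         lambda t: any(h not in TRUSTED_HOSTS for h in _args(t, "net_connect"))),
    Rule("injects_into_other_process", 4,
         lambda t: bool(_args(t, "process_inject"))),
    Rule("drops_and_executes_payload", 3, _drop_and_execute),
    Rule("deletes_own_dropped_file", 2,
         lambda t: bool(set(_args(t, "file_delete")) & set(_args(t, "file_write")))),
]

DEFAULT_THRESHOLD = 6   # assumed; raising it trades missed malware for fewer false alarms

def score(trace: list[Event]) -> tuple[int, list[str]]:
    """Sum the weights of every rule that fires and report which ones fired."""
    fired = [r.name for r in RULES if r.matches(trace)]
    total = sum(r.weight for r in RULES if r.name in fired)
    return total, fired

def classify(trace: list[Event], threshold: int = DEFAULT_THRESHOLD) -> str:
    total, _ = score(trace)
    return "malicious" if total >= threshold else "benign"

# Constructed traces. None of these programs has a signature; the verdict
# rests on behaviour alone.
UNKNOWN_DROPPER: list[Event] = [
    ("file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
    ("process_create", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
    ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    ("net_connect", "203.0.113.7"),
    ("process_inject", "explorer.exe"),
    ("file_delete", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
]
VENDOR_INSTALLER: list[Event] = [
    ("file_write", "C:\\Program Files\\Vendor\\app.exe"),
    ("registry_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater"),
    ("net_connect", "updates.vendor.example"),
]
BACKUP_TOOL: list[Event] = [
    ("file_write", "C:\\Windows\\Temp\\backup.log"),
    ("net_connect", "backup.cloud.example"),   # legitimate, but not on the allow-list
]

if __name__ == "__main__":
    for label, trace in [("unknown_dropper", UNKNOWN_DROPPER),
                         ("vendor_installer", VENDOR_INSTALLER),
                         ("backup_tool", BACKUP_TOOL)]:
        total, fired = score(trace)
        print(f"{label:17s} score={total:2d} verdict={classify(trace):9s} rules={fired}")
```

The dropper is flagged with no signature at all, the vendor installer stays under the threshold because its update host is on the allow-list, and the backup tool sits one point below the threshold: lowering the threshold to 5 would catch more unknown malware but would also turn this benign tool into a false positive. That threshold, and the allow-list, are where the extra expertise and tuning that the evaluation attributes to behaviour-based detection is spent.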
c. Evaluation

From the analysis of the two cases above, the evaluation of the signature-based method and the behaviour-based method is as follows:

Signature-based detection:
Pros:
• Simple and straightforward to implement.
• Requires relatively few resources per scanned file.
• Effective against known malware, with few false positives when signatures are specific.
Cons:
• Can be easily defeated by malware that has not yet been identified and added to the signature database, including minor variants of known malware.
• The signature database must be updated regularly to ensure that it contains the latest information on known malware.
• Can generate false positives if a signature is too generic and its pattern also occurs in a known benign file.

Behaviour-based detection:
Pros:
• Effective against unknown malware.
• Can detect malware that is designed to evade signature-based detection.
• Does not rely on a database of known malware signatures.
Cons:
• More complex and resource-intensive than signature-based detection.
• Can generate false positives if the behaviour of a benign program is mistaken for malware.
• May require more expertise to set up, tune and maintain.

Both signature-based detection and behaviour-based detection have their advantages and disadvantages. It is often recommended to use a combination of different methods, such as signature-based detection and behaviour-based detection, to provide comprehensive protection against malware. This allows the strengths of each method to complement each other.

The accuracy of signature-based detection and behaviour-based detection can be compared by analysing the number of true positive, false positive and false negative detections made by each method on the same set of samples. True positive detections are the instances where malware was correctly identified, false positive detections are the instances where benign software was mistaken for malware, and false negative detections are the instances where malware was missed.

In signature-based detection, the accuracy of detection is directly related to the size and quality of the signature database. The larger and more comprehensive the database, the more effective signature-based detection is at identifying known malware. However, this method can be easily defeated by malware that has not yet been identified and added to the database, so its false negative rate against new malware is high. Its false positive rate is usually low, because a specific signature rarely occurs in benign software; false positives arise mainly from signatures that are too generic.

Behaviour-based detection, on the other hand, analyses the behaviour of software in real time to determine whether it is malicious. This method is effective against unknown malware and does not rely on a database of known malware signatures, so its false negative rate against new malware is lower. However, it is more complex and resource-intensive, and it tends to have a higher false positive rate, because the actions it looks for (writing to system directories, registering for autostart, connecting to unfamiliar hosts) are also performed by benign installers and updaters.

In summary, both signature-based detection and behaviour-based detection have their strengths and weaknesses, and the accuracy and false positive rate of each method depend on factors such as the quality of the signature database and the behaviour analysis rules used. To achieve comprehensive protection against malware, it is recommended to use a combination of different methods.
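As an added example for this comparison (written for this edit; the corpus and the verdicts are constructed, not measured), the following Python code computes the confusion matrix and the rates defined above for four detectors over the same labelled set of 20 samples: a signature scanner, a behaviour monitor, their combination, and a detector that never alerts. The sample identifiers and verdict sets are assumptions chosen to make the comparison visible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Metrics:
    tp: int   # malware correctly flagged
    fp: int   # benign wrongly flagged
    tn: int   # benign correctly left alone
    fn: int   # malware missed

    @property
    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.fp + self.tn + self.fn)

    @property
    def false_positive_rate(self) -> float:   # share of benign samples that alerted
        return self.fp / (self.fp + self.tn) if (self.fp + self.tn) else 0.0

    @property
    def false_negative_rate(self) -> float:   # share of malware that was missed
        return self.fn / (self.fn + self.tp) if (self.fn + self.tp) else 0.0

    @property
    def precision(self) -> float:   # share of alerts that were right
        return self.tp / (self.tp + self.fp) if (self.tp + self.fp) else 0.0

def evaluate(truth: dict[str, bool], verdicts: dict[str, bool]) -> Metrics:
    """truth: sample id -> is malware; verdicts: sample id -> detector alerted."""
    tp = fp = tn = fn = 0
    for sample, is_malware in truth.items():
        alerted = verdicts.get(sample, False)   # no verdict counts as "not alerted"
        if is_malware and alerted:
            tp += 1
        elif is_malware:
            fn += 1
        elif alerted:
            fp += 1
        else:
            tn += 1
    return Metrics(tp, fp, tn, fn)

# Constructed corpus: 16 benign programs (b1..b16) and 4 malware samples, two
# of which (m3, m4) are new variants with no signature yet.
TRUTH = {f"b{i}": False for i in range(1, 17)} | {"m1": True, "m2": True, "m3": True, "m4": True}

# Constructed verdicts. The signature scanner catches only the two known
# samples and raises no false alarms. The behaviour monitor catches the new
# variants but misses m2 (assumed to stay dormant while observed) and flags
# two benign installers (b5, b11).
SIGNATURE_VERDICTS = {"m1": True, "m2": True}
BEHAVIOUR_VERDICTS = {"m1": True, "m3": True, "m4": True, "b5": True, "b11": True}
# A detector that never alerts: the baseline any useful detector must beat.
SILENT_VERDICTS: dict[str, bool] = {}
# Both methods combined: alert if either one alerts.
COMBINED_VERDICTS = {s: True for s in set(SIGNATURE_VERDICTS) | set(BEHAVIOUR_VERDICTS)}

def compare() -> dict[str, Metrics]:
    return {name: evaluate(TRUTH, v) for name, v in [
        ("signature", SIGNATURE_VERDICTS), ("behaviour", BEHAVIOUR_VERDICTS),
        ("combined", COMBINED_VERDICTS), ("silent", SILENT_VERDICTS)]}

if __name__ == "__main__":
    print(f"{'detector':10s} {'TP':>2} {'FP':>2} {'TN':>2} {'FN':>2}   acc    FPR    FNR   prec")
    for name, m in compare().items():
        print(f"{name:10s} {m.tp:2d} {m.fp:2d} {m.tn:2d} {m.fn:2d}   "
              f"{m.accuracy:.2f}   {m.false_positive_rate:.2f}   "
              f"{m.false_negative_rate:.2f}   {m.precision:.2f}")
```

On this corpus the silent detector reaches 0.80 accuracy simply because 16 of the 20 samples are benign, and the behaviour monitor scores lower on accuracy (0.85) than the signature scanner (0.90) even though it catches more of the malware. The false negative rate and the false positive rate, not accuracy, show where each method actually fails, and only the combination brings the false negative rate to zero, at the behaviour monitor's false positive cost.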
V. CONCLUSION

In conclusion, the detection of malware is a critical task for ensuring the security and stability of computer systems. There are several methods for detecting malware, including signature-based detection and behaviour-based detection.

Signature-based detection is a simple and straightforward method that compares files against a database of predefined signatures of known malware. While this method is effective against known malware, it can be easily defeated by malware that has not yet been identified and added to the database, and it can generate false positives when a signature is too generic.

Behaviour-based detection, on the other hand, analyses the behaviour of software in real time to determine whether it is malicious. This method is effective against unknown malware and does not rely on a database of known malware signatures. However, it is more complex and resource-intensive, and it can generate false positives if the behaviour of a benign program is mistaken for malware.

Given the advantages and disadvantages of each method, it is recommended to use a combination of different methods for comprehensive protection against malware. This allows the strengths of each method to complement each other and provides a more complete solution for detecting and preventing malware.

It is important to continue researching and developing new methods for detecting malware, as the threat landscape is constantly evolving and new forms of malware are being developed all the time. By staying up to date with the latest advancements in malware detection, we can ensure that our computer systems remain secure and protected against malicious attacks.
