Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices 245

should only change the default behavior of their antivirus programs if they are confident they know what they are doing and why a change is necessary. Any warning or alert that an antivirus program raises needs to be taken seriously and reviewed before proceeding.

Antivirus software traditionally relies on signature detection. A signature scanner reads each file looking for malware signatures: specific byte sequences (a particular pattern of 1s and 0s) or whole-file hashes taken from known malware. False positives are rare, because it is improbable that an unrelated file contains the same long, distinctive sequence; the exceptions are signatures that are too short or too generic, which can match legitimate software and occasionally have to be withdrawn by the vendor. Some users install a file that triggers a match on purpose, for example to confirm that their scanner is working (the EICAR test file exists for exactly this reason), but this does not really count as a false positive because the scanner identified the file accurately. In these instances, a user could ignore the warning if he is confident that he understands the risk.

False negatives, on the other hand, are relatively common for signature detection. A false negative occurs when malware slips past the antivirus program undetected. If a piece of malware has not yet been cataloged by the antivirus vendor, it will evade detection. This is true of all novel malware, but it is also true of known malware that has been modified. A standard attacker technique is to transform malware so that its signature changes but its functionality does not, for instance by repacking or re-encoding the file or by rewriting the strings and instruction sequences that the signature depends on; a single changed byte is enough to defeat a hash-based signature outright. Signature detection also suffers from an ever-growing catalog of signatures. Every file has to be compared against that catalog, so there is a practical limit on how many signatures a scanner can check in acceptable time. Vendors therefore prioritize some signatures over others and retire old ones, and this sometimes means that even known malware can evade detection.

A more advanced type of protection system is called an intrusion detection and prevention system (IDPS). These systems can perform anomaly detection in addition to signature detection.
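The following is an added example written for this page, not code from the book or from any antivirus vendor, to make the signature-detection behavior above concrete. The signature names, byte patterns, sample files and the "dropper" command line are all constructed for the illustration. It shows an exact byte signature and a file hash both matching the original sample and not the benign file, a trivial rewrite of the sample (same behavior, different bytes) evading both, and the defender's next move of canonicalizing text before matching.

```python
"""Toy signature scanner (added example, not from the book).

Demonstrates why signature matching has few false positives but misses
modified samples. Every signature, pattern and sample file below is
constructed for the example; none is a real detection.
"""
import hashlib
import re

# Constructed signature database: detection name -> byte sequence taken
# from a "known" sample. A real engine holds millions of such patterns.
SIGNATURES = {
    # a fragment of x86 execve("/bin/sh") shellcode (binary pattern)
    "Demo.Shellcode.A": b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e",
    # a command line embedded in a dropper (text pattern)
    "Demo.Dropper.B": b"cmd.exe /c powershell -enc ",
}

# Constructed sample files. The dropper carries the second pattern; the
# benign program runs a harmless command that shares some of the bytes.
DROPPER = b"MZ\x90\x00" + b"\x00" * 8 + b"cmd.exe /c powershell -enc SQBFAFgA" + b"\x00" * 4
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"cmd.exe /c echo hello" + b"\x00" * 4
SHELLCODE_BLOB = b"\xcc" * 4 + SIGNATURES["Demo.Shellcode.A"] + b"\xcc" * 4

# Whole-file hashes are the narrowest signature: they match only an
# identical file, so any single-byte change defeats them.
KNOWN_BAD_SHA256 = {hashlib.sha256(DROPPER).hexdigest()}


def scan_signatures(data: bytes) -> list[str]:
    """Classic byte-exact matching: names of all patterns found in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_hash(data: bytes) -> bool:
    """Hash lookup: true only if the file is byte-for-byte known-bad."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def evade(sample: bytes) -> bytes:
    """Attacker-side transformation: change the bytes, keep the behavior.

    The Windows command interpreter ignores the case of executable names
    and tolerates repeated spaces, so the rewritten command runs the same,
    yet neither the byte pattern nor the file hash matches any more.
    """
    return sample.replace(b"cmd.exe /c powershell -enc ",
                          b"CMD.exe  /c  PowerShell  -EnC ")


def _is_text(pattern: bytes) -> bool:
    """True for printable-ASCII patterns; binary patterns must not be folded."""
    return all(0x20 <= b < 0x7F for b in pattern)


def normalize(data: bytes) -> bytes:
    """Defender-side response: canonicalize text before matching
    (lower-case ASCII, collapse whitespace runs). One step in the arms race;
    the next evasion (e.g. quoting, ^ escapes, encoding) routes around it."""
    return re.sub(rb"\s+", b" ", data.lower())


def scan_normalized(data: bytes) -> list[str]:
    """Text signatures matched over canonicalized bytes; binary ones exactly."""
    canon = normalize(data)
    hits = []
    for name, pattern in SIGNATURES.items():
        if _is_text(pattern):
            if normalize(pattern) in canon:
                hits.append(name)
        elif pattern in data:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, blob in [("dropper", DROPPER), ("benign", BENIGN),
                        ("shellcode", SHELLCODE_BLOB),
                        ("evaded dropper", evade(DROPPER))]:
        print(f"{label:15} sig={scan_signatures(blob)} hash={scan_hash(blob)} "
              f"normalized={scan_normalized(blob)}")
```

Run it and the evaded dropper shows up clean under both the byte signature and the hash while the normalized scan still catches it; the benign file matches nothing under any method, which is the low false-positive property the text describes.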
Anomaly detection monitors the behavior of software rather than its contents, looking for unusual or suspicious actions. For example, if a program attempts to modify certain operating system settings or tries to create a network connection to a server, the IDPS can detect and prevent the behavior and trigger an alert. It can also "learn" over time what normal behavior looks like by monitoring the activity on a computer system. Once a baseline is established, it can more accurately identify events that depart from it. Anomaly detection is more likely than signature detection to suffer from false positives, because legitimate but infrequent activity (a newly installed tool, a monthly backup job) also departs from the baseline. Too many false alarms result in alert fatigue, so the sensitivity of anomaly detection needs to be tuned down to an acceptable level, with the trade-off that a threshold set too high lets real intrusions through. One of the big advantages of anomaly detection is that it could potentially identify and prevent never-before-seen malware; this is not possible for signature detection, because no signature exists yet.

These protection techniques are illustrative of the general arms race between cyber defenders and cyber attackers. As cyber defenders get better at identifying malicious software, hackers adapt and find new creative ways to evade detection. AI promises to improve both signature and anomaly detection, but it will also be used by hackers to improve evasion. AI could also be used to find vulnerabilities in software, a capability that both hackers (to attack systems) and defenders (to patch them) could use. There is an ongoing debate whether AI will fundamentally change the balance
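The added example below (written for this page, not taken from the book or any IDPS product) illustrates the baseline-then-threshold behavior of anomaly detection described above. The telemetry, process names, port numbers, scoring constants and thresholds are all constructed for the illustration. It learns how often each process performs each action from a training window, scores new events by how surprising they are, and then shows how the alert threshold trades false positives against missed intrusions.

```python
"""Toy baseline-driven anomaly detector (added example, not from the book).

Learns what each process normally does from a window of telemetry, then
scores new events by how surprising they are. Telemetry, process names
and thresholds are constructed for the example.
"""
import math
from collections import Counter

# Constructed baseline telemetry: (process, action, target), repeated as
# many times as each behavior was observed during the learning period.
BASELINE_EVENTS = (
    [("winword.exe", "file_write", "docx")] * 30
    + [("winword.exe", "net_connect", "443")] * 5
    + [("chrome.exe", "net_connect", "443")] * 50
    + [("chrome.exe", "file_write", "tmp")] * 10
    + [("svchost.exe", "net_connect", "53")] * 40
    + [("explorer.exe", "process_create", "chrome.exe")] * 10
    + [("backup.exe", "file_write", "bak")] * 2   # rare but legitimate job
)

# Surprise scores (in bits) assigned to behavior outside the baseline.
# Both values are constructed for the example.
PARTIAL_NOVELTY = 12.0   # known process does a known action to a new target
FULL_NOVELTY = 20.0      # process was never seen doing this action at all


class Baseline:
    """Frequency model of (process, action, target) behavior."""

    def __init__(self, events):
        self.triples = Counter(events)
        self.pairs = Counter((p, a) for p, a, _ in events)
        self.total = len(events)

    def score(self, event):
        """Surprise of an event: -log2(relative frequency) if seen before,
        otherwise a tiered novelty score, so rare-but-seen behavior scores
        lower than behavior with no precedent at all."""
        n = self.triples[event]
        if n:
            return -math.log2(n / self.total)
        if self.pairs[event[:2]]:
            return PARTIAL_NOVELTY
        return FULL_NOVELTY


def detect(baseline, events, threshold):
    """Return the events whose surprise exceeds the alert threshold."""
    return [e for e in events if baseline.score(e) > threshold]


# Constructed events from the monitored day.
TODAY = [
    ("chrome.exe", "net_connect", "443"),                 # routine
    ("backup.exe", "file_write", "bak"),                  # rare, benign
    ("winword.exe", "process_create", "powershell.exe"),  # no precedent
    ("svchost.exe", "net_connect", "4444"),               # known process, odd port
]

if __name__ == "__main__":
    model = Baseline(BASELINE_EVENTS)
    for t in (5.0, 8.0, 25.0):
        print(f"threshold {t:>4}: {[e[0] for e in detect(model, TODAY, t)]}")
```

No signature is involved: the word processor spawning a shell is flagged purely because the baseline has no precedent for it. At a threshold of 5 the monthly backup job is also flagged (a false positive of the kind that causes alert fatigue); raising the threshold to 8 drops it while keeping the two genuine anomalies; at 25 nothing fires at all, which is the failure mode of tuning the detector down too far.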
