(also heuristic evaluation)
Heuristic analysis definition
In cybersecurity, heuristic analysis is a technique for detecting unknown malware (or new variations of known malware) based on behavioral patterns. Heuristic analysis is used by many antivirus applications to protect against threats that cannot be caught by traditional signature-based methods.
How heuristic analysis works
- Established rules: Antivirus software may utilize predefined rules (or heuristics) to identify potentially malicious behaviors based on known attack patterns, common malware behaviors, or abnormal activities.
- New pattern identification: The antivirus evaluates whether a file or program is behaving suspiciously — for example, it may review actions such as unannounced file modifications, network communications, or system changes to determine if the user is under threat.
- Dynamic analysis: The antivirus may open the suspected file or program in a controlled environment (such as a sandbox or virtual machine) to observe its actions. This lets antivirus tools detect suspicious behavior without putting the system at risk.
- Detecting indicators of compromise (IOCs): Heuristic analysis often involves checking the system for indicators of compromise — signs that a cyberattack took place, such as leftover file hashes, network signatures, or malicious IP addresses.
- AI assistance: Advanced heuristic analysis tools use artificial intelligence (AI) algorithms trained on large datasets of known behaviors to predict how likely it is that a given file is acting maliciously.