Prevention of Information Attacks by Run-Time Detection of Self-replication in Computer Codes
Douglas Summerville, Victor Skormin, Alexander Volynkin, and James Moronski
Binghamton University, Binghamton NY 13902, USA
{dsummer, vskormin}@binghamton.edu, alex@volynkin.com, jim@moronski.com
Abstract. This paper describes a novel approach to preventative protection from both known and previously unknown malicious executable codes. It does not rely on screening the code for signatures of known viruses; instead it detects attempts by the executable code in question to self-replicate at run time. Self-replication is the common feature of most malicious codes, allowing them to maximize their impact. This approach extends the method developed earlier for detecting previously unknown viruses in script-based computer codes. The paper presents a software tool implementing this technique for behavior-based run-time detection and suspension of self-replicating functionality in executable codes for Microsoft Windows operating systems.
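To make the run-time, behavior-based idea of the abstract concrete, here is an added illustration that is not the authors' tool: a monitor replays a constructed trace of file-API events (process id, API name, resolved path, bytes involved) and flags, then suspends, any process that writes bytes it previously read from its own executable image into a different file. The event model, the process image table and the sample trace are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed event model (not the paper's): each event is a dict carrying the
# calling pid, the API name, the resolved file path and the bytes involved.


@dataclass
class ProcState:
    image: str                                     # lower-cased path of the process's own executable
    self_chunks: set = field(default_factory=set)  # SHA-256 digests of chunks read from that image
    suspended: bool = False


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReplicationMonitor:
    """Flags and suspends a process whose file writes reproduce its own image."""

    def __init__(self, images):
        # pid -> executable path; assumed to be learned at process creation
        self.procs = {pid: ProcState(path.lower()) for pid, path in images.items()}
        self.alerts = []                           # (pid, destination path) pairs

    def on_event(self, ev):
        st = self.procs[ev["pid"]]
        if st.suspended:
            return "suspended"                     # a flagged process gets no further I/O
        path = ev["path"].lower()
        api = ev["api"]
        if api == "ReadFile" and path == st.image:
            # Reading one's own image is only suspicious in combination with a write.
            st.self_chunks.add(_digest(ev["data"]))
            return "ok"
        if api == "WriteFile" and path != st.image and _digest(ev["data"]) in st.self_chunks:
            st.suspended = True
            self.alerts.append((ev["pid"], path))
            return "self-replication"
        return "ok"


def run_trace(images, trace):
    """Replay a trace; return the alerts raised and the per-event verdicts."""
    mon = ReplicationMonitor(images)
    verdicts = [mon.on_event(ev) for ev in trace]
    return mon.alerts, verdicts


# Constructed sample: three processes, only pid 100 copies its own image.
IMAGE_BYTES = b"MZ\x90\x00constructed-image-bytes"
IMAGES = {
    100: r"C:\temp\dropper.exe",
    200: r"C:\Windows\notepad.exe",
    300: r"C:\tools\checker.exe",
}
TRACE = [
    {"pid": 100, "api": "ReadFile",  "path": r"C:\temp\dropper.exe",      "data": IMAGE_BYTES},
    {"pid": 200, "api": "ReadFile",  "path": r"C:\docs\a.txt",            "data": b"hello"},
    {"pid": 200, "api": "WriteFile", "path": r"C:\docs\b.txt",            "data": b"hello"},
    {"pid": 300, "api": "ReadFile",  "path": r"C:\tools\checker.exe",     "data": IMAGE_BYTES},
    {"pid": 300, "api": "WriteFile", "path": r"C:\tools\checker.log",     "data": b"self-check ok"},
    {"pid": 100, "api": "WriteFile", "path": r"C:\Users\Public\svc.exe",  "data": IMAGE_BYTES},
    {"pid": 100, "api": "WriteFile", "path": r"C:\Users\Public\svc2.exe", "data": IMAGE_BYTES},
]

if __name__ == "__main__":
    alerts, verdicts = run_trace(IMAGES, TRACE)
    print(alerts)    # [(100, 'c:\\users\\public\\svc.exe')]
    print(verdicts)  # ['ok', 'ok', 'ok', 'ok', 'ok', 'self-replication', 'suspended']
```

Two design points matter for a real monitor of this kind. First, the rule pairs a read of the process's own image with a write of the same content elsewhere; either half alone is benign (pid 200 copies an unrelated file, pid 300 reads its own image for a self-check and writes a log), which is what keeps the behavioral rule from firing on ordinary file copies. Second, the state kept per process is a set of chunk digests rather than the chunks themselves, so memory stays bounded even for large images; legitimate self-updaters and installers that rewrite their own binary remain the main source of false positives and need an allow-list or operator review.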
1 Introduction
Due to its high interconnectivity, global dimensions and very large number of entry points, the Internet is increasingly vulnerable to information attacks of escalating sophistication. Any biological system, being gigantic in terms of complexity, interconnectivity and number of entry points, is also vulnerable to sabotage by foreign microorganisms, which are, in many ways, similar to information attacks. The proliferation of biological systems in spite of these attacks can be explained by their very effective defense mechanisms, capable of the detection, identification, and destruction of most foreign entities that could have an adverse effect on the system. The ability of immune mechanisms to reliably differentiate between “self” and “non-self” at the protein level inspired the authors to utilize the concepts of genetic composition and genetically-programmed behavior as the basis for the development of a novel approach to the detection of malicious software [1].
Most information attacks are carried out via Internet transmission of files that contain the code of a computer virus or worm. Upon receipt, the target computer executes the malicious code, resulting in the reproduction of the virus or worm and the delivery of its potentially destructive payload. Self-replication, which is uncommon in legitimate programs, is vital to the spread of computer viruses and worms, allowing them to create computer epidemics and thus maximizing the effectiveness of the attack. As with any function, self-replication is programmed; the sequence of operations resulting in the self-replication is present in the computer code of the virus. The