Prevention of Information Attacks by Run-Time Detection of Self-replication in Computer Codes - Computer Network Security

Information Technology Reference

In-Depth Information

blocks involved in malicious self-replication activity can individually be performed

by any piece software for a variety of legitimate reasons. Only when integrated into

larger structures and based on their inter-functional relationships, these building

blocks are indicative of attempts to self-replicate.

The GSR can be composed of such blocks in various ways. Therefore its structure

can be viewed as a regular sentence being built up by concatenating phrases, where

phrases are built up by concatenating words, and words are built up by concatenating

characters.

One of the major reasons for applying such a syntactic approach to describing the

GSR is to facilitate the recognition of sub-patterns. This implies the recognition of

smaller building blocks first, establishing their relevance and contribution to the

replication, and then considering the next sub-pattern. This process is consistent with

text analysis, which includes recognizing characters first, then concatenating them

into words, running a spell checker on an entire word to check for mistakes, then

continue concatenating words into phrases and sentences checking for correct

grammar and punctuation. The syntactic description of the GSR provides a capability

for describing and detecting large sets of complex patterns by using small subsets of

simple pattern primitives. It is also possible to apply such a description any number of

times to express the basic structures of a number of gene mutations in a very compact

way.

Following the concept of syntactic description the GSR structure could be

represented using the grammar definition notations [4]:

{

}

(1)

where,

G - gene of self-replication

V - non-terminal variable

V - terminal variable

P - finite set of rules

S - starting point of the gene

Assuming, that the GSR is represented by the pyramidal structure (Fig.1), the non-

terminal variable

in the expression above can be expressed as:

⎧

Gene_of_se

lf_replica

tion

File_

earch_Bloc

File_Copy_

lock

⎫

(2)

⎪

⎨

⎪

⎬

V N

Directory_

System_Cal

Open_File_

System_Cal

Create_Fil

e_System_C

all

⎪

⎩

⎪

⎭

Write_File

_System_Ca

V represents the GSR sequence:

The terminal variable

{

}

V T

ZwQueryDir

ectoryFile

(...),

ZwOpenFile

(...),

ZwCreateFi

(...),

ZwWriteFil

(...)

(3)

Computer Network Security

Search WWH ::

Custom Search

Home