Our research shows that the information a system call returns as a result of its
execution is sometimes even more important for virus detection than its incoming
arguments. Table 1 shows a typical system call record as it passes through our
monitor.
From the information observed by the monitor it is possible to conclude that
Thread #1, belonging to Process #1023, invoked the system call NtCreateFile in
order to open a file named "virus.exe". Upon completion of the call, the file was
successfully opened and a unique handle, 56, was assigned for further access to
that file.
To decide whether such a call belongs to any part of the virus's self-replication,
we have to consider most of its input and output arguments. Obviously no single
system call, with any combination of input and output arguments, can by itself be
considered a threat; we believe, however, that certain APIs called with certain
arguments do, when combined, present a clear pattern of self-replication.
During the GSR detection process, every system call intercepted by our monitor is
passed directly to the Replication Detector, where it goes through a complete range
of detection and filtering mechanisms. Following the decoupled Gene definition
presented in the previous part of this paper, the detection process is also highly
decoupled, to ensure compatibility and to reduce false detections. Just as the GSR
is formed from many different building blocks, the detection mechanism observes
and makes decisions about every block separately, until it finally reaches the top
of the GSR pyramid structure and declares the alarm state. Below is a brief diagram
of the detection algorithm for a single block:
[Fig. 4 diagram: the Detector consists of a History Tracer, the Gene Structure and a Combiner; a Lower Block (system call) enters at the lower level and an Upper Block leaves at the upper level]
Fig. 4. Detection Algorithm for abnormal behavior
As soon as a system call is detected, the History Tracer consults the database in
which the GSR Structure is defined, to determine whether or not this system call
can be combined with any other lower level block to form a larger structure. When
such a combination is possible, the Combiner takes the two chosen lower level
blocks and forms a single upper level block whose inputs are identical to the inputs
of the Lower Block taken from the history and whose outputs are inherited from the
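To make the call record of Table 1 and the History Tracer / Combiner step concrete, the following Python program is an added example written for this page, not the authors' monitor or detector. It replays a constructed trace of system call records (process, thread, API name, input arguments, output arguments) through a small block-combining detector that links calls by the handles and buffers they return, so that output arguments drive the decision as the text argues. The gene itself (the OPEN_SELF, READ, CREATE_NEW and WRITE atoms and the three combining rules), the process image table and the call records are assumptions made for illustration; and since the sentence above breaks off before saying where the upper block's outputs come from, the example takes them from the newer lower block, which is likewise an assumption.

```python
from collections import namedtuple

# One record in the shape of Table 1: who called what, with its input and output arguments.
SysCall = namedtuple("SysCall", "pid tid name inputs outputs")
# A block of the GSR pyramid: one call at level 0, a combination of two blocks above that.
Block = namedtuple("Block", "label level inputs outputs calls")
# Level-0 definition: API name plus a predicate (call, image path of the process) -> bool.
Atom = namedtuple("Atom", "label name match")
# Gene structure entry: 'earlier' is taken from the history, 'later' is the block just formed.
Rule = namedtuple("Rule", "label earlier later link")
STATUS_SUCCESS = 0

# Hypothetical gene (assumption of this example): read own image, write that buffer to a new .exe.
ATOMS = [
    Atom("OPEN_SELF", "NtCreateFile", lambda c, img: c.inputs["path"].lower() == img.lower()
         and c.outputs["status"] == STATUS_SUCCESS),
    Atom("READ", "NtReadFile", lambda c, img: c.outputs["status"] == STATUS_SUCCESS),
    Atom("CREATE_NEW", "NtCreateFile", lambda c, img: c.inputs["disposition"] == "create"
         and c.inputs["path"].lower().endswith(".exe") and c.outputs["status"] == STATUS_SUCCESS),
    Atom("WRITE", "NtWriteFile", lambda c, img: c.outputs["status"] == STATUS_SUCCESS),
]
RULES = [
    # the handle one call returned (an output) must be the handle the next call uses (an input)
    Rule("READ_OWN_IMAGE", "OPEN_SELF", "READ", lambda a, b: b.inputs["handle"] == a.outputs["handle"]),
    Rule("WRITE_NEW_IMAGE", "CREATE_NEW", "WRITE", lambda a, b: b.inputs["handle"] == a.outputs["handle"]),
    # the buffer written into the new file must be the one that was read from our own image
    Rule("SELF_REPLICATION", "READ_OWN_IMAGE", "WRITE_NEW_IMAGE",
         lambda a, b: any(c.name == "NtWriteFile" and c.inputs["buffer"] == a.outputs["buffer"]
                          for c in b.calls)),
]
TOP = "SELF_REPLICATION"

class ReplicationDetector:
    def __init__(self, atoms, rules, top, process_image):
        self.atoms, self.rules, self.top = atoms, rules, top
        self.process_image = process_image      # pid -> image path, as known to the monitor
        self.history = {}                       # pid -> blocks seen so far (the History Tracer)
        self.alarms = []                        # (pid, top-level block) pairs

    def feed(self, call):
        """Turn one intercepted call into level-0 blocks, climb the pyramid, return new blocks."""
        hist = self.history.setdefault(call.pid, [])
        image = self.process_image.get(call.pid, "")
        formed = [Block(a.label, 0, call.inputs, call.outputs, (call,))
                  for a in self.atoms if a.name == call.name and a.match(call, image)]
        queue = list(formed)
        while queue:
            new = queue.pop(0)
            hist.append(new)
            for rule in self.rules:
                if rule.later != new.label:
                    continue
                for old in reversed(hist[:-1]):  # Combiner: newest matching history block wins
                    if old.label == rule.earlier and rule.link(old, new):
                        # inputs come from the history block (as in the text); outputs from the
                        # newer block is this example's assumption, the source sentence is cut off
                        upper = Block(rule.label, max(old.level, new.level) + 1,
                                      old.inputs, new.outputs, old.calls + new.calls)
                        formed.append(upper)
                        queue.append(upper)
                        if upper.label == self.top:
                            self.alarms.append((call.pid, upper))
                        break
        return formed

def detect(trace, process_image):
    det = ReplicationDetector(ATOMS, RULES, TOP, process_image)
    for call in trace:
        det.feed(call)
    return det.alarms

# Constructed traces (not captured data). Buffer identities stand in for the user-mode
# buffer addresses the monitor would record.
PROCESS_IMAGE = {1023: r"C:\Users\alice\virus.exe", 77: r"C:\Windows\notepad.exe"}
REPLICATING_TRACE = [
    SysCall(1023, 1, "NtCreateFile", {"path": r"C:\Users\alice\virus.exe", "disposition": "open"},
            {"status": 0, "handle": 56}),
    SysCall(1023, 1, "NtReadFile", {"handle": 56, "length": 4096}, {"status": 0, "buffer": "buf@0x12000"}),
    SysCall(1023, 1, "NtCreateFile", {"path": r"C:\Users\alice\Documents\photo.exe", "disposition": "create"},
            {"status": 0, "handle": 60}),
    SysCall(1023, 1, "NtWriteFile", {"handle": 60, "buffer": "buf@0x12000"}, {"status": 0, "bytes": 4096}),
]
BENIGN_TRACE = [  # same APIs, but the self-open fails and the buffer written is not its own image
    SysCall(77, 4, "NtCreateFile", {"path": r"C:\Windows\notepad.exe", "disposition": "open"},
            {"status": 0xC0000022, "handle": None}),
    SysCall(77, 4, "NtCreateFile", {"path": r"C:\Users\alice\notes.txt", "disposition": "open"},
            {"status": 0, "handle": 72}),
    SysCall(77, 4, "NtReadFile", {"handle": 72, "length": 4096}, {"status": 0, "buffer": "buf@0x9000"}),
    SysCall(77, 4, "NtCreateFile", {"path": r"C:\Users\alice\setup.exe", "disposition": "create"},
            {"status": 0, "handle": 80}),
    SysCall(77, 4, "NtWriteFile", {"handle": 80, "buffer": "buf@0x9000"}, {"status": 0, "bytes": 4096}),
]

if __name__ == "__main__":
    print([(pid, b.label) for pid, b in detect(REPLICATING_TRACE, PROCESS_IMAGE)])  # [(1023, 'SELF_REPLICATION')]
    print(detect(BENIGN_TRACE, PROCESS_IMAGE))  # []
```

The benign trace shows why the returned values matter: notepad.exe issues the same NtCreateFile on its own image, but the call fails, so no OPEN_SELF block is formed and the later read and write can never be combined into the top of the pyramid, even though it goes on to create a new .exe. Each block is decided separately, and the alarm is raised only when the last rule of the gene structure succeeds.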