Similarly, not all computer viruses have to incorporate every possible means of self-
replication in a single body. The companion virus W32.Bogus, for example, showed no
signs of replication over the network or the Internet, nor did it deal with system
memory objects at all. However, the replication of this particular virus is proven by
other very strong arguments, such as host search and code injection.
The authors realize that no detection method is 100 % perfect, and it is expected
that some viruses may exhibit behavior that is not yet described in terms of
the GSR. However, all viruses have to follow the most generic rules of replication. In
the case of a false positive detection of a block in the replication pyramid, provided
that the other blocks are detected correctly, the protection system may conclude that the
replication rate for the given process is achieved to a certain degree, while it is still
lower than 100 %. In this case, the threshold can be set to suspend a suspicious
process from any further action and alert the user. However, such a threshold should
not be set below 90 %, since, as can be seen from the table, a high rate of false positives
will be generated under such conditions.
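The threshold reasoning above can be made concrete with a small monitor that scores a process by the fraction of replication-pyramid blocks its observed activity evidences and suspends it once that fraction reaches a configurable threshold. This is an added illustration, not the authors' runtime monitor: the block names, the mapping from monitored events to blocks, the equal weighting of blocks and the sample event traces are all constructed assumptions, since the page does not list the pyramid's contents. Running the same traces at a 90 % and a 50 % threshold shows why a low threshold flags benign activity (here, a constructed installer that enumerates and rewrites executables) as replication.

```python
from dataclasses import dataclass, field

# Hypothetical pyramid blocks; the paper's actual block set is not given on this page.
BLOCKS = ("host_search", "code_injection", "memory_object", "network_replication")

# Constructed mapping from low-level monitored events to the block they evidence.
EVENT_TO_BLOCK = {
    "enumerate_executables": "host_search",
    "open_executable_for_write": "code_injection",
    "write_executable_section": "code_injection",
    "map_remote_memory": "memory_object",
    "create_remote_thread": "memory_object",
    "send_own_image_over_socket": "network_replication",
}


@dataclass
class ProcessState:
    pid: int
    detected: set = field(default_factory=set)
    suspended: bool = False

    def replication_rate(self) -> float:
        """Fraction of pyramid blocks evidenced so far (equal weights, an assumption)."""
        return len(self.detected) / len(BLOCKS)


class ReplicationMonitor:
    """Tracks per-process block coverage and suspends a process at the threshold."""

    def __init__(self, threshold: float = 0.9):
        if not 0.0 < threshold <= 1.0:
            raise ValueError("threshold must be in (0, 1]")
        self.threshold = threshold
        self.processes: dict[int, ProcessState] = {}

    def observe(self, pid: int, event: str) -> ProcessState:
        state = self.processes.setdefault(pid, ProcessState(pid))
        if state.suspended:
            return state  # a suspended process gets no further action
        block = EVENT_TO_BLOCK.get(event)
        if block is not None:
            state.detected.add(block)
        if state.replication_rate() >= self.threshold:
            state.suspended = True
        return state


# Constructed sample trace: (pid, event) pairs from three hypothetical processes.
# pid 100: file infector without a network component (3 of 4 blocks)
# pid 200: benign installer that enumerates and rewrites executables (2 of 4 blocks)
# pid 300: worm-like process covering every block (4 of 4 blocks)
SAMPLE_TRACE = [
    (100, "enumerate_executables"),
    (200, "enumerate_executables"),
    (100, "open_executable_for_write"),
    (300, "enumerate_executables"),
    (200, "write_executable_section"),
    (100, "map_remote_memory"),
    (300, "write_executable_section"),
    (300, "create_remote_thread"),
    (100, "write_executable_section"),
    (300, "send_own_image_over_socket"),
    (200, "open_executable_for_write"),
]


def run_trace(events, threshold: float = 0.9):
    """Replay a trace; return {pid: (replication_rate, suspended)}."""
    monitor = ReplicationMonitor(threshold)
    for pid, event in events:
        monitor.observe(pid, event)
    return {pid: (st.replication_rate(), st.suspended)
            for pid, st in monitor.processes.items()}


def flagged_pids(events, threshold: float = 0.9):
    """Sorted list of processes the monitor would suspend at the given threshold."""
    return sorted(pid for pid, (_, suspended) in run_trace(events, threshold).items()
                  if suspended)


if __name__ == "__main__":
    for thr in (0.9, 0.5):
        print(f"threshold {thr:.0%}: suspended {flagged_pids(SAMPLE_TRACE, thr)}")
```

At the 90 % threshold only the process that covers every block is suspended; dropping the threshold to 50 % also suspends the constructed installer, which is exactly the false-positive effect the paragraph warns about. With four equally weighted blocks a 90 % threshold in this toy effectively demands full coverage, so a real deployment would need either finer-grained blocks or block weights, which the page does not specify.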
7 Conclusion
In this paper we proposed an advanced approach to software behavior recognition
with specific application to the detection of malicious behavior in computer viruses.
The reason for choosing the mechanism of self-replication as the detection criterion is
that non-malicious code has no reason to disseminate itself, while self-
replication is crucial for deploying widespread information attacks. One of the
primary strengths of the proposed approach is its ability to detect previously unknown
viruses with a very low false-positive rate. In addition, it is independent of the style of
the programmer and of the programming language and compiler (assembler) used. Malicious
behavior detection is done at a very low level, in the operating system, where the most
important activities can be monitored. This prevents the detection system from being
flooded with useless calls that can be handled at a higher, more vulnerable
level, while still allowing the monitoring of all activities of processes accessing vital
operating system facilities. The detection is implemented as a runtime monitor - a
detector system allowing for immediate detection and termination of any number of
suspicious processes currently running on the system.
Of course, no method of detection is perfect. Although this paper presents an
attempt to detect and account for all existing methods of self-replication, there may be
some new techniques in virus writing that will thwart this effort. The authors are
aware of the feasibility of multi-processing self-replication that could be implemented
by a very sophisticated attacker and intend to address this threat in future research.
However, most information attacks require the use of less sophisticated programming
techniques to ensure successful execution on a wide range of computer systems,
assuring the success of the proposed technology.
Acknowledgement
The authors are grateful to the Air Force Office of Scientific Research for funding the
project “Recognition of Computer Viruses by Detecting Their Gene of Self
Replication” that has resulted in findings presented in this paper.