to decrypt after which the virus body is exposed to the GDE scanner, which
can identify the strain via a signature. If there is no virus to expose, the GDE
stops execution and drops the program, proceeding to the next file. Think of
the GDE as a rat and think of the files loaded to it as injections given to the
rat to detect the presence of a virus. If there is no adverse behaviour in the rat,
there is no virus in the injected substance, whereas if there is, then the rat is
observed for symptoms that will identify the virus.
A GDE scanner has five basic components: (1) a process emulator; (2) a
memory emulator; (3) a system emulator; (4) a virus signature scanner; and (5)
a decision mechanism. The process emulator is an imitation of a CPU, which
reads the instructions in an executable file. This includes software versions of
all registers and other CPU hardware, so the actual processor is unaffected. The
memory emulator imitates the memory of the computer, where the emulated
memory is employed instead of real memory. The system emulator actually
imitates the OS and hardware of a computer. This should also include a virtual
drive that is capable of being read, formatted, and so on. The virus signature
scanner is a module that scans the program code of the loaded file for known
virus signatures. This module interrupts the GDE process to return it to the
scanner for it to look at the code for signatures. The decision as to when to
interrupt is given by the decision-making mechanism, which may be the most
vital part of the GDE since we want to ensure speed. Thus, the decision of when
to interrupt must be made carefully so that the GDE is used optimally. The GDE
innovation seriously reduces the time taken to analyze polymorphic viruses, from
weeks to minutes.
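As an added illustration (not code from the book or from any antivirus product), the following Python toy reproduces the five parts above in miniature: a software CPU with three registers, an emulated memory, a signature scanner, and a decision mechanism that chooses when to interrupt emulation for a scan. The opcode set, the signature bytes and the self-decrypting sample are all constructed for this example.

```python
# Toy generic decryption engine (GDE): a miniature CPU/memory emulator runs a
# sample's decryptor loop in emulated memory; a decision mechanism chooses when
# to interrupt and hand that memory to a signature scanner. Opcodes, signature
# and sample are all constructed for this example, not a real format.
MOV, XORM, INC0, DEC1, JNZ, HALT = 0x10, 0x20, 0x30, 0x40, 0x50, 0xFF  # MOV r,imm / XOR [R0],R2 / INC R0 / DEC R1 / JNZ imm / HALT
SIGNATURES = {"toy-strain-A": bytes([0xC3, 0xA7, 0x5E, 0x91, 0x4D])}  # constructed plaintext signature

def static_scan(image, signatures=SIGNATURES):
    """Plain signature scanner over a byte image, with no emulation."""
    data = bytes(image)
    return next((name for name, sig in signatures.items() if sig in data), None)

def build_encrypted_sample(key):
    """Constructed sample: 15-byte decryptor loop, then the XOR-encrypted body."""
    body = [b ^ key for b in SIGNATURES["toy-strain-A"]]
    return [MOV, 0, 15, MOV, 1, len(body), MOV, 2, key,   # R0=body, R1=len, R2=key
            XORM, INC0, DEC1, JNZ, 9, HALT] + body        # loop starts at offset 9

def emulate_and_scan(image, signatures=SIGNATURES, max_steps=500, scan_every=4):
    """Emulate the image; return the name of the exposed signature, or None."""
    mem = list(image)          # memory emulator: writes never touch real memory
    reg = [0, 0, 0]            # process emulator: software registers R0..R2
    pc, steps, wrote = 0, 0, False
    try:
        while steps < max_steps and 0 <= pc < len(mem):
            op = mem[pc]
            if op == MOV:
                reg[mem[pc + 1]] = mem[pc + 2]; pc += 3
            elif op == XORM:
                mem[reg[0]] ^= reg[2]; wrote = True; pc += 1
            elif op == INC0:
                reg[0] += 1; pc += 1
            elif op == DEC1:
                reg[1] -= 1; pc += 1
            elif op == JNZ:
                pc = mem[pc + 1] if reg[1] != 0 else pc + 2
            elif op == HALT:
                return static_scan(mem, signatures)  # last look before dropping it
            else:
                return None                          # undecodable: drop the file
            steps += 1
            # Decision mechanism: scan only after a memory write and at an interval.
            if wrote and steps % scan_every == 0:
                wrote, hit = False, static_scan(mem, signatures)
                if hit:
                    return hit
    except IndexError:          # operand or write outside emulated memory: drop
        return None
    return None                 # step budget exhausted, nothing exposed: drop
```

The encrypted sample defeats `static_scan` but is identified by `emulate_and_scan` once the loop has exposed the body; a benign, runaway or truncated image is simply dropped.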
The second type of antivirus device is a comprehensive virus protection
mechanism developed at IBM in the late 1990s. For more data on the original
research papers from IBM and related development go to the following site:
http://www.research.ibm.com/antivirus/ (see footnote 10.29). In 1999, Symantec entered into
a licensing agreement with IBM to market the idea as antivirus software for
business and personal computing, officially released as a commercial product in
October of 2000.
Digital Immune System (DIS): The idea is, as the title suggests, to
mimic the human immune system in a computer so that a virus is automatically
captured as it enters a system, analyzed, and removed, and so that the
system is updated with detection and protection mechanisms (if it is a new
virus). Essentially this builds on the emulation idea described above. The
central goal of the DIS is to drastically reduce the delay time between discovery
of a virus and when a remedy is transmitted to all vulnerable systems. What
we describe here is essentially the version designed by IBM and Symantec.
DIS Closed-Loop Process
We first describe this process, then illustrate the “closed-loop.”
10.29 The idea for a Digital Immune System began with David Chess of IBM in 1991 (see [55]),
then was developed by Kephart and others over a period of years (see [133] for the culmination
of much of that work).