in a Disk Operating System (DOS) environment with different viruses, including file-infector and boot-sector virus samples, and the reported results showed that the method could detect modifications in the data files due to virus infection. When compared to other virus detection methods, this algorithm exhibits several advantages over the existing change detection methods: it is probabilistic and tunable (the probability of detection can be traded off against central processing unit [CPU] time), it can be distributed (providing high system-wide reliability at low individual cost), and it can detect novel viruses that have not been identified previously (Forrest et al., 1994).
However, because the stored information in a computer system is volatile in nature, the definition of self in computer systems should be more dynamic than the biological notion of self. For example, computer users routinely load in updated software systems, edit files, or run new programs. Therefore, this implementation seems to have limited use (only to protect static data files or software).
7.2.2 An Alternative Approach to Virus Detection
Kephart (1994) proposed a different immunologically inspired approach (based on instruction hypothesis) for virus detection. In this approach, known viruses are detected by their computer-code sequences (signatures) and unknown viruses by their unusual behavior within the computer system. This virus detection system continually scans a computer's software for typical signs of viral infection. These signs trigger the release of “decoy programs” whose sole purpose is to become infected by the virus. Specifically, a diverse suite of decoy programs is kept at different strategic areas in the memory (e.g., home directory) to capture samples of viruses. According to the author, decoys are designed to be as attractive as possible to trap those types of viruses that spread most successfully. Each of the decoy programs is examined from time to time to see if it has been modified. If one or more have been modified, it is almost certain that an unknown virus is loose in the system, and each of the modified decoys contains a sample of that virus. In particular, the infected decoys are processed by “the signature extractor” to develop a recognizer for the virus. It also extracts information from the infected decoys about how the virus attaches to its host program (the attachment pattern of the virus), so that infected hosts can be repaired. The signature extractor must select a virus signature (from among the byte sequences produced by the attachment derivation step) such that it avoids both false negatives and false positives while in use. In other words, the signature must be found in each instance of the virus, and it must be very unlikely to be found in uninfected programs. Once the best possible signature is selected from the candidate signatures of the virus, it is run against a half-gigabyte corpus of legitimate programs to make sure that it does not cause a false positive. The repair information is checked by testing on samples of the virus, and further by a human expert.
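The signature-extractor logic described above, as an added toy illustration (not Kephart's code): candidate signatures are byte strings common to every infected decoy (no false negatives), candidates found anywhere in the clean corpus are discarded, and the survivor built from the rarest byte trigrams in legitimate code is selected. The virus body, decoy contents and the two-program "corpus" are constructed byte strings, and trigram counting stands in for Kephart's probability estimate.

```python
# Constructed viral code, attached to three different hosts in the decoys below.
VIRUS_BODY = b"\xe8\x00\x00\x5d\x81\xed\x03\x01\x8d\x9d\x2b\x01\xb4\x09\xcd\x21"

# Constructed infected decoys: same virus, different host bytes around it.
INFECTED_DECOYS = [
    b"\xb8\x00\x4c\xcd\x21host A" + VIRUS_BODY,
    b"\xb4\x09\xcd\x21decoy number two" + VIRUS_BODY + b"\xc3",
    b"\x90\x90" + VIRUS_BODY + b"host C tail",
]
# Constructed stand-in for the corpus of legitimate programs.
CLEAN_CORPUS = [
    b"\xb4\x09\xcd\x21 hello world\xc3",
    b"\xe8\x00\x00\x5d\x81\xed normal code",
]

def ngrams(data: bytes, n: int) -> set:
    """All length-n byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def candidate_signatures(samples, n=8):
    """Length-n byte strings present in every infected sample (no false negatives)."""
    sets = [ngrams(s, n) for s in samples]
    return set.intersection(*sets) if sets else set()

def corpus_trigram_score(candidate: bytes, corpus_trigrams: set) -> int:
    """Number of the candidate's 3-byte pieces that also occur in legitimate code.
    Lower means the candidate is less likely to match an uninfected program."""
    return sum(1 for t in ngrams(candidate, 3) if t in corpus_trigrams)

def select_signature(samples, corpus, n=8):
    """Drop candidates that occur in the corpus (false positives on it), then
    prefer the survivor made of the rarest trigrams; ties break on byte order."""
    survivors = [c for c in candidate_signatures(samples, n)
                 if not any(c in program for program in corpus)]
    if not survivors:
        return None
    corpus_trigrams = set().union(*(ngrams(p, 3) for p in corpus))
    return min(survivors, key=lambda c: (corpus_trigram_score(c, corpus_trigrams), c))

def infected(program: bytes, signature: bytes) -> bool:
    """The recognizer: a program is flagged if it contains the signature."""
    return signature in program

if __name__ == "__main__":
    sig = select_signature(INFECTED_DECOYS, CLEAN_CORPUS)
    print("signature:", sig.hex())
    print("decoys flagged:", [infected(d, sig) for d in INFECTED_DECOYS])
    print("clean flagged:", [infected(p, sig) for p in CLEAN_CORPUS])
```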