Upload
mukan-kuzey
View
217
Download
0
Embed Size (px)
Citation preview
8/11/2019 Analysis and Detection of Computer Viruses and Worms
1/7
8/11/2019 Analysis and Detection of Computer Viruses and Worms
2/7
output of the analysis phase. A br ief descr ip t ion
of a prototype tool i s al so g iven.
Mat t B i shop , An Overv i ew o f Com put er
Viruses in a Rese arch Envi ronm ent , Techn ical
Repor t b i shop92overview, 1992
h t tp : //www. j a .ne t/CERT/JANET -CERT/
This paper analyzes v i rus in a general
f r amework . A b r i e f h i s to ry o f com pu t er v iru ses
is presented and any presence of threat relevant
t o r esearch and deve l opmen t sys t ems has been
investigated. It exa min es severa l specific areas
on vulnerabi l i ty in research-or iented systems.
Vesse l in Bontchev, Vircing the Invi rcib le,
M ay 1995, Not publ i shed in pr in t, avai lable at
h t tp : / /www.claws-and-paws.com/vi rus/papers/
This i s a detai led technical ev aluat ion of an
exist in g antiviral softwa re, called Invircible. It
reflects on the degre e of responsibil ity, that an
ant iv i rus company needs to shoulder , whi le i t
provides i t s product informat ion to users . The
author has detai led on the test s and procedures
he has used to evaluate Invi rcib le product ' s
claimed features and proves that the claims are
far f rom real ity . The w ri te-up i s o ld in terms of
providing techniques for ant iv i rus sof tware
funct ional i ty but i s s t i l l informat ive on giving
ideas on d esigning ant iv i rus sof tware.
Vesse l in Bontchev, M acro Virus Ident i f icat ion
Problem s, 7 th In ternat ional Virus Bul let in .
Con ferenc e, pp. 175-196, 1997
This p aper d iscusses som e in terest ing theoret ical
problems to ant i -v i rus sof tware. Tw o viral set s of
macros can have comm on subse t s o r one o f the
sets could be a subset of the o ther . The paper
discusses the problems caused by th is . I t
emphasizes the d i f f icul t ies that could be
exploi ted by the v i rus wri ters and methods,
wh ich c ould be fo l lowed to tackle i t.
Vesse l i n Bon t chev , Met hodo l ogy o f Com put er
Ant i -Virus Research, Doc toral Thesis , Facul ty
of Informat ics , U niversi ty of Ham burg, 1998
This thesis i s a detai led wri t ing on computer
vi ruses. I t can be t reated as a def in i t ive text on
under s t and i ng and dea l i ng wi t h compu t er
vi ruses. The important topics d iscussed in th is
work include classi f icat ion and analysis of
computer v i ruses , s tate of ar t in ant i -v i rus
sof tware, possible at tacks against ant i -v i rus
sof tware, tes t methods for ant i -v i rus sof tware
systems and social aspects of v i rus problem. I t
al so discusses useful appl icat ions of sel f -
replicating software.
Vesse l in Bon t chev , Anal ys is and mai n t enance
of a clean virus l ibrary, Proc. 3 d Int . Virus Bull .
Conf., pp. 77-89, 1993
This provides the methods adopted to faci l i tate
t he mai n t enance o f l a rge am oun t s o f d i f fe r en t
vi rus sam ples for the sak e of ant i -v i rus research.
The paper p resen t s gu i de l i nes and p rocedures
used to maintain v i rus col lect ion at the universi ty
o f Hambu rg ' s Vi rus Te s t Cen ter .
Vesse l i n Bon t chev , The Pros and C ons o f
Wo rdBas i c Vi rus Upconver s i on , Vesse l i n
Bontchev, P roceed ings of the 8 th In ternat ional
Virus Bul let in Conference, pp. 153-172, 1998
Th i s paper d i scusses t he e t h i ca l p rob l em faced
by ant i -v i rus researchers due to the automat ic
Upconver s i on o f WordBas i c Vi ruses t o Vi sua l
Basic for Appl icat ions version 5 . Since a macro
v i rus wr i t t en i n one l anguage has be
automat ical ly conver ted to another language i t i s
yet another unique vi rus . Due to th is inherent
f ea t u re o f MS O f f ice 97 , v i ru s r esearchers have
to create new vi rus to prepare an ant idote. A side
effect of th i s act iv i ty has repor tedly been that
these upcon ver t s are created and off icial ly
l i s ted as exis t ing in some ant i -v i rus product
st imulates thei r creat ion and dis t r ibut ion by the
v i rus exchange peop l e . The au t ho r has g i ven
suggested solut ions for th i s problem.
Vesse l i n Bon t chev , Fu t u re Trends in Vi rus
W ri t ing, 4 th In ternat ional Virus Bul let in
Conference, pp. 65-82, 1994.
Th i s paper summ ar i zes som e i deas tha t a r e l i ke ly
t o be used by v i rus wr i t e r s i n t he fu t u re and
sugges ts t he k i nd o f measu res t ha t cou l d be t aken
against them.
Vessel in Bontch ev, Possible Virus At tacks
Agai ns t In t eg ri t y Prog rams And H ow t o Preven t
Them, Proceed i ngs o f t he 6 t h In t e rna t iona l
Virus Bul let in Conference , pp. 97-127, 1996.
Th i s paper d i scusses t he w ays o f a t t ack ing one o f
t he m os t power fu l met hods o f v iru s de t ec t ion on
integr i ty checking programs. I t demonst rates
wha t can be done a gainst these at tacks.
Dav i d M. Chess , V i rus Ver i fi ca t ion and
Rem oval Too l s and Techn i ques , H i gh In t eg ri ty
Comput i ng Lab , IBM T. J . Wat son Research
Center , Post Off ice Box 218, York town Heights ,
NY , USA, Novem ber 18 , 1991 .
ww w. research, ibm. com/ant iv i rus/SciPapers/Che
ss/CHESS/chess .h tml
A C M S I G P L A N N o ti c es
30
V . 3 7 ( 2 ) F e b r u a r y 2 2
8/11/2019 Analysis and Detection of Computer Viruses and Worms
3/7
This paper describes VERV, A Prototype Virus
Verifier and Remover, and a Virus Description
Language for VERV.
David Chess, Future of Viruses on the
Internet, Virus Bulletin Conference, San
Francisco, California, October 1-3, 1997.
This paper discusses the role of the Internet in
the Virus problem. It reasons for the availability
of better-equipped crisis teams that may arise
due to the continued growth of the Internet.
Integrated mail systems and the rise in mobile
program systems on the Internet have impacted
the trends in virus spread. The deployment of
network aware software systems on the Internet
has contributed positively to the spread of
network-aware virus. The paper briefly lists
some generic features of the software, which aid
in virus spread.
David M Chess and Steve R. White, An
Undetectable Computer Virus, Virus Bulletin
Conference, September 2000
This paper extends Fred Cohen's demonstration
on computer Viruses that there is no algorithm
that can perfectly detect all possible viruses. This
paper points out that there are computer viruses,
which no algorithm can detect, even under
somewhat more liberal definition of detection.
Fred Cohen, A Formal Definition of Computer
Worms and some related Results, Computers
and Security, Vol. 11, pp. 641-652 (1992)
A formal definition for computer worms has
been presented. The definition is based on
Turing's model of computation.
Fred Cohen, Computational Aspects of
Computer Viruses, Computers and Security,
Vol. 8, No. 4., page 325, 1 June 1989.
It presents a model for defining computer
viruses. It formally defines a class of sets of
transitive integrity-corrupting mechanisms called
viral-sets and explores some of their
computational properties.
Fred Cohen, Computer Viruses-Theory and
Experiments, Computers and Security, Volume
6 (1987), Number 1, pp. 22-35.
This paper brought the term computer viruses
to general attention. It describes computer
viruses and also describes several experiments in
each of which all system rights were granted to
an attacker in under an hour.
Fred Cohen, Computer Viruses, Ph.D. thesis,
University of Southern California, 1985.
This is the first formal work in the field of
computer viruses.
Fred Cohen, Models of Practical Defenses
Against Computer Viruses , Computers and
Security, Vol. 8, pp. 149-160 (1989)
This paper models complexity based virus
detection mechanisms, that detect modifications
and thereby prevent computer viruses from
causing secondary infections. These models are
then used to show how to protect information in
both trusted and untrusted computing bases,
show the optimality of these mechanisms, and
discuss some of their features. The models
indicate that we can cover changes at all levels of
interpretation with a unified mechanism for
describing interdependencies of information in a
system and discuss the ramifications of this
unification in some depth.
George I. Davida, Yvo G. Desmedt, and Brian J.
Matt, Defending Systems Against Viruses
through Cryptographic Authentication,
Proceedings of the 1989 IEEE Symposium on
Computer Security and Privacy, pp. 312-318,
1989
This paper describes the use of cryptographic
authentication for controlling computer viruses.
The objective is to protect against viruses
infecting software distributions, updates, and
programs stored or executed on a system. The
authentication scheme determines the source and
integrity of an executable, relying on the source
to produce virus-free software. The scheme
presented relies on a trusted device, the
authenticator, used to authenticate and update
programs and convert programs between the
various formats. In addition, each user' s machine
uses a similar device to perform run-time
checking.
M. Debbabi et al., Dynamic Monitoring of
Malicious Activity in Software Systems,
Symposium on Requirements Engineering for
Information Security (SREIS'01), Indianapolis,
Indiana, USA, March 5-6, 2001.
The authors discuss a dynamic monitoring
mechanism, comprising of a watchdog system,
which dynamically enforces a security policy.
The authors reason this approach by stating that
static analysis technique will not be able to
detect malicious code inserted after the analysis
has been completed. This paper discusses a
dynamic monitor called DaMon. This is capable
ACM SIGPLAN Notices 31 V. 37(2) February 2002
8/11/2019 Analysis and Detection of Computer Viruses and Worms
4/7
of s topping cer tain mal icious act ions based on
the com bined ac cesses to cr i t ical resources ( f i les ,
com mun icat ion por t s , regis try , processes and
threads) according to rudimentary specifications.
Denning, P. , The Science of Comput ing: T he
Internet W orm, Am erican Scient is t , Vol. 77 ,
No. 2 , Pages 126-128, March 1989.
A wri te-up on the November 1988 Internet
W orm incident . This pa per g ives a br ief note on
how the In ternet W orm w orked. I t al so d iscusses
the concerns ar i s ing due to the worm incident on
the n etworks o n wh ich com merce , t ransportation,
uti li t ies, defen se, space fl ight and other cri t ical
act iv i ties depended.
Ma rk W. Ei ch i n and Jon A. Roch l i s
W i t h Mi croscope and Tweezer s : An Anal ys i s o f
the In ternet Vi rus of No vem ber 1988,
Ma ssachuse t t s Inst itu te of Techno logy,
Cambridge, MA , February 9, 1989
This paper def ines the In ternet W orm as a
Virus. Rea soning has been presented to
substan tiate this classification. It discus ses the
goals of the teams w orking on the Virus, an d the
met hods t hey empl oyed , and summar i zes what
the vi rus d id and did not actual ly do. The paper
discusses in more detai l the s t rategies i t
employed, the speci f ic at tacks i t used, and the
effect ive and ineffect ive defenses proposed by
the communi ty against i t . I t descr ibes how the
g roup a t MIT found ou t and r eac t ed t o t he
Virus cr i s i s of 1988. It d iscusses the f laws that
were exploi ted to at tack systems and propagate
across the In ternet. I t al so enumerates m ethods
of prevent ing future at tacks a nd problems.
Gl e i s sner W, A Mat hemat i ca l Theory fo r t he
Spread o f Com put er Vi ruses , Comput er s and
Security, V ol. 8, No. 1, Pag e 35, 1 Feb ruary
1989.
No description available.
J . D. Howard. An Analysis of Secur i ty Incidents
on the In ternet 1989-1995, Ph.D. Disser tation,
Carnegie Mel lon Universi ty : Carnegie Inst i tu te
of Technology, April 1997
This d isser tat ion analyses the t rends in the
Internet Secu rity by investiga ting 4,299 securi ty-
related incidents on the In ternet repor ted to the
CERT Coord i na t i on Cen t er (CERT/CC) f rom
1989 to 1995.
C. Ko, G. Fink, and K. Levi tt . Autom ated
detect ion of vulnerabi l i t i es in pr iv i leged
program s by execut ion moni tor ing, In Proc. 10 h
Annual Computer Secur i ty Appl icat ion Conf . ,
pp. 134-144, Orlando, FL, December 1994.
This paper uses concepts of solving Int rusion
Detect ion Problems to detect vulnerabi l i t i es in
programs dur ing execut ion. Since the in tended
behav i o r s o f p r i v il eged p rog rams are ben i gn , a
p rog ram po l i cy has been deve l oped t o descr i be
this behavior , using a program pol icy
speci f icat ion language. Speci f icat ions of
p r i v i l eged p rog rams i n Un i x have been
presented, along wi th a prototype execut ion
moni tor , to analyze the audi t t rai l s wi th respect
to this specification.
Jeff rey O K ephar t and Steve R. Whi te,
Measu r i ng and Model i ng Comput er Vi rus
Preva l ence , P roceed i ngs o f t he 1999 IEEE
Comput er Soc i e t y Sympos i um on Research i n
Secu rity and Privac y, Oa kland , California, pp. 2-
14, M ay 24-25, 1993
Th i s paper i n t roduces t wo new ep i demi o l og i ca l
mod els of com puter v i rus spread. Only a smal l
f r ac ti on o f a l l w el l -known v i ruses have appeared
in real incidents , par t ly beca use ma ny vi ruses are
below the theoret ical epidem ic threshold . Mod els
o f l oca l i zed so f t ware exchange can exp l a i n t he
observed sub-ex ponent ial rate of v i ral spread.
Jeff rey O. Kepha r t , G regory B. Sorkin, M orton
Swi mm er , and S t eve R . W hi t e B l uep r i n t fo r a
Com put er Imm une Sys t em, Vi rus Bu l l e ti n
Internat ional Conference San Francisco,
California, October 1-3, 1997
Since the in ternet wi l l provide a fer t i le medium
for new b reeds o f compu t er v i ru ses, t he au t ho rs
have descr i bed a i mmune sys t em fo r compu t er s
t ha t senses t he p resence o f a p rev i ous l y unknown
pathogen that wi th in minutes , automat ical ly
der ives and deploys a prescr ip t ion for detect ing
and r emov i ng t he pa t hogen
Jeff rey O. Kephar t and Steve R. Whi te,
Di rec t ed -Graph Ep i demi o l og i ca l Model s o f
Com put er Vi ruses, P roceed i ngs o f t he 1991
IEEE Comput er Soc i e t y Sympos i um on
Research i n Secu r i t y and Pr i vacy , Oak l and ,
California, M ay 20-22, 1991
Th i s paper p resen t s a de t a il ed s t udy o f compu t er
vi rus epidemics. I t presents a theoret ical v iew of
the vi ral propagat ion using determinist ic and
stochast ic approaches. I t s tudies the condi t ions
under which vi ral epidemics are l ikely to occur .
I t argues that an imperfect defense against a
com puter v i rus ca n s t il l be h ighly ef fect ive in
p reven t ing wi desp read p ropagat i on p rov i ded t ha t
A C M S I G P L A N N o t i c e s 3 2 V . 3 7 ( 2 ) F e b r u a r y 2 0 0 2
8/11/2019 Analysis and Detection of Computer Viruses and Worms
5/7
infect ion rate does not exceed a wel l -def ined
threshold.
Jeff rey O. Kephar t , Bi l l Arnold , Autom at ic
Ext ract ion of Computer Virus Signatures ,
Proceedings of the 4 th V irus Bul let in
Internat ional Conference, R. Ford, ed . , Vi rus
Bullet in Ltd., Abingdon, England, pp. 178-184,
1994
This p aper d iscusses the idea of automat ical ly
ident i fy ing vi ral s ignatures f rom machine code
using statistical methods.
Paul Kerchen, Raymond Lo, John Crossley ,
Grigory Elkinbard, Karl Levit t , Ronald Olsson,
Stat ic Analysis Virus Detect ion Tools For Unix
Systems, Proceed ings of the 13th Nat ional
Com puter Secur i ty Conference, pages 350-- 365,
1990.
This paper proposes two heur is t ic tools the use
stat ic analysis and ver i f icat ion techniques for
de t ec t i ng compu t er v i ru ses i n a UNIX
environment. The tools should be used to detect
infected programs be fore thei r instal lat ion. The
first tool , detec tor , searc hes for duplic ate
system cal ls in the com pi led and l inked program,
the secon d tool, Fil ter , uses stat ic analys is to
determine al l of the f iles, w hich a program m ay
wri te to . By f inding out the f i les to which the
p rog ram can o r canno t w r it e , the p rog ram can be
ident i fied as a mal icious or benign.
Sandeep Kum ar , Euge ne Spafford , Gen er ic
Virus Sca nner in C++, Proceedings of the 8 h
Com puter Secur i ty Appl icat ions Conference, pp.
210-219, Coast TR 92-01, 2-4 Dec 1992
This paper d iscusses a gener ic v i rus detect ion
tool designed for recognizing vi ruses across
different platforms. The pa per ini tial ly discuss es
var ious me thods of v i rus detect ion and then
descr ibes a gener ic s ignature scanner as an ant i -
virus tool.
Bu t l e r W. Lampson , A No t e on t he
Confinem ent Problem, Xerox, Palo Al to Center ,
Comm uni ca ti ons o f the AC M, Vo l . 16, No 10 . ,
1973
This pa per explores the problem of conf ining a
program dur ing i t s execut ion so that i t cannot
leak informat ion to any other program e xcept i t ' s
cal ler . A few ways of the above ment ioned
i n fo rmat i on l eakage p rob l em have been g i ven
wi th solut ions to prev ent i t .
W enke Lee and Salvatore J . Stolfo Da ta
Mining Approaches for In t rusion Detect ion,
Proceed i ngs o f the 7 t h USE NIX Secur it y
Sympos i um, 2000
This paper d iscusses research in developing
general and systemat ic methods for In t rusion
Detect ion. Ideas f rom pat tern recogni t ion and
mach i ne l earn i ng have been used t o d i scover
p rog ram and user behav i o r . D i scovered sys t em
features have been used to compute induct ively
learned classi f iers that can ident i fy anomal ies
and known intrusions.
R. W. Lo, K. N. Levit t , and R. A. Olsson. MC F:
A M al icious Code Fi l ter , Com puters and
Security, 14(6): 541-566, 1995.
This paper d iscusses a programmable s tat ic
Analysis tool cal led Ma l icious Code Fil ter ,
MCF, to detect mal icious code and secur i ty
related vulnerabi l i t i es in system programs. The
M C F u s e s
t e l l t a l e
signs to determine whether a
program is mal icious wi thout requi r ing a
programmer to provide a formal speci f icat ion.
Program sl icing techniques are used to reason
about
t e l l t a l e
m aliciou s properties. By
combi n i ng t he t e l l t a l e s i gn app roach wi t h
program slicing, a sm al l subset of a large
p rog ram can be exami ned fo r mal i c i ous
behav i o r . The paper a l so d i scusses how t he
approach can be defea t ed and t hen d i scusses a
countermeasure.
John P. McDermot t and Wil l iam S. Choi ,
Taxonomy o f Comput er P rog ram Secur i t y
Flaws, AC M Com put ing Surveys, 26(3) : 211-
254, 1994.
This paper def ines secur i ty f laws as any
condi t ions or ci rcumstances that can resul t in
denial o f service, unau thoriz ed disclosure,
unauthor ized dest ruct ion of data, or unauthor ized
mod i f i ca ti on o f da t a . The t axonomy def i ned i n
this paper organizes informat ion about f laws so
t ha t as new f l aws a re added user s wi l l ga i n a
fu l l e r under s t and i ng o f wh i ch par t s o f sys t ems
and which par t s of the system l i fe cycle are
generat ing more secur i ty f laws than others . The
me thodology i s s imi lar to the one developed by
Research i n Secu red Opera t ing Sys t ems (RISOS)
project and Protect ion Analysis project
conducted by Informat ion Sciences Inst i tu te of
the Universi ty of Southern Cal i fornia, both of
whom a t t empt ed t o charac t e r i ze opera t i ng
system securi ty flaws.
John F. Mo rar , Da vid M Chess, Can
Cryp t og raphy Preven t Comput er Vi ruses? Vi rus
Bul let in Conference, September 2000
A C M S I G P L A N N o t i c e s 3 3 V . 3 7 ( 2 ) F e b r u a r y 2 0 0 2
8/11/2019 Analysis and Detection of Computer Viruses and Worms
6/7
The relationship between cryptography and virus
prevention is complex. Solutions to the virus
prevention problem involving cryptography have
been proposed, though these solutions do not
contribute much to the prevention techniques
prevalent at present. This paper discusses the
role of encryption in the field of virus authoring
and in the field of Anti-Virus research.
Maria M. Pozzo and Terence E. Gray, An
Approach to Containing Computer Viruses,
Computers and Security, Volume 6 (1987), No.
4, pp. 321-331.
This paper presents a mechanism for containing
the spread of computer viruses by detecting at
run-time whether or not an executable has been
modified since its installation. The detection
strategy uses encryption and is held to be better
for virus containment than conventional
computer security mechanisms, which are based
on the incorrect assumption that preventing
modification of executables by unauthorized
users is sufficient. Although this detection
mechanism is most effective when all the
executable on a system are encrypted, a scheme
is presented that shows the usefulness of the
encryption approach when this is not the case.
J. Reynolds, The Helminthiasis of the Internet,
RFC1135, Information Systems Institute,
University of Southern California, Dec 1989
This RFC summarizes the infection and cure of
the Internet Worm. It discusses the impact of the
worm on the Internet community, ethics
statements, role of the news media, rime in the
computer world, and filture prevention of such
incidents. This RFC also reviews four
publications that describe in detail, the computer
program (a.k.a. Internet Worm or Internet Virus)
that infected the Internet in the evening of
November 2, 1988
Fred Schneider. Enforceable Security Policies.
Cornell University,
http://cstr , cs. co rn ell , edu: 80/Dienst/U1/1. O/Displ
_qy_/ncstrLc o r n e l l / T R 9 9 - 1 7 5 9
A precise characterization is given for the class
of security policies enforceable with mechanisms
that work by monitoring system execution.
Security automata are introduced for specifying
exactly the class of security policies discussed.
Techniques to enforce security policies specified
by such automata are also discussed.
Mathew G. Schultz, Eleazar Eskin, Erez Zadok
and Salvatore J. Stolfo, Data Mining Methods
for Detection of New Malicious Executables,
Computer Science Department, Columbia
University, New York, USA.
This paper presents a framework for detection of
malicious executables with viral characteristics.
The motivation for this work is that signatures
for new viruses are not known and hence the data
mining technique presented in this work will be
able to solve this problem in a better way than
the current signature-based methods of virus
detection. The paper compares results of
traditional signature based methods with the
other learning algorithms. The Multi-Naive
Bayes method had the highest accuracy and
detection rate over unknown programs and had
double the detection rates of signature-based
methods.
John F. Shoch and Jon A. Hupp, The Worm
Programs-Early Experience with a Distributed
Computation, CACM, 25(3): 172-180, 1982
This is an exploratory paper for its time. This
paper discusses issues found in the early
exploration of distributed computing. Authors
talk about the motivations and definitions for a
worm program from the distributed computation
perspective. Not much work had been done in
building distributed systems in 1982. The
authors wanted to obtain real experience (similar
to Arpanet routing and Grapevine). The worm is
a computation that lives on one or more
machines. The piece on an individual computer
is a segment. The segments maintain
communications, so that if one fails another can
be started in its place on another machine.
They also talk about the protocols and problems
in controlling the growth of worm programs.
Multi-casting is used to maintain
communication. If a host is not heard for a
period of time it is assumed dead and removed
from the worm. A specified segment is given the
responsibility for finding a new idle machine.
The biggest problem is controlling growth while
maintaining stable behavior. A few applications
of the worm programs are also discussed.
Eugene H. Spafford, The Internet Worm
Program: A n Analysis, ACM Computer
communication review, 19(1), pp. 17-57, Jan
1989
This paper is an analytical commentary on the
Internet Worm program, which infected the
Internet on the evening of November 2na1988.
The paper defines Worms and Viruses. It
discusses the flaws in computer systems that
were exploited by the Worm to spread across the
ACM SIGPLAN Notices 34 V. 37(2) February 2002
8/11/2019 Analysis and Detection of Computer Viruses and Worms
7/7
Internet. Patches to these flaws are also
discussed. A high level description of the
functioning of the Worm program is also
provided. The paper then carries a detailed
analysis of the Worm.
Eugene H. Spafford, Computer Viruses as
Artificial Life, Department of Computer
Sciences, Purdue University, West Lafayette, IN
47907-1398, COAST TR 94-02, 1994
This paper talks about how computer viruses
operate, their history, and the various ways
computer viruses are structured. It then examines
how viruses meet properties associated with life
as defined by some researchers in the area of
artificial life and self-organizing systems. The
paper concludes with some comments directed
towards the definition of artificially alive
systems and related experiments.
Gerald Tesauro, Jeffrey O. Kephart, Gregory B.
Sorkin, Neural Network for Computer Virus
Recognition, IEEE Expert, vol. 11, no. 4, pp. 5-
6, Aug 1996
This paper describes a neural network for generic
detection of boot sector viruses that infect the
boot sector of a floppy disk or a hard drive.
K Thompson, Reflections on Trusting Trust,
Comm. ACM 27(8), 761-763 (August 1984)
This ACM classic highlights the issues of
trusting a third party. Thompson explains how a
b a c k d o o r can be inserted in a C compiler, which
in turn will insert a
b a c k d o o r
in the Unix login
program. The
b a c k d o o r
may give unauthorized
access into a system.
David Wagner, Drew Dean, Intrusion Detection
via Static Analysis, IEEE Symposium on
Security and Privacy, May 2001
This paper describes static analysis methods for
host based intrusion detection using program
specification for its internal behavior. The
specification is automatically derived for the
program under analysis. It involves a
combination of dynamic monitoring and static
analysis to reduce false alarms during detection.
Ian Whalley, Bill Arnold, David Chess, John
Morar, Alia Segal, Nortan Swimmer, An
Environment for controlled Worm Replication
and Analysis or: Internet-inna-Box, Virus
Bulletin Conference, September 2000
The paper outlines a functional prototype of a
worm replication system. Techniques and
mechanisms for constructing and utilizing an
environment enabling the automatic examination
of worms and network bases viruses have been
described. The paper involves a very brief
description of some well-known worms from the
past and the present. It elaborates on techniques
used by worms to spread across networks.
Finally an anatomy of the worm replicator
system is presented.
Steve R. White, Open Problems in Computer
Virus Research, Virus Bulletin Conference,
Munich, Germany, October 1998
This paper identifies some challenging open
issues on computer virus detection and
protection. It lists out five problems in this field,
namely, Development of New Heuristics for
virus detection, the study of viral spread and
epidemiology, deploying distributed digital
immune system for detecting new viruses,
detection of worm programs and proactive
approaches towards detection of virus programs.
Tarkan Yetiser, Polymorphic Viruses,
Implementation, Detection and Protection,
VDS Advanced Research Group, P.O. Box 9393,
Baltimore, MD 21228, USA.
http://www.bocklabs.wisc.edu/-janda/polymorph
.html
Discusses Polymorphic viruses and engines. It
looks at general characteristics of polymorphism
as currently implemented.
ACM SIGPLAN Notices 35 V. 37(2) February 2002