ANTI-VIRUS
BRIEF INTRODUCTION
Antivirus software has existed since shortly after computer viruses first appeared. Generic virus-detection programs can monitor a computer system for virus-like behaviour, and they can periodically check programs for suspicious modifications. Such software can even detect hitherto unknown viruses, but it can also be prone to false alarms, because some legitimate activities resemble viruses at work.
Scanning programs, in contrast, search files, boot records and memory for specific patterns of bytes indicative of known viruses. To stay current they must be updated whenever new viral strains arise, but they only rarely raise false alarms. The viral signatures these programs recognize are quite short: typically 16 to 30 bytes out of the several thousand that make up a complete virus.
IDENTIFYING VIRUSES
It is more efficient to recognize a small fragment than to verify the presence of an entire virus, and a single signature may be common to many different viruses. Most computer-virus scanners use pattern-matching algorithms that can scan for many different signatures at the same time: the best can check for 10,000 signatures in 10,000 programs in under 10 minutes.
Once a virus has been detected, it must be removed. One brutal but effective technique is simply to erase the infected program, but on a real system programs and documents are rarely so expendable. As a result, antivirus programs do their best to repair infected files rather than destroy them.
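As an added example (not code from the article or from the authors' own scanner), here is a multi-signature scanner of the kind the paragraphs above describe: an Aho-Corasick automaton that checks a byte stream for every loaded signature in a single pass, so the cost of a scan does not grow with the number of signatures. The signature database and the sample files are constructed for the example; the byte strings are invented and are not real virus signatures.

```python
from collections import deque

# Constructed signature database for this example. These byte strings are
# invented for illustration and are NOT real virus signatures.
SIGNATURES = {
    "Demo.Alpha": bytes.fromhex("e80000005e81ee0301b9100000bf0001f3a4"),
    "Demo.Beta":  bytes.fromhex("b802358b1ecd21890e1c01"),
    "Demo.Gamma": bytes.fromhex("fa8cc88ed88ed0bc000168be0100"),
}


class SignatureScanner:
    """Aho-Corasick automaton: scans a byte stream once, in a single pass,
    no matter how many signatures are loaded."""

    def __init__(self, signatures):
        self.goto = [{}]   # per-state transitions: byte -> next state
        self.fail = [0]    # failure link per state
        self.out = [[]]    # (name, length) pairs reported at each state
        for name, sig in signatures.items():
            state = 0
            for b in sig:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append((name, len(sig)))
        # Breadth-first pass to set failure links and merge outputs, so a
        # signature that ends inside another one is still reported.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan_stream(self, chunks):
        """Scan an iterable of byte chunks (e.g. a file read in blocks).
        The automaton state carries across chunk boundaries, so a signature
        split between two reads is still found. Returns (offset, name)."""
        hits = []
        state = 0
        base = 0
        for chunk in chunks:
            for i, b in enumerate(chunk):
                while state and b not in self.goto[state]:
                    state = self.fail[state]
                state = self.goto[state].get(b, 0)
                for name, length in self.out[state]:
                    hits.append((base + i - length + 1, name))
            base += len(chunk)
        return hits

    def scan(self, data):
        return self.scan_stream([data])


def chunked(data, size):
    """Split data into fixed-size blocks, as a file reader would."""
    return [data[i:i + size] for i in range(0, len(data), size)]


SCANNER = SignatureScanner(SIGNATURES)

# Constructed "programs": a harmless byte blob, and the same blob with the
# Demo.Beta pattern spliced in at offset 50.
CLEAN_SAMPLE = b"MZ" + b"\x90" * 120 + b"Hello, world.\r\n$"
INFECTED_SAMPLE = CLEAN_SAMPLE[:50] + SIGNATURES["Demo.Beta"] + CLEAN_SAMPLE[50:]

if __name__ == "__main__":
    print(SCANNER.scan(CLEAN_SAMPLE))                         # []
    print(SCANNER.scan(INFECTED_SAMPLE))                      # [(50, 'Demo.Beta')]
    print(SCANNER.scan_stream(chunked(INFECTED_SAMPLE, 53)))  # same hit, read in 53-byte blocks
```

The chunked scan is the practical caveat: a scanner that reads a file in blocks and resets its matcher at each block boundary misses any signature that straddles two blocks, which is why the automaton state is carried across chunks here. The reported offset is where the signature starts, which is what a removal prescription needs.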
PROCESS
If a virus-specific scanning program detects an infected file, it can usually follow a detailed prescription, supplied by its programmers, for deleting the viral code and reassembling a working copy of the original. There are also generic disinfection techniques that work equally well for known and unknown viruses. One method we developed gathers a mathematical fingerprint for each program on the system. If a program subsequently becomes infected, our method can reconstitute a copy of the original.
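The fingerprint-and-reconstitute method above is described only in outline, so the following is an added illustration of the idea, not the authors' actual method: an integrity checker that records, for each program, its length, its first 16 bytes verbatim and a hash of the rest, and that later searches an altered file for a window whose body still hashes to the stored value. The three layouts it handles (virus appended, virus prepended, header patched with a jump and virus appended) are assumed for the example, and the sample program and virus body are constructed bytes.

```python
import hashlib

HEAD_LEN = 16  # bytes of the program header kept verbatim in the fingerprint


def fingerprint(program: bytes) -> dict:
    """Record what is needed to recognise the original program later: its
    length, its first HEAD_LEN bytes verbatim (the part an infector most
    often overwrites with a jump to itself), and a hash of the rest."""
    return {
        "length": len(program),
        "head": program[:HEAD_LEN].hex(),
        "body_sha256": hashlib.sha256(program[HEAD_LEN:]).hexdigest(),
    }


def is_unmodified(program: bytes, fp: dict) -> bool:
    """The periodic check: has the program changed since it was fingerprinted?"""
    return fingerprint(program) == fp


def restore_original(suspect: bytes, fp: dict):
    """Generic disinfection for infection layouts in which the original body
    survives contiguously inside the infected file: virus prepended, virus
    appended, or header patched and virus appended. Slides a window of the
    original length over the file; the window whose body hashes to the
    stored value is the original, with the stored header put back in front.
    Returns None when no window matches (an unknown layout, or a legitimate
    update, which needs a fresh fingerprint taken from a trusted state)."""
    n = fp["length"]
    head = bytes.fromhex(fp["head"])
    for off in range(len(suspect) - n + 1):
        body = suspect[off + HEAD_LEN: off + n]
        if hashlib.sha256(body).hexdigest() == fp["body_sha256"]:
            return head + body
    return None


# Constructed sample program and a constructed "virus body" (just bytes, not code).
ORIGINAL = b"MZ" + bytes(range(256)) * 2 + b"end of program"
VIRUS_BODY = b"\x00VIRUS\x00" * 6

FP = fingerprint(ORIGINAL)
APPENDED = ORIGINAL + VIRUS_BODY
PREPENDED = VIRUS_BODY + ORIGINAL
# Entry point overwritten with a 3-byte jump, body appended: the classic .COM infector layout.
PATCHED = b"\xe9\x00\x02" + ORIGINAL[3:] + VIRUS_BODY
# Same file after a legitimate update (one byte changed deep in the body): no window will match.
UPDATED = ORIGINAL[:100] + b"\xff" + ORIGINAL[101:]

if __name__ == "__main__":
    for label, sample in [("appended", APPENDED), ("prepended", PREPENDED),
                          ("patched", PATCHED), ("updated", UPDATED)]:
        restored = restore_original(sample, FP)
        print(label, "restored" if restored == ORIGINAL else "cannot restore")
```

Two practical points. The fingerprint database has to be protected at least as well as the programs it describes (stored read-only, or signed), because an attacker who can rewrite it simply re-fingerprints the infected file; and a legitimate update produces exactly the "modified, cannot restore" verdict, which is the false-alarm case the introduction mentions, so fingerprints are refreshed only from a state known to be clean. Hashing every window is quadratic; a production checker would use a cheap rolling checksum to pick candidate offsets and confirm with the strong hash.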
Virus-specific detection and removal techniques require detailed analysis of each new virus as it is discovered. Experts must identify unusual sequences of instructions that appear in the viral code but not in conventional programs, a process that relies on carefully developed knowledge and intuition. They also must develop a prescription for verifying and removing the virus from any infected host. To keep up with the influx of half a dozen new viruses a day, anti-virus technologists have developed automated tools and procedures to assist human virus experts or even replace them.
In another twist on the biological metaphor, virus hunters have learned to exploit the fact that programmers often make new computer viruses from key parts of existing ones. These viral "genes" enable us to trace the evolutionary history of computer viruses, in the same way that biologists determine the family trees of related species. By processing large collections of viral code, we can automatically derive a set of family signatures that catches all the different members of a viral family, including previously unknown variants. This technique reduces signature storage requirements substantially: a single 20-byte family signature can recognize dozens of distinct viruses.
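An added example of deriving a family signature automatically (an illustration written for this page, not the authors' tool): given several members of a family and a corpus of clean programs, it returns the longest byte string shared by every member that occurs in none of the clean programs. The variants, the clean programs and the two shared byte strings GENE and STUB are all constructed; STUB stands for a routine that the family shares with ordinary software, to show why the clean corpus has to be consulted before a shared string is accepted as a signature.

```python
# Constructed byte strings standing in for code. GENE plays the shared "gene"
# every family member carries; STUB plays a runtime routine shared by the
# family AND by ordinary programs. Neither is taken from a real virus.
GENE = bytes.fromhex("b44ecd21720ab43dcd21720493b440cd21b43ecd21ebf190")
STUB = bytes(range(0x60, 0x7c))

VARIANTS = [
    b"\xeb\x10" + b"\x41" * 20 + GENE + b"\xc3" + STUB + b"\x00" * 8,
    b"\xe8\x00\x00" + b"\x42" * 25 + GENE + b"\xcb" + b"\x11" * 4 + STUB,
    b"\x42" * 10 + GENE + b"\x90\x90" + STUB + b"\xc3",
]
BENIGN_CORPUS = [
    b"MZ" + b"\x00" * 30 + STUB + b"Hello, world.",
    b"\x7fELF" + b"\x01" * 40 + STUB,
]
UNSEEN_VARIANT = b"\x43" * 7 + GENE + b"\xcf" + STUB   # a member not used for derivation


def derive_family_signature(variants, benign_corpus, min_len=16):
    """Longest byte string present in every family member but absent from
    every benign program. Candidates are drawn from the shortest member,
    longest first, so the first qualifying candidate is the answer.
    Returns None if nothing of at least min_len bytes qualifies."""
    shortest = min(variants, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in v for v in variants) and not any(cand in b for b in benign_corpus):
                return cand
    return None


def matches(signature, program):
    """The scanner side: does the family signature occur in this program?"""
    return signature in program


if __name__ == "__main__":
    sig = derive_family_signature(VARIANTS, BENIGN_CORPUS)
    print(len(sig), "byte family signature:", sig.hex())
    print("unseen variant detected:", matches(sig, UNSEEN_VARIANT))
    # Without the clean corpus the longer shared STUB wins, and every
    # ordinary program that links the same routine would be flagged.
    bad = derive_family_signature(VARIANTS, [])
    print("without clean corpus:", any(matches(bad, b) for b in BENIGN_CORPUS))
```

The brute-force candidate search is fine for a handful of variants; with a large collection one would build a generalized suffix structure over the variants and check candidates against a hashed index of the clean corpus, but the acceptance rule is the same: shared by the family, absent from known-good code.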
FUTURE METHODS OF SCANNING FOR VIRUSES?
There is also a neural-network technique to recognize viruses by scanning for several very short patterns, each only three to five bytes long. These tiny fragments represent computer instructions that carry out tasks specific to viral infection. Although conventional software might occasionally contain one of these fragments, the presence of many of them is an almost certain viral hallmark. Antiviral software can check for such short sequences very quickly; even more important, because these patterns of data are directly linked to the virus's function, antiviral software can now recognize a wide variety of viruses without ever having seen them before.
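An added example, not the network of the article: a single-layer network (a perceptron) trained on the presence or absence of five short fragments, here 4-byte DOS "mov ah,NN / int 21h" call sequences chosen for illustration (find a victim file, open it, write to it, put its timestamp back). The training and held-out programs are constructed byte strings. The point it shows is that the network learns a threshold on how many fragments co-occur rather than any one signature, so it flags an infector it has never seen while passing a program that contains a single fragment for a legitimate reason.

```python
import itertools

# 4-byte DOS int 21h call sequences (mov ah,NN / int 21h) that a file
# infector needs. Chosen here for illustration; a real system derives its
# fragment set from disassembly of a large virus collection.
FRAGMENTS = {
    "find_first": b"\xb4\x4e\xcd\x21",
    "find_next":  b"\xb4\x4f\xcd\x21",
    "open_file":  b"\xb4\x3d\xcd\x21",
    "write_file": b"\xb4\x40\xcd\x21",
    "set_date":   b"\xb4\x57\xcd\x21",
}
NAMES = list(FRAGMENTS)
FILLER = b"\x90" * 3   # constructed glue between fragments


def features(program: bytes):
    """One binary input per fragment: 1 if the fragment occurs anywhere."""
    return [1 if FRAGMENTS[n] in program else 0 for n in NAMES]


def build(fragment_names, filler=FILLER):
    """Constructed sample: the chosen fragments glued together with filler."""
    return filler + filler.join(FRAGMENTS[n] for n in fragment_names) + filler


def training_set():
    """Viral: every combination of three fragments. Benign: no fragment,
    or any single fragment (ordinary programs do call find-first or open)."""
    samples = [(build(combo), +1) for combo in itertools.combinations(NAMES, 3)]
    samples.append((build([]), -1))
    samples += [(build([n]), -1) for n in NAMES]
    return samples


def train_perceptron(samples, max_epochs=500):
    """Single-layer network over the fragment features. The classic update
    rule converges because the data are linearly separable: 'three or more
    fragments' is a threshold on the sum of the inputs."""
    weights = [0.0] * len(NAMES)
    bias = 0.0
    for _ in range(max_epochs):
        errors = 0
        for program, label in samples:
            x = features(program)
            score = sum(w * xi for w, xi in zip(weights, x)) + bias
            if label * score <= 0:
                weights = [w + label * xi for w, xi in zip(weights, x)]
                bias += label
                errors += 1
        if errors == 0:
            return weights, bias
    raise RuntimeError("perceptron did not converge")


def is_viral(model, program: bytes) -> bool:
    weights, bias = model
    score = sum(w * xi for w, xi in zip(weights, features(program))) + bias
    return score > 0


def accuracy(model, samples):
    return sum(is_viral(model, p) == (y > 0) for p, y in samples) / len(samples)


TRAINING = training_set()
MODEL = train_perceptron(TRAINING)

# Held-out constructed programs never shown during training.
UNSEEN_INFECTOR = (b"unseen infector code "
                   + build(["find_first", "open_file", "write_file", "set_date"])
                   + b" more code")
BACKUP_TOOL = b"backup utility, enumerates files " + build(["find_first"]) + b" then copies them"

if __name__ == "__main__":
    print("weights:", MODEL[0], "bias:", MODEL[1])
    print("training accuracy:", accuracy(MODEL, TRAINING))
    print("unseen infector flagged:", is_viral(MODEL, UNSEEN_INFECTOR))
    print("backup tool flagged:", is_viral(MODEL, BACKUP_TOOL))
```

Because every learned separator for this training set puts a positive weight on the co-occurrence of fragments, a held-out program with four or five of them is classified viral whatever the exact weights turn out to be, and a program with one fragment is not. Programs with exactly two fragments are the grey zone this toy network never saw; a real system trains on many more fragments and on real clean and infected code, and its threshold is set against the false-alarm rate on a large clean corpus.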