COMPUTER VIRUSES
Christopher Motl
February 21, 2008

OVERVIEW
• Computers & Viruses
• History of Computer Viruses
• How Viruses Work
• Virus Detection\Removal\Analysis
• Alternative Detection Method
• Computer Immune System
• Miscellaneous Other Topics

COMPUTERS AND VIRUSES

What is a Computer?
“A computer is a machine that manipulates data according to a list of instructions.”
“A computer is, at its most basic, a machine which can take instructions, and perform computations based on those instructions.”
“Computers are not very intelligent devices, but they handle instructions flawlessly and fast.”
“A computer is an electronic device that executes the instructions in a program.”

What is a Virus?
“A virus is a sub-microscopic infectious agent that is unable to grow or reproduce outside a host cell.”
“A virus is not strictly alive... nor is it strictly dead... A virus has some fundamental information which allows it to make copies of itself. However, the virus must be inside a living cell of some kind before the information can be used.”
“Viruses are not living cells, but efficient parasites that commandeer living cells and turn them into virus factories.”
“An ultramicroscopic, metabolically inert, infectious agent that replicates only within the cells of living hosts, mainly bacteria, plants, and animals: composed of an RNA or DNA core, a protein coat, and, in more complex types, a surrounding envelope.”

What is a Computer Virus?
“Computer viruses are self-replicating software entities that attach themselves parasitically to existing programs.”
“We define a computer 'virus' as a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself.”
“A computer virus is a self-replicating computer program that spreads by attaching itself to executable files or system areas on diskettes.”
“Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation.”

HISTORY OF COMPUTER VIRUSES

The Beginnings
Early 1980’s - University of Southern California
Leonard Adleman
• Computer Science & Molecular Biology
• Famous for work with Rivest and Shamir on RSA
• DNA Computing
• Coined the term “Computer Virus”
Fred Cohen
• PhD student under Adleman
• Created the first ‘real’ computer virus, November 10, 1983
• Parasitic application that seized control of computer operation

Statistics
Platform   Count
OS X       ?
Linux      30
MS-DOS     4000
Windows    >200,000

HOW VIRUSES WORK

Virus Life Cycle
1. Attachment
2. Penetration
3. Uncoating
4. Replication
5. Assembly
6. Release

Computer Virus Life Cycle

Infection of a Program

VIRUS DETECTION\REMOVAL\ANALYSIS

Virus Detection
The goal of anti-virus software is to detect all viral infections on a given computer system and to restore each infected program to its original uninfected state, if possible.
Activity Monitors: alert the user to system activity that is indicative of a virus.
Integrity Management Systems: warn the user of suspicious changes to files.
These methods can detect the presence of unknown viruses, but they are often unable to pinpoint the nature or even the location of the infecting agent. Normal, legitimate activity can also be flagged, causing a nuisance and disrupting normal work. This can lead to the warnings being completely ignored.

Virus Detection & Removal
Virus scanners scour the file system, searching through files, boot records, memory, and anywhere else executable code can be stored, looking for characteristic byte patterns (signatures) that are identifying portions of viruses.
Scanners provide much more specific detection than activity monitors and integrity management systems, and are essential for establishing the identity and location of a virus.
Disinfectors use the identity and location information to restore programs to their original states.
Scanning and repairing can only be applied to known viruses and variants.
Every virus strain must be examined individually to extract signatures and information on how to remove it.

Virus Analysis
Once a new virus is discovered, it is passed around a group of anti-virus experts. A human expert disassembles the virus and then analyzes the code to determine both its behavior and the method it uses to attach itself to host programs. The expert then extracts a signature that is guaranteed to be found in each instance of the virus, but which is unlikely to be found in normal programs. The new signature is added to the database so that this virus can be detected and removed in the wild.
This is a very time-consuming process, taking anywhere from hours to days to complete, and it is possible that a bad signature can be chosen.

ALTERNATIVE DETECTION METHOD

Generic Detection of Viruses
Between scanners on one side and activity monitors/integrity management systems on the other lies the generic detector. A generic detector takes a program's code as input and determines whether or not the program is viral or non-viral.
Perfect generic detection is an NP-complete problem, which is reducible to the Halting Problem.
Imperfect generic detection, however, is possible, and turns out to be a problem in pattern classification.

Imperfect Generic Detection
The basic concept of machine learning is applied to virus detection, very similar to concepts in robot vision for face/object detection. Features are selected, and then classifiers are trained.
85% detection rate; the other 15% escape detection due to code-obscuring techniques.
This method works well for boot sector viruses, but has a few drawbacks:
1. New viruses can be detected only if they have a sufficient amount of code in common with known viruses.
2. The method is appropriate for viral detection only, and is incapable of aiding in the removal of a virus from an infected boot sector or file.

COMPUTER IMMUNE
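The "Virus Detection", "Virus Detection & Removal" and "Virus Analysis" slides contrast three mechanisms: an integrity management system that notices that a file changed, a scanner that names the virus and where it sits, and the analyst's signature-quality check. The following is an added example written for these notes, not code from the slides; the file names, file contents and the two "signatures" are all constructed for the demo and are not real virus patterns. It shows why the integrity report flags a legitimate rebuild of EDIT.EXE just as loudly as the infected CALC.EXE, while the scanner reports only the file that actually carries a known signature, with its identity and byte offset.

```python
"""Added example (not from the slides): a signature scanner, an integrity
checker and a signature-quality check over constructed in-memory files."""
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database (name -> byte pattern). The patterns are
# made up for this demo; they are not real virus signatures.
SIGNATURES: Dict[str, bytes] = {
    "DemoVirus.A": b"\x90\x90\xeb\x1c<demo-a>",
    "DemoVirus.B": b"<demo-b-marker>",
}

Hit = Tuple[str, str, int]  # (file name, signature name, byte offset)


def scan_file(name: str, data: bytes) -> List[Hit]:
    """Report every occurrence of every known signature in one file."""
    hits: List[Hit] = []
    for sig_name, pattern in SIGNATURES.items():
        pos = data.find(pattern)
        while pos >= 0:
            hits.append((name, sig_name, pos))
            pos = data.find(pattern, pos + 1)
    return hits


def scan_files(files: Dict[str, bytes]) -> List[Hit]:
    """Scanner pass over every 'file' (here an in-memory name -> bytes map)."""
    return [hit for name, data in files.items() for hit in scan_file(name, data)]


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity management: SHA-256 digest of every file at a trusted moment."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: Dict[str, bytes], snapshot: Dict[str, str]) -> Dict[str, str]:
    """Flag files that changed, appeared or vanished since the baseline.
    The report says *that* something changed, not *what* changed it."""
    report: Dict[str, str] = {}
    for name, data in files.items():
        if name not in snapshot:
            report[name] = "new"
        elif hashlib.sha256(data).hexdigest() != snapshot[name]:
            report[name] = "modified"
    for name in snapshot:
        if name not in files:
            report[name] = "missing"
    return report


def clean_files_matching(pattern: bytes, clean: Dict[str, bytes]) -> List[str]:
    """Signature-quality check from the analysis step: a candidate signature
    that also occurs in known-clean programs is a bad signature."""
    return [name for name, data in clean.items() if pattern in data]


# Constructed file set: the pre-infection image of a small system.
CLEAN: Dict[str, bytes] = {
    "CALC.EXE": b"MZ\x90\x00" + b"legit calc code " * 2,
    "EDIT.EXE": b"MZ\x90\x00" + b"editor build v1",
    "NOTES.TXT": b"just text, no code",
}


def demo() -> Tuple[Dict[str, str], List[Hit]]:
    """Take a baseline, then simulate one infection (signature appended to
    CALC.EXE) and one legitimate update (EDIT.EXE rebuilt), and run both
    detectors over the result."""
    snapshot = baseline(CLEAN)
    after = dict(CLEAN)
    after["CALC.EXE"] = CLEAN["CALC.EXE"] + SIGNATURES["DemoVirus.A"]
    after["EDIT.EXE"] = CLEAN["EDIT.EXE"].replace(b"v1", b"v2")
    return integrity_check(after, snapshot), scan_files(after)


if __name__ == "__main__":
    report, hits = demo()
    print("integrity report:", report)   # both changed files, no virus names
    print("scanner hits:", hits)         # only CALC.EXE, with identity and offset
    # a too-short candidate signature matches clean executables as well
    print("bad signature hits:", clean_files_matching(b"MZ\x90", CLEAN))
```

The last line is the analyst's check the "Virus Analysis" slide alludes to: a candidate such as the two header bytes shared by every executable would be found in every clean program, so it is rejected before it reaches the signature database.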
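The "Imperfect Generic Detection" slide describes the approach in two steps, feature selection and classifier training, and lists as its first drawback that a new virus is only detected when it shares enough code with known ones. The block below is an added example, not code from the slides or from any product: features are byte 4-grams, selection keeps the 4-grams common to the viral training set and absent from the benign one, and the classifier is a threshold on how many selected features a sample contains. The training samples, the placeholder "infection routine" string and the threshold rule are all constructed assumptions for the demo; the 85% figure on the slide is not reproduced here.

```python
"""Added example (not from the slides): imperfect generic detection as
pattern classification over byte n-gram features, on constructed samples."""
from typing import Dict, List, Set

N = 4  # feature = distinct 4-byte substring (assumed n-gram length)


def ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """Feature set of a sample: its distinct n-byte substrings."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def select_features(viral: List[bytes], benign: List[bytes],
                    min_support: int = 2) -> Set[bytes]:
    """Feature selection: keep n-grams present in at least `min_support`
    viral samples and in no benign sample. These are the 'code in common'
    the slide refers to; anything legitimate programs also contain is dropped."""
    support: Dict[bytes, int] = {}
    for sample in viral:
        for g in ngrams(sample):
            support[g] = support.get(g, 0) + 1
    benign_grams = set().union(*(ngrams(s) for s in benign))
    return {g for g, c in support.items() if c >= min_support and g not in benign_grams}


class NGramClassifier:
    """Linear-threshold classifier over the selected features."""

    def __init__(self, features: Set[bytes], threshold: int):
        self.features = features
        self.threshold = threshold

    def score(self, data: bytes) -> int:
        return len(ngrams(data) & self.features)

    def classify(self, data: bytes) -> str:
        return "viral" if self.score(data) >= self.threshold else "non-viral"


def train(viral: List[bytes], benign: List[bytes]) -> NGramClassifier:
    features = select_features(viral, benign)
    # Assumed threshold rule: half the weakest training score, so variants
    # that keep only part of the shared routine are still caught.
    weakest = min(len(ngrams(s) & features) for s in viral)
    return NGramClassifier(features, max(1, weakest // 2))


# Constructed corpus. INFECTOR stands in for the routine a virus family shares.
INFECTOR = b"<<copy-self-into-host>>"
VIRAL_TRAIN = [b"MZ" + INFECTOR + b" payload alpha",
               b"MZ" + INFECTOR + b" payload bravo",
               b"MZ" + INFECTOR + b" payload charlie"]
BENIGN_TRAIN = [b"MZ hello world program",
                b"MZ spreadsheet engine",
                b"MZ text editor v1",
                b"MZ game with payload loader"]  # shares 'payload' with the viral set

# Constructed test samples.
VARIANT = b"MZ" + INFECTOR + b" payload delta"          # new strain, same routine
PATCHED = b"MZ" + INFECTOR + b": patched payload"       # routine kept, tail changed
NOVEL = b"MZ<<overwrite-boot-sector>> payload echo"     # different routine entirely
BENIGN_TEST = b"MZ hello world editor"


def demo() -> Dict[str, str]:
    clf = train(VIRAL_TRAIN, BENIGN_TRAIN)
    return {name: clf.classify(sample) for name, sample in
            [("variant", VARIANT), ("patched", PATCHED),
             ("novel", NOVEL), ("benign", BENIGN_TEST)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

Because `payload` also occurs in a benign training sample, its 4-grams are not selected; the family routine alone carries the decision. The `novel` sample is the slide's first drawback in action: it overlaps the selected features in only three 4-grams (the `MZ<<` prefix and the `>> p` boundary), stays under the threshold, and is missed even though it is viral, which is exactly the case a signature from analysis would have to cover.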


UCF COT 4810 - COMPUTER VIRUSES
