MadSci Network: Computer Science
Query:

Re: What are the methods or techniques to detect viruses used by an anti-virus?

Date: Sat Dec 30 16:20:00 2000
Posted By: David B. Hull, Ph.D., Faculty, CIS/TCM, DeVry Institute of Technology
Area of science: Computer Science
ID: 974969746.Cs
Message:

Hi,

As with any detection scheme, there is more than
one way of detecting an event.  First, we need to
discuss false positives and false negatives. An
anti-viral detection scheme can fail by flagging
a file as infected with a computer virus, when
it isn't - this is a false positive. It can also
fail by not detecting a virus in a file which is
infected - this is a false negative.  Both of these
failures can have disastrous consequences by either
deleting a file which is no threat, or not deleting
a file which is!

So how do anti-virus programs detect viruses?  Basically
in three ways:
Scanners - this part of the anti-virus program examines
the actual executable code (machine code) looking for
a pattern unique to a given virus.  Even if the
virus has been encrypted or mutates its code, there
will often be a tell-tale pattern in the encryption
or mutation engine itself. This approach can be
very effective because it not only flags a file as
infected but allows the program to identify the
exact virus and then repair the file based on this
knowledge.

Heuristics - this means flagging suspicious behavior,
such as writes to the boot sector or changes to the
executable files, as opposed to the data files. This is prone
to both false positives and false negatives.  But it
will catch new viruses not in the anti-virus databanks.

Integrity checkers - these attach a mathematically created
"magic number" called a checksum to every file.  Any
changes to the machine code will be detected when the
file is checked against this number before running it.
This is extremely effective, except that modern programs
often self-modify in the course of use.

These techniques are still being developed.  Check out
IBM's anti-virus research.  Particularly look at the
papers on IBM's "Immunity system" based on the
biological analogy inherent in the use of the term virus.

http://www.research.ibm.com/antivirus/SciPapers.htm

Here are some other interesting sites developing this answer further.

http://www.labmice.net/security/antivirus.htm

http://www.europe.dla.mil/TasoHandbook/tab7/VIRUS101.html

http://www.bocklabs.wisc.edu/~janda/av_cookbook.html

Have fun; but I strongly advise against writing or otherwise creating computer viruses. It is illegal!! Understanding how the programs identify computer viruses is however an important part of pattern recognition software in general. Voice recognition, military targeting and even protein and DNA matching use many of the same principles. I use it to classify animals such as _Colobus_ monkeys! Try using "pattern recognition" on the search engine http://www.northernlight.com for even more references on the topic.

David
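
The three methods described in the answer above, as an added worked example in Python; this is editor-supplied illustration, not code from the original answer or from the MadSci page. The "virus" is a constructed sample: it appends a short x86-style decryptor stub, whose one-byte XOR key changes with each infection, plus the body encrypted under that key, to the end of a host file. The family name Demo.Poly, the stub bytes, the host contents and the file names are all invented for the example. The scanner matches the decryptor with the key byte wildcarded (the "tell-tale pattern in the encryption engine"), names the family, and repairs the host by cutting the appended body off; the heuristics look only for generic traits (a decrypt loop, high entropy, raw-disk path strings); the integrity checker stores SHA-256 checksums and reports any file whose content has changed since the baseline.

```python
"""Toy versions of the three methods in the answer above: a signature scanner
that also repairs the host, static heuristics, and a checksum integrity
checker. The "virus" is a constructed sample for this example, not malware."""
import hashlib
import math
import random
import re

# --- Constructed sample virus ------------------------------------------------
# It appends itself to a host file: a short x86-style decryptor stub whose
# one-byte XOR key changes per infection, followed by the body encrypted with
# that key. Family name and stub bytes are invented for this example.
VIRUS_NAME = "Demo.Poly"
VIRUS_BODY = b"DEMO: this body would open \\\\.\\PhysicalDrive0 and hit the boot sector"
STUB_PREFIX = b"\xeb\x08\x33\xc9\xb1"  # jmp short; xor ecx,ecx; mov cl, <key>
STUB_XOR = b"\x80\x34\x0e"             # xor byte [esi+ecx], <key>
STUB_LOOP = b"\xe2\xf9"                # loop back to decrypt the next byte


def make_virus(key: int) -> bytes:
    stub = STUB_PREFIX + bytes([key]) + STUB_XOR + bytes([key]) + STUB_LOOP
    return stub + bytes(b ^ key for b in VIRUS_BODY)


def infect(host: bytes, key: int) -> bytes:
    return host + make_virus(key)


VIRUS_LEN = len(make_virus(0))  # fixed length of the appended virus

# --- 1. Scanner: exact pattern for the mutation engine, key byte wildcarded --
SIGNATURES = {
    VIRUS_NAME: re.compile(
        rb"\xeb\x08\x33\xc9\xb1(.)\x80\x34\x0e\1\xe2\xf9", re.DOTALL),
}


def scan_signature(data: bytes):
    """Return (virus name, offset) for the first known signature, else None."""
    for name, sig in SIGNATURES.items():
        m = sig.search(data)
        if m:
            return name, m.start()
    return None


def repair(data: bytes) -> bytes:
    """Knowing the family appends a fixed-length body, cut it off the host.
    Refuse when the layout is not what we know, rather than damage the file."""
    hit = scan_signature(data)
    if hit is None:
        return data
    name, off = hit
    if name == VIRUS_NAME and len(data) - off == VIRUS_LEN:
        return data[:off]
    raise ValueError(f"{name} at offset {off}: unexpected layout, not repairing")


# --- 2. Heuristics: generic traits, no knowledge of any particular virus -----
def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# "xor byte [mem], imm8" followed within 16 bytes by a LOOP: a decryptor shape
DECRYPT_LOOP = re.compile(rb"\x80\x34.{2}.{0,16}?\xe2", re.DOTALL)
SUSPICIOUS_STRINGS = [b"\\\\.\\PhysicalDrive", b"\\\\.\\Scsi"]


def heuristic_flags(data: bytes) -> list:
    """Every rule that fired; an empty list means nothing looked suspicious."""
    flags = []
    if DECRYPT_LOOP.search(data):
        flags.append("self-decrypting code")
    if len(data) >= 256 and entropy(data) > 7.5:
        flags.append("high entropy (packed or encrypted)")
    if any(s in data for s in SUSPICIOUS_STRINGS):
        flags.append("raw disk access string")
    return flags


# --- 3. Integrity checker: checksum every file, recheck before it runs --------
def build_baseline(files: dict) -> dict:
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify(baseline: dict, files: dict) -> list:
    """Names whose content no longer matches the stored checksum (or are new)."""
    return sorted(n for n, d in files.items()
                  if baseline.get(n) != hashlib.sha256(d).hexdigest())


if __name__ == "__main__":
    host = b"MZ" + b"\x90" * 300 + b"hello from a legitimate program\n"
    infected = infect(host, 0x5A)
    print(scan_signature(infected), repair(infected) == host)
    print(heuristic_flags(infected))
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for a compressed file
    print(heuristic_flags(packed))
    baseline = build_baseline({"app.exe": host, "config.txt": b"level=1\n"})
    print(verify(baseline, {"app.exe": infected, "config.txt": b"level=2\n"}))
```

Two things worth noticing when running it. The XOR layer hides the raw-disk string from the heuristics, so only the decrypt-loop rule fires on the infected file, while the random "packed" data trips the entropy rule with no virus present at all: the false-positive/false-negative trade-off the answer describes. And the integrity checker reports the edited config file just as readily as the infected executable, which is exactly the problem with programs that legitimately modify themselves or their own files.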








MadSci Network, webadmin@www.madsci.org
© 1995-2000. All rights reserved.