Introduction
Each day, an army of perhaps a few hundred virus writers around the world produces three or more new computer viruses. Currently, the battle is roughly even. Our statistics, based on observation of a sample population of several hundred thousand machines for several years [Kephart and White 1993, Kephart et al. 1993], suggest that in medium to large businesses roughly 1% of all computers become infected during any given year. The world's computer population has been inconvenienced, but despite dire predictions [Tippett 1991] it has not been incapacitated. Most of the anti-virus products in common usage have been reasonably effective in detecting and removing viruses. Within our sample population, only 10% of all known viruses (about 360 of 4000 at the time of writing) have been observed ``in the wild'' -- in real incidents. Several viruses that used to be relatively common now qualify for inclusion on an endangered species list. Today, computer viruses are a manageable nuisance.

Several worrisome trends threaten to turn the balance in favor of computer virus authors. First, the rate at which new viruses are created, already on the verge of overwhelming human experts, has the potential to increase substantially. Second, continued increases in interconnectivity and interoperability among the world's computers, designed to benefit computer users, are likely to be a boon to DOS and Macintosh viruses as well. Theoretical epidemiological studies indicate that the rate at which computer viruses spread on a global scale can be very sensitive to the rate and the degree of promiscuity of software exchange [Kephart and White 1991, Kephart and White 1993, Kephart et al. 1993, Kephart 1994b]. Anticipated increases in both factors threaten to increase substantially the speed of spread and the pervasiveness of these traditional types of virus. In addition, mobile intelligent agents [Chess et al. 1995, Harrison et al. 1994] will soon navigate the global network, potentially serving as a fertile medium for a new breed of rapidly-spreading virus that exploits the itinerancy of its host by leaving behind copies of itself wherever its host goes. Traditional methods of detecting and removing viruses, which rely upon expert analysis by humans and subsequent distribution of the cure to users, would be orders of magnitude too slow to deal with viruses that spread globally within days or hours.

To address these problems, we have developed a variety of biologically inspired anti-virus algorithms and techniques that replace many of the tasks traditionally performed by human virus experts, thus permitting much faster, automatic response to new viruses.
The term ``computer virus'', coined by Adleman in the early 1980s [Cohen 1987], is suggestive of strong analogies between computer viruses and their biological namesakes. Both attach themselves to a small functional unit (cell or program) of the host individual (organism or computer), and co-opt the resources of that unit for the purpose of creating more copies of the virus. By using up materials (memory

It is therefore natural to seek inspiration from defense mechanisms that biological organisms have evolved against diseases. The idea that biological analogies might be helpful in defending computers from computer viruses is not original to us [Murray 1988]. But to our knowledge we are the first to take these analogies seriously, to deliberately design and implement anti-virus technology that is inspired by biology, and to incorporate it into a commercial anti-virus product.

First, we will briefly describe what computer viruses are, how they replicate themselves, and why their presence in a system is undesirable. Then, we shall describe the typical procedures used by human experts to analyze computer viruses, and explain why these methods are unlikely to remain viable a few years from now. Finally, we shall discuss two complementary anti-virus techniques that are inspired by biological systems that learn: a neural-network virus detector and a computer immune system.