Virus removal

In the biological immune system, if an antibody encounters an antigen, the two bind together and the antigen is effectively neutralized. Thus recognition and neutralization of the intruder occur simultaneously. Alternatively, a killer T cell may encounter a cell that exhibits signs of being infected with a particular infecting agent, whereupon it kills the host cell. This is a perfectly sensible course of action, because an infected host cell is slated to die anyway, and its assassination by the killer T cell prevents the viral particles from reaching maturation. A computer immune system can take the same basic approach to virus removal: it can erase or otherwise inactivate an infected program. However, an important difference between computer viruses and biological viruses raises the possibility of a much gentler alternative.
In biological organisms, most infected cells would not be worth the trouble of saving even if this were possible, because cells are an easily replenished resource. In contrast, each of the applications run by a typical computer user is unique in function and irreplaceable (unless backups have been kept, of course). Since a user would be likely to notice any malfunction, all but the most ill-conceived computer viruses attach themselves to their host in such a way that they do not destroy its function. Viruses tend merely to rearrange or reversibly transform their hosts. Thus an infected program is usually expressible as a reversible transformation of the uninfected original.

When the scanner identifies a particular program as being infected with a particular virus, the first step in our removal procedure is to verify that the virus is identical to a known strain. Verification is based upon checksums of regions of viral code that are known to be invariant (perhaps after an appropriate decryption operation) across different instances of the virus. The exact location and structure of the virus must have been derived beforehand and expressed in a language understood by the verification algorithm. If the verification does not succeed, an attempt to remove the virus by this means is considered too risky, and another, more generic virus removal method (beyond the scope of this paper) is brought into play. If the verification succeeds, a repair algorithm carries out the sequence of steps required to remove that virus, expressed in a simple repair language. The sequence of steps is easily derived from an analysis of the locations (and transformations, if any) of all of the portions of the original host. Although the analysis required to extract verification and removal information has traditionally been performed by human experts, we shall discuss in a later subsection an automated technique for obtaining this information.
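The verify-then-repair procedure just described, as an added example written for this page; it is not code from the paper or from the system the paper describes. It models a constructed toy appender virus: the viral body is appended to the end of the host, the host's first eight bytes are stashed at the start of that body, and those eight bytes are overwritten with a marker plus the body's file offset. One byte of the body varies per instance (standing in for a per-instance key or mutation) and the rest is invariant. The strain record, its two-operation repair language (copy and truncate steps with offsets relative to the viral body or to the file start), and every name below are assumptions made for illustration; the decryption step the text mentions is omitted. Verification checksums only the invariant region, and a failed verification makes `disinfect` return None, which stands in for the hand-off to a generic removal method.

```python
import hashlib
import struct

# Constructed toy appender "virus" (not real malware). Layout is an assumption:
#   infected = MARKER(4) | body_offset(4, LE) | host[8:] | body
#   body     = original host[:8] | variable byte | INVARIANT_CODE
MARKER = b"JMPV"
HEADER_LEN = 8
INVARIANT_CODE = b"\x90\x90\x90\x90\x90TOY-APPENDER-INVARIANT-CODE"


def infect(host: bytes, variant_key: int) -> bytes:
    """Produce an infected copy; the transformation is reversible by design."""
    if len(host) < HEADER_LEN:
        raise ValueError("host too short for this toy infection model")
    body_offset = len(host)
    body = host[:HEADER_LEN] + bytes([variant_key]) + INVARIANT_CODE
    patched_header = MARKER + struct.pack("<I", body_offset)
    return patched_header + host[HEADER_LEN:] + body


# Strain record, as an analyst (or an automated extractor) would express it.
# Region offsets and "body+N" are relative to the viral body; "host+N" is an
# absolute file offset. Repair ops: ("copy", src, length, dst), ("truncate", at).
STRAIN = {
    "name": "Toy.Appender.A",  # hypothetical strain name
    "invariant_regions": [(HEADER_LEN + 1, len(INVARIANT_CODE))],
    "invariant_sha256": [hashlib.sha256(INVARIANT_CODE).hexdigest()],
    "repair": [
        ("copy", "body+0", HEADER_LEN, "host+0"),  # restore original header bytes
        ("truncate", "body+0"),                    # cut the viral body off the end
    ],
}


def locate_body(infected: bytes):
    """Return the viral body's file offset, or None if the marker is absent."""
    if len(infected) < HEADER_LEN or infected[:4] != MARKER:
        return None
    (offset,) = struct.unpack("<I", infected[4:HEADER_LEN])
    return offset if offset < len(infected) else None


def verify(infected: bytes, strain: dict) -> bool:
    """Checksum every invariant region; any mismatch means 'not this strain'."""
    body = locate_body(infected)
    if body is None:
        return False
    for (off, length), expected in zip(strain["invariant_regions"],
                                       strain["invariant_sha256"]):
        region = infected[body + off: body + off + length]
        if len(region) != length or hashlib.sha256(region).hexdigest() != expected:
            return False
    return True


def _resolve(expr: str, body: int) -> int:
    """Turn 'body+N' / 'host+N' into an absolute file offset."""
    base, _, off = expr.partition("+")
    return (body if base == "body" else 0) + int(off or 0)


def repair(infected: bytes, strain: dict) -> bytes:
    """Interpret the strain's repair script. Call only after verify() succeeds."""
    body = locate_body(infected)
    buf = bytearray(infected)
    for step in strain["repair"]:
        if step[0] == "copy":
            _, src, length, dst = step
            s, d = _resolve(src, body), _resolve(dst, body)
            buf[d:d + length] = buf[s:s + length]
        elif step[0] == "truncate":
            del buf[_resolve(step[1], body):]
        else:
            raise ValueError(f"unknown repair op {step[0]!r}")
    return bytes(buf)


def disinfect(infected: bytes, strain: dict):
    """Verify-then-repair; None signals 'fall back to a generic method'."""
    return repair(infected, strain) if verify(infected, strain) else None


if __name__ == "__main__":
    host = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(40))  # constructed host
    for key in (0x17, 0xA5):  # two instances differing only in the variable byte
        assert disinfect(infect(host, key), STRAIN) == host
    damaged = bytearray(infect(host, 0x17))
    damaged[-3] ^= 0xFF  # corrupt one byte inside the invariant region
    print("verified:", verify(bytes(damaged), STRAIN))
```

Two instances that differ only in the variable byte both verify and repair to the identical original, because the checksum covers only the invariant region. Flipping a single byte inside that region makes `verify` fail, so the repair script is never applied to something the strain record was not written for; that is the "too risky" branch of the text, and a real implementation would hand the file to the generic method at that point.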