Decoys
Suppose that the anomaly detector has found evidence of a virus, but that the scanner cannot identify it as any of the known strains. Most current anti-virus software will not be able to recover the host program unless it was deliberately stored or analyzed

In the computer immune system, the presence of a previously unknown virus can be established with much greater certainty than the anomaly detector alone can provide. The idea is to lure the virus into infecting one or more members of a diverse suite of "decoy" programs. Decoys are designed to be as attractive as possible to the types of viruses that spread most successfully. A good strategy for a virus is to infect programs that are touched by the operating system in some way, since such programs are the most likely to be executed by the user and thus serve as the best vehicle for further spread. The immune system therefore entices a putative virus to infect the decoys by executing, reading, writing to, copying, or otherwise manipulating them. Such activity attracts the attention of the many viruses that remain active in memory after returning control to their host. To catch viruses that do not remain resident in memory, the decoys are also placed where the most commonly used programs are typically located: the root directory, the current directory, and the other directories in the search path. The next time the infected file is run, it is likely to select one of the decoys as its victim.

From time to time, each decoy is examined to see whether it has been modified. If any have been, it is almost certain that an unknown virus is loose in the system, and each modified decoy contains a sample of it. These samples are stored in a way that ensures they cannot be executed accidentally, ready for analysis by the other components of the immune system.

The capture of a virus sample by the decoy programs is somewhat analogous to the ingestion of antigen by macrophages [Paul1991]. Macrophages and other cells break antigen into small peptide fragments and present them on their surfaces, where they are bound by T cells with matching receptors. A variety of further events can ensue from this binding, each playing an essential role in recognizing and removing the pathogen. Capture of an intruder by computer decoys or biological macrophages allows it to be processed into a standard format that other components of the immune system can interpret, provides a standard location where those components can obtain information about the intruder, and primes other parts of the immune system for action.
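The decoy mechanism described above, as an added example that is not part of the original paper or of the IBM system it describes: a small Python monitor that deploys decoys in the kinds of directories the text names, exercises them the way the operating system touches frequently used programs, checks them against a baseline, and quarantines any modified decoy as a non-executable sample. The decoy body, the directory layout, the file names, the use of SHA-256 as the modification check, and the simulated file infector are all constructed stand-ins chosen for this example; the paper does not specify them.

```python
"""Decoy-based capture of an unknown file-infecting virus (added example)."""
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed stand-in for a small executable. A real decoy suite would be
# built from genuinely different programs so the decoys do not all look alike.
DECOY_BODY = b"MZ" + b"\x90" * 64 + b"decoy-program-body\n"


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class DecoyMonitor:
    """Deploys decoys where a virus is likely to look for victims, exercises
    them to attract memory-resident infectors, and checks them against a
    baseline. Modified decoys are copied to quarantine as virus samples."""

    def __init__(self, decoy_dirs, quarantine_dir,
                 names=("DECOY1.EXE", "DECOY2.COM")):  # names are assumed
        self.decoy_dirs = decoy_dirs
        self.quarantine_dir = quarantine_dir
        self.names = names
        self.baseline = {}   # decoy path -> SHA-256 of the pristine decoy
        self.samples = {}    # decoy path -> quarantined sample path

    def deploy(self):
        os.makedirs(self.quarantine_dir, exist_ok=True)
        for d in self.decoy_dirs:
            os.makedirs(d, exist_ok=True)
            for name in self.names:
                path = os.path.join(d, name)
                with open(path, "wb") as f:
                    f.write(DECOY_BODY)
                os.chmod(path, 0o755)  # looks like a runnable program
                self.baseline[path] = sha256(path)
        return sorted(self.baseline)

    def exercise(self):
        """Touch each decoy as the OS touches popular programs: read it,
        rewrite it unchanged, copy it and remove the copy. A virus hooking
        file I/O sees this activity and may choose the decoy as a host."""
        for path in self.baseline:
            with open(path, "rb") as f:
                data = f.read()
            with open(path, "r+b") as f:
                f.write(data)          # same bytes, so the baseline still holds
            tmp = path + ".tmp"
            shutil.copy2(path, tmp)
            os.remove(tmp)

    def check(self):
        """Return the decoys whose contents no longer match the baseline,
        quarantining each as a sample of the unknown virus."""
        modified = []
        for path, digest in self.baseline.items():
            if not os.path.exists(path) or sha256(path) == digest:
                continue
            modified.append(path)
            self.samples[path] = self.quarantine(path)
        return modified

    def quarantine(self, path):
        # Stored under a non-program name and read-only mode so the sample
        # cannot be executed by accident while it awaits analysis.
        tag = hashlib.sha256(path.encode()).hexdigest()[:8]
        dest = os.path.join(self.quarantine_dir,
                            f"{os.path.basename(path)}.{tag}.sample")
        shutil.copyfile(path, dest)
        os.chmod(dest, stat.S_IRUSR)
        return dest


def simulate_infection(path, payload=b"<<constructed-virus-body>>"):
    """Constructed stand-in for an appending file infector; not real malware."""
    with open(path, "ab") as f:
        f.write(payload)


def demo():
    root = tempfile.mkdtemp(prefix="decoys-")
    dirs = [os.path.join(root, d) for d in ("root", "cwd", "bin")]
    mon = DecoyMonitor(dirs, os.path.join(root, "quarantine"))
    decoys = mon.deploy()
    mon.exercise()
    clean = mon.check()                 # nothing has been modified yet
    simulate_infection(decoys[0])       # the "virus" picks a decoy as victim
    caught = mon.check()
    sample = mon.samples[decoys[0]]
    executable = bool(os.stat(sample).st_mode & stat.S_IXUSR)
    shutil.rmtree(root)
    return {"deployed": len(decoys), "clean": clean,
            "caught": caught == [decoys[0]], "sample_executable": executable}


if __name__ == "__main__":
    print(demo())
```

The check runs over the whole baseline rather than stopping at the first hit, because every modified decoy is a separate sample and a polymorphic virus may leave different bytes in each. A deleted decoy is skipped here; a production monitor would want to flag that too, since it is also evidence of tampering.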