Next Automatic signature extraction
Previous Decoys
Up A Computer Immune System

Automatic virus analysis

Typically, a human expert applies a deep understanding of machine instruction sequences to virus analysis. Sometimes, this is combined with observation of the effects of the virus on a program.

Our automatic virus analysis algorithm is much less sophisticated in its knowledge of machine code, but makes up for this deficiency by making use of more data: specifically, several samples of the virus. Once a few samples of the virus have been captured, the algorithm compares the infected decoys with one another and with the uninfected decoys to yield a precise description of how the virus attaches to any host. The description is completely independent of the length and contents of the host, and to some extent can accommodate self-encrypting viruses. A pictorial representation of one particularly simple infection pattern is presented in Fig. 4.

[Figure 4: image not reproduced]

Figure: Pictorial representation of attachment pattern and structure of the TASH490 virus, derived completely automatically.

Automatic virus analysis provides several useful types of information:

  1. The location of all of the pieces of the original host within an infected file, independent of the content and length of the original host. This information is automatically converted into the repair language used by the virus removal component of IBM AntiVirus.
  2. The location and structure of all components of the virus. Structural information includes the contents of all regions of the virus that are invariant across different samples. This information has two purposes:
    1. It is automatically converted into the verification language used by the verification component of IBM AntiVirus.
    2. It is passed to the automatic signature extraction component for further processing.
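The comparison step described above (infected decoys against one another and against the clean decoys) and the two outputs listed here, the host-piece locations that feed the repair language and the invariant virus regions that feed verification and signature extraction, are easiest to see on a concrete case. The following Python is an added worked example, not code from this paper or from IBM AntiVirus. It constructs a hypothetical appending virus that patches a length-dependent jump over the first 8 host bytes, saves them in its body and carries a per-sample key, infects several random decoys of different lengths, and then derives the attachment pattern purely by comparison. Offsets written as a constant or as H+k (H being the original host length) are this example's own notation for a host-independent description; repair() and verify() stand in for the repair and verification languages. The virus, the decoys and the function names are all assumptions made here.

```python
# Toy decoy-based virus analysis (added illustration, not IBM's code): compare several
# (clean, infected) decoy pairs; virus, decoys and notation (constant or H+k) are constructed.
import random

HEAD, K = 8, 8  # header bytes the toy virus overwrites; shortest run counted as host


def infect(host, key):
    """Constructed virus: stub over the header, body with the saved header and a per-sample key."""
    stub = b"\xE9" + len(host).to_bytes(2, "little") + b"\x90" * (HEAD - 3)
    return stub + host[HEAD:] + host[:HEAD] + b"VIRUS-CODE-CONST" + key + b"TAIL-CONST"


def make_decoys(specs, seed=7):
    """Constructed decoys: random hosts of the given (length, key) specs, then infected."""
    rng = random.Random(seed)
    hosts = [bytes(rng.getrandbits(8) for _ in range(length)) for length, _ in specs]
    return [(h, infect(h, key)) for h, (_, key) in zip(hosts, specs)]


def host_fragments(host, infected):
    """>= K-byte runs of host inside the infected file, longest first, in any order."""
    index = {}
    for b in range(len(infected) - K + 1):
        index.setdefault(infected[b:b + K], []).append(b)
    used_h, used_i, blocks = [False] * len(host), [False] * len(infected), []
    while True:
        best = None  # (size, host offset, infected offset)
        for a in range(len(host) - K + 1):
            for b in ([] if used_h[a] else index.get(host[a:a + K], [])):
                n = 0
                while (a + n < len(host) and b + n < len(infected) and not used_h[a + n]
                       and not used_i[b + n] and host[a + n] == infected[b + n]):
                    n += 1
                if n >= K and (best is None or n > best[0]):
                    best = (n, a, b)
        if best is None:
            return sorted(blocks)
        n, a, b = best
        for j in range(n):
            used_h[a + j] = used_i[b + j] = True
        blocks.append((a, b, n))


def gaps(length, blocks):
    """Byte ranges of [0, length) claimed by no host fragment: the virus regions."""
    edges, pos = [], 0
    for _, b, n in sorted(blocks, key=lambda blk: blk[1]):
        if b > pos:
            edges.append((pos, b))
        pos = max(pos, b + n)
    return edges + ([(pos, length)] if pos < length else [])


def symbolic(values, hosts):
    """Offset/size across samples: a constant, or H+k relative to host length H."""
    if len(set(values)) == 1:
        return str(values[0])
    (d,) = {v - h for v, h in zip(values, hosts)}  # ValueError: pattern not describable
    return "H" if d == 0 else "H%+d" % d


def analyze(pairs):
    """Compare infected decoys with each other and with their clean originals."""
    hosts = [len(h) for h, _ in pairs]
    (vlen,) = {len(i) - len(h) for h, i in pairs}  # toy handles fixed-length viruses only
    frags = [host_fragments(h, i) for h, i in pairs]
    assert len({len(f) for f in frags}) == 1, "samples disagree on host fragment count"
    host_blocks = [tuple(symbolic(col, hosts) for col in zip(*blk)) for blk in zip(*frags)]
    regions = [[(s, inf[s:e]) for s, e in gaps(len(inf), blocks)]
               for (_, inf), blocks in zip(pairs, frags)]
    segments = []
    for segs in zip(*regions):
        data = [d for _, d in segs]
        (size,) = {len(d) for d in data}  # ValueError on a variable-length region
        segments.append({"start": symbolic([s for s, _ in segs], hosts), "size": size,
                         "invariant": [(k, data[0][k]) for k in range(size)
                                       if len({d[k] for d in data}) == 1]})
    return {"virus_length": vlen, "host_blocks": host_blocks, "virus_segments": segments}


def evaluate(expr, H):  # 'H', 'H+12', 'H-8' or a plain number, for host length H
    return H + int(expr[1:] or 0) if expr.startswith("H") else int(expr)


def repair(infected, pattern):
    """Rebuild the host from an infected file using only the pattern (repair-language role)."""
    H = len(infected) - pattern["virus_length"]
    host = bytearray(H)
    for a, b, n in pattern["host_blocks"]:
        a, b, n = (evaluate(x, H) for x in (a, b, n))
        host[a:a + n] = infected[b:b + n]
    return bytes(host)


def verify(data, pattern):
    """True if every invariant virus byte is present (verification-language role)."""
    H = len(data) - pattern["virus_length"]
    return H > 0 and all(data[evaluate(seg["start"], H) + k] == v
                         for seg in pattern["virus_segments"] for k, v in seg["invariant"])
```

Run on four decoys of lengths 64 to 200, analyze() reports two host pieces, host[0:8] at infected offset H and host[8:H] at offset 8, and two virus regions, one of 8 bytes at offset 0 and one of 28 bytes at H+8, in which the low byte of the jump displacement and the two key bytes are the only bytes reported as variable; repair() then reconstructs an unseen 137-byte host exactly. Two caveats a practitioner should keep in mind: the minimum run length K trades spurious host fragments (short random coincidences) against missed short pieces, and a virus whose body length differs from sample to sample, as many self-encrypting viruses' do, trips the fixed-length checks in this toy rather than being described, which is why the text says such viruses are accommodated only to some extent.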
