A Computer Immune System

Although generic virus detection works well for boot-sector viruses, and may eventually prove useful for file infectors as well, at least two drawbacks are inherent in the technique:

  1. New viruses can be detected only if they have a sufficient amount of code in common with known viruses.
  2. The method is appropriate for viral detection only; it is incapable of aiding in the removal of a virus from an infected boot sector or file. The only way to eliminate the infection is to erase or replace the infected boot sector or file.

The generic classifier could be viewed as an analog of the "innate", or non-adaptive, non-specific immune system that is present in both vertebrates and lower animals. One important component of this innate immunity can be viewed as a sort of generic classifier system, in which the features on which recognition is based include:

  1. the presence of certain proteins that are always present on self-cells, but usually not on foreign cells,
  2. the presence of double-strand RNA, which appears in much larger concentrations in a particular class of viruses than it does in mammalian cells [Marrack1993], and
  3. the presence of a peptide that begins with an unusual amino acid (formyl methionine) that is produced copiously by bacteria, but only in minute amounts by mammals [Marrack1993].

This generic classification is coupled with a generic response to a pathogen that either disables it or kills it.

However, vertebrates have evolved a more sophisticated, adaptive immune system that works in concert with the innate immune system, and is based on recognition of specific pathogens. It exhibits the remarkable ability to detect and respond to previously unencountered pathogens, regardless of their degree of similarity to known pathogens. This is precisely the sort of defensive capability that we seek against computer viruses.

Figure 3: The main components of the proposed immune system for computers and their relationship to one another. (Figure not reproduced.)

Figure 3 provides an overview of our design for an adaptive computer immune system. The immune system responds to virus-like anomalies (as identified by various activity and integrity monitors) by capturing and analyzing viral samples. From its analysis, it derives the means for detecting and removing the virus. Many components of the computer immune system are working in the laboratory, and are providing useful data that is incorporated into IBM AntiVirus, IBM's commercial anti-virus product.

The remainder of this section will be devoted to a discussion of the various components of the immune system design, along with their relationship to analogous biological principles. Further exploration of some biological analogies can be found in [Kephart1994a]. First, we shall consider the set of components that are labeled as being currently in IBM AntiVirus: anomaly detection, scanning for known viruses, and removal of known viruses. Then, we shall discuss some of the components that are labeled as being currently in the virus lab: sample capture using decoys, algorithmic virus analysis, and signature extraction. These components are all functioning prototypes. Finally, we shall discuss a mechanism by which one machine can inform its neighbors about viral infections.
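As an added illustration (not code from the paper or from IBM AntiVirus), the following Python models the cycle described above on constructed, harmless byte strings: an integrity monitor over decoy files, sample capture, analysis by diffing an infected decoy against its known original, signature extraction, and removal. It assumes a virus that simply appends itself to its host; the decoy names, file contents and VIRAL_BLOB are constructed placeholders, and the paper's trigram-based signature selection is not modelled.

```python
import hashlib

# Constructed, harmless stand-ins for files on a protected machine.
DECOYS = {"decoy1.com": b"DECOY-ONE " * 4, "decoy2.com": b"DECOY-TWO " * 4}
HOST = b"HOST-PROGRAM " * 3
# Constructed stand-in for an appending virus: a fixed blob glued to the file tail.
VIRAL_BLOB = b"\x90JUMP-BACK\x90" + bytes(range(16))

def infect(data: bytes) -> bytes:
    """Simulated infection (constructed): append the blob to a host file."""
    return data + VIRAL_BLOB

def baseline(files: dict) -> dict:
    """Integrity monitor: record a hash of every decoy while it is known clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def capture_samples(files: dict, hashes: dict) -> dict:
    """Anomaly detection plus sample capture: a decoy whose hash changed is a sample."""
    return {name: data for name, data in files.items()
            if hashlib.sha256(data).hexdigest() != hashes[name]}

def analyze(samples: dict, originals: dict) -> bytes:
    """Algorithmic analysis: diff each infected decoy against its known original
    to isolate the attached code (only the appending mechanism is modelled)."""
    attached = {data[len(originals[name]):] for name, data in samples.items()
                if data.startswith(originals[name])}
    if len(attached) != 1:
        raise ValueError("attachment mechanism not recognised or not consistent")
    return attached.pop()

def extract_signature(viral: bytes, clean_corpus: list, length: int = 8) -> bytes:
    """Signature extraction: first substring of the viral code found in no clean file."""
    for i in range(len(viral) - length + 1):
        candidate = viral[i:i + length]
        if not any(candidate in clean for clean in clean_corpus):
            return candidate
    raise ValueError("no signature free of false positives on the clean corpus")

def remove(data: bytes, viral: bytes) -> bytes:
    """Removal for the appending case: strip the attached code from the tail."""
    return data[:-len(viral)] if data.endswith(viral) else data

def run_cycle() -> tuple:
    """One pass: (signature hits infected host, hits clean host, host restored)."""
    hashes = baseline(DECOYS)
    infected_decoys = {name: infect(data) for name, data in DECOYS.items()}
    viral = analyze(capture_samples(infected_decoys, hashes), DECOYS)
    signature = extract_signature(viral, list(DECOYS.values()) + [HOST])
    infected_host = infect(HOST)
    return signature in infected_host, signature in HOST, remove(infected_host, viral) == HOST
```

Running `run_cycle()` returns `(True, False, True)`: the derived signature detects a fresh infection of a non-decoy host without matching the clean host, and the derived removal step restores it.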
