Detecting shape-shifting computer viruses

Researchers at a company that makes antivirus and security products have built a tool that generates shape-shifting viruses which slip past commercial virus scanners. The aim of the research, published in the current issue of the International Journal of Multimedia Intelligence and Security, is to stay one step ahead of those who write viruses with malicious and criminal intent: if an antivirus company can create an undetectable virus, the reasoning goes, it is only a matter of time before a virus writer does the same.
Priti Desai of Symantec Corporation in Mountain View, California, working with Mark Stamp, a former National Security Agency cryptanalyst now at San Jose State University, has focused on so-called metamorphic viruses. These self-replicating programs rewrite their own code each time they make a copy, so that every child still carries out the same malicious function but is different enough from its parent to avoid detection.
Without a common "signature" of duplicated code, each generation of a metamorphic virus can elude antivirus software that relies on spotting a fixed pattern shared by every copy. Unfortunately, computer viruses, like their biological counterparts, are a continual game of catch-up: each new generation tries to evade detection, and the antivirus vendors try to detect and eradicate it, just as the immune system must adapt to each new strain of the common cold.
To stay ahead in this game of catch-up, the researchers built their own virus generator, which produces generation after generation of metamorphic variants so diverse that they bear little resemblance to the original parent. In tests, its output easily defeats conventional antivirus software. But despite the diversity of the code across generations, the researchers have shown that machine-learning tools such as hidden Markov models (HMMs), which learn the statistical profile of a virus family's code rather than matching any fixed pattern, are nevertheless effective at detecting even these metamorphic viruses.
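As an added illustration (my own code, not the paper's generator or detector and not Symantec's), the following Python script puts the two detection approaches side by side on a constructed toy. A made-up "parent" opcode sequence is run through a toy metamorphic engine that swaps equivalent instructions and inserts dead code; a signature scanner then looks for a fixed 24-opcode fragment lifted from the parent, while a two-state hidden Markov model is trained with Baum-Welch on the opcode stream of ten children and scores unseen samples by log-likelihood per opcode against a threshold. Everything here is an assumption made for the example: the opcode alphabet, the parent sequence, the mutation rules, the benign opcode mix used for contrast, the number of HMM states and the threshold margin. Training on opcode sequences rather than raw bytes is how HMM-based detectors in this line of work are generally set up, but the paper's own generator, training data and parameters are not reproduced.

```python
import math
import random

# Constructed opcode alphabet: a stand-in for x86 mnemonics after disassembly.
OPCODES = ["mov", "push", "pop", "call", "ret", "jmp", "xor", "sub", "add", "nop", "lea", "cmp", "jz"]
IDX = {op: i for i, op in enumerate(OPCODES)}
# Constructed "parent" opcode sequence of the toy virus (not real malware).
PARENT = ["push", "mov", "xor", "mov", "call", "mov", "xor", "jmp", "mov", "push", "call", "pop", "mov", "ret"] * 8
BENIGN_OPS, BENIGN_W = ["lea", "cmp", "jz", "add", "mov", "call", "ret"], [25, 20, 20, 15, 10, 5, 5]  # assumed benign mix

def mutate(seq, rng):
    """Toy metamorphic engine: equivalent-instruction substitution plus dead-code insertion."""
    out = []
    for op in seq:
        if op == "xor" and rng.random() < 0.5:
            op = "sub"                    # xor r,r and sub r,r both zero a register
        out.append(op)
        r = rng.random()
        if r < 0.30:
            out.append("nop")             # junk instruction
        elif r < 0.40:
            out.extend(["push", "pop"])   # do-nothing pair
    return out

def signature_match(seq, signature):
    """Classic scanner: does a fixed opcode n-gram occur anywhere in the sample?"""
    n = len(signature)
    return any(seq[i:i + n] == signature for i in range(len(seq) - n + 1))

def forward(obs, pi, A, B):
    """Scaled forward pass; returns the alphas and scaling factors c_t (log P(O) = -sum log c_t)."""
    N, alpha, c = len(pi), [], []
    for t, o in enumerate(obs):
        a = [(pi[i] if t == 0 else sum(alpha[-1][j] * A[j][i] for j in range(N))) * B[i][o]
             for i in range(N)]
        ct = 1.0 / sum(a)
        c.append(ct)
        alpha.append([x * ct for x in a])
    return alpha, c

def backward(obs, A, B, c):
    """Scaled backward pass matching forward()."""
    N, T = len(A), len(obs)
    beta = [[0.0] * N for _ in range(T)]
    beta[T - 1] = [c[T - 1]] * N
    for t in range(T - 2, -1, -1):
        beta[t] = [c[t] * sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N)) for i in range(N)]
    return beta

def train_hmm(obs, n_states=2, n_iter=30, seed=1):
    """Baum-Welch re-estimation for a discrete HMM (the standard algorithm, in pure Python)."""
    rng = random.Random(seed)
    N, M, T = n_states, len(OPCODES), len(obs)
    def rand_row(n):  # near-uniform random start, as is usual for Baum-Welch
        row = [1.0 + 0.1 * rng.random() for _ in range(n)]
        return [x / sum(row) for x in row]
    pi, A, B = rand_row(N), [rand_row(N) for _ in range(N)], [rand_row(M) for _ in range(N)]
    for _ in range(n_iter):
        alpha, c = forward(obs, pi, A, B)
        beta = backward(obs, A, B, c)
        # gamma[t][i] = P(state i at time t | O); xi_sum[i][j] = expected number of i -> j transitions
        gamma, xi_sum = [[0.0] * N for _ in range(T)], [[0.0] * N for _ in range(N)]
        for t in range(T - 1):
            raw = [[alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N)] for i in range(N)]
            den = sum(map(sum, raw))
            for i in range(N):
                gamma[t][i] = sum(raw[i]) / den
                for j in range(N):
                    xi_sum[i][j] += raw[i][j] / den
        gamma[T - 1] = [x / sum(alpha[T - 1]) for x in alpha[T - 1]]
        pi = gamma[0][:]
        for i in range(N):
            g_i = max(sum(gamma[t][i] for t in range(T - 1)), 1e-300)
            A[i] = [xi_sum[i][j] / g_i for j in range(N)]
            counts = [1e-3] * M                     # additive smoothing: unseen opcodes never give log(0)
            for t in range(T):
                counts[obs[t]] += gamma[t][i]
            B[i] = [x / sum(counts) for x in counts]
    return pi, A, B

def llpo(seq, model):
    """Log-likelihood per opcode, log P(O | lambda) / |O|, so scores are comparable across lengths."""
    pi, A, B = model
    _, c = forward([IDX[op] for op in seq], pi, A, B)
    return -sum(math.log(ct) for ct in c) / len(seq)

def run_demo(seed=7):
    """Train on ten children of PARENT, then score five unseen children and five benign programs."""
    rng = random.Random(seed)
    train = [mutate(PARENT, rng) for _ in range(10)]
    held_out = [mutate(PARENT, rng) for _ in range(5)]
    benign = [rng.choices(BENIGN_OPS, BENIGN_W, k=len(PARENT)) for _ in range(5)]
    # 1. A fixed 24-opcode signature lifted from the parent misses the metamorphic children.
    sig_hits = sum(signature_match(v, PARENT[:24]) for v in held_out)
    # 2. An HMM of the family's opcode statistics still ranks those children as family.
    model = train_hmm([IDX[op] for v in train for op in v])
    threshold = min(llpo(v, model) for v in train) - 0.5   # assumed margin below the training scores
    child, ben = [llpo(v, model) for v in held_out], [llpo(b, model) for b in benign]
    return {"signature_hits": sig_hits, "n_variants": len(held_out),
            "hmm_detected": sum(s > threshold for s in child), "false_positives": sum(s > threshold for s in ben),
            "child_llpo": round(sum(child) / 5, 3), "benign_llpo": round(sum(ben) / 5, 3)}
```

Calling run_demo() returns a small summary: the signature still matches the parent but essentially never a child, while the HMM scores the unseen children close to the training scores and the benign sequences far below the threshold. The caveat that matters for the next paragraph is visible in those numbers: a model this small mostly learns the family's opcode frequencies, so a generator that pads its output with dead code drawn from a benign opcode distribution would pull the child scores toward the benign ones. Watching that score gap is the check a practitioner would want before trusting an HMM threshold in production.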
The team assumes that virus writers are by now fully aware of this work and are looking for ways to defeat even powerful HMMs. So the team is tweaking its metamorphic generator to see whether it can defeat the statistical detection that HMMs rely on, and thereby find ways to improve the HMMs' detection prowess and stay a step ahead of those viruses as well.
Priti Desai & Mark Stamp (2011). A highly metamorphic virus generator. International Journal of Multimedia Intelligence and Security, 1(4), 402-407.
