Detecting previously unseen computer viruses
Computer viruses are a form of self-replicating code that copy themselves into other executables. The persistence of the computer virus threat is demonstrated by regular reports of new viruses. In recent years the Code Red, LOVEBUG, Concept and Remote Explorer outbreaks have all been highly publicised. The detection of viruses is becoming more difficult as more incidents are reported and the impact of those incidents increases. Viruses are a well-established method of conducting Information Warfare, an emerging discipline that describes methods of attacking information assets using a whole range of techniques. The emergence of Information Warfare as a professional discipline signals a change in the motivation and resources available to virus authors. In the past viruses were developed by lone hackers who were actively looking for publicity. Modern virus authors may be members of a criminal, terrorist or even state-sponsored organisation. These authors are highly likely to design viruses that are not detected by existing virus detection systems. As such, new methods of detecting previously unseen viruses are required.
This thesis details research into the detection of previously unseen computer viruses. A fundamental aspect of this research was the specification and implementation of a synthetic research environment aimed at providing complete and representative research data. The provision of such data, instead of relying on incomplete real-world data, enabled a more thorough analysis of the problem space and evaluation of alternative detection systems. Research into alternative detection systems investigated the detection of unseen viruses by detecting the replication of a code sentence, the use of mobile agents analogous to white blood cells and the application of intelligent classification techniques in the analysis of code sentences.
It was found that the detection of replication profiles is an effective method of detecting previously unseen viruses. The use of mobile agents was found to offer no improvement in the probability of a virus being detected. Similarly, the use of autonomous agents was found to reduce the overall effectiveness of the detection system; distributed agents were effective when a centralised reporting mechanism was in place. Furthermore, the investigation into intelligent classification techniques demonstrated the effectiveness of Hidden Markov Models in the classification of code sentences. The improved effectiveness was most noticeable in a reduction in the number of false positives generated by the classifier.
University of Southampton

Luke, James Steven (77c70807-4193-48d9-9801-957d85be46e6) (2002) Detecting previously unseen computer viruses. University of Southampton, Doctoral Thesis.

Record type: Thesis (Doctoral)
This record has no associated files available for download.
More information

Published date: 2002

Identifiers
Local EPrints ID: 464997
URI: http://eprints.soton.ac.uk/id/eprint/464997
PURE UUID: 5f7b9097-34a9-4e04-a6a9-653de2992bcd

Catalogue record
Date deposited: 05 Jul 2022 00:15
Last modified: 23 Jul 2022 01:12
Contributors
Author: James Steven Luke