Q: viruses and genetic algorithms ( No Answer, 2 Comments )
Question  
Subject: viruses and genetic algorithms
Category: Computers > Algorithms
Asked by: crook-ga
List Price: $15.00
Posted: 03 Aug 2002 05:40 PDT
Expires: 02 Sep 2002 05:40 PDT
Question ID: 50172
How do you find an identifier in a virus's source code (the part of the code
that could be used to identify it during an anti-virus scanning
operation) and then put it in a genetic algorithm? How does anti-virus
software work?

Request for Question Clarification by alienintelligence-ga on 03 Aug 2002 06:22 PDT
Hi crook...

Here is the info on how antivirus programs work:
[ http://www.stiller.com/avsw.htm ]

[ http://www.ucs.ed.ac.uk/usd/iss/ol/issues/viruses/anti-virus/anti_virus_guidelines.html ]

A reiteration at the end of this page
[ http://www.uksecurityonline.com/threat/viruses.php ]

More of the same info
[ http://www3.wcu.edu/~lm14353/more_on_antivirus_software.htm ]

What all these pages will tell you is that the basis of virus software is pattern matching: analyzing viruses to find snippets of recognized code patterns. Beyond that, some programs monitor system processes and alert on aberrant actions caused by suspect code.

For viruses, the identifier would be a part of the code that is a unique signature for the particular virus. This would vary according to the payload, launch time and date, etc. of the virus. By "how do you find it", are you asking how you determine what the string you are looking for is... or how the string is found in an operating system?

You can capture the string from the data stream in real time, and then parse it to a handler for the Genetic Algorithm.

Can you tell me how you are interested in having the Genetic Algorithms interact with the virus scanning? GAs seem more suited to working toward a goal or solution rather than serving as a guard, unless you want your "guard" to recognize a "new attacker" based on old attackers.

Well, I hope I have answered how a virus scanner works for you... I'd be glad to go into more detail if you like.

When you can clarify the interaction of the GA, I should be able to give a formal answer.

thanks,
-AI
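
A worked illustration of the two points in the reply above, deriving an identifier from several infected samples and then pattern matching on it. This is an added example, not code from alienintelligence-ga, from the asker, or from any real scanner: the virus bytes, the file layout, the signature names and the "??" one-byte wildcard notation are all constructed for the example.

```python
import re

# --- 1. Deriving an identifier from several infected samples ---------------

def longest_common_run(samples, min_len=8):
    """Candidate identifier: the longest byte run present in every sample.
    Brute force over substrings of the shortest sample, longest first; fine
    for a handful of small files, not for a real corpus."""
    shortest = min(samples, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return b""

# Constructed "virus": an invariant code block followed by a per-infection
# stamp (the part that varies with date/launch time). Neither the bytes nor
# the layout come from any real virus.
VIRUS_CORE = bytes.fromhex("60 8b 74 24 24 8b 7c 24 28 fc f3 a4 61")

def infected_file(host, stamp):
    return host + VIRUS_CORE + b"DATE" + stamp

# Three constructed infected files: different hosts, different stamps.
VARIANTS = [
    infected_file(b"MZ" + b"\x00" * 32, b"\x03\x08\x02"),
    infected_file(b"MZ" + b"\x01" * 32, b"\x06\x08\x02"),
    infected_file(b"MZ" + b"\x02" * 32, b"\x16\x08\x02"),
]

# --- 2. Storing and matching signatures -----------------------------------

def to_hex_pattern(run):
    return " ".join("%02x" % b for b in run)

def compile_signature(hex_pattern):
    """Spaced hex with '??' one-byte wildcards -> compiled bytes regex.
    Each fixed byte becomes a \\xNN escape; '??' becomes '.' (DOTALL so it
    also matches 0x0a)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed database: the identifier derived above, plus a hand-written
# pattern whose relocation-dependent bytes are wildcarded so the signature
# stays stable when those bytes change between infections.
SIGNATURES = {
    "Example.Stamp.A": to_hex_pattern(longest_common_run(VARIANTS)),
    "Example.Dropper.B": "e8 00 00 00 00 5b 81 eb ?? ?? ?? ?? 8d 83",
}
COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan(data):
    """Return (signature name, offset) for every signature found in data,
    ordered by offset; an empty list means no signature matched."""
    hits = []
    for name, pat in COMPILED.items():
        m = pat.search(data)
        if m:
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    print("derived identifier:", SIGNATURES["Example.Stamp.A"])
    print(scan(VARIANTS[1]))
    print(scan(b"MZ" + b"\x00" * 64))
```

Two caveats a practitioner would add: the longest common run across a few samples is only a candidate, since it can include bytes that are shared by coincidence (a common date prefix, a library routine present in clean files too), so it has to be checked against a clean-file corpus before it becomes a signature; and a fixed byte string does nothing against a virus that encrypts its body, which is the point the comments below get to.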

Clarification of Question by crook-ga on 06 Aug 2002 11:04 PDT
Hi,

Well, I am trying to write a program (software) that will identify
viruses on a computer. I want to do this by using artificial
intelligence. I have lengths of virus source code, but from each code
how do I find the identifier? Is there anywhere on the internet that
has virus signatures derived from source code (to my knowledge this is
what the anti-virus scanner looks for)? Once this has been found I
want to put it into an algorithm of some sort. I propose a genetic
algorithm. Are there any other algorithms that I can use? If so, what,
and how can I put the set of virus signatures into it? How do I code
the algorithm?

Thanks
Answer  
There is no answer at this time.

Comments  
Subject: Re: viruses and genetic alogrithms
From: tne-ga on 06 Aug 2002 00:34 PDT
 
There is a race between virus writers and anti-virus writers.

Let me break down your question into two parts:

1. How does a virus try to avoid detection/identification?
2. How do antivirus writers try to detect/identify a virus? (I am assuming
you are not interested in removal.)

1. Basically a virus attaches to a normal program, executes its own code
(to infect/attach to other programs; usually it checks that it is not
already attached), then does harm, and finally returns to the original
program. Usually the infection phase is so fast it is hardly noticeable.
(Easiest way to detect this: check the file size.)

a) Viruses employ stealth techniques to avoid detection,
e.g. take a program of size P and a virus of size V, compress P to P-V,
attach V.
Another could be: when we do disk I/O such as reading a directory with
"dir" or "ls", or reading/copying the infected file, intercept the I/O and
return the original program.

b) Viruses employ polymorphic techniques to avoid identification:
hide the "signature"/"identifier",
e.g. randomly add superfluous instructions such as "nop".
A more advanced example:
encrypt itself using a random key and store it; when the virus is invoked,
decrypt and then execute, make new infections with new random keys,
store them, and so on.

2. Antivirus

a) For detection there are heuristic rules such as updating of files,
access to system components, scanning logs, having checksums for
programs, etc. A virus can change the checksum also, so
store the checksum separately in another location such that we can detect
infection.

b) For identification of an encrypted virus, advanced antivirus software
is like a CPU emulator: a software-based virtual computer. Remember the
virus needs to decrypt itself to run. Allow the virus to run in a safe
emulator environment. Let it decrypt, and run scanners to identify it.

Genetic Algorithms are used to optimize complex functions
probabilistically, to the best of my knowledge (I have limited knowledge
here). Let us see where their application could be in an advanced
immune system.

An advanced immune system can be broken down into the following parts:

a) A monitoring program based on heuristics.
b) On suspicion it triggers virus analysis: run the program on an
emulator for analysis; try identifying the signature.
c) Send the signature to clients worldwide; update their database of
viruses for cleanup and prevention.

GA can be used for optimizing heuristics, for matching signatures I guess.
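
The techniques listed in the comment above, worked in code as an added example (this is not tne-ga's code and not taken from any real product): a polymorphic copy whose bytes differ on every infection and so defeats a plain byte signature; the emulator-style answer of letting the sample perform its own decryption before scanning; the size-preserving stealth trick of compressing the host; and a checksum kept in a separate location that still catches the infection. The virus body, the one-byte XOR key layout, the host program and the file name are all constructed for the example.

```python
import hashlib
import os
import re
import zlib

# Constructed virus body and the identifier a scanner keys on (hypothetical
# bytes, not from any real sample).
BODY = b"INFECT:open(host);append(self);jmp host"
IDENTIFIER = re.compile(re.escape(b"append(self)"))

# --- polymorphism: same body, different bytes on disk each infection -------

def polymorphic_copy(body, key=0):
    """Model of the random-key trick: a one-byte XOR key stored in front of
    the XOR-encrypted body. A real sample carries the key inside its
    decryptor stub; the layout here stands in for that stub."""
    if key == 0:
        key = os.urandom(1)[0] or 1      # key 0 would leave the body in clear
    return bytes([key]) + bytes(b ^ key for b in body)

def static_scan(sample):
    """Signature scan of the bytes exactly as they sit on disk."""
    return IDENTIFIER.search(sample) is not None

def emulate_and_scan(sample):
    """Stand-in for the CPU-emulator approach: perform the sample's own
    decryption step (XOR with its stored key), then scan the result."""
    key, enc = sample[0], sample[1:]
    return IDENTIFIER.search(bytes(b ^ key for b in enc)) is not None

# --- stealth: file size unchanged, still caught by a stored checksum ------

def stealth_infect(program, virus):
    """Model of 'compress P to P-V, attach V': pack the host so the virus
    fits, then pad to the original length so a size check sees nothing."""
    packed = zlib.compress(program, 9)
    infected = virus + packed
    if len(infected) > len(program):
        raise ValueError("host does not compress enough to hide the virus")
    return infected + b"\x00" * (len(program) - len(infected))

def checksum(data):
    return hashlib.sha256(data).hexdigest()

HOST = b"MZ" + b"\x90" * 4000              # constructed, very compressible host
STORED = {"host.exe": checksum(HOST)}     # baseline kept in a separate location

def integrity_ok(name, on_disk):
    """Compare against the separately stored baseline, not against a
    checksum embedded in the file, which the virus could simply rewrite."""
    return checksum(on_disk) == STORED[name]

if __name__ == "__main__":
    s = polymorphic_copy(BODY)
    print("static scan finds it:", static_scan(s))
    print("emulate then scan finds it:", emulate_and_scan(s))
    inf = stealth_infect(HOST, s)
    print("size unchanged:", len(inf) == len(HOST),
          "integrity check passes:", integrity_ok("host.exe", inf))
```

The one-byte key is the whole model of a decryptor stub here; a real emulator has to run the actual decryption loop, which is why the comment describes a software virtual computer rather than a fixed transform. The integrity check only works if the baseline was taken from a known-clean file and the store itself is out of the virus's reach.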
Subject: Re: viruses and genetic alogrithms
From: bribold-ga on 16 Aug 2002 08:03 PDT
 
Wow, good answer by tne.

Another little heuristic method is to monitor the behaviour (in
emulation) of a virus - how it interacts with the host's kernel or
low-level APIs - and trigger alarms if you don't like what you're
seeing. This is rarely done because it's very hard not to trigger false
alarms.
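
An added example, written for this page and not code from tne-ga or bribold-ga, that ties together tne-ga's remark that a GA could be used for optimizing heuristics and bribold-ga's point that behaviour monitoring is hard to run without false alarms: weighted behaviour rules scored against a threshold, with the weights tuned by a genetic algorithm on labelled traces. The behaviour names, the traces and their labels, the threshold and the GA parameters are all constructed and hypothetical.

```python
import random

# Behaviours a monitor might record from an emulated run. Names, traces and
# labels are constructed for this example, not real telemetry.
FEATURES = ["writes_executable", "hooks_file_io", "sets_autorun",
            "copies_own_image", "opens_many_files", "network_out"]

# (observed behaviours, is_malicious). The benign half deliberately trips
# single rules: an installer writes executables and sets autorun, a compiler
# writes executables, a backup tool reads everything, an on-access scanner
# hooks file I/O. No single behaviour separates the two classes.
TRACES = [
    ({"writes_executable", "copies_own_image", "hooks_file_io"}, True),
    ({"writes_executable", "copies_own_image", "sets_autorun"}, True),
    ({"network_out", "opens_many_files", "sets_autorun"}, True),
    ({"writes_executable", "hooks_file_io", "opens_many_files"}, True),
    ({"writes_executable", "sets_autorun"}, False),        # installer
    ({"writes_executable", "opens_many_files"}, False),    # compiler
    ({"opens_many_files", "network_out"}, False),          # backup tool
    ({"hooks_file_io", "opens_many_files"}, False),        # on-access scanner
]
THRESHOLD = 1.0

def alarms(weights, behaviours):
    """Behaviour monitor: weighted sum of observed behaviours vs. a threshold."""
    score = sum(w for f, w in zip(FEATURES, weights) if f in behaviours)
    return score >= THRESHOLD

def fitness(weights, traces=TRACES):
    """Fraction of traces classified correctly: detections plus avoided
    false alarms count equally."""
    return sum(alarms(weights, b) == label for b, label in traces) / len(traces)

def evolve(traces=TRACES, pop_size=60, generations=120, seed=1):
    """Genetic algorithm over weight vectors in [0, 1]^6: tournament
    selection, uniform crossover, Gaussian mutation, two elites kept.
    Returns (best_weights, best_fitness). Only rng.random()/rng.gauss are
    used, so a fixed seed gives a reproducible run."""
    rng = random.Random(seed)
    pop = [[rng.random() for _ in FEATURES] for _ in range(pop_size)]

    def pick():                                  # tournament of two
        a = pop[int(rng.random() * pop_size)]
        b = pop[int(rng.random() * pop_size)]
        return a if fitness(a, traces) >= fitness(b, traces) else b

    for _ in range(generations):
        pop.sort(key=lambda w: fitness(w, traces), reverse=True)
        nxt = pop[:2]                            # elitism: the best is never lost
        while len(nxt) < pop_size:
            p1, p2 = pick(), pick()
            child = [x if rng.random() < 0.5 else y for x, y in zip(p1, p2)]
            child = [min(1.0, max(0.0, g + rng.gauss(0, 0.15)))
                     if rng.random() < 0.2 else g for g in child]
            nxt.append(child)
        pop = nxt
    best = max(pop, key=lambda w: fitness(w, traces))
    return best, fitness(best, traces)

if __name__ == "__main__":
    print("alarm on any suspicious call:", fitness([1.0] * len(FEATURES)))
    best, score = evolve()
    print("evolved weights:", [round(w, 2) for w in best], "fitness:", score)
```

Giving every behaviour a weight of 1.0, i.e. alarming on anything suspicious, scores 0.5 on these traces because all four benign programs trip it, which is bribold-ga's false-alarm problem in miniature; the best single rule (copies_own_image alone) reaches 0.75, and the GA has to find a combination to do better. The caveat is that eight constructed traces prove nothing about real false-alarm rates: weights that fit a small labelled set have to be checked against a large held-out corpus of benign software before anyone trusts the alarm.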
