
power. Therefore, instead of attempting a futile rationalization of our clas-
sification versus the many interesting and insightful classifications of others,
such as those presented in Section 1, we will delineate the explanatory power
of our approach, pointing out any relevant similarities to other approaches.
Intuitively, computer viruses that are classified as unassisted within our
classification are those that are reproductively isolated, i.e., those that do
not require the help of external entities during their reproductive process.
Consequently, those that are classified as assisted require the help of external entities
for their reproduction. Here our approach is similar to the work of Taylor [32],
who makes the distinction between unassisted and assisted reproduction with
respect to artificial life.
Many other formal descriptions of computer viruses are based on descrip-
tions of functionality and behaviour. For example, Cohen describes viral
behaviour using Turing machines [8], Adleman uses first-order logic [1] and
Bonfante et al [3, 4] base their approach on recursion theorems. Our approach
differs in that the focus is not on the virus's behaviour, but rather on
the ecology of the virus, i.e., the environment in which reproduction takes
place. For example, we might consider an operating system or a network to
be essential parts of the virus's environment which facilitate reproduction,
and by casting them as external entities we can then classify the virus as
(un)assisted, or classify it using metrics as given in Section 3.6.
Our approach bears some similarities to the work of Filiol et al [12] on
their formal theoretical model of behaviour-based detection, which uses ab-
stract actions (similar to those used in Section 2.5) to form behavioural de-
scriptions of computer viruses. The emphasis on behaviour-based detection
is complementary to the approach to automated computer virus classification
presented in Section 3, in which the affordance of actions by external enti-
ties is directly related to the behaviours observable by behaviour monitoring
software of a computer virus, and the resulting classification is tailored to the
behaviour monitoring capabilities of a particular anti-virus software.
Our classification of computer viruses is a special case of the construction
and classification of reproduction models from our earlier work [38, 35], which
places computer viruses within the broader class of natural and artificial life
forms. This relationship between computer viruses and other forms of life
has been explored by Spafford [30] in his description of computer viruses as
artificial life, and by Cohen's treatise [9] on living computer programs. The
comparison between computer viruses and other reproductive systems has
resulted in interesting techniques for anti-virus software such as computer
immune systems [22, 29, 19], and in that sense we hope that the formal re-
lationship between computer viruses and other life forms has been further
demonstrated by this paper, and could assist in the application of concepts
from the study of natural and artificial life to problems in the field of com-
puter virology. In addition, we believe our description of computer viruses
within a formal theoretical framework also capable of describing natural and
artificial life systems further supports the ideas of Spafford and Cohen: that
computer viruses are not merely a dangerous annoyance or a computational
curiosity, but a life form in their own right.
4.2 Future Work
In Section 3.6 we showed how using a simple metric we could compare the
reliance on external entities of two viruses written in Visual Basic Script.
It should also be possible to develop more advanced metrics for comparing
viruses with assisted classification. For example, a certain sequence of ac-
tions which require external entities may flag with a certain level of certainty
a given viral behaviour. Therefore it would seem logical to incorporate this
into a weighted metric that reflects the particular characteristics of these
viruses. Different metrics could be employed for different languages, if dif-
ferent methods of behaviour monitoring are used for Visual Basic Script and
Win32 executables, for example.
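
The weighted metric proposed above can be sketched as follows. This is an added example, not code from the paper: the abstract action names, the pattern weights, the noisy-OR combination and the reading of the simple metric as a count of assisted actions are all assumptions made for illustration. It shows that two traces with the same simple count can score differently once ordered sequences are weighted, and that the result depends on which actions a given behaviour monitor can observe.

```python
# Constructed weights: how strongly an ordered run of assisted actions
# suggests a behaviour of interest. Action names are hypothetical.
PATTERNS = {
    ("open_self", "read_self", "write_file"): 0.9,  # self-copy through the file system
    ("enumerate_files", "write_file"): 0.6,         # search, then write
    ("send_mail",): 0.3,                            # use of a mail service
}

def assisted_actions(trace, monitored):
    """Actions in the trace that rely on an external entity the monitor observes."""
    return [a for a in trace if a in monitored]

def simple_metric(trace, monitored):
    """Assumed simple metric: the number of assisted actions."""
    return len(assisted_actions(trace, monitored))

def classify(trace, monitored):
    """Unassisted when no action needs a monitored external entity."""
    return "assisted" if simple_metric(trace, monitored) else "unassisted"

def is_subsequence(pattern, seq):
    """True if pattern occurs in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(p in it for p in pattern)

def weighted_metric(trace, monitored, patterns=PATTERNS):
    """Combine the weights of all matched patterns as a noisy-OR (assumption)."""
    seen = assisted_actions(trace, monitored)
    miss = 1.0
    for pattern, weight in patterns.items():
        if is_subsequence(pattern, seen):
            miss *= 1.0 - weight
    return 1.0 - miss

# Constructed traces: same actions, different order.
TRACE_A = ["open_self", "read_self", "enumerate_files", "write_file"]
TRACE_B = ["write_file", "read_self", "open_self", "enumerate_files"]

# Constructed monitors: a full monitor, a file-system-only one, and none.
FULL = {"open_self", "read_self", "enumerate_files", "write_file", "send_mail"}
FS_ONLY = {"enumerate_files", "write_file"}
NONE = set()

if __name__ == "__main__":
    for name, mon in (("full", FULL), ("fs-only", FS_ONLY), ("none", NONE)):
        for label, tr in (("A", TRACE_A), ("B", TRACE_B)):
            print(name, label, classify(tr, mon), simple_metric(tr, mon),
                  round(weighted_metric(tr, mon), 2))
```
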
In Section 3 we described some methods for automatic classification by
static and dynamic analysis. A natural extension of this work would be
to describe these methods formally, perhaps by using the formal definition
of reproduction models as a starting point. A useful application would be
formal proofs of the assertions made informally in Section 3.1, e.g., that all
computer virus reproduction models are classified as unassisted when that
model describes a computer virus executed within a sandbox.
Following on from the discussion above, another possible application of
our approach is towards the assessment of anti-virus behaviour monitoring
software via affordance-based models. As mentioned before, there are some
similarities between our approach and the recent work by Filiol et al [12]
on the evaluation of behavioural detection strategies, particularly in the use
of abstract actions in reasoning about viral behaviour. Also, the use of be-
havioural detection hypotheses bears a resemblance to our proposed antivirus
ontologies. In future we would like to explore this relationship further, per-
haps by generating a set of benchmarks based on our formal reproduction
models and classifications, similar to those given in [12].
Recent work by Bonfante et al [3] discusses classification of computer
viruses using recursion theorems, in which a notion of externality is given
through formal definitions of different types of viral behaviour, e.g., companion
viruses and ecto-symbiotes that require the help of external entities,
such as the files they infect. An obvious extension of this work would be
to work towards a description of affordance-based classification of computer
viruses using recursion theorems, and conversely, a description of recursion-
based classification in terms of formal affordance theory.
Following on from earlier work [35, 38], it might also be possible to further
sub-classify the space of computer viruses using notions of abstract actions
such as the sets of actions corresponding to the self-description or reproduc-
tive mechanism of the computer virus. We might formalise this by defining
predicates on the actions in a reproduction model; e.g., one predicate might
hold for all actions which are part of the payload, i.e., that part of the virus
that does not cause the virus to reproduce, but instead produces some side-