14-03-2011, 09:23 PM
ARTIFICIAL INTELLIGENCE IN VIRUS DETECTION AND RECOGNITION
Parvathy Nair & Parvathy.R.Nair
S8-Computer Science Department
Mohandas College of Engineering and Technology
Trivandrum.
Parvathy Nair & Parvathy.R.Nair
S8-Computer Science Department
Mohandas College of Engineering and Technology
Trivandrum.
[attachment=10140]
Abstract
Artificial intelligence (AI) techniques have played increasingly important role in virus detection. At present, some
principal artificial intelligence techniques applied in virus detection are proposed, including heuristic technique,
data mining, agent technique, artificial immune, and artificial neural network. It believes that it will improve the
performance of virus detection systems, and promote the production of new artificial intelligence algorithm. This
paper introduces the main artificial intelligence technologies, which have been applied in antivirus system
(Heuristics scanning).Virus detection is based on recognition of a signature or string of code which identifies a
certain virus. Similar to how investigators use characteristics to identify criminals; antivirus look for ‘digital
footprints’ in order to recognize a virus .Nevertheless, to detect an unknown virus, a particular signature or
recognized code does not yet exist. For this reason a heuristic scan is used.Heuristic methods are based on the
piece-by-piece examination of a virus, looking for a sequence or sequences of instructions that differentiate the
virus from ‘normal’ programs.
Introduction To Heuristic Scanning
Malware
Malware, short for malicious software, is software
designed to infiltrate a computer system without the
owner's informed consent. The expression is a
general term used by computer professionals to mean
a variety of forms of hostile, intrusive, or annoying
software or program code. Software is considered to
be malware based on the perceived intent of the
creator rather than any particular features. Malware
includes computer viruses, worms, trojan horses,
spyware, dishonest adware, crimeware, most rootkits,
and other malicious and unwanted software.
Types Of Malware
A computer virus is a computer program that can
copy itself and infect a computer. The term "virus" is
also commonly but erroneously used to refer to other
types of malware, including but not limited to adware
and spyware programs that do not have the
reproductive ability. A true virus can spread from one
computer to another (in some form of executable
code) when its host is taken to the target computer. A
computer worm is a self-replicating malware
computer program. It uses a computer network to
send copies of itself to other nodes (computers on the
network) and it may do so without any user
intervention. Trojan horses are created for the
purpose of running code on the user's computer that
he otherwise would not have consented to, allowing
the author of the Trojan access to a number of
personally-desired purposes.Adware is a Trojan horse
may modify the user's computer to display
advertisements in undesirable places, such as the
desktop or in uncontrollable pop-ups, or it may be
less notorious, such as installing a toolbar on to the
user's Web browser without prior mentioning. A
backdoor in a computer system is a method of
bypassing normal authentication, securing remote
access to a computer, obtaining access to plaintext,
and so on, while attempting to remain undetected.
Keystroke logging (often called keylogging) is the
action of tracking (or logging) the keys struck on a
keyboard, typically in a covert manner so that the
person using the keyboard is unaware that their
actions are being monitored .A typical hoax is an
email message warning recipients of a non-existent
threat, usually quoting spurious authorities such as
Microsoft and IBM.
Malware! =Virus
Due to different behavior, each malware group uses
alternative ways of being undetected. This forces
anti-virus software producers to develop numerous
solutions and countermeasures for computer
protection. This presentation focuses on methods
used especially for virus detection, not necessarily
effective against other types ofmalicious software.
Infection Strategies
Nonresident viruses
Nonresident viruses can be thought of as consisting
of a finder module and a replication module. The
finder module is responsible for finding new files to
infect. For each new executable file the finder
module encounters, it calls the replication module to
infect that file.
Resident viruses
Resident viruses contain a replication module that is
similar to the one that is employed by nonresident
viruses. The virus loads the replication module into
memory when it is executed instead and ensures that
this module is executed each time the operating
system is called to perform a certain operation.
Resident viruses are sometimes subdivided into a
category of fast infectors and a category of slow
infectors. Fast infectors are designed to infect as
many files as possible. A fast infector, for instance,
can infect every potential host file that is accessed.
This poses a special problem when using anti-virus
software, since a virus scanner will access every
potential host file on a computer when it performs a
system-wide scan. If the virus scanner fails to notice
that such a virus is present in memory the virus can
"piggy-back" on the virus scanner and in this way
infect all files that are scanned. Slow infectors, on the
other hand, are designed to infect hosts infrequently.
Some slow infectors, for instance, only infect files
when they are copied. Slow infectors are designed to
avoid detection by limiting their actions: they are less
likely to slow down a computer noticeably and will,
at most, infrequently trigger anti-virus software that
detects suspicious behavior by programs.
Metaheuristics and Heuristics
Metaheuristic is a heuristic method for solving a very
general class of computational problems by
combining user-given black-box procedures
in a hopefully efficient way. Metaheuristics are
generally applied to problems for which there is no
satisfactory problem specific algorithm
or heuristic. In computer science, a heuristic is a
technique designed to solve a problem that ignores
whether the solution can be proven to be correct, but
which usually produces a good solution or solves a
simpler problem that contains or intersects with the
solution of the more complex problem. Most real-
time, and even some on-demand, anti-virus scanners
use heuristic signatures to look for specific attributes
General Meta Heuristics
In computer science, pattern matching is the act of
checking some sequence of tokens for the presence of
the constituents of some pattern. In contrast to pattern
recognition, the match usually has to be exact. The
patterns generally have the form of either sequences
or tree structures. The process of emulation is just
like hitchhiking. The emulator convinces the viral
code that it is actually executing, and it hitchhikes to
the point where the virus passes control to the
original program.
Lacks In Specific
Generally speaking, there are two basic methods to
detect viruses - specific and generic. Specific virus
detection requires the anti-virus program to have
some pre-defined information about a specific virus
(like a scan string). The anti-virus program must be
frequently updated in order to make it detect new
viruses as they appear. Generic detection methods
however are based on generic characteristics of the
virus, so theoretically they are able to detect every
virus, including the new and unknown ones.
Why is generic detection gaining importance? There
are four reasons:
1) The number of viruses increases rapidly.
Studies indicate that the total number of viruses
doubles roughly every nine months. The amount of
work for the virus researcher increases, and the
chances that someone will be hit by one of these
unrecognizable new viruses increases too.
2) The number of virus mutants increases. Virus
source codes are widely spread and many people
can't resist the temptation to experiment with them,
creating many slightly modified viruses. These
modified viruses may or may not be recognized by
the anti-virus product. Sometimes they are, but
unfortunately often they are not.
3) The development of polymorphic viruses.
polymorphic viruses like MtE and TPE are more
difficult to detect with virus scanners. It is often
months after a polymorphic virus has been
discovered before a reliable detection algorithm has
been developed. In the meantime many users have an
increased chance of being infected by that virus.
4) Viruses directed at a specific organization or
company. It is possible for individuals to utilize
viruses as weapons. By creating a virus that only
works on machines owned by a specific organization
or company it is very unlikely that the virus will
[attachment=10140]
