[svlug] Viruses (was: virus FUD)

Karen Shaeffer shaeffer at best.com
Sat May 6 02:30:20 PDT 2000

On Sat, May 06, 2000 at 12:47:32AM -0700, Rick Moen wrote:

As always Rick, nicely put.


> Arrgh.  There _is_ no algorithmic way to distinguish safe from unsafe
> files.  
---end quoted text---

This is not entirely true anymore. There are numerous projects under
development (at IBM and HP, to name a few) whereby adaptive algorithms
are implemented which characterize a process during _runtime_. The
characterization detects process behavior that indicates the system is
under attack. IBM has some patents and has published papers concerning
these systems.

So how does it work?

Take a process and run the hell out of it in a lab, capturing data vectors
that characterize normal operation patterns. These vectors could be as
simple as function calls or, more interestingly, the CPU execution-time
environment parameters, such as the register pointers, for example. Once you
collect all this data, process it with classification algorithms to
map out a safe operational execution vector space. Now, utilize these
classification bounds as a form of runtime configuration matrix for
a particular process such as a MUA or sendmail, or Bind, etc... Now, develop
a runtime intrusion detection system that is runtime configurable for a
given process. Each process has a unique configuration vector that is also
dependent on operational environmental parameters. When your system comes
under attack, you'll detect it in real-time and preclude any serious

Of course, these concepts are extensible vertically as well as horizontally
with respect to process group behavior or session behavior at a node or
distributed over a subnet. Look for this class of run-time intrusion
detection system to become ubiquitous within 4 to 8 years.

  Karen Shaeffer
  Neuralscape; Santa Cruz, Ca. 95060
  shaeffer at neuralscape.com  http://www.neuralscape.com
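As an added illustration of the "characterize normal, then flag deviation" scheme described in the post (this is not code from the post, nor from the IBM or HP systems it mentions), the sketch below builds a baseline of short call-sequence windows from constructed "normal" traces and then scores a runtime trace by the share of its windows never seen in training, in the spirit of the syscall-sequence anomaly detectors of that era. The trace contents, window length and threshold are all made-up assumptions.

```python
"""Runtime anomaly detection from a lab-built baseline of call sequences.

Added example: baseline = set of length-n windows over a process's call
trace captured during normal operation; a live trace is scored by the
fraction of its windows absent from that baseline.  All traces below are
constructed sample data, not real daemon behaviour.
"""
from typing import Iterable, List, Set, Tuple

# Constructed "lab" traces: abstracted call sequences of one daemon
# handling ordinary requests (stand-in for the captured data vectors).
NORMAL_TRACES = [
    ["accept", "read", "parse", "stat", "open", "read", "write", "close"],
    ["accept", "read", "parse", "stat", "write", "close"],
    ["accept", "read", "parse", "open", "read", "write", "close"],
]

# Constructed runtime trace that leaves the normal execution space.
ANOMALOUS_TRACE = ["accept", "read", "parse", "setuid", "execve", "write"]


def ngrams(trace: Iterable[str], n: int) -> List[Tuple[str, ...]]:
    """All consecutive length-n windows of a trace (empty if too short)."""
    t = list(trace)
    return [tuple(t[i:i + n]) for i in range(len(t) - n + 1)]


def build_baseline(traces: Iterable[Iterable[str]], n: int = 3) -> Set[Tuple[str, ...]]:
    """The 'safe operational vector space': every window seen in the lab."""
    baseline: Set[Tuple[str, ...]] = set()
    for trace in traces:
        baseline.update(ngrams(trace, n))
    return baseline


def anomaly_score(baseline: Set[Tuple[str, ...]], trace: Iterable[str], n: int = 3) -> float:
    """Fraction of the trace's windows never observed during training (0..1)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0  # too short to judge; do not raise a false alarm
    unseen = sum(1 for g in grams if g not in baseline)
    return unseen / len(grams)


def is_anomalous(baseline: Set[Tuple[str, ...]], trace: Iterable[str],
                 n: int = 3, threshold: float = 0.2) -> bool:
    """Per-process tunable bound: alert when too much of the trace is novel."""
    return anomaly_score(baseline, trace, n) > threshold


if __name__ == "__main__":
    base = build_baseline(NORMAL_TRACES)
    print("normal  :", anomaly_score(base, NORMAL_TRACES[0]))   # 0.0
    print("attack  :", anomaly_score(base, ANOMALOUS_TRACE))    # 0.75
```

The threshold is the "classification bound" the post talks about: too low and ordinary but rarely exercised code paths raise alerts, too high and a short hostile detour slips through, which is why the baseline must be collected across the process's real operating conditions.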
