Computer virus analysis

Computer Viruses

Fig 1. The infected hosts of the SQL Slammer virus after 30 minutes.
The size of the circles denotes the relative number of the infected hosts.
(source: CAIDA).

Computer viruses (hereafter called viruses) are programs that have harmful effects on a computer. Originally, viruses spread slowly through media such as floppy disks and erased computer data on a certain date. Because computers were not as ubiquitous as they are today, this was not a widespread problem in society.

However, the damage caused by viruses is now a problem confronting society that cannot be ignored. Today computer networks have become an essential part of our infrastructure. Almost all computer viruses today are able to spread through networks, so their infection speed is on a different scale. Strongly infectious viruses can now spread throughout the world in a matter of minutes, causing economic damage in many countries around the world.

For example, in January 2003 the SQL Slammer virus spread throughout the world in thirty minutes, as shown in Figure 1. It was one of the most damaging viruses in recent times; its worldwide damage is estimated at 8 billion dollars (about 960 billion yen).

These days viruses that leak personal information are increasing. For example, they can send internet banking passwords to criminals. Malicious viruses are rapidly increasing, and in Japan they are targeting banks.

Standard virus detection methods

In order to defend against and destroy viruses, they must first be detected. The most popular method for detecting viruses is pattern matching. It relies on virus definition files that contain many signatures (definition information) and matches that information against the suspect file.

Pattern matching requires the actual analysis of a specimen virus and results in very few mistakes in identification. It was thus very effective in stopping viruses while they spread at a slow rate. However, a signature can only be created after a virus has been discovered, so signatures always run behind the actual spread of viruses. Recently viruses have appeared at a rate of about one per hour, and pattern matching cannot effectively keep up.
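The following is an added illustration of the pattern-matching approach described above; it is not code from this laboratory or from any anti-virus product. It assumes a definition file can be modelled as a dictionary of named byte patterns (here byte-level regular expressions, so wildcards can cover small variations), and all signatures and "infected" specimens are constructed strings, not real malware. The last part shows the lag the text describes: a one-byte variant is missed until an analyst has examined it and a widened definition is added to the database.

```python
import re
from typing import Dict, List

# Constructed signature database for illustration only: signature name ->
# byte-level regular expression. These are made-up strings, not real
# malware signatures. Quantifiers such as {2,8} act as wildcards so one
# signature can cover variations the analyst has already seen.
SIGNATURE_DB: Dict[str, bytes] = {
    "Sample-A": rb"CONSTRUCTED_PAYLOAD_A\x00\x01",
    "Sample-B": rb"INIT\x90{2,8}CONSTRUCTED_PAYLOAD_B",
}


def compile_signatures(db: Dict[str, bytes]) -> Dict[str, "re.Pattern"]:
    """Compile every pattern once; DOTALL lets '.' also match newline bytes."""
    return {name: re.compile(pat, re.DOTALL) for name, pat in db.items()}


def scan_bytes(data: bytes, compiled: Dict[str, "re.Pattern"]) -> List[str]:
    """Return the names of all signatures whose pattern occurs in `data`."""
    return [name for name, rx in compiled.items() if rx.search(data)]


def scan_file(path: str, compiled: Dict[str, "re.Pattern"]) -> List[str]:
    """Scan a file on disk the same way: read as raw bytes, never executed."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), compiled)


def add_signature(db: Dict[str, bytes], name: str, pattern: bytes) -> Dict[str, bytes]:
    """Return a new database with one more definition (the 'update' step)."""
    updated = dict(db)
    updated[name] = pattern
    return updated


# Constructed specimens (not real files): a clean file, two files carrying
# the patterns above, and a variant of A that differs by a single byte.
CLEAN = b"MZ" + b"\x00" * 64 + b"hello world"
INFECTED_A = b"MZ" + b"\x00" * 16 + b"CONSTRUCTED_PAYLOAD_A\x00\x01" + b"\xff" * 8
INFECTED_B = b"INIT" + b"\x90" * 4 + b"CONSTRUCTED_PAYLOAD_B"
VARIANT_A = b"MZ" + b"\x00" * 16 + b"CONSTRUCTED_PAYLOAD_A\x00\x02"

COMPILED = compile_signatures(SIGNATURE_DB)

# The lag described in the text: the variant stays undetected until an
# analyst has looked at it and published a widened definition.
UPDATED_DB = add_signature(
    SIGNATURE_DB, "Sample-A.v2", rb"CONSTRUCTED_PAYLOAD_A\x00[\x01\x02]"
)
COMPILED_UPDATED = compile_signatures(UPDATED_DB)

if __name__ == "__main__":
    specimens = [("clean", CLEAN), ("A", INFECTED_A), ("B", INFECTED_B), ("A-variant", VARIANT_A)]
    for label, blob in specimens:
        print(f"{label:10s} old db: {scan_bytes(blob, COMPILED)!s:16s} "
              f"updated db: {scan_bytes(blob, COMPILED_UPDATED)}")
```

Running the script shows the variant scanning clean against the original database and only being flagged after the update; the detection quality of this method is entirely bounded by what the definition file already contains.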

The most important point in anti-virus defense is to be able to identify a virus as soon as it appears and defend against it. In our laboratory we are aiming to develop methods of virus detection that don’t rely too heavily on signatures.