Detecting unknown computer viruses
PhD Student Tom Lysemose is the world’s first to have developed software that is able to effectively detect attacks by an unknown computer virus.
Possible customers include the large anti-virus companies. A problem with today’s anti-virus software is that they can only protect from known viruses. Unknown viruses are not stopped.
A great number of viruses exist. Some of these viruses need active handling by the user in order to infect a computer, such as when someone is tricked into opening an infected e-mail attachment. Other viruses are more crafty. Without a user being aware that he has made a single mistake, the virus can attack software and take control of the computer, resulting in, for example, all documents being deleted.
The explanation for how these unpleasant events are possible is that very many computer programmes contain programming errors. The most common is called Buffer Overflow.
-Embarrassingly enough, this programming error is also made by those who write anti-virus software, such as Symantec, explains Tom Lysemose. But he points out that such programming mistakes are common for all programmers who write in C, one of the world’s most common programming languages.
-The web browser Internet Explorer is one such example. Programming errors can also be found in the IP-telephony system Skype and database software from Microsoft called SQL Server. In 2003 things went terribly wrong. That’s when the virus Slammer automatically took control over a great deal of database servers. These are super-fast machines, so the virus could spread extremely fast. Although the virus was not especially destructive, it spread so widely that it slowed down the entire Internet. Systems over the entire world were affected, and even some banks’ automated teller machines were shut down,” says Tom Lysemose.
To understand Lysemose’s software, one needs a quick introduction to how Buffer Overflow is a unfortunate programming error.
Within a computer’s internal memory are a series of containers called buffers. When running a programme that communicates over the Internet, such as a web browser, the technology functions so that the contents in the buffers of the network server are transferred to the buffers in the computer.
One example is when a password is entered on a web page. The password is stored in its own buffer on the local computer. Consider, for example, that this buffer could only have enough space for eight characters. If the programmer forgets to check the buffer size, the buffer runs over if someone enters more than eight characters.
Unfortunately, not all programmers are aware of this. If those who write software have not included a routine that checks if enough room exists in the buffer, the areas that are physically next to the buffer will be overwritten. This is extremely regrettable. The computer gives no warning and continues to run as if nothing has happened.
Unfortunately, the overwritten areas can hold important instructions for the software that’s running, such as “Please provide an overview of all my documents”.
This is exactly the type of weakness that virus creators exploit. They can make a virus that sends a larger data packet than the computer’s buffer capacity. If the hacker discovers exactly where the most important instructions are located, the virus can be programmed so that it overwrites these instructions with completely different commands, such as “Delete all of my documents now”. And then the user is out of luck.
This is exactly when Tom Lysemose’s innovation comes in. His programme, which is named ProMon, cannot prevent an unknown virus from attacking a buffer and the areas around it, but ProMon monitors programmes to ensure that they do not do things that they are not programmed to do. This means that ProMon will stop a programme if the programme suddenly begins to do another thing.
This solution is a new way of thinking about virus prevention. All modern software is built up of modules. Modules communicate with each over and with the operating system on the computer. Between the modules are well defined transaction limits.
-The point is that ProMon works within a programme, such as the web browser Internet Explorer, in order to monitor the interaction between the programme’s modules. As long as the programme performs legitimate transactions between its modules, ProMon does nothing. But if an illegal transaction occurs, ProMon decides a virus has attacked and promptly stops the programme,” explains Tom Lysemose.
He stresses that his anti-virus software can monitor any programme. His programme is not alone on the market, but all the tests that Tom Lysemose has performed have shown that his programme is 30 times faster than his competition from Massachusetts Institute of Technology.
The product will be introduced to the large anti-virus companies in March
Media Contact
All latest news from the category: Information Technology
Here you can find a summary of innovations in the fields of information and data processing and up-to-date developments on IT equipment and hardware.
This area covers topics such as IT services, IT architectures, IT management and telecommunications.
Newest articles
Compact LCOS Microdisplay with Fast CMOS Backplane
…for High-Speed Light Modulation. Researchers from the Fraunhofer Institute for Photonic Microsystems IPMS, in collaboration with HOLOEYE Photonics AG, have developed a compact LCOS microdisplay with high refresh rates that…
New perspectives for material detection
CRC MARIE enters third funding period: A major success for terahertz research: Scientists at the University of Duisburg-Essen and the Ruhr University Bochum have been researching mobile material detection since…
CD Laboratory at TU Graz Researches New Semiconductor Materials
Using energy- and resource-saving methods, a research team at the Institute of Inorganic Chemistry at TU Graz aims to produce high-quality doped silicon layers for the electronics and solar industries….