
Watching virus behaviour could keep PCs healthy

Author: 宋镪    Published: 2019-03-01 08:16:03

By Tom Simonite

Letting computer viruses loose on a quarantined computer and recording their pattern of activity could lead to a better way of spotting them in the “wild”. A prototype system developed at the University of Michigan uses the “fingerprint” of virus activity to identify them more effectively than existing anti-virus software.

The designers of programs that damage, take over or steal data from computers – called malware – are locked in an arms race with companies that make anti-virus (AV) software to prevent and fix malware damage.

Conventional AV software looks for suspicious behaviour and then tries to determine what’s causing it. It does this by looking for virus “signatures” – chunks of computer code from known viruses. But identifying previously unknown malware is difficult, and keeping track of different variants of existing viruses makes it harder. For example, a virus called Agobot has split into more than 580 variants since its release in 2002.

In tests, Michael Bailey and colleagues at the University of Michigan, US, showed that five leading AV programs could identify only between 50 and 80 per cent of a large sample of malware. And the programs struggled to agree on what they had found – the identifications often did not match.

Bailey and his team say their approach is superior and have used it to develop a prototype AV system that is significantly better at identifying viruses once they are detected.

The team set loose the malicious software on a quarantined computer, recording all the files and strings of instructions (processes) created and modified by the malware. They then created software that uses a database of these “fingerprints” to identify malware. It can also define clusters of malware that operate in similar ways, and generate a kind of family tree showing how superficially different programs have similar modi operandi.
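To make the fingerprinting idea concrete, here is an added example (not code from the article or from the Michigan team) that shows the core of such a behaviour-based classifier: each sample's sandbox trace is reduced to the set of files and processes it created or modified, sets are compared with a Jaccard similarity score, samples above a similarity threshold are merged into families, and an unknown trace is looked up against a database of family fingerprints. The traces, sample names, file paths and threshold values are all constructed for illustration.

```python
from itertools import combinations

# Constructed sandbox traces (illustrative, not real malware data): each entry is
# the list of (event_type, target) pairs recorded while a sample ran in an
# isolated VM, in the spirit of the files/processes the article describes.
TRACES = {
    "sample_a1": [("file_create", r"C:\Windows\System32\wbcsvc.exe"),
                  ("file_modify", r"C:\Windows\System32\drivers\etc\hosts"),
                  ("process_create", "wbcsvc.exe"),
                  ("process_create", "cmd.exe")],
    "sample_a2": [("file_create", r"C:\Windows\System32\wbcsvc.exe"),
                  ("file_modify", r"C:\Windows\System32\drivers\etc\hosts"),
                  ("process_create", "wbcsvc.exe"),
                  ("process_create", "cmd.exe"),
                  ("file_create", r"C:\Temp\log.txt")],       # one extra action
    "sample_a3": [("file_create", r"C:\Windows\System32\WBCSVC.EXE"),  # casing differs
                  ("file_modify", r"C:\Windows\System32\drivers\etc\hosts"),
                  ("process_create", "WBCSVC.EXE")],
    "sample_b1": [("file_create", r"C:\Users\Public\update.scr"),
                  ("process_create", "update.scr"),
                  ("process_create", "ftp.exe")],
    "sample_b2": [("file_create", r"C:\Users\Public\update.scr"),
                  ("process_create", "update.scr"),
                  ("process_create", "ftp.exe"),
                  ("file_modify", r"C:\Users\Public\README.txt")],
    "sample_x":  [("file_create", r"C:\Temp\notes.docx"),           # benign-looking
                  ("process_create", "winword.exe")],
}


def fingerprint(events):
    """Behavioural fingerprint: the set of distinct, normalised actions.
    Case-folding means a variant that only changes filename casing still matches."""
    return frozenset(f"{etype}:{target.lower()}" for etype, target in events)


def jaccard(a, b):
    """Similarity of two fingerprints: |A & B| / |A | B|, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(fingerprints, threshold):
    """Single-linkage clustering via union-find: any two samples whose fingerprints
    are at least `threshold` similar end up in the same family. Returns families as
    sorted lists of sample names."""
    parent = {name: name for name in fingerprints}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(fingerprints, 2):
        if jaccard(fingerprints[a], fingerprints[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in fingerprints:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def build_database(families):
    """Map family name -> list of known fingerprints, from named sample traces."""
    return {fam: [fingerprint(TRACES[s]) for s in samples]
            for fam, samples in families.items()}


def classify(events, database, threshold):
    """Look an unknown trace up in the fingerprint database. Returns
    (best_family, score), or (None, score) when nothing reaches the threshold,
    so that unfamiliar behaviour is reported as unknown rather than forced
    into a family (the false-positive risk raised in the article)."""
    fp = fingerprint(events)
    best_family, best_score = None, 0.0
    for family, known in database.items():
        score = max(jaccard(fp, k) for k in known)
        if score > best_score:
            best_family, best_score = family, score
    return (best_family, best_score) if best_score >= threshold else (None, best_score)


if __name__ == "__main__":
    fps = {name: fingerprint(ev) for name, ev in TRACES.items()}
    print("families at threshold 0.5:", cluster(fps, 0.5))
    db = build_database({"family_a": ["sample_a1", "sample_a2"],
                         "family_b": ["sample_b1"]})
    for name in ("sample_a3", "sample_b2", "sample_x"):
        print(name, "->", classify(TRACES[name], db, 0.5))
```

Two points a practitioner would watch when turning this into a real system: the threshold governs the trade-off between linking every variant and mislabelling benign software, so it has to be calibrated against a corpus of known-good traces; and the fingerprint is only as good as the sandbox run that produced it, so samples that behave differently outside the quarantined machine will yield incomplete fingerprints.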
In tests on the same malware, the new software could identify at least 10 per cent more of the sample than any of the other AV software. It also always correctly linked different pieces of malware that behave in the same way – the best AV program spotted only 68 per cent of such doubles.

“What they’re doing here is quite viable,” says Richard Overill, a researcher at Kings College London, UK. “In principle this should work very well at identifying different viruses, and grouping those that may appear different but work in the same way.”

The new approach could reduce the number of updates needed for conventional AV systems, suggests Overill. “Instead of having separate patches for each virus, this could be more efficient and reduce the size of updates that must be downloaded.”

Grant Malcom researches computer security at Liverpool University, UK. Recording activities like files created and modified is a novel approach to the problem, he told New Scientist, adding: “It would be interesting to see whether this approach to categorising malware could [work] without giving false positives.”

