Yesterday, as I was preparing for a Communication Networks lesson for a City and Guilds Diploma class, I found a bloggable issue (the bloggability of an issue matters in the blogosphere) in the area of Internet Security. I am sure all of us have been affected by computer viruses in one way or another. A virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. Wikipedia points out that

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

In order to counteract the effects of viruses, anti-viral software has been created. This software detects and removes viruses after a computer downloads or runs an executable. There are two common methods that an anti-virus application uses to detect viruses:

  • The virus signature method: This is by far the most common method. Most of the popular anti-viral software packages are based on it. It works by examining the contents of a computer’s memory and removable disks, and comparing those files against a database of known virus “signatures” (byte patterns taken from known virus bodies). The obvious disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. But the advantage of this method is speed: it takes fewer CPU cycles to compare code against known signatures than to analyse what the code does.
  • The heuristic algorithm based method: This method is not common because it is still being worked on in the labs. It detects viruses based on common behaviors (for example, a program that reads its own image and writes into other executables), rather than on exact byte patterns. Therefore, it has the ability to detect viruses that anti-virus security firms have yet to create a signature for. The major disadvantage of this method is that it can blame innocent programs for being contaminated by a virus. This is called a false positive or false alarm.
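As an added illustration (not code from the original post or from any anti-virus product), the following Python sketch contrasts the two methods on a small constructed corpus. The signature database, the byte strings standing in for executables, the behaviour labels and their weights are all assumptions made up for this example; no real malware or real signatures are involved. It shows the three situations the text describes: a known virus caught by both methods, a one-byte mutant and a brand-new virus missed by the signature scanner but caught by the heuristic, and a benign self-updating tool that the heuristic wrongly flags until its threshold is tuned.

```python
# Toy comparison of signature-based and heuristic virus detection.
# All samples, signatures and weights are constructed for illustration.

# --- Signature-based detection -------------------------------------------
# Maps a virus name to a byte pattern found in the known virus body.
# Constructed patterns; not real virus signatures.
SIGNATURE_DB = {
    "Demo.A": b"\x90\x90COPY_SELF\x90",
    "Demo.B": b"BOOT_OVERWRITE_42",
}


def signature_scan(sample: bytes, db=SIGNATURE_DB):
    """Return the names of every signature found in the sample.

    Exact substring matching: fast, but it only catches code that literally
    contains a pattern already present in the database.
    """
    return sorted(name for name, pattern in db.items() if pattern in sample)


# --- Heuristic detection --------------------------------------------------
# Heuristics look at what a program does rather than at its bytes. The
# behaviour labels (assumed to come from emulation or static analysis) are
# scored with weights; crossing a threshold flags the sample.
BEHAVIOUR_WEIGHTS = {
    "reads_own_image": 3,       # program reads its own executable
    "writes_executable": 2,     # program writes to another executable
    "patches_entry_point": 4,   # program changes where another starts
    "writes_boot_sector": 5,
    "hooks_interrupt": 3,
    "shows_message": 1,
}


def heuristic_score(behaviours, weights=BEHAVIOUR_WEIGHTS):
    """Sum the weights of the behaviours observed for a sample."""
    return sum(weights.get(b, 0) for b in behaviours)


def heuristic_scan(behaviours, threshold, weights=BEHAVIOUR_WEIGHTS):
    """Flag the sample if its score reaches the threshold."""
    return heuristic_score(behaviours, weights) >= threshold


# --- Constructed corpus: (label, bytes, behaviours, truly malicious) ------
CORPUS = [
    ("known virus", b"\x55\x89\xe5\x90\x90COPY_SELF\x90\xc3",
     {"reads_own_image", "writes_executable", "patches_entry_point"}, True),
    ("mutant (one byte changed)", b"\x55\x89\xe5\x90\x90COPY_SELF\x91\xc3",
     {"reads_own_image", "writes_executable", "patches_entry_point"}, True),
    ("brand-new virus (no signature yet)", b"\x55\x89\xe5NEW_STUFF\xc3",
     {"reads_own_image", "writes_boot_sector", "hooks_interrupt"}, True),
    ("installer (benign)", b"\x4d\x5aSETUP\xc3",
     {"writes_executable", "shows_message"}, False),
    ("self-updating tool (benign)", b"\x4d\x5aUPDATER\xc3",
     {"reads_own_image", "writes_executable"}, False),
]


def evaluate(threshold):
    """Count detections and false positives for both methods.

    Returns, per method, how many truly malicious samples were caught and
    how many benign samples were wrongly flagged at the given threshold.
    """
    result = {
        "signature": {"caught": 0, "false_positives": 0},
        "heuristic": {"caught": 0, "false_positives": 0},
    }
    for _label, code, behaviours, malicious in CORPUS:
        verdicts = {
            "signature": bool(signature_scan(code)),
            "heuristic": heuristic_scan(behaviours, threshold),
        }
        for method, flagged in verdicts.items():
            if flagged and malicious:
                result[method]["caught"] += 1
            elif flagged and not malicious:
                result[method]["false_positives"] += 1
    return result


if __name__ == "__main__":
    # Raising the threshold is the simplest "tweak" that removes the
    # false alarm on the self-updating tool without losing any detection.
    for t in (4, 6):
        r = evaluate(t)
        print(f"threshold={t}: signature={r['signature']} heuristic={r['heuristic']}")
```

With a threshold of 4 the heuristic catches all three malicious samples but also flags the benign self-updating tool; raising the threshold to 6 keeps the three detections and drops the false alarm, while the signature scanner catches only the one sample whose bytes match exactly.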

In spite of the issue of false positives, it is easy to observe that signature-based anti-viral software is primitive, archaic and less scalable. Can an anti-virus company manage to successfully create signatures for all viruses on the Internet all the time? This is a joke!!! As if that is not enough, the signature database consumes valuable memory that should have been put to good use. With the continuous updates of virus signatures, it can surely become very big. It can even contain lots of virus definitions which the user will never encounter in the lifetime of their PCs. Frans Veldman, an Internet Security expert, presents the following exciting reasons for the growing interest in heuristic anti-viral software:

  • The number of viruses increases rapidly. Studies indicate that the total number of viruses doubles roughly every nine months. The amount of work for the virus researcher increases, and the chance that someone will be hit by one of these unrecognizable new viruses increases too.
  • The number of virus mutants increases. Virus source codes are widely spread and many people can’t resist the temptation to experiment with them, creating many slightly modified viruses. These modified viruses may or may not be recognized by the anti-virus product. Sometimes they are, but unfortunately often they are not.
  • The development of polymorphic viruses. Polymorphic viruses like MtE and TPE are more difficult to detect with virus scanners. It is often months after a polymorphic virus has been discovered before a reliable detection algorithm has been developed. In the meantime many users have an increased chance of being infected by that virus.
  • Viruses directed at a specific organization or company. It is possible for individuals to utilize viruses as weapons. By creating a virus that only works on machines owned by a specific organization or company, it is very unlikely that the virus will spread outside of the organization. Thus it is very unlikely that any virus scanner will be able to detect the virus before the payload of the virus does its destructive work and reveals itself.

Therefore, heuristic anti-viral programs are here to stay. The term heuristic refers to the ability to discover, and to determine, something in a methodical way. As the complexities facing mankind keep on increasing, heuristic algorithms are on the increase because of their capability to solve problems which traditional algorithms are failing to solve. That is why some of us are in the Computational Intelligence field. In this field, heuristic algorithms are implemented by mimicking nature in order to solve the complex problems of this world. It has been pointed out that the issue of false positives is the major stumbling block to the ubiquitous deployment of heuristic anti-viral software. But Markus Schmall, who works in the IT Security department of T-Mobile Germany, has an answer to this problem. He points out that with some tweaking, a heuristics-based system can have virtually no false positives. Frans Veldman outlines a number of intuitive ways of avoiding and dealing with these false positives.

In order to achieve meaningful progress in heuristic anti-viral software, there is a need for researchers from the Internet Security and Computational Intelligence fields to work together, because this issue is interdisciplinary. If you are an Internet Security researcher and you need to work with some Computational Intelligence experts in the area of heuristic anti-viral software, you can contact me at clement at nthambazale.com so that I can link you up with some of the most exciting researchers in this area. As I wind up, let me point out that the future for heuristic anti-viral software looks rosy. I foresee that, not long from now, heuristic anti-viral software will be very common. All the citizens of the world will enjoy better protection from the bad boys (virus writers). The arms race between malicious code writers in the black hat community and the teams working in anti-virus vendor labs will always be there. But I am of the view that with heuristic anti-viral software in place, the bad boys will be the ones playing catch-up.