Detecting unknown computer viruses

PhD Student Tom Lysemose is the world’s first to have developed software that is able to effectively detect attacks by an unknown computer virus.

Possible customers include the large anti-virus companies. A problem with today’s anti-virus software is that they can only protect from known viruses. Unknown viruses are not stopped.

A great number of viruses exist. Some of these viruses need active handling by the user in order to infect a computer, such as when someone is tricked into opening an infected e-mail attachment. Other viruses are more crafty. Without a user being aware that he has made a single mistake, the virus can attack software and take control of the computer, resulting in, for example, all documents being deleted.

The explanation for how these unpleasant events are possible is that very many computer programmes contain programming errors. The most common is called Buffer Overflow.

-Embarrassingly enough, this programming error is also made by those who write anti-virus software, such as Symantec, explains Tom Lysemose. But he points out that such programming mistakes are common for all programmers who write in C, one of the world’s most common programming languages.

-The web browser Internet Explorer is one such example. Programming errors can also be found in the IP-telephony system Skype and database software from Microsoft called SQL Server. In 2003 things went terribly wrong. That’s when the virus Slammer automatically took control over a great deal of database servers. These are super-fast machines, so the virus could spread extremely fast. Although the virus was not especially destructive, it spread so widely that it slowed down the entire Internet. Systems over the entire world were affected, and even some banks’ automated teller machines were shut down,” says Tom Lysemose.

To understand Lysemose’s software, one needs a quick introduction to how Buffer Overflow is a unfortunate programming error.

Within a computer’s internal memory are a series of containers called buffers. When running a programme that communicates over the Internet, such as a web browser, the technology functions so that the contents in the buffers of the network server are transferred to the buffers in the computer.

One example is when a password is entered on a web page. The password is stored in its own buffer on the local computer. Consider, for example, that this buffer could only have enough space for eight characters. If the programmer forgets to check the buffer size, the buffer runs over if someone enters more than eight characters.

Unfortunately, not all programmers are aware of this. If those who write software have not included a routine that checks if enough room exists in the buffer, the areas that are physically next to the buffer will be overwritten. This is extremely regrettable. The computer gives no warning and continues to run as if nothing has happened.

Unfortunately, the overwritten areas can hold important instructions for the software that’s running, such as “Please provide an overview of all my documents”.

This is exactly the type of weakness that virus creators exploit. They can make a virus that sends a larger data packet than the computer’s buffer capacity. If the hacker discovers exactly where the most important instructions are located, the virus can be programmed so that it overwrites these instructions with completely different commands, such as “Delete all of my documents now”. And then the user is out of luck.

This is exactly when Tom Lysemose’s innovation comes in. His programme, which is named ProMon, cannot prevent an unknown virus from attacking a buffer and the areas around it, but ProMon monitors programmes to ensure that they do not do things that they are not programmed to do. This means that ProMon will stop a programme if the programme suddenly begins to do another thing.

This solution is a new way of thinking about virus prevention. All modern software is built up of modules. Modules communicate with each over and with the operating system on the computer. Between the modules are well defined transaction limits.

-The point is that ProMon works within a programme, such as the web browser Internet Explorer, in order to monitor the interaction between the programme’s modules. As long as the programme performs legitimate transactions between its modules, ProMon does nothing. But if an illegal transaction occurs, ProMon decides a virus has attacked and promptly stops the programme,” explains Tom Lysemose.

He stresses that his anti-virus software can monitor any programme. His programme is not alone on the market, but all the tests that Tom Lysemose has performed have shown that his programme is 30 times faster than his competition from Massachusetts Institute of Technology.

The product will be introduced to the large anti-virus companies in March

Media Contact

Thomas Evensen alfa

All latest news from the category: Information Technology

Here you can find a summary of innovations in the fields of information and data processing and up-to-date developments on IT equipment and hardware.

This area covers topics such as IT services, IT architectures, IT management and telecommunications.

Back to home

Comments (0)

Write a comment

Newest articles

Targeting failure with new polymer technology to enhance sustainability

Sustainability is a complex problem with many different players and influenced by policies, society, and technical perspective. We are reminded every day in the media of the unnecessary amount of…

Solar-powered desalination system requires no extra batteries

Because it doesn’t need expensive energy storage for times without sunshine, the technology could provide communities with drinking water at low costs. MIT engineers have built a new desalination system that…

What we can learn from hungry yeast cells

EMBL Heidelberg and University of Virginia scientists have discovered a curious way in which cells adapt to starvation – a mechanism with potential cancer implications. What can stressed yeast teach…

Partners & Sponsors