Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!usc!jarthur!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: wilkins@jarthur.Claremont.edu (Mark Wilkins)
Newsgroups: comp.virus
Subject: Re: Universal virus detector / Biological analogy
Message-ID: <0008.9002131641.AA18689@ge.sei.cmu.edu>
Date: 13 Feb 90 04:20:25 GMT
Sender: Virus Discussion List
Lines: 50
Approved: krvw@sei.cmu.edu

XPUM01@prime-a.central-services.umist.ac.uk (Dr. A. Wood) writes:

> there have been a few 'biological analogy' articles
>in Virus-L before. This analogy will not work - biological immune
>systems are set up in a different way.

[stuff deleted]

>Also, any two bodies' cells (except identical twins) have different
                                     ^^^^^^^^^^^^^^
>immunotypes, and attempted grafting fails, thus any bacterium that
 ^^^^^^^^^^^
>learns to masquerade as a legal cell of body A, is rejected on trying
>to invade body B. The computer analogy of this would be for each
>individual microcomputer's copy of each authorized program to be
>different.

First, identical twins are not the only humans with identical immunotypes. Any individual's full brother or sister has a 1/4 chance of having an exactly identical immunotype, or rather just slightly less because of crossing-over. But that doesn't belong in this group.

This, however, does: It is true that tissue typing analogies are poor for computerized anti-invasive agents. However, the body's system might provide some clues regarding possibilities for such things. Suppose one wants to implement a system which, like the human body, is adaptive. How about this:

Each low-level write call causes a checksum of the data written to be computed, or, better, the checksum is computed 12 hours of uptime later, to prevent some shrewdly-done virus from writing the data out in some randomized fashion. This checksum is then stored and indexed with the program or programs which made the alterations leading to them.

If the same checksum starts cropping up repeatedly in calls from several different programs which have never before exhibited such behavior, then that indicates that some uniform, self-replicating piece of code MIGHT have infected those programs. Of course, there are likely to be cases where changes in system configuration will cause this to happen, but all this routine would do is produce a log from which a reasonably technically competent individual could detect the infection. There might also be ways to improve it to actually prevent spreading under certain circumstances.

--
Mark Wilkins
wilkins@jarthur.claremont.edu
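The checksum-correlation scheme described in the post, as an added example that is not part of the original message: it indexes each write's checksum by the program that produced it and flags checksums that several programs emit without ever having done so before. The write log, program names, data and per-program baseline are all constructed; SHA-256 stands in for the unspecified checksum, and the "compute it later" step is modelled by hashing the data as it finally appears in the log.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a uniform code body that several programs suddenly write out.
REPLICATED_BODY = b"\xeb\x1f" + b"X" * 30

# Constructed write log: (program, destination, data written).
WRITE_LOG = [
    ("editor.exe",    "notes.txt",   b"meeting at noon"),
    ("editor.exe",    "copy.exe",    REPLICATED_BODY),
    ("game.exe",      "util.exe",    REPLICATED_BODY),
    ("backup.exe",    "copy.exe",    REPLICATED_BODY),
    ("backup.exe",    "archive.bak", b"archive contents"),
    ("installer.exe", "a.exe",       b"\x00" * 32),   # legitimate: in baseline
    ("setup.exe",     "b.exe",       b"\x00" * 32),   # legitimate: in baseline
]

def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: checksums each program has been seen producing before.
# A system-configuration change that legitimately makes two programs write the
# same bytes is absorbed here rather than reported.
BASELINE = {
    "installer.exe": {checksum(b"\x00" * 32)},
    "setup.exe":     {checksum(b"\x00" * 32)},
}

def index_writes(log):
    """Map each checksum to the set of programs whose writes produced it."""
    idx = defaultdict(set)
    for program, _dest, data in log:
        idx[checksum(data)].add(program)
    return idx

def suspicious_checksums(log, baseline, min_programs=2):
    """Return {checksum: [programs]} for checksums written by at least
    min_programs distinct programs that have no prior record of it."""
    flagged = {}
    for digest, programs in index_writes(log).items():
        novel = {p for p in programs if digest not in baseline.get(p, set())}
        if len(novel) >= min_programs:
            flagged[digest] = sorted(novel)
    return flagged

def report(log, baseline):
    """Log lines for a human to review, one per flagged checksum."""
    return [f"checksum {d[:16]}... newly written by: {', '.join(p)}"
            for d, p in suspicious_checksums(log, baseline).items()]
```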