
(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 8, August 2010

Mathematical Models on Interaction between Computer Virus and Antivirus Software inside a Computer System

Bimal Kumar Mishra (1) and Gholam Mursalin Ansari (2)

(1) Department of Applied Mathematics, Birla Institute of Technology, Mesra, Ranchi, India – 835 215. Email: drbimalmishra@gmail.com
(2) Department of Computer Science, University Polytechnic, Birla Institute of Technology, Mesra, Ranchi, India – 835 215. Email: rajasofti@gmail.com

Abstract: In this paper an attempt has been made to develop mathematical models of the interaction between computer viruses and antivirus software inside a computer system. The basic reproductive ratio in the absence and in the presence of the immune system has been found, and the criterion for the spread of the computer virus is analyzed in Models 1 and 2. An analysis is also made of the immune response needed to clear the infection. The effect of new or updated antivirus software on viruses that were only suppressed (quarantined) or not completely recovered by the lower version of the antivirus software installed in the system is studied in Model 3, and it is shown that the number of infected files falls exponentially when the new or updated antivirus software is run. Reactivation of computer viruses while they are in the latent class is mathematically formulated and the basic reproductive ratio is obtained in Model 4. A mathematical model has also been developed to understand the recent attack of the malicious objects Backdoor.Haxdoor.S and Trojan.Schoeberl.E and their removal by the newly available tool FixSchoeb-Haxdoor in Model 5.

Keywords: Prey-predator model; Computer virus; antivirus software; quarantine; latency time; self-replication.

1. Introduction

A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov. Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals, because almost every company and organization is filtering such risky attachments out of their e-mail traffic. The criminals' new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run, but the attachment in the e-mail has been replaced by a web link which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP. It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. It is predicted that the total number of viruses and Trojans will pass the one million mark by the end of 2008 [12].

Transmission of malicious objects in a computer network is epidemic in nature. A malicious object is code that infects computer systems. There are different kinds of malicious code, such as worms, viruses, Trojans etc., which differ according to the way they attack computer systems and the malicious actions they perform. Some of them erase hard disks; some others clog the network, while some others sneak into computer systems to steal confidential and valuable information.

A virus, worm or Trojan horse can (like HIV) be latent, only to become active after a certain period. This is called a 'logic bomb'. These three classes of computer malware can also have hundreds of variants or several slightly modified versions, with a parallel in microbial diversity [2, 9].

The study of computer malware may help to control infectious disease emergence. Of the two main approaches to automating the detection of malicious executables, behavioral and content-based, a knowledge-based approach is more appropriate, because it uses the knowledge acquired from the disassembly of executables to extract useful features like common instruction sequences, DLL calls etc. [11]. Conventional antivirus systems are knowledge-based, so if the system doesn't recognize a piece of code as malware, it won't block it. If you let in a virus or a piece of malware, it can run amok.

The vast majority of computer viruses have been designed specifically for IBM-based PCs running the DOS and Windows operating systems. Malicious code (a machine-language program) that has the ability to spread through various sources may spread in any one or all of the following ways:
• The spreading medium may be a malicious attachment to an e-mail.
• The medium may be a USB pen drive, a floppy disk, a CD or any other secondary medium commonly used by almost all computer professionals.

An acute epidemic occurs due to infectious malcode designed to actively spread from host to host over a network. When the user executes an infected program, the virus may take control of the computer and infect additional files. After the virus has completed its mischief, it transfers control to the host program and allows it to function normally. This type of virus is called a "parasitic" computer virus, since it does not kill its host; instead, the host acts.

When this malicious code tries to enter a protected (secured) system on which an Intrusion Detection System (IDS) is installed, the IDS analyzes the unknown binary code to decide whether it is malicious or not. An IDS enabled with signature analysis and an add-on security alarm is deployed to monitor the network and host system activities [5, 6]. IDSs are supported by a knowledge-based evaluation system to focus on real threatening alerts and to assist in post-attack forensics. The job of such knowledge-based systems is to filter out false positives and rank the severity of attacks. The knowledge base stores all well-known exploits and system vulnerability information together with the corresponding security solutions. It tunes the IDS with the known signatures and sends the proper action to the Artificial Immune System (AIS). This AIS attempts to classify network traffic as either self (normal or uninfected file) or non-self (malicious or infected file) and provides proactive protection via negative selection [7]. All the above information, along with vulnerability knowledge, is stored in an information asset database or knowledge base. The intelligent host with proper anti-malware software installed on it then characterizes these vulnerability identifications based on the evaluation process or actions. The immune system dynamically looks up the security reference in the knowledge base. If the referred signature is found to be unknown or a high-priority alert, an associated action is fired on the target system on the demand of its expert system engine. With great insight into the virus signature, the immune system disinfects the infected files, verifying the occurrence of the attack, or otherwise it issues an isolated alert and quarantines the infected data in its blind spots. Therefore, by correlating these alerts, the quarantined data is kept under a latency period. During this period the antivirus update is incorporated and finally the data kept under latency is recovered to its original normal form. Figure 1 describes a generic conceptual framework of malware transmission through various sources and its interaction with the Intrusion Detection System.

Figure 1. Virus attack cyber defense analysis

Mishra et al. [1, 2, 9] have developed various epidemic models on the transmission of malicious objects in computer networks as per the spreading behaviors and nature of the malicious objects. Predicting virus outbreaks is extremely difficult due to the human nature of the attacks but, more importantly, detecting outbreaks early with a low probability of false alarms seems quite difficult. By developing models it is possible to characterize essential properties of the attacks [1].

2. Basic Terminologies

i. A computer virus is a program that can "infect" other programs by modifying them to include a possibly evolved version of itself. With this infection property, a virus can spread to the transitive closure of information flow, corrupting the integrity of information as it spreads. Additionally, most computer viruses have a destructive payload that is activated under certain conditions [1]. A self-replicating virus may be defined as "a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer"; a true virus cannot spread to another computer without human assistance.

ii. Antivirus (or "anti-virus") software is a class of program that searches your hard drive and floppy disks for any known or potential viruses. This is also known as a "virus scanner." As new viruses are discovered by the antivirus vendor, their binary patterns are added to a signature database that is downloaded periodically to the user's antivirus program via the web.

iii. Quarantine: to move an undesired file, such as a virus-infected file or spyware, to a folder that is not easily accessible by regular file management utilities. The quarantine option is available in antivirus software so that companies can keep a record of which users have been infected and where the file came from, and possibly send the virus to the antivirus vendor for inspection. Spyware blockers quarantine files so that they can be restored.

3. Development of the model

As we know, an instruction on its own does absolutely nothing; it is the set of instructions (program), deliberately written by software personnel to harm the computer system, that is said to be a virus and that plays an active role in attacking the files in the computer node. Some viruses have the characteristic of self-replication, and some of them enter the latent class and reactivate after a certain duration. When a system is attacked by a virus, antivirus software is run to immunize the system. During this process some of the infected files are fully recovered, whereas some of them are quarantined (or suppressed), possibly because of the lower version of the antivirus software installed. In this situation a higher version or new antivirus software is run to get a full recovery. We try to develop mathematical models for these situations [8].

Assumptions:
1. Viruses are replicated by the infected files.
2. Viruses die at a specific rate b. Death of a virus is equivalent to the complete recovery of infected files from the virus when antivirus software is run in the computer node for a specific session.
3. Uninfected files are constantly being produced or developed by the users at a rate c.
4. Uninfected files die at a constant rate d (natural death). Death of a file is equivalent to the file becoming irrelevant (garbage) after a certain interval of time.
5. Infected files die at a specific rate f = e + d, where d is the natural death rate and e the death rate of the file due to infection from the virus (files get damaged and cannot be recovered after the run of antivirus software).
6. Death of antivirus software is equivalent to the present version of the software being incapable of identifying the attack of new viruses.

3.8 Model I: Primary phase of an infection

Viruses enter the computer node via various means (e-mails, infected disks etc.) and hijack various files (command files, executable files, kernel.dll, etc.) in the node for their own replication. A virus then leaves a specific file and the process is repeated. Viruses may be of different nature and, as per their mode of propagation, they target different file types of the attacked computer for this purpose. As per the assumptions, the model is described by the system

\[ \frac{dV}{d\tau} = aY - bV, \qquad \frac{dX}{d\tau} = c - dX - \beta X V, \qquad \frac{dY}{d\tau} = \beta X V - fY \tag{1} \]

The relationship between the computer virus and uninfected files is analogous to the relationship between predator and prey as given in the classical work of Lotka and Volterra [3, 4]. Let X be the number of uninfected files (prey) and V be the number of computer viruses (predators) [8]. Then,
{Rate of change of X} = {net rate of growth of X without predation} − {rate of loss of X due to predation}, and
{Rate of change of V} = {net rate of growth of V due to predation} − {net rate of loss of V without prey}.

Let $R_0$ be the basic reproductive ratio for the computer virus, defined to be the expected number of viruses that one virus gives rise to in an uninfected file population. A virus gives rise to infected files at a rate $\beta X$ for a time $1/b$, and each infected file gives rise to viruses (self-replication) at a rate $a$ for a time $1/f$. Since $X = c/d$ for an uninfected population,

\[ R_0 = \frac{\beta c a}{d b f} \tag{2} \]

The criterion for the spread of the computer virus is $R_0 > 1$. We non-dimensionalise the system (1) by defining

\[ x = \frac{d}{c} X, \qquad y = \frac{d}{c} Y, \qquad v = \frac{bf}{ac} V, \qquad t = d\tau \tag{3} \]

The non-dimensionalisation for X arises from its steady state in the absence of infection, that for Y is chosen to be the same, and that for V arises from its steady-state value. We choose d as the rate with which to non-dimensionalise the time τ. The system (1) thus becomes

\[ \varepsilon \frac{dv}{dt} = \alpha y - v, \qquad \frac{dx}{dt} = 1 - x - R_0 x v, \qquad \frac{dy}{dt} = R_0 x v - \alpha y \tag{4} \]

where

\[ \varepsilon = \frac{d}{b}, \qquad \alpha = \frac{f}{d} \tag{5} \]

For typical parameter values $\varepsilon \ll 1$.

The steady states of the non-dimensionalised system (4) are $S_0 = (0, 1, 0)$, the uninfected steady state, and $S^* = (v^*, x^*, y^*)$, where

\[ v^* = 1 - \frac{1}{R_0}, \qquad x^* = \frac{1}{R_0}, \qquad y^* = \frac{1}{\alpha}\left(1 - \frac{1}{R_0}\right) \tag{6} \]

For $R_0 > 1$, the normal situation, $(v(t), x(t), y(t)) \to (v^*, x^*, y^*)$ as $t \to \infty$. The susceptible population X (uninfected files) is reduced by the attack until each virus is expected to give rise to exactly one new virus, $R_0 x^* = 1$. This we assume to be the primary phase of an infection.

3.9 Model II: Secondary phase of infection (effect of the immune system)

We assume the immune response in the computer system is due to antivirus software Z, which is run at a constant rate g, with h being the death rate of the antivirus software (which means that the antivirus software is incapable of identifying the attack of new viruses). The antivirus software cleans the infected files at a rate γYZ. There is an analogy here of Z, the antivirus software, as predators and Y, the infected files, as prey. We take a linear functional response of Z to Y. Our system thus becomes

\[ \frac{dV}{d\tau} = aY - bV, \qquad \frac{dX}{d\tau} = c - dX - \beta X V, \qquad \frac{dY}{d\tau} = \beta X V - fY - \gamma Y Z, \qquad \frac{dZ}{d\tau} = g - hZ \tag{7} \]

The non-dimensionalisation of the system is done as in Model I, with $z = hZ/g$ in addition, and we get
\[ \varepsilon \frac{dv}{dt} = \alpha y - v, \qquad \frac{dx}{dt} = 1 - x - R_0 x v, \qquad \frac{dy}{dt} = R_0 x v - \alpha y - \kappa y z, \qquad \frac{dz}{dt} = \lambda (1 - z) \tag{8} \]

where

\[ \lambda = \frac{h}{d}, \qquad \kappa = \frac{\gamma g}{d h} \tag{9} \]

The steady states of the non-dimensionalised system (8) are $S_0 = (0, 1, 0, 1)$, the uninfected steady state, and $S^* = (v^*, x^*, y^*, z^*)$, where

\[ v^* = \frac{\alpha}{\alpha + \kappa}\left(1 - \frac{1}{R_0'}\right), \qquad x^* = \frac{1}{R_0'}, \qquad y^* = \frac{1}{\alpha + \kappa}\left(1 - \frac{1}{R_0'}\right), \qquad z^* = 1 \tag{10} \]

Let $R_0'$ be the basic reproductive ratio in the presence of the immune system, defined by

\[ R_0' = R_0 \frac{\alpha}{\alpha + \kappa} \tag{11} \]

Then we observe that if the infection persists then $R_0' x^* = 1$, and the infection persists as long as $R_0' > 1$. In order for the immune response to clear the infection we need the immune response parameter κ to satisfy

\[ \kappa > \alpha (R_0 - 1) \tag{12} \]

3.10 Model III: Effect of new antivirus software on viruses which are suppressed (quarantined)

We assume a case where the viruses are not completely cleaned (quarantined) from the infected files on the run of the installed antivirus software on the computer node. For the complete recovery of infected files from viruses, an updated version of the antivirus has to be run. Further we assume that such updated antivirus software is available and is 100% efficient. This antivirus software switches β to zero, and thus the equations for the subsequent dynamics of the infected files and free virus from equation (1) are expressed as

\[ \frac{dV}{d\tau} = aY - bV, \qquad \frac{dX}{d\tau} = c - dX, \qquad \frac{dY}{d\tau} = -fY \tag{13} \]

We further assume that the half-life of the virus is much less than that of the virus-producing files. Then,

\[ Y = Y_0 e^{-ft}, \qquad V = V_0 \frac{b e^{-ft} - f e^{-bt}}{b - f} \tag{14} \]

From equation (14) we are able to say that the number of infected files falls exponentially. The behavior of V follows from the assumption on half-lives, so that $f \ll b$, that is, the amount of free virus falls exponentially after a shoulder phase.

3.11 Model IV: Reactivation of computer viruses after they are in the latent class

When computer viruses attack the computer node, some of them enter a latent class on their infection. While in this class they do not produce new viruses, but may later be reactivated to do so. Only the files in the productive infected class $Y_1$ produce viruses, and files in the latent infected class $Y_2$ leave for $Y_1$ at a per capita rate δ. Thus our system becomes:

\[ \frac{dV}{d\tau} = aY_1 - bV, \qquad \frac{dX}{d\tau} = c - dX - \beta X V, \qquad \frac{dY_1}{d\tau} = q_1 \beta X V - f_1 Y_1 + \delta Y_2, \qquad \frac{dY_2}{d\tau} = q_2 \beta X V - f_2 Y_2 - \delta Y_2 \tag{15} \]

Infected files in class $Y_2$ produce viruses in class $Y_1$ at a rate δ for a time $1/(\delta + f_2)$. Thus, adding the contribution of both classes, the reproductive ratio $R_0$ is expressed as

\[ R_0 = \frac{\beta c}{d b}\left(q_1 + q_2 \frac{\delta}{\delta + f_2}\right)\frac{a}{f_1} \tag{16} \]

3.12 Model V: Recent attack by the malicious objects Backdoor.Haxdoor.S and Trojan.Schoeberl.E and its mathematical approach

On January 9, 2007, Backdoor.Haxdoor.S and Trojan.Schoeberl.E, malicious objects of type Trojan horse having an infection length of 56,058 bytes, affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Backdoor.Haxdoor.S is a Trojan horse program that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops rootkits that run in safe mode. It has been reported that the Trojan has been spammed through e-mail as an e-mail attachment. The tool FixSchoeb-Haxdoor.exe is designed to remove the infections of Backdoor.Haxdoor.S and Trojan.Schoeberl.E [10].

The FixSchoeb-Haxdoor.exe tool, meant to remove the deadly Backdoor.Haxdoor.S and Trojan.Schoeberl.E, prevents infected files from producing infectious virus. We assume that W is the non-infectious virus which starts to be produced from the infected files Y after the tool FixSchoeb-Haxdoor.exe is run. Infectious viruses are still present, and die as before, but are no longer produced. Under this assumption the system can be modeled as

\[ \frac{dV}{d\tau} = -bV, \qquad \frac{dX}{d\tau} = c - dX, \qquad \frac{dY}{d\tau} = -fY, \qquad \frac{dW}{d\tau} = aY - bW \tag{17} \]

We assume that the uninfected file population X remains roughly constant for a given time-scale, that is, $X = X^* = \frac{bf}{a\beta}$, and that $f \ll b$. System (17) then becomes a linear system which is integrated to give

\[ V = V_0 e^{-b\tau}, \qquad Y = Y_0 \frac{f e^{-b\tau} - b e^{-f\tau}}{f - b} \ \text{(when } f \ll b\text{)}, \qquad W = W_0\left(\frac{b}{b - f}\left(e^{-f\tau} - e^{-b\tau}\right) - \frac{b}{b - f} f \tau e^{-b\tau}\right) \tag{18} \]

From (18) it is clear that the total amount V + W of free virus falls exponentially after a shoulder phase.

4. Discussion and Conclusion

The threshold parameter obtained in (2) for the primary phase of infection gives the criterion for the spread of the computer virus, that is, $R_0 > 1$. The susceptible population X (uninfected files) is reduced by the attack until each virus is expected to give rise to exactly one new virus, $R_0 x^* = 1$. The basic reproductive ratio in the presence of the immune system is defined by (11), and in order for the immune response to clear the infection we need the immune response parameter κ to satisfy $\kappa > \alpha(R_0 - 1)$. For the viruses which are quarantined by the installed antivirus software, we assume that updated antivirus software is available and is 100% efficient. When this updated antivirus software is run, from equation (14) we are able to say that the number of infected files falls exponentially. The behavior of V follows from the assumption on half-lives, so that $f \ll b$, that is, the amount of free virus falls exponentially after a shoulder phase. Discussion is also made of those viruses which enter a latent class on their infection and in this class do not produce new viruses, but may later be reactivated to do so. Infected files in class $Y_2$ produce viruses in class $Y_1$ at a rate δ for a time $1/(\delta + f_2)$, and the reproductive ratio is also obtained.

Nomenclature
V: number of viruses in the computer
X: number of uninfected target files
Y: number of infected files
a: replicating factor
b: death rate of a virus
c: birth rate of uninfected files by users
d: natural death rate of an uninfected file
e: death rate of infected files
f = e + d
β: infectious contact rate, i.e., the rate of infection per susceptible and per infective
R0: threshold parameter
Z: response of antivirus software, which immunizes the system
g: rate at which antivirus software is run, which is constant
h: death rate of antivirus software
γYZ: rate at which antivirus software cleans the infected files
κ: immune response parameter
Y1: productive infected class
Y2: latent infected class
q1: probability of entering the productive infected class
q2: probability of entering the latent infected class

References
[1] Bimal Kumar Mishra, D.K. Saini, SEIRS epidemic model with delay for transmission of malicious objects in computer network, Applied Mathematics and Computation, 188 (2007) 1476-1482.
[2] Bimal Kumar Mishra, Dinesh Saini, Mathematical models on computer viruses, Applied Mathematics and Computation, 187 (2007) 929-936.
[3] Lotka, A.J., Elements of Physical Biology, Williams and Wilkins, Baltimore, 1925; reissued as Elements of Mathematical Biology, Dover, New York, 1956.
[4] Volterra, V., Variazioni e fluttuazioni del numero d'individui in specie animali conviventi, Mem. Acad. Sci. Lincei, 1926, 2:31-13.
[5] Jones, A.K. and Sielken, R.S., Computer System Intrusion Detection: A Survey, Technical report, Computer Science Department, University of Virginia, 2000.
[6] Yu, J., Reddy, R., Selliah, S., Reddy, S., Bharadwaj, V. and Kankanahalli, S., TRINETR: An Architecture for Collaborative Intrusion Detection and Knowledge-Based Alert Evaluation, Advanced Engineering Informatics Journal, Special Issue on Collaborative Environments for Design and Manufacturing (editor: Weiming Shen), Volume 19, Issue 2, April 2005, Elsevier Science, 93-101.
[7] Jinqiao Yu, Y.V. Ramana Reddy, Sentil Selliah, Srinivas Kankanahalli, Sumitra Reddy and Vijayanand Bhardwaj, A Collaborative Architecture for Intrusion Detection Systems with Intelligent Agents and Knowledge Based Alert Evaluation, Proceedings of the IEEE 8th International Conference on Computer Supported Cooperative Work in Design, 2004, 2: 271-276.
[8] Nicholas F. Britton, Essential Mathematical Biology, Springer-Verlag, London, 2003.
[9] Bimal Kumar Mishra, Navnit Jha, Fixed period of temporary immunity after run of anti-malicious objects software on computer nodes, Applied Mathematics and Computation, 190 (2007) 1207-1212.
[10] http://www.symantec.com/smb/security_response/writeup.jsp?docid=2007-011109-2557-99
[11] Masud, Mohammad M., Khan, Latifur and Thuraisingham, Bhavani, A Knowledge-based Approach to Detect New Malicious Executables, Proceedings of the Second Secure Knowledge Management Workshop (SKM) 2006, Brooklyn, NY, USA.
[12] http://www.f-secure.com/f-secure/pressroom/news/fsnews_20080331_1_eng.html, March 31, 2008.

Authors Profile

Bimal Kumar Mishra is a faculty member in the Department of Applied Mathematics, Birla Institute of Technology, Mesra, Ranchi, India – 835215. He received his Master's degree in Operational Research from the University of Delhi, Delhi, and a Master's in Mathematics as well. He earned his Ph.D. degree from Vinoba Bhave University, Hazaribag, Jharkhand, India, and his D.Sc. degree from Berhampur University, Berhampur, Orissa, India. His research area is population dynamics and the flow of blood in the human body. He is presently working in the area of mathematical models and simulation of cyber attack and defense.

Gholam Mursalin Ansari is a faculty member of University Polytechnic, BIT Mesra, Ranchi. He received his MCA degree from BIT Mesra, Ranchi. He is pursuing his PhD degree at BIT Mesra, Ranchi, and his research topic is "Cyber attack and defense".
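The following worked example is added to this page and is not part of the paper: it integrates the non-dimensionalised Model II system (8) numerically with a plain fourth-order Runge-Kutta scheme (Python standard library only) and checks the simulated long-run state against the steady state (10), the reproductive ratio $R_0'$ of (11) and the clearance criterion (12); with κ = 0 the same code is Model I, system (4), with steady state (6). All parameter values are constructed for illustration and are not taken from the paper.

```python
# Added worked example (not from the paper): integrate the non-dimensionalised
# Model II system (8) with a fixed-step RK4 scheme (standard library only) and
# check the result against the analytic steady state (10), the reproductive
# ratio R0' of (11) and the clearance criterion (12). With kappa = 0 the same
# system is Model I, system (4), whose steady state is (6). All parameter
# values used here are constructed for illustration.


def r0_primary(beta, c, a, d, b, f):
    """Basic reproductive ratio of Model I, equation (2): R0 = beta*c*a/(d*b*f)."""
    return beta * c * a / (d * b * f)


def r0_immune(r0, alpha, kappa):
    """Reproductive ratio with the antivirus response present, equation (11)."""
    return r0 * alpha / (alpha + kappa)


def clearance_threshold(r0, alpha):
    """Value of kappa above which the infection is cleared, equation (12)."""
    return alpha * (r0 - 1.0)


def steady_state(r0, alpha, kappa):
    """Long-run state (v*, x*, y*, z*) of system (8), equation (10).

    For R0' <= 1 the infected state would have v* <= 0, so the uninfected
    state S0 = (0, 1, 0, 1) is the one the system settles into."""
    r0p = r0_immune(r0, alpha, kappa)
    if r0p <= 1.0:
        return (0.0, 1.0, 0.0, 1.0)
    v = alpha / (alpha + kappa) * (1.0 - 1.0 / r0p)
    y = 1.0 / (alpha + kappa) * (1.0 - 1.0 / r0p)
    return (v, 1.0 / r0p, y, 1.0)


def rhs(state, r0, alpha, kappa, lam, eps):
    """Right-hand side of system (8) for the state vector (v, x, y, z)."""
    v, x, y, z = state
    return (
        (alpha * y - v) / eps,                   # eps*dv/dt = alpha*y - v
        1.0 - x - r0 * x * v,                    # dx/dt = 1 - x - R0*x*v
        r0 * x * v - alpha * y - kappa * y * z,  # dy/dt = R0*x*v - alpha*y - kappa*y*z
        lam * (1.0 - z),                         # dz/dt = lambda*(1 - z)
    )


def simulate(r0, alpha, kappa, lam=1.0, eps=0.1,
             state0=(0.01, 1.0, 0.0, 0.5), t_end=100.0, dt=0.01):
    """Classical RK4 integration of system (8); returns the state at t_end.

    Default start: a small virus inoculum (v = 0.01) in an uninfected file
    population (x = 1) with the antivirus response at half strength (z = 0.5).
    dt must stay well below eps, the fast virus time scale, or RK4 blows up."""
    def step(s, k, h):
        return tuple(si + h * ki for si, ki in zip(s, k))

    s = tuple(state0)
    for _ in range(int(round(t_end / dt))):
        k1 = rhs(s, r0, alpha, kappa, lam, eps)
        k2 = rhs(step(s, k1, dt / 2), r0, alpha, kappa, lam, eps)
        k3 = rhs(step(s, k2, dt / 2), r0, alpha, kappa, lam, eps)
        k4 = rhs(step(s, k3, dt), r0, alpha, kappa, lam, eps)
        s = tuple(si + dt / 6 * (a1 + 2 * a2 + 2 * a3 + a4)
                  for si, a1, a2, a3, a4 in zip(s, k1, k2, k3, k4))
    return s


def converges_to_steady_state(r0, alpha, kappa, tol=1e-5):
    """True when the simulated long-run state matches the analytic prediction."""
    final, predicted = simulate(r0, alpha, kappa), steady_state(r0, alpha, kappa)
    return max(abs(f - p) for f, p in zip(final, predicted)) < tol
```

Calling converges_to_steady_state(3.0, 2.0, kappa) with kappa = 0, 1 and 5 exercises, in turn, Model I, Model II with a persisting infection (R0' = 2) and Model II with clearance (kappa above alpha*(R0 - 1) = 4), and each run lands on the state that (10) predicts.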
