Mathematical model of computer viruses
Ferenc Leitold, Hunix Ltd., Hungary
fleitold@hunix.hu

Table of contents
• Models of computation
• Operating system
• Virus definition
• What can we do with this mathematical model?

Turing Machine
$T = \langle Q, S, I, \delta, b, q_0, q_f \rangle$
S: tape symbols
I: input symbols, $I \subset S$
b: blank symbol, $b \in S \setminus I$
δ: move function, $\delta: Q \times S \to Q \times S \times \{l, r, s\}$

Random Access Machine
[Figure: memory cells m0, m1, m2, m3, m4, ... and an Accumulator]

RASPM

RASPM with ABS

RASPM with SABS

RASPM with ABS definition
$G = \langle V, U, T, f, q, M \rangle$
V: set of symbols
U: operation codes, $U \subseteq V$
T: set of processor’s activities
$f: U \to T$
q: initial value of the IP
M: initial memory content

Instruction set
• move (LOAD, STORE)
• logical (AND, OR, XOR)
• arithmetic (ADD, SUB, MULT, DIV)
• branch (JUMP, JGTZ, JZERO)
• input/output tape handling (READ, WRITE)
• background tape handling (GET, PUT, SEEK, SETDRIVE)

Operating System
• system of programs
• able to handle separate program or data files
• able to make a specified program run

Operating Systems under RASPM with ABS
• The OS is in the initial memory (M) → OS specific machine
• The OS is in the background tape → OS independent machine
• The OS is in the input tape → unusable

Comparing RASPM with ABS-es
$G_1 = \langle V_1, U_1, T_1, f_1, q_1, M_1 \rangle$
$G_2 = \langle V_2, U_2, T_2, f_2, q_2, M_2 \rangle$

$\{q_1, M_1\} \neq \{q_2, M_2\}$
• different operating systems
• different loader program

$\{f_1, T_1, U_1\} \neq \{f_2, T_2, U_2\}$
• different instruction sets (activities)
• different sets of operation codes
• different operation codes

$V_1 \neq V_2$
• different symbols
• different tape formats

Computer virus
• a (part of) program
• it is attached to a program area
• it is able to link itself to other program areas
• it is executed when the host program area is to be executed

Virus spreading modes
• machine specific
• machine independent
• operating system specific
• operating system independent
• direct
• indirect

What can we do with this mathematical model?
• Examining virus detection problem
• Examining searching techniques
• Examining polymorphic viruses
• Examining multiplatform viruses

General virus detection problem
Theorem: It is impossible to build a Turing Machine which could decide if an executable file in a RASPM with ABS contains a virus or not.
Proof:
[Figure: Host program | Virus | TM prg | TM input]
Virus detection problem    TM halting problem

“An anti-virus has its limit, thanks to Turing, and a virus can find those limits, exploit them, thanks to Darwin.”
from the Giant Black Book of Computer Viruses

Searching technique questions
• For what kind of viruses can it be used?
• What is the probability of false alarms?
• What are the expense criteria?

Sequence searching algorithm
• for non-polymorphic known viruses
• false alarms: $p \approx \dfrac{L \cdot M}{n^{N}}$
• expense criteria: P, polynomial ($\le L \cdot M \cdot N$ comparisons)
L: size of suspicious area
M: number of sequences
N: size of a sequence
n: number of values in one cell

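Added example (not part of the original slides): a naive sequence scanner that counts cell comparisons, so the slide's expense bound L·M·N can be checked, plus a Monte Carlo measurement of the false-alarm rate to compare against p ≈ L·M / n^N. The function names, the toy alphabet (n = 4) and the assumption that clean areas consist of uniformly random cells are choices made for this illustration.

```python
import random


def scan(area, sequences):
    """Naive sequence search over a suspicious area.

    Returns (hits, comparisons): hits is a list of (offset, sequence_index),
    comparisons is the number of single-cell comparisons performed.
    """
    hits, comparisons = [], 0
    for index, seq in enumerate(sequences):
        for offset in range(len(area) - len(seq) + 1):
            for k, cell in enumerate(seq):
                comparisons += 1
                if area[offset + k] != cell:
                    break
            else:  # every cell of the sequence matched at this offset
                hits.append((offset, index))
    return hits, comparisons


def false_alarm_estimate(L, M, N, n):
    """Slide formula p ~ L*M / n**N.

    Strictly this is the expected number of chance matches in a clean area of
    uniformly random cells (assumption); it approximates a probability only
    while the value is well below 1.
    """
    return L * M / n ** N


def measured_false_alarm_rate(L, M, N, n, trials, seed=1):
    """Fraction of random clean areas in which any sequence matches by chance."""
    if M > n ** N:
        raise ValueError("cannot draw M distinct sequences of this size")
    rng = random.Random(seed)          # seeded so the run is repeatable
    drawn = set()
    while len(drawn) < M:              # M distinct constructed sequences
        drawn.add(tuple(rng.randrange(n) for _ in range(N)))
    sequences = sorted(drawn)
    alarms = 0
    for _ in range(trials):
        area = [rng.randrange(n) for _ in range(L)]   # constructed clean area
        hits, comparisons = scan(area, sequences)
        if comparisons > L * M * N:                   # the slide's expense bound
            raise AssertionError("expense bound L*M*N violated")
        if hits:
            alarms += 1
    return alarms / trials


if __name__ == "__main__":
    # Toy parameters, small enough that chance matches actually occur.
    L, M, N, n = 200, 2, 6, 4
    print("formula :", false_alarm_estimate(L, M, N, n))
    print("measured:", measured_false_alarm_rate(L, M, N, n, trials=2000))

    # Byte cells (n = 256), a 64 KiB area and 10000 sequences: the sequence
    # size N dominates the estimate.
    for size in (2, 4, 8, 16):
        print("N =", size, "->", false_alarm_estimate(65536, 10000, size, 256))
```

With byte cells, a 2-cell sequence gives an estimate far above 1 (every clean area alarms), while 16 cells drive it to a negligible value; real program code is not uniformly random, so measured rates on real files will be higher than the formula suggests.
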
“Heuristic” algorithm
• for known viruses
• expense criteria: NP
[Figure: Host program | Decoder (cycle) | Body; label: n]
Executes $2^n$ cycles!

How can we measure the power of polymorphism?
[Figure: Host program | Decoder | Body]
$\alpha = \dfrac{\text{size of variable parts of the virus}}{\text{full size of the virus}}$
$\beta =$ number of variants of the decoders

Flowchart of a virus
search for an uninfected program
append virus
choose a random instruction in the virus
swap with the next instruction
repeat 100 times
DISK

Name: RIPPER
Aliases: Jack Ripper
Status: Common
Origin: Norway
Length: 1024 bytes (2 sectors)
Infect: MBR, Boot sector
Other: Resident, Stealth, Disk corruption

The virus swaps two words in the DOS write buffer. It occurs on a random basis of approximately 1 write in 1024 cases.

Multiplatform viruses
$G_1 = \langle V_1, U_1, T_1, f_1, q_1, M_1 \rangle$
$G_2 = \langle V_2, U_2, T_2, f_2, q_2, M_2 \rangle$
Conditions:
$V_1 \cap U_2 \neq \emptyset$: G1 has to know some operation codes of G2
$U_1 \cap V_2 \neq \emptyset$: G2 has to know some operation codes of G1

Multiplatform viruses
$G_1 = \langle V_1, U_1, T_1, f_1, q_1, M_1 \rangle$
$G_2 = \langle V_2, U_2, T_2, f_2, q_2, M_2 \rangle$
Conditions:
$U_1 \cap U_2 \neq \emptyset$: the virus code can be the same.
$U_1 \cap U_2 = \emptyset$: the virus code must be different.
