4 research outputs found

    Computer Virology

    We are interested in the theoretical aspect of computer viruses. To that end, we propose a definition based on the iteration and recursion theorems. We show that it naturally captures earlier definitions, in particular that of L. Adleman. We establish a generic method for constructing viruses and illustrate it with a few examples. We highlight the links between program specialization and virus propagation. Finally, we study detection and protection strategies, drawing on computability theory and information theory.

    An Investigation of IBM PC Computer Viruses Infection Rates and Types in a Western Australian Environment

    In recent years computer viruses have become increasingly significant as a form of computer abuse. By virtue of their reproductive capability, computer viruses can have cumulative and potentially catastrophic effects on the many people who use the affected computers. There is a growing concern in the computing community about these forms of electronic vandalism. This concern arises from the possible damage to stored information on which work depends and the ensuing disruption of the work-place. Although vandalism or purposeful abuse by introducing computer viruses into computer systems was originally mainly an American experience, research reports published by the Australian Computer Abuse Research Bureau (ACARB) support the claim that computer viruses have become increasingly significant as a form of computer abuse in Australia in recent years. Apart from ACARB's figures, there is minimal empirical research of a similar nature being conducted to investigate computer viruses as a form of computer abuse in Australia. In this study, an attempt has been made to investigate the problem, albeit on a limited scope. The infection types and rates of IBM PC viruses in a limited number of government IT organizations in Western Australia were investigated. In addition, this study has made an attempt to validate Spafford's speculation that fewer than 10 viruses (out of a minimum of 374) account for 90% of infections in the Western Australian environment. This study was descriptive in nature in that a fact-finding survey based on questionnaires and standardized interviews was conducted in State Government IT organizations in Western Australia in order to obtain data on which the research findings can be based. The data gathering instrument for this study was a standardized questionnaire which comprised limited-choice questions directed at obtaining such information as infection rates of various types of computer viruses.
    The questionnaire was field tested to eliminate ambiguous or biased items and to improve its format, both for ease of understanding and facility in analyzing results. The questionnaire was used by the interviewer as a basis for the interview so that the potential for subjectivity and bias could be reduced. Before the commencement of this study, a letter of transmittal was sent to the prospective participants to request their participation. Confirmation of participation was sought through telephone calls. A very high response rate (87.5%, n = 42) for this study was achieved. This is taken as an assurance that reasonable representation of the state government sector for the study was achieved. Prior to commencement of this study, approval was sought from the University Committee for the Conduct of Ethical Research since the study would involve human subjects. During the interview, subjects were informed of the purpose of the study, that there would be no compulsion to participate in the study and that they would be free to withdraw from further participation in the study at any time they desired. The results of the survey and its implications are provided in chapters 5 and 6. In conclusion, the research ratifies the proposition that currently very few of the IBM PC viruses contribute to the vast majority of infections in the Western Australian work-place.

    Improved Detection for Advanced Polymorphic Malware

    Malicious Software (malware) attacks across the internet are increasing at an alarming rate. Cyber-attacks have become increasingly more sophisticated and targeted. These targeted attacks are aimed at compromising networks, stealing personal financial information and removing sensitive data or disrupting operations. Current malware detection approaches work well for previously known signatures. However, malware developers utilize techniques to mutate and change software properties (signatures) to avoid and evade detection. Polymorphic malware is practically undetectable with signature-based defensive technologies. Today’s effective detection rate for polymorphic malware detection ranges from 68.75% to 81.25%. New techniques are needed to improve malware detection rates. Improved detection of polymorphic malware can only be accomplished by extracting features beyond the signature realm. Targeted detection for polymorphic malware must rely upon extracting key features and characteristics for advanced analysis. Traditionally, malware researchers have relied on limited dimensional features such as behavior (dynamic) or source/execution code analysis (static). This study’s focus was to extract and evaluate a limited set of multidimensional topological data in order to improve detection for polymorphic malware. This study used multidimensional analysis (file properties, static and dynamic analysis) with machine learning algorithms to improve malware detection. This research demonstrated improved polymorphic malware detection can be achieved with machine learning. This study conducted a number of experiments using a standard experimental testing protocol. This study utilized three advanced algorithms (Metabagging (MB), Instance Based k-Means (IBk) and Deep Learning Multi-Layer Perceptron) with a limited set of multidimensional data. Experimental results delivered detection results above 99.43%. In addition, the experiments delivered near zero false positives. 
The study’s approach was based on single case experimental design, a well-accepted protocol for progressive testing. The study constructed a prototype to automate feature extraction, assemble files for analysis, and analyze results through multiple clustering algorithms. The study performed an evaluation of large malware sample datasets to understand effectiveness across a wide range of malware. The study developed an integrated framework which automated feature extraction for multidimensional analysis. The feature extraction framework consisted of four modules: 1) a pre-process module that extracts and generates topological features based on static analysis of machine code and file characteristics, 2) a behavioral analysis module that extracts behavioral characteristics based on file execution (dynamic analysis), 3) an input file construction and submission module, and 4) a machine learning module that employs various advanced algorithms. As with most studies, careful attention was paid to false positive and false negative rates, which reduce overall detection accuracy and effectiveness. This study provided a novel approach to expand the malware body of knowledge and improve the detection of polymorphic malware targeting Microsoft operating systems.

    Amber: a zero-interaction honeypot with distributed intelligence

    For the greater part, security controls are based on the principle of Decision through Detection (DtD). The exception to this is a honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with them can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots’ uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which uses the honeypot approach of Decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has proved the usefulness of this alternative and low-cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations and streaming their detections into the central Amber hive.