Scanning Computer Viruses with Reduced Virus Definition File

s1090009

Daisuke Anzai

Supervised by Prof. H Toyoizumi

Scanning System

Anti-virus

software

Virus

Definition

file

scan

Supply the information

matching

Virus Definition File

• Since 1986, computer viruses have been increased extremely fast

• Now, there are more than 68000 kind of virus information has already published in the virus definition file

Problems

• This file length effects scan time

• These viruses will be increasing and more 100000 kinds in near future

• To scan them, server has big loading

Purpose

• Describe the possibility of reducing virus definition file

• Using M/D/1 queuing model, evaluate this server’s performance

Condition

• Virus detected by InterScan VirusWall which installed in the mail server of the University of Aizu are logged at Information Processing Center

• As a simulation data, use the data in last November

Virus log list

0

20

40

60

80

100

120

140

160

180WORM_BAGLE.AT

WORM_NETSKY.PHTML_NETSKY.P

WORM_NETSKY.QWORM_BAGLE.AU

WORM_NETSKY.DWORM_MYDOOM.M

WORM_NETSKY.CWORM_BAGLE.Z

WORM_NETSKY.ZHTML_SUNFRAUD.B

PE_VALLA.A

PE_FUNLOVE.4099WORM_SWEN.A

WORM_BAGLE.AGWORM_BAGLE.AH

WORM_BAGLE.GEN- 1WORM_BAGLE.X

WORM_NETSKY.ABOTHER

Virus Character

The probability that a specific virus come again is high if the virus arrived many in recently

The definition file must have efficacy against the new type and new type will appear one after another

Algorithm

• Logged everyday

• Sum of log during I. 1 month (30 days)

II. 1 week (7 days)

III. 1 day Change the rank to descending order and

elect top n

Example of algorithm(1 month method, n=10)

Sum of log from 10/2 to 10/31

1. 2.…10.

Scan 11/2Sum of log from 10/3 to 11/1

1. 2.…10.

Scan 11/1

Virus definition fileLog file

The Rate of Eliminating Virus Mail (n=10)

50%

60%

70%

80%

90%

100%

11/1 11/2 11/3 11/4 11/5 11/6 11/7

monthweekday

The Elimination Rate of Virus Mail (average the 7days)

50%

55%

60%

65%

70%

75%

80%

85%

90%

95%

100%

top10 Top20 Top30 Top40 Top50 Top60 Top70

month week day

Queuing Theory

• To calculate the probability can be received service have not waiting, the average length in queue, and average time from arriving to leaving

• Queuing classify several kinds by distribution of arrival and service, number of windows, and existence of procession limit

To client

Probability waiting will arise when a mail arrived () Number of mails in queue (L) Waiting time (W)

Scanning time (S)Arrival rate ()

Modeling of M/D/1 queuing system

startfinish

Define and

• The rate of average arrival () – Assume that 10000 mails arrived on a

hour. When 1 second, average of arrival is

78.26060

10000

• The rate of average service () – It assume that the time need to scan for one mail

is S(second). Then,

1

S

Reducing

nS

nS

Sn

S

5100.4'

68000'

68000'

Assume that 68000 kinds of virus information published in virus definition file currently, and reducing definition file published only n kinds. New service rate S’ define as

Length in Queue and Waiting Time

nS

nSnSLW

nS

nSnSL

5

56

5

552

1078.21

)1078.22(102.7

1078.21

)1078.22(100.2

)1(2

The Relation S and W

100 200 300 400 500 600ssecond2

4

6

8

10wsecond

n68000

n30

n50

n70n100

Result

• If scanning viruses are several ten kinds, it is low risk for users when the scanning is efficiently

• Instead of using the waist time to lookup old viruses, server can use the processing ability to scan new type viruses which hard to detect

Future Works

• Research the measure against the attacking viruses in a special day

Reference (Mathematics)

1. D.P.Heyman, M.J.Sobel, Stochastic Models, 1990

2. Sheldon M.Ross, Stochastic Process Second Edition, 1996

Reference (Virus information)

4. Symantec, http://www.symantec.com/

5. Information Processing Center, http://web-int/labs/istc/