INTRINSIC APOPTOSIS
Madihah Mohd Saudi, Mohd Amin Mat Isa, Hanina Mohd Noor,
Faculty Science & Technology, Islamic Science University of Malaysia (USIM),
Bandar Baru Nilai, 71800 Nilai, Negeri Sembilan, Malaysia
madihah@usim.edu.my
b) To develop a system that is capable of helping to protect the user's computer from virus infection by focusing on the most important parts, such as the ports, the registry, and the file system.

The SANS Institute defines an incident as an adverse network event in an information system or network, or the threat of the occurrence of such an event [14]. In the virus-incident context of this research, an incident is defined as the threat of an occurrence caused by a virus that could result, or does result, in a loss of data confidentiality, disruption of data and system integrity, or financial loss. Many factors contribute to virus incidents. One of them is a virus that is able to escape the antivirus or intrusion detection screen. When this occurs the virus will typically signal its presence, either as a direct result of its attempt to spread or as a side effect [1]. Normally, the virus scanner implements virus databases in order to distinguish real virus attacks from false positives (fake viruses).

3. Related Work

Intrinsic apoptosis detection methods have been extensively studied. In this section the researchers discuss the approaches that relate to an intrinsic apoptosis detection mechanism for detecting virus infection. The related papers are as follows.

3.1 Apoptosis – the Programmed Death of Distributed Services

This paper [13] observes that most network services today are provided by stationary programs, either at the application level (e-mail) or at the network level (routing). Programmable networks make it possible to reconfigure the network's nodes and to bind servers to new physical locations at run-time. "Network-aware services" may choose different server locations to optimize the quality of service. Similarly, application-level gateways have been proposed that can perform transcoding or downgrading of multimedia data. Within such proxy architectures, the thin clients, typically mobile devices with wireless links to the fixed network, can program the gateway by uploading servlets.

Research in biology has revealed that cells have a limited capacity to divide (mitosis). This is not due to physical limitations, such as exhausting some resource beyond usability, but is a predetermined, intrinsic behavior of the cell. Mechanisms at the molecular level are in place that can trigger the self-destruction of a cell. Several reasons have been identified why it makes sense for a cell to commit suicide.

By analogy with the biological case, there is a benefit in shutting a service down in an ordered way. The programmed and controlled termination helps a follow-up service to start by letting it proceed from a known state, without being fooled by residual data and code traces. Furthermore, lingering fragments may be subject to some economic charging scheme inside the network, or would uselessly intensify the competition for the network's scarce resources. As for cells, two different ways can be identified for a distributed service to start the apoptosis process:

3.1.1 Absence of positive signals

A mobile service may depend on a continuous stream of credentials. For example, in an active network using economy-inspired resource management, these signals would be a form of electronic money. Once a service realizes that it will soon run out of money, it can shut down partially or even completely.

3.1.2 Presence of negative signals

A service that discovers modifications of its code base will probably decide to stop immediately. Some hardware systems even have this behavior built into them (e.g., the PC's memory parity check). External sources of a negative signal must also be considered, for example a network manager that wants to terminate a service that it created.

3.2 A Generic Virus Detection Agent on the Internet

This paper [15] discusses how the combination of scan and trap tools is the most common weapon against viruses among casual computer users. However, there are drawbacks. A scan tool cannot detect viruses whose patterns are not in its database. A trap tool raises an alarm when some behavior that it perceives as abnormal occurs. When this happens, a user usually invokes her scan tools to check whether it is a virus or not. If the scan tools fail to confirm, a casual user may decide that it is yet another false alarm and ignore the warning. Since dynamic traps are prone to false alarms, this scenario is not uncommon. However, if the alarm was indeed caused by a virus whose pattern is not in the database of the scanners, then the integrity of the system is compromised.

In the same paper, the authors present a new methodology, Virus Instruction Code Emulation (VICE), for generic virus detection based on the behaviour of viruses. VICE was originally motivated by the challenge of coming up with a more effective methodology than scanning to decide whether an alarm reported by a dynamic trap is indeed caused by a virus. It can be used as stand-alone anti-virus software, although it can also be combined with a scan and a trap.

3.3 Virus Throttle

This paper highlights that Virus Throttle works by intercepting all IP connection requests, that is, connections in which the source subnet and destination addresses are different. This applies to the most common session-layer and application protocols, including TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL and DNS,
virtually any protocol where the normal traffic does not look like a virus spreading [16].

Some protocols, such as NetBIOS and WINS, are not appropriate for Virus Throttle, because they initiate a broad burst of network traffic that could be misinterpreted by the Virus Throttle technology as a threat. Similarly, applications that innocently generate suspicious-looking volumes of short traffic, such as network management scanners, notification services and some p2p file sharing, are also not suitable for Virus Throttle.

The Virus Throttle tracks the number of recently made connections. If a new, intercepted request is to a destination to which a connection was recently made, the request is processed as normal. If the request is to a destination that has not had a recent connection, the request is processed only if the number of recent connections is below a pre-set threshold. The threshold specifies how many connections are to be allowed over a set amount of time, thereby enforcing a connection-rate limit. If the threshold is exceeded because requests are coming in at an unusually high rate, this is taken as evidence of a virus. It causes the throttle to stop processing requests and, instead, to notify the system administrator.

Figure 1. Connection-rate ACL applied to traffic through a given port

3.4 Solitary Confinement: Using Artificial Cells to Protect Computer Systems

This paper [11] describes a security framework called Solitary Confinement (SC), which uses virtual machines to divide a computer system into small disposable units. A mixture of traditional computer security and ideas inspired by biology and the immune system is used in the design of the framework, which reduces the amount of damage that malicious and buggy software can inflict on a computer system. It also describes how to construct a security framework to protect computer systems. By constructing artificial cells using virtual machines and self-protecting components, resources on the system can be restricted and malware can be prevented from spreading, limiting the damage it can cause. Since the cells are disposable, any that become infected can be shut down in a controlled manner so as not to interfere with or damage other artificial cells or the system as a whole.

The Solitary Confinement (SC) framework is described at a high level, since different security algorithms and strategies can be used depending on the level of protection required. Similar to the immune system, multiple defense strategies are used, and newly developed strategies or algorithms can be added and old ones removed to change or increase the coverage of protection over time [11].

SC uses several principles of the immune system to aid with computer security. Each virtual machine (artificial cell) is autonomous and does not require coordination from a central location to determine whether it has been infected or to react. Multiple layers of security mechanisms and monitors can be used within an artificial cell. Individual virtual machines in the system can be eliminated without adversely affecting the entire system. Most computer security systems try to prevent an attack from occurring and do not consider what should happen in the event that a machine is compromised. Biology, on the other hand, shows us that if the components of an organism are independent and do not rely heavily on others, they can be disposed of and a new component generated with no harm to the organism as a whole [11].

When a process is launched on a system protected with SC, a new virtual machine is created, a specified amount of memory is reserved, and the process is started inside it. This allows the SC cell to monitor everything the process is doing and to act as a cellular membrane, giving SC full control over what resources the process can access in case any problems are detected. While memory limitations can be placed on processes by operating systems, the artificial cell provides a cleaner division, guaranteeing that the process will not use more than the specified amount of memory. As in biology, the SC artificial cells are designed to keep what is inside contained [11].

4. Methodology

4.1 Software Development Life Cycle Models

A software life cycle is defined as "typical sequences of phased activities that represent the various stages of engineering through which software systems pass". The researchers have chosen the V-shape model as the software life cycle model for this paper.
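The connection-rate logic of the Virus Throttle summarised in Section 3.3 above, written out as an added example (this is not code from this paper, nor from the Virus Throttle implementation of [16]): requests to destinations inside the local subnet are not intercepted, requests to a recently contacted destination are always processed, requests to a new destination are processed only while fewer than the threshold of new destinations have been contacted inside the current time window, and the first excess halts processing and queues an alert for the administrator. The threshold, window, local subnet 10.0.0.0/24 and the traffic events are constructed for the example.

```python
import ipaddress
from collections import deque


class VirusThrottle:
    """Connection-rate throttle in the style of Section 3.3 (constructed example)."""

    def __init__(self, threshold, window, local_net):
        self.threshold = threshold                      # new destinations allowed per window
        self.window = window                            # window length in seconds
        self.local_net = ipaddress.ip_network(local_net)
        self._recent = deque()                          # (timestamp, destination) of recent new-destination connections
        self.halted = False                             # set once the threshold is exceeded
        self.alerts = []                                # messages for the system administrator

    def _expire(self, now):
        # Drop connections older than the window so the count reflects the recent rate only.
        while self._recent and now - self._recent[0][0] > self.window:
            self._recent.popleft()

    def request(self, now, dst):
        """Return the throttle's decision for one intercepted connection request."""
        if self.halted:
            return "held: throttle stopped, administrator notified"
        if ipaddress.ip_address(dst) in self.local_net:
            return "allowed: local subnet, not intercepted"
        self._expire(now)
        if any(seen == dst for _, seen in self._recent):
            return "allowed: recent destination"
        if len(self._recent) < self.threshold:
            self._recent.append((now, dst))
            return "allowed: new destination"
        # Too many new destinations inside the window: treated as evidence of a virus.
        self.halted = True
        self.alerts.append(
            f"t={now}: more than {self.threshold} new destinations within "
            f"{self.window}s (latest {dst}); connection processing stopped")
        return "halted: possible virus"


# Constructed traffic: a little ordinary browsing, then a worm-like burst to many new hosts.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5"),
    (0.10, "93.184.216.34"),
    (0.20, "93.184.216.34"),
    (0.30, "198.51.100.7"),
] + [(5.00 + 0.01 * i, f"203.0.113.{i + 1}") for i in range(7)]


def replay(events, threshold=5, window=1.0, local_net="10.0.0.0/24"):
    """Run the events through a fresh throttle; return (decisions, alerts)."""
    throttle = VirusThrottle(threshold, window, local_net)
    decisions = [throttle.request(t, dst) for t, dst in events]
    return decisions, throttle.alerts


if __name__ == "__main__":
    for (t, dst), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[0]):
        print(f"{t:5.2f} {dst:15} {decision}")
```

Replaying the sample shows the trade-off the section describes: the browsing at the start never reaches the threshold, while the burst at t=5 s is stopped at the sixth new destination, so a scanner or notification service that legitimately fans out to many hosts would trip the same logic, which is why such applications are excluded from the throttle.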
Figure 2. V-shape model (phases: Project Definition, System Requirement Analysis, Preliminary Design, Detailed Design, Implementation, Unit Test, Component Integration & Test, System Integration & Test, Evaluation & Acceptance)

4.2 Programming Tools

For this research, the tools used are Java, Microsoft Access, Protégé, Rational Rose, and Microsoft Project.

4.3 Testing Bed

Generally, the system design is as illustrated in Figure 3.

Figure 3. A controlled network

5. System Design

In designing the system operation, several aspects must be highlighted in order to produce a workable system. The system will then be installed on the user's computer, running through the registry, file system, and ports. The researchers are developing an interactive system known as the Apoptosis Activator.

5.1 Securing the Apoptosis Activator

In the context of active networks, the "apoptosis activator" translates to the name and code of a self-destruction routine. A specific death signal shall be defined that activates this routine, which starts the termination process, including the propagation of the signal to other parts of the detection action. To this end, each element in the specific areas has to provide its apoptosis activator. Three items need to be protected:

1. The activation signal: otherwise anybody can create a false apoptosis signal. The signal thus has to be encrypted or otherwise hidden.
2. The decision logic: otherwise a malicious host can override the conditional execution and make it unconditional. The apoptosis trigger code thus needs execution integrity.
3. The self-destruction routine: otherwise a malicious host can immediately access and execute the apoptosis routine. The code thus has to be encrypted.

The researchers would like to protect the following prototypical piece of code:

    signal := read();
    IF signal = secret_signal THEN
        self-destruct();
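The first of the three items above, the activation signal, can be made concrete. As an added example (not code from this paper or from [13]), the activator below replaces the equality test against a stored secret with an HMAC-SHA256 tag over a cell identifier and a monotonically increasing counter, so that a signal observed on the network cannot be forged, replayed against the same cell or its successor, or redirected at another cell. The shared key, the cell identifiers, the wire format and the scenario are constructed assumptions; execution integrity of the decision logic (item 2) and encryption of the self-destruction routine (item 3) depend on the host and are not shown here.

```python
import hashlib
import hmac
import struct

# Constructed example.  Each cell shares a key with the network manager; in practice
# it would be provisioned when the cell is created.
TAG_LEN = 32              # HMAC-SHA256 output length
COUNTER_LEN = 8           # big-endian unsigned counter
PURPOSE = b"apoptosis"    # domain separation: the key must not authenticate other message types


def naive_activator(signal: bytes, secret_signal: bytes) -> bool:
    """The prototypical code of Section 5.1: the signal *is* the secret, so anyone who
    observes it once can reproduce it against any cell that shares it."""
    return signal == secret_signal


def make_death_signal(key: bytes, cell_id: bytes, counter: int) -> bytes:
    """Manager side.  Hypothetical wire format:
    cell_id || counter || HMAC-SHA256(key, cell_id || counter || PURPOSE)."""
    header = cell_id + struct.pack(">Q", counter)
    tag = hmac.new(key, header + PURPOSE, hashlib.sha256).digest()
    return header + tag


class AuthenticatedActivator:
    """Cell side.  Accepts a death signal only if it is authentic, addressed to this
    cell, and fresher than any counter the cell (or its predecessor) has seen."""

    def __init__(self, key: bytes, cell_id: bytes, last_counter: int = 0):
        self._key = key
        self._cell_id = cell_id
        self.last_counter = last_counter    # handed to a follow-up cell as part of its known state
        self.terminated = False

    def handle(self, message: bytes) -> str:
        if self.terminated:
            return "ignored: already terminated"
        id_len = len(self._cell_id)
        if len(message) != id_len + COUNTER_LEN + TAG_LEN:
            return "rejected: malformed"
        header, tag = message[:id_len + COUNTER_LEN], message[id_len + COUNTER_LEN:]
        # Verify the tag before trusting any field of the header; constant-time comparison.
        expected = hmac.new(self._key, header + PURPOSE, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        cell_id, counter = header[:id_len], struct.unpack(">Q", header[id_len:])[0]
        if cell_id != self._cell_id:
            return "rejected: addressed to another cell"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self._self_destruct()
        return "terminated"

    def _self_destruct(self):
        # Stand-in for the ordered shutdown the paper describes (disconnect, discard state).
        self.terminated = True


def run_scenario(key: bytes = b"constructed-shared-key") -> dict:
    """Exercise the activator with redirected, truncated, tampered, genuine and replayed signals."""
    cell_a = AuthenticatedActivator(key, b"cell-A")
    cell_b = AuthenticatedActivator(key, b"cell-B")
    signal_a = make_death_signal(key, b"cell-A", 2)
    tampered = signal_a[:-1] + bytes([signal_a[-1] ^ 0x01])
    results = {
        "redirected": cell_b.handle(signal_a),
        "truncated": cell_b.handle(signal_a[:10]),
        "tampered": cell_a.handle(tampered),
        "genuine": cell_a.handle(signal_a),
        "after_death": cell_a.handle(signal_a),
    }
    # The follow-up cell proceeds from the known state of its predecessor, so the
    # captured signal cannot kill it, while a fresh signal from the manager still can.
    successor = AuthenticatedActivator(key, b"cell-A", last_counter=cell_a.last_counter)
    results["replay_on_successor"] = successor.handle(signal_a)
    results["fresh_on_successor"] = successor.handle(make_death_signal(key, b"cell-A", 3))
    results["naive_replay"] = naive_activator(b"secret", b"secret")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:20} {outcome}")
```

The tag is checked before any header field is interpreted, so a malformed or forged message cannot influence the decision logic, and the counter carried into the successor cell is exactly the "known state" that Section 3.1 says an ordered shutdown should leave behind.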
The system flow is illustrated in Figure 4.

Figure 4. System flow (steps: start from the virus being released into the network; determine the pattern used in detecting the virus; detect deviation from the pattern in the infected file in the selected areas, which are the ports, file system and registry)

6. Testing

For the testing phase, several samples of polymorphic viruses will be chosen and tested in the controlled environment of the testing bed. The controlled environment was set up with a small number of victim machines on which the detection system is already installed. Those machines will be connected in a closed network. The virus samples will then be tested by triggering them randomly in order to obtain consistent results. From the testing phase, it is expected that the system will meet the following expected results. The project's expected outcomes are:

a) To produce a program that is capable of helping end users detect virus infection.
b) To enhance the mechanism of the virus detection system through an intrinsic apoptosis mechanism for detecting virus infection.
c) To produce a host that can change its degree of defensiveness, sniffing and analyzing network packets for signs of unusual activity, and can warn every machine in the network about the ongoing infection.

7. Conclusion

Computer virus attacks remain a serious threat to the national and international information infrastructure, and may be analyzed through mathematical and computational models. However, after going through the collected data about the computer virus life cycle and the biological virus life cycle, it is shown that the two are interrelated and can be used to produce a most beneficial system for defending against virus infection through apoptosis. This is very beneficial for end users, who will be more alert to virus infection in the future. In this paper, the researchers have developed a virus detection system that implements an intrinsic apoptosis mechanism to secure the user's computer system from harm by virus infection through an intrinsic detection system. It is expected that the system produced will be able to detect existing viruses and then disconnect itself from the network. This paper is produced based on the current research progress of the researchers.

[3] Bowen, I.D., Bowen, S.M. and Jones, A.H.: Mitosis and Apoptosis – Matters of Life and Death. Chapman & Hall, 2004.
[5] Computer Security Applications Conference, 2003. Proceedings. 19th Annual (2003).
[6] Jieh-Sheng Lee, Center of Computing Services, Hua-Fan Institute of Technology, Shi-Ting, Taipei, Taiwan, 2004.
[7] Dasgupta, D. and N. Attoh-Okine. "Immunity-Based Systems: A Survey." Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, October 2006.
[8] Forrest, Stephanie, et al. "Computer Immunology," Communications of the ACM, 40(10):88–96 (October 2005).
[9] Kephart, J.O. "A Biologically Inspired Immune System for Computers." Proceedings of the 4th International Workshop on the Synthesis and Simulation of Living Systems and Artificial Life. 130–139. 19.
[10] Johns Hopkins, "Perspectives in Biology and Medicine," University Press, volume 44, number 4 (autumn 2001): 509–21.