AN EFFICIENT DEFENSIVE OF VIRUS INFECTION THROUGH INTRINSIC APOPTOSIS

Madihah Mohd Saudi, Mohd Amin Mat Isa, Hanina Mohd Noor
Faculty of Science & Technology, Islamic Science University of Malaysia (USIM),
Bandar Baru Nilai, 71800 Nilai, Negeri Sembilan, Malaysia
madihah@usim.edu.my

Abstract

In today's Internet, malicious code such as viruses causes service disruptions with enormous economic impact. Current attack detection systems are based on the behavior of the virus itself. Finding similarities in virus behavior becomes difficult for polymorphic viruses, because such a virus constantly changes its features when it infects other components. In this paper, the apoptosis concept is applied to prevent a virus from spreading across the machines of all end users. The term is borrowed from cell biology and designates programmed cell death. The researchers discuss the need for a self-destruction mechanism inside an end user's computer system.

1. Introduction

As the Internet evolves in complexity and interconnectivity, it becomes more than the sum of individual, private networks. Instead, it takes on the characteristics of a single, complex organism. Computer virus outbreaks no longer infect only a few thousand computers; a single virus can now sicken the entire body of the Internet. Today, computer users are directly threatened by more than 97,000 viruses, worms and Trojan horses. The Internet can thus be likened to the human body: if each computer in the world represents a structural cell in this body, then security experts and anti-virus solutions might represent its immune system. Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code, as it constantly mutates. Many times, users are not even aware that they have been infected.

Besides that, it is hard to control all the factors that cause a virus infection in a machine that is still connected to a network. A more effective approach is to implement the apoptosis concept in the virus detection system within a computer, before the virus infects other files. The most commonly infected areas, such as the registry, the file system and ports, must be secured with a trusted system to prevent them from being totally destroyed after infection by such viruses. In apoptosis terminology, or programmed cell death, the infected host kills itself: it should be able to recognize its own anti-social behavior and detach itself from the network. Basically, death by apoptosis is a neat, orderly process that begins with shrinkage in the volume of the cell; the cell then loses adhesion to its neighboring cells. After that, blebs form at the cell surface, followed by the dissection of chromatin into small fragments before the cell is removed from the body compartment. This mechanism is closely related to the computer network environment.

One great concern is the increasing length of the initial occurrence stage, the significant gap between the initial time of attack and the implementation of defensive strategies for a new computer virus. In part, this is due to the sophistication of virus writers, allowing computer viruses to evolve more rapidly than biological viruses. Some recent highly damaging viruses used methods where the virus spread automatically with no human in the loop, for example automatic e-mails, HTTP requests to IIS web servers, and "guessing" IP addresses to attack. The researchers' target is to enhance the existing detection system in order to produce a new mechanism for detecting viruses. However, is it possible to kill the host through intrinsic apoptosis?

2. Objectives

The objectives of this paper are:

a) To conduct an in-depth study of the intrinsic apoptosis mechanism from a computer security perspective. Generally, virus detection in a network environment is based on conventional techniques such as scan and dynamic trap. However, the researchers are trying to enhance the existing virus detection technique to overcome this problem by implementing the apoptosis mechanism.
b) To develop a system that is capable of protecting the user's computer from virus infection by focusing on the most important parts, such as ports, the registry and the file system.

The SANS Institute defines an incident as an adverse network event in an information system or network, or the threat of the occurrence of such an event [14]. In the virus incident context of this research, an incident is defined as the threat of an occurrence caused by a virus that could result, or results, in a loss of data confidentiality, disruption of data and system integrity, or financial loss. Many factors contribute to virus incidents. One of them is a virus that is able to escape the antivirus or intrusion detection screen. When this occurs the virus will typically signal its presence, either as a direct result of its attempt to spread or as a side effect [1]. Normally, the virus scanner implements virus databases to distinguish real virus attacks from false positives or fake viruses.

3. Related Work

Intrinsic apoptosis detection methods have been extensively studied. In this section, the researchers discuss the approaches that are related to the intrinsic apoptosis detection mechanism for detecting virus infection. The following are the related papers.

3.1 Apoptosis – the Programmed Death of Distributed Services

This paper [13] presents that most network services today are provided by stationary programs, either at the application level (e-mail) or at the network level (routing). Programmable networks make it possible to reconfigure the network's nodes and to bind servers to new physical locations at run-time. "Network-aware services" may choose different server locations to optimize the quality of service. Similarly, application level gateways have been proposed that can perform transcoding or downgrading of multimedia data. Within such proxy architectures, the thin clients, typically mobile devices with wireless links to the fixed network, can program the gateway by uploading servlets.

Research in biology has revealed that cells have a limited capacity to divide (mitosis). This is not due to physical limitations such as exhausting some resource beyond usability, but is a predetermined, intrinsic behavior of the cell. Mechanisms at the molecular level are in place that can trigger the self-destruction of a cell. Several reasons have been identified why it makes sense for a cell to commit suicide.

In analogy to the biological case, there is a benefit in shutting down a service in an ordered way. The programmed and controlled termination helps a follow-up service to start from a known state, without being fooled by residual data and code traces. Furthermore, lingering fragments may be subject to some economic charging scheme inside the network, or would uselessly intensify the competition for the network's scarce resources.

As for cells, two different ways can be identified for a distributed service to start the apoptosis process:

3.1.1 Absence of positive signals

A mobile service may depend on a continuous stream of credentials. For example, in an active network using economy-inspired resource management, these signals would be a form of electronic money. Once a service realizes that it will soon run out of money, it can shut down partially or even completely.

3.1.2 Presence of negative signals

A service that discovers modifications of its code base will probably decide to stop immediately. Some hardware systems even have this behavior built into them (e.g., the PC's memory parity check). External sources of a negative signal must also be considered, for example a network manager who wants to terminate a service that he created.

3.2 A Generic Virus Detection Agent on the Internet

This paper [15] discusses how the combination of scan and trap tools is the most common weapon against viruses among casual computer users. However, there are drawbacks. A scan tool cannot detect viruses whose patterns are not in its database. A trap tool raises an alarm when some behavior that it perceives as abnormal occurs. When this happens, a user usually invokes her scan tools to check whether it is a virus or not. If the scan tools fail to confirm, a casual user may decide that it is yet another false alarm and ignore the warning. Since dynamic traps are prone to false alarms, this scenario is not uncommon. However, if the alarm was indeed caused by a virus whose pattern is not in the database of the scanners, then the integrity of the system is compromised.

The paper also presents a new methodology, Virus Instruction Code Emulation (VICE), for generic virus detection based on the behaviour of viruses. VICE was originally motivated by the challenge of finding a more effective methodology than scanning to decide whether an alarm reported by a dynamic trap is indeed caused by a virus. It can be used as stand-alone anti-virus software, although it can also be combined with a scan and a trap.

3.3 Virus Throttle

This paper highlights that Virus Throttle works by intercepting all IP connection requests, that is, connections in which the source subnet and destination addresses are different. This applies to most common session-layer and application protocols, including TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL and DNS,
virtually any protocol where the normal traffic does not look like a spreading virus [16].

Some protocols, such as NetBIOS and WINS, are not appropriate for Virus Throttle, because they initiate a broad burst of network traffic that could be misinterpreted by the Virus Throttle technology as a threat. Similarly, applications that innocently generate suspicious-looking volumes of short traffic, such as network management scanners, notification services and some p2p file sharing, are also not suitable for Virus Throttle.

The Virus Throttle tracks the number of recently made connections. If a new, intercepted request is to a destination to which a connection was recently made, the request is processed as normal. If the request is to a destination that has not had a recent connection, the request is processed only if the number of recent connections is below a pre-set threshold. The threshold specifies how many connections are to be allowed over a set amount of time, thereby enforcing a connection-rate limit. If the threshold is exceeded because requests are coming in at an unusually high rate, this is taken as evidence of a virus. This causes the throttle to stop processing requests and, instead, to notify the system administrator.

Figure 1. Connection-rate ACL applied to traffic through a given port

3.4 Solitary Confinement: Using Artificial Cells to Protect Computer Systems

This paper [11] describes a security framework called Solitary Confinement (SC), which uses virtual machines to divide a computer system into small disposable units. A mixture of traditional computer security with ideas inspired by biology and the immune system is used for the design of the framework, which reduces the amount of damage malicious and buggy software can inflict on a computer system. It also describes constructing a security framework to protect computer systems. By constructing artificial cells using virtual machines and self-protecting components, resources on the system can be restricted and malware can be prevented from spreading, limiting the damage it can cause. Since the cells are disposable, any that become infected can be shut down in a controlled manner so as not to interfere with or damage other artificial cells or the system as a whole.

The Solitary Confinement (SC) framework is described at a high level, since different security algorithms and strategies can be used depending on the level of protection required. Similar to the immune system, multiple defense strategies are used, and newly developed strategies or algorithms can be added and old ones removed to change or increase the coverage of protection over time [11].

SC uses several principles of the immune system to aid computer security. Each virtual machine (artificial cell) is autonomous and does not require coordination from a central location to determine whether it has been infected or to react. Multiple layers of security mechanisms and monitors can be used within an artificial cell. Individual virtual machines in the system can be eliminated without adversely affecting the entire system. Most computer security systems try to prevent an attack from occurring and do not consider what should happen in the event a machine is compromised. Biology, on the other hand, shows us that if components of an organism are independent and do not heavily rely on others, they can be disposed of and a new component generated with no harm to the organism as a whole [11].

When a process is launched on a system protected with SC, a new virtual machine is created, a specified amount of memory is reserved, and the process is started inside it. This allows the SC cell to monitor everything the process is doing and to act as a cellular membrane, giving SC full control over what resources the process can access in case any problems are detected. While memory limitations can be placed on processes in operating systems, the artificial cell provides a cleaner division, guaranteeing that the process will not use more than the specified amount of memory. Like biology, the SC artificial cells are designed to keep what is inside contained [11].

4. Methodology

4.1 Software Development Life Cycle Models

A software life cycle is defined as "typical sequences of phased activities that represent the various stages of engineering through which software systems pass". The researchers have chosen to use the V-shape model as the software life cycle model in this paper.
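As an added example (our own code, not HP's Virus Throttle implementation), the connection-rate rule summarised in Section 3.3 run over two constructed request logs, one of ordinary use and one of a worm-like burst of new destinations; the class and function names, the /24 local prefix and the log addresses are assumptions.

```python
from collections import deque

# Added example of the Virus Throttle rule summarised in Section 3.3 (our own
# code, not HP's implementation). Requests from a host to destinations outside
# its own /24 are intercepted: a destination contacted within the last `window`
# seconds passes, a new destination passes only while fewer than `threshold`
# new destinations were opened in that window, and once the threshold is
# exceeded the throttle stops passing new destinations and records the trip so
# an administrator can be notified. Class and function names are ours.


class VirusThrottle:
    def __init__(self, local_prefix, threshold=5, window=1.0):
        self.local_prefix = local_prefix   # e.g. "10.0.1." (assumed /24)
        self.threshold = threshold         # new destinations allowed per window
        self.window = window               # window length in seconds
        self.recent = deque()              # (time, dst) of recent new connections
        self.tripped_at = None             # time the throttle stopped processing

    def _expire(self, now):
        """Drop recent connections older than the window."""
        while self.recent and now - self.recent[0][0] >= self.window:
            self.recent.popleft()

    def request(self, now, dst):
        """Classify one outbound request as 'local', 'pass' or 'throttled'."""
        if dst.startswith(self.local_prefix):
            return "local"                 # same subnet: not intercepted
        if self.tripped_at is not None:
            return "throttled"             # throttle has stopped processing
        self._expire(now)
        if any(d == dst for _, d in self.recent):
            return "pass"                  # recently contacted destination
        if len(self.recent) < self.threshold:
            self.recent.append((now, dst))
            return "pass"                  # new destination, still under the limit
        self.tripped_at = now              # rate exceeded: evidence of spreading
        return "throttled"


def replay(log, threshold=5, window=1.0):
    """Run a (time, dst) log through a fresh throttle; return decisions and trip time."""
    throttle = VirusThrottle("10.0.1.", threshold, window)
    decisions = [throttle.request(t, d) for t, d in log]
    return decisions, throttle.tripped_at


# Constructed logs (documentation/test addresses). Ordinary use revisits a
# handful of destinations; a worm-like burst opens twelve distinct
# destinations within about half a second.
NORMAL_LOG = [(0.0, "93.184.216.34"), (0.2, "10.0.1.7"), (0.5, "93.184.216.34"),
              (0.9, "198.51.100.5"), (1.4, "203.0.113.9"), (1.6, "93.184.216.34"),
              (2.1, "198.51.100.5"), (2.8, "203.0.113.10")]
BURST_LOG = [(5.0 + i * 0.05, f"203.0.113.{i}") for i in range(12)]

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("burst", BURST_LOG)):
        decisions, tripped = replay(log)
        print(f"{name}: {decisions.count('throttled')} throttled, tripped at {tripped}")
```

With the default threshold of five new destinations per second, the normal log never trips the throttle, while the burst passes its first five destinations and is then stopped, mirroring the "stop processing and notify the administrator" behaviour described above.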
Figure 2. V-shape model (phases: Project Definition, System Requirement Analysis, Preliminary Design, Detailed Design, Implementation, Unit Test, Component Integration & Test, System Integration & Test, Evaluation & Acceptance)

4.2 Programming Tools

For this research, the tools used are Java, Microsoft Access, Protégé, Rational Rose, and Microsoft Project. Generally, the system design is as illustrated in Figure 3.

4.3 Testing Bed

The testing bed for this paper will be a controlled network, which will be set up during the testing session. The controlled network consists of the Ethernet and several PCs as the victims, and several samples of polymorphic viruses will be released on selected nodes. There are roughly 10 nodes in total, currently. The experiment can allocate nodes from either one or both clusters. These nodes are interconnected by a "programmable backplane" of high-speed Ethernet switches, trunked to form a single logical switch. The virus sample will be attached to a file before it is transferred through the network to the target PCs. The target PCs, on which the system has been installed, will work effectively to detect the viruses and will therefore disconnect themselves from the network by closing the port.

Figure 3. A controlled network

5. System Design

In designing the system operation, several aspects must be highlighted in order to produce a workable system. The system will then be installed on the user's computer, running through the registry, file system and ports. The researchers are trying to develop an interactive system known as the Apoptosis Activator.

5.1 Securing the Apoptosis Activator

In the context of active networks, the "apoptosis activator" translates to the name and code of a self-destruction routine. A specific death signal shall be defined that activates this routine, which starts the termination process, including the propagation of the signal to other parts of the detection action. To this end, each element in the specific areas has to provide its apoptosis activator. Three items need to be protected:

1. The activation signal: otherwise anybody can create a false apoptosis signal. The signal thus has to be encrypted or otherwise hidden.
2. The decision logic: otherwise a malicious host can override the conditional execution and make it unconditional. The apoptosis trigger code thus needs execution integrity.
3. The self-destruction routine: otherwise a malicious host can immediately access and execute the apoptosis routine. The code thus has to be encrypted.

The researchers would like to protect the following prototypical piece of code:

    signal := read();
    IF signal = secret_signal THEN
        self-destruct();
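As an added example (our own code, not the paper's or Tschudin's), item 1 of Section 5.1 worked through: the fragment above compares the received signal with a fixed secret in the clear, so anyone who observes one valid signal can replay or forge it; below, the death signal is instead authenticated with HMAC-SHA256 over a strictly increasing counter, so forged, tampered and replayed signals never reach the self-destruction routine. The shared KEY, the DOMAIN tag, the counter layout and the self-destruct callback are assumptions.

```python
import hashlib
import hmac
import struct

# Added example (our code, not the paper's or Tschudin's) for item 1 of
# Section 5.1: protecting the activation signal. The prototypical fragment
# compares the received signal with a fixed secret_signal, so anyone who sees
# one valid signal on the wire can replay or forge it. Here the network manager
# and the host share a key; a death signal is a domain tag plus a strictly
# increasing counter, authenticated with HMAC-SHA256, so forged, tampered and
# replayed signals are rejected. KEY, DOMAIN and the counter layout are
# assumptions; the self-destruct callback is a stand-in for the real routine.

KEY = b"constructed-demo-key-not-for-production"   # constructed shared secret
DOMAIN = b"apoptosis-activator-v1"                 # binds tags to this purpose
TAG_LEN = hashlib.sha256().digest_size              # 32 bytes


def make_signal(key, counter):
    """Network manager side: encode the counter and authenticate it."""
    body = DOMAIN + struct.pack(">Q", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class ApoptosisActivator:
    """Host side: runs self_destruct() only on a fresh, authentic death signal."""

    def __init__(self, key, self_destruct):
        self.key = key
        self.self_destruct = self_destruct
        self.last_counter = 0            # highest counter accepted so far

    def receive(self, signal):
        body_len = len(DOMAIN) + 8
        if len(signal) != body_len + TAG_LEN or not signal.startswith(DOMAIN):
            return False                 # malformed or wrong purpose
        body, tag = signal[:body_len], signal[body_len:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                 # forged or tampered (constant-time check)
        counter = struct.unpack(">Q", body[len(DOMAIN):])[0]
        if counter <= self.last_counter:
            return False                 # replay of an already-used signal
        self.last_counter = counter
        self.self_destruct()
        return True


def demo():
    """Feed forged, tampered, genuine and replayed signals to one activator."""
    fired = []
    activator = ApoptosisActivator(KEY, lambda: fired.append("self-destruct"))
    genuine = make_signal(KEY, 1)
    forged = make_signal(b"some-other-key", 2)                 # wrong key
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])     # one tag bit flipped
    results = {
        "forged": activator.receive(forged),
        "tampered": activator.receive(tampered),
        "genuine": activator.receive(genuine),
        "replayed": activator.receive(genuine),
        "next": activator.receive(make_signal(KEY, 2)),
    }
    return results, len(fired)


if __name__ == "__main__":
    print(demo())
```

Items 2 and 3 of the list (execution integrity of the decision logic and protection of the routine itself) are not addressed by this scheme; it only removes the forgery and replay weakness of comparing a static secret.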
The system flow is illustrated in Figure 4.

Figure 4. The flow of the detection system: start from a virus released into the network; determine the pattern usage in detecting the virus; detect deviation from the pattern in the infected file in the selected areas, which are port, file system and registry; flag the deviation as an anomaly possibly indicating infection by polymorphism; disconnect the connection from the network.

6. Testing

For the testing phase, several samples of polymorphic viruses will be chosen and tested in the controlled environment of the testing bed. The controlled environment was set up with a small number of victim machines on which the detection system is already installed. Those machines will be connected in a closed network. Then the virus samples will be tested by triggering them randomly in order to gain consistent results. From the testing phase, it is expected that the system will fulfill the following expected results. The project's expected outcomes are:

a) To produce a program that is capable of helping end users detect virus infection.
b) To enhance the mechanism of the virus detection system through the intrinsic apoptosis mechanism in detecting virus infection.
c) To produce a host that can change its degree of defensiveness, sniffing and analyzing network packets for signs of unusual activity, and can warn every machine in the network about the ongoing infection.

7. Conclusion

Computer virus attacks remain a serious threat to the national and international information infrastructure, and may be analyzed through mathematical and computational models. However, after going through the collected data about the computer virus life cycle and the biological virus life cycle, it is shown that they are interrelated, which can produce a most beneficial system to defend against virus infection through apoptosis. This is very beneficial for end users, making them more alert to virus infection in the future. In this paper, the researchers have developed a virus detection system that implements the intrinsic apoptosis mechanism to secure the user's computer system from being harmed by virus infection through an intrinsic detection system. It is expected that the system produced will be able to detect existing viruses and then disconnect itself from the network. This paper is produced based on the current research progress of the researchers.

8. Acknowledgements

The work was supported by the Universiti Sains Islam Malaysia (USIM) under the Grant PPPP(E)/2007.

9. References

[1] Nachenberg, C. (2003), "Computer virus coevolution", Communications of the ACM, January, pp. 46-51.
[2] Whalley, I. (2004), "Virus defense for the future", Security Management, November, pp. 60-4.
[3] Bowen, I.D., Bowen, S.M. and Jones, A.H. (2004), Mitosis and Apoptosis – Matters of Life and Death, Chapman & Hall.
[5] Computer Security Applications Conference (2003), Proceedings, 19th Annual.
[6] Lee, J.-S. (2004), Center of Computing Services, Hua-Fan Institute of Technology, Shi-Ting, Taipei, Taiwan.
[7] Dasgupta, D. and Attoh-Okine, N. (2006), "Immunity-Based Systems: A Survey", Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, October.
[8] Forrest, S. et al. (2005), "Computer Immunology", Communications of the ACM, 40(10), pp. 88-96, October.
[9] Kephart, J.O., "A Biologically Inspired Immune System for Computers", Proceedings of the 4th International Workshop on the Synthesis and Simulation of Living Systems and Artificial Life, pp. 130-139, 19.
[10] Johns Hopkins University Press (2001), Perspectives in Biology and Medicine, volume 44, number 4 (autumn), pp. 509–21.
[11] Gilchrist, J. (2005), "Solitary Confinement: Using Artificial Cells to Protect Computer Systems".
[12] Claudatos, C.H. (2008), "Method and system in detecting malware", Feb 21.
[13] Tschudin, C. (2002), "Apoptosis – the Programmed Death of Distributed Services", February.
[14] SANS Institute (2003), "Handling Incident Response".
[15] Lee, J.-S., Hsiang, J. and Tsang, P.-H. (2001), "A Generic Virus Detection Agent on the Internet", Center of Computing Services, Hua-Fan Institute of Technology.
[16] Subramanya, S.R. and Lakshminarasimhan, N. (2002), "Computer viruses".
[17] Karnik, A., Goswami, S. and Guha, R. (2007), "Detecting Obfuscated Viruses Using Cosine Similarity Analysis".
[18] Goelan, S. and Bush, S.F. (2004), "Biological model of security for virus propagation in computer network", December.
[19] HP Innovation Center (2006), "Connection-Rate Filtering Based on Virus Throttle Technology".