Scanning Computer Viruses with Reduced Virus Definition File
s1090009
Daisuke Anzai
Supervised by Prof. H Toyoizumi
Scanning System (diagram): the anti-virus software scans incoming mail; the virus definition file supplies the information used for matching.
• Since 1986, the number of computer viruses has increased extremely fast
• Now, more than 68000 kinds of virus information have already been published in the virus definition file
Problems
• The length of this file affects scan time
• Viruses will keep increasing, to more than 100000 kinds in the near future
• Scanning for all of them puts a heavy load on the server
Purpose
• Describe the possibility of reducing the virus definition file
• Using the M/D/1 queuing model, evaluate this server's performance
Condition
• Viruses detected by InterScan VirusWall, which is installed on the mail server of the University of Aizu, are logged at the Information Processing Center
• As simulation data, use the data from last November
Virus log list (bar chart, counts on a 0 to 180 scale) for: WORM_BAGLE.AT, WORM_NETSKY.P, HTML_NETSKY.P, WORM_NETSKY.Q, WORM_BAGLE.AU, WORM_NETSKY.D, WORM_MYDOOM.M, WORM_NETSKY.C, WORM_BAGLE.Z, WORM_NETSKY.Z, HTML_SUNFRAUD.B, PE_VALLA.A, PE_FUNLOVE.4099, WORM_SWEN.A, WORM_BAGLE.AG, WORM_BAGLE.AH, WORM_BAGLE.GEN-1, WORM_BAGLE.X, WORM_NETSKY.AB, OTHER
Virus Characteristics
• The probability that a specific virus comes again is high if many copies of it arrived recently
• The definition file must remain effective against new types, and new types will appear one after another
Algorithm
• Viruses are logged every day
• Sum the log over
  I. 1 month (30 days)
  II. 1 week (7 days)
  III. 1 day
• Sort the viruses by count in descending order and select the top n
Example of algorithm (1 month method, n=10) (diagram)
• Sum of log from 10/2 to 10/31 → rank 1. 2. … 10. → virus definition file used for the scan on 11/1
• Sum of log from 10/3 to 11/1 → rank 1. 2. … 10. → virus definition file used for the scan on 11/2
(The log file is the input; the virus definition file is the output.)
The Rate of Eliminating Virus Mail (n=10) (plot): elimination rate from 50% to 100% on the y-axis, days 11/1 to 11/7 on the x-axis, one series each for the month, week and day methods
The Elimination Rate of Virus Mail (averaged over the 7 days) (plot): elimination rate from 50% to 100% on the y-axis, top10 to top70 on the x-axis, one series each for the month, week and day methods
Queuing Theory
• Used to calculate the probability that a mail is served without waiting, the average length of the queue, and the average time from arrival to departure
• Queues are classified into several kinds by the distribution of arrivals and service, the number of servers (windows), and whether the queue length is limited
Modeling of M/D/1 queuing system (diagram): a mail arrives at arrival rate λ; waiting may arise when it arrives (number of mails in queue L, waiting time W); it is then scanned, taking scanning time S from start to finish, and is delivered to the client.

Define λ and μ
• The average arrival rate (λ): assume that 10000 mails arrive in one hour. Per second, the average arrival rate is
$$\lambda = \frac{10000}{60 \times 60} \approx 2.78$$
• The average service rate (μ): assume that the time needed to scan one mail is S (seconds). Then
$$\mu = \frac{1}{S}$$

Reducing
Assume that 68000 kinds of virus information are currently published in the virus definition file, and that the reduced definition file publishes only n kinds. The new scanning time S' (service rate 1/S') is defined as
$$S' = \frac{n}{68000}\, S$$

Length in Queue and Waiting Time
For the M/D/1 queue with arrival rate λ and constant service time S', the utilization is λS' (it must stay below 1), and the average number of mails in the queue and the average waiting time are
$$L = \frac{(\lambda S')^2}{2(1 - \lambda S')}, \qquad W = \frac{\lambda S'^2}{2(1 - \lambda S')}$$
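The ranking algorithm (sum the log over a window, keep the top n) and the M/D/1 evaluation above, as an added Python example that is not the slides' own code. The daily counts are constructed, the 68000-entry file and 10000 mails per hour come from the slides, and the 0.2 s scan time per mail for the full file is an assumption.

```python
from collections import Counter

# Constructed sample data (not from the slides): day number -> Counter of
# virus name -> number of infected mails logged on that day.
DAILY_LOG = {
    1: Counter({"WORM_NETSKY.P": 40, "WORM_BAGLE.AT": 30, "PE_VALLA.A": 2}),
    2: Counter({"WORM_NETSKY.P": 35, "WORM_BAGLE.AT": 25, "WORM_MYDOOM.M": 5}),
    3: Counter({"WORM_NETSKY.P": 30, "WORM_BAGLE.AU": 20, "WORM_BAGLE.AT": 10}),
    4: Counter({"WORM_BAGLE.AU": 45, "WORM_NETSKY.P": 20, "HTML_SUNFRAUD.B": 3}),
}

def top_n(log, day, window, n):
    """Sum the log over the `window` days before `day` (month=30, week=7,
    day=1) and keep the n most frequent names: the reduced definition file."""
    total = Counter()
    for d in range(day - window, day):
        total.update(log.get(d, Counter()))
    return [name for name, _ in total.most_common(n)]

def elimination_rate(log, day, window, n):
    """Share of `day`'s virus mails that the reduced file still catches."""
    kept = set(top_n(log, day, window, n))
    today = log[day]
    caught = sum(c for name, c in today.items() if name in kept)
    return caught / sum(today.values())

def reduced_scan_time(s, n, total=68000):
    """S' = (n / 68000) * S: scan time shrinks with the file length."""
    return s * n / total

def md1_wait(arrival_rate, service_time):
    """M/D/1 mean waiting time W = lambda*S^2 / (2*(1 - lambda*S)).
    Returns inf when lambda*S >= 1, i.e. the scanner cannot keep up."""
    rho = arrival_rate * service_time
    if rho >= 1:
        return float("inf")
    return arrival_rate * service_time ** 2 / (2 * (1 - rho))

if __name__ == "__main__":
    lam = 10000 / (60 * 60)  # 10000 mails per hour, as on the slides
    full_scan = 0.2          # assumed seconds per mail with all 68000 entries
    for window in (3, 1):    # shorter window adapts faster to the new top virus
        print(window, top_n(DAILY_LOG, 4, window, 2),
              round(elimination_rate(DAILY_LOG, 4, window, 2), 3))
    for n in (10, 100, 68000):
        print(n, md1_wait(lam, reduced_scan_time(full_scan, n)))
```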
The relation between S and W (plot): S in seconds on the x-axis (100 to 600), W in seconds on the y-axis (2 to 10), one curve each for n = 68000, 30, 50, 70 and 100
Result
• If the scanned viruses are limited to several tens of kinds, the risk to users stays low while the scanning becomes efficient
• Instead of wasting time looking up old viruses, the server can use its processing capacity to scan for new types of virus, which are hard to detect
Future Works
• Research countermeasures against viruses that attack on a particular day