Artificial Immunity for Personal Computers

IP.com Disclosure Number: IPCOM000121030D
Original Publication Date: 1991-Jul-01
Included in the Prior Art Database: 2005-Apr-03
Document File: 5 page(s) / 201K

Publishing Venue

IBM

Related People

Comerford, LD: AUTHOR [+2]

Abstract

Computer viruses threaten the integrity of today's computing systems. This invention describes an intelligent hardware coprocessor which emulates an immune system in the computing system's architecture. This system reduces the vulnerability present in software-only antiviral systems to attack by viruses while providing new capabilities unavailable to such systems.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 28% of the total text.

      The advent of computer viruses has spawned a new set of
problems to be overcome by those who seek to make productive use of
computers.  Unless a computing system is completely isolated from
other computing systems, and all software which it runs is developed
on that machine by people of goodwill, that computing system is
susceptible to infection. It is almost never the case that computing
systems are isolated, thus the existence of viruses has evoked a
defensive response from members of the computing community.

      There are three general anti-virus strategies employed today.
The first is a process which begins with the identification of a
virus.  A signature string is extracted from the virus and is
incorporated in a software tool which can search disk files or loaded
memory.  If the search reveals a match, typically the user is warned
and has the option of taking some action.

      The second approach involves a process that has a model of the
appropriate use of the file system.  It constantly monitors disk
activity, looking for irregularities or questionable actions on the
part of some software process.  When such an irregularity is
detected, the disk activity can be halted and the user is warned.
This approach could be generalized to cover all forms of computer
I/O, for instance, network traffic, although current implementations
focus on the DASD subsystem.

      The third approach looks for the consequences of any virus
which may have been active.  This generally takes the form of
checking the integrity of various files against previous known
states.  Unauthorized or unexpected changes signal that something is
amiss, and the user is notified.
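
The first and third strategies can be sketched in software as follows. This is an added example, not code from the disclosure: the signature bytes are constructed for illustration, and the use of SHA-256 and the names `scan_bytes`, `snapshot` and `diff_snapshots` are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature for illustration only; not taken from any real virus.
SIGNATURES = {"DEMO-SIG-1": b"\xde\xad\xbe\xefEXAMPLE-MARKER"}


def scan_bytes(data, signatures=SIGNATURES):
    """First strategy: return (name, offset) for each occurrence of a known signature."""
    hits = []
    for name, sig in signatures.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def snapshot(root):
    """Record a known state: relative path -> SHA-256 digest (hash choice is an assumption)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Third strategy: compare the current state against the previous known state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        prog = Path(d, "PROG.COM")
        prog.write_bytes(b"\x90" * 64)          # constructed "clean" file
        baseline = snapshot(d)
        # Constructed change: the file grows and now contains the demo signature.
        prog.write_bytes(prog.read_bytes() + SIGNATURES["DEMO-SIG-1"])
        Path(d, "NEW.EXE").write_bytes(b"MZ")   # constructed unexpected file
        print(diff_snapshots(baseline, snapshot(d)))
        print(scan_bytes(prog.read_bytes()))
```

Run as a periodic utility, a checker like this only sees changes at the next invocation, and its stored baseline sits in the same environment as the software it checks.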

      Each of these approaches is currently implemented as a software
device.  Used together, these software packages provide a substantial
level of protection against the current generation of viruses.  Each
of them has weaknesses, though, that new viruses will be able to
exploit.

      The vulnerability of the virus-fighting software falls into
either of two categories.  If the virus-fighting agent is a
background process, then a new virus could disable that process
before doing its damage.  This is possible because they share a
common environment.  On the other hand, if the virus fighter is a
utility which is run periodically, viruses will be able to act in the
interval between invocations.

      We believe that new generations of viruses will appear which
have knowledge of the current implementations of each of these
approac...