In 2002 I completed my honours degree. My research was in the area of computer virus detection and my thesis was titled "Computer Virus Detection: An Application of Firewall Technologies". Home PC firewalls such as ZoneAlarm and BlackICE are interesting because they attempt to minimise the number of false negatives at the cost of false positives and they rely on the user to make all intelligent decisions. My honours work involved developing a new type of virus scanner which used this same idea. The abstract from my thesis is below and a full copy of my thesis can be downloaded from here. (OpenOffice 1.0.0 file format)
Computer virus detection is a problem that has traditionally been solved through the use of signature-based methods. The problem with using signatures for virus detection is that the virus must already be known for it to be detected. This thesis presents the system architecture for a new method of virus detection. This system uses real-time process spying to look for applications that are trying to change important security settings, self-replicate, or remain persistent in memory. The system is also different from all other non-signature-based methods of detecting viruses because, much like a normal home PC firewall, it attempts to move the intelligence that distinguishes between false positives and viral activity out of the application and over to the user. It also acts a lot like a firewall because it attempts to minimise the number of false negatives, at the expense of false positives. This requires that the user learns to use the system effectively. But if successful, this gives a much higher level of correctness than an application could ever provide. For example, if the installer for Microsoft's Visual Studio 6.0 Enterprise Edition generated a warning, it should be clear to the user that this is a false positive. If an unknown file that arrived via email should generate a prompt, then the user would naturally be much more cautious about it. In order to test this architecture, a partial implementation was made that is capable of detecting a process attempting to: change important security settings within the Windows registry; remain persistent in memory by modifying the Windows registry; and self-replicate on the local filesystem. This partial implementation provided good results for Win32 viruses and better than expected results for script viruses. It also demonstrated no noticeable system slowdown, and showed interesting results for false positives.
Although about half of the test set of applications generated false positives during installation, none of the test set generated false positives whilst executing. This shows promising results regarding the manageability of false positives for a normal home user.
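The three watched behaviours from the abstract, as a toy behavioural monitor in the firewall style the thesis describes (an added example, not the thesis's implementation; the event format, the registry watch lists and the allow/block/prompt policy are assumptions made for this illustration):

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed watch lists for this example; the thesis's own key lists differ.
SECURITY_KEYS = (
    r"hklm\software\policies\microsoft\windows\system",
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy",
)
PERSISTENCE_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Event:
    process: str                      # image name of the acting process
    image_hash: str                   # sha256 of that process's own executable
    op: str                           # "reg_set" or "file_write"
    target: str                       # registry value path or file path
    data_hash: Optional[str] = None   # sha256 of the bytes written (file_write only)

def classify(ev: Event) -> Optional[str]:
    """Name the watched behaviour an event shows, or None if it is ordinary activity."""
    t = ev.target.lower()
    if ev.op == "reg_set":
        if t.startswith(SECURITY_KEYS):
            return "security_setting"
        if t.startswith(PERSISTENCE_KEYS):
            return "persistence"
    elif ev.op == "file_write" and ev.data_hash == ev.image_hash:
        return "self_replication"     # the process wrote a byte-identical copy of itself
    return None

class Monitor:
    """Remembers the user's answers so a trusted installer is not asked twice."""
    def __init__(self):
        self.answers = {}             # image_hash -> "allow" | "block"

    def decide(self, ev: Event) -> Tuple[str, Optional[str]]:
        behaviour = classify(ev)
        if behaviour is None:
            return "allow", None      # nothing watched: never bother the user
        return self.answers.get(ev.image_hash, "prompt"), behaviour

    def remember(self, image_hash: str, allow: bool) -> None:
        self.answers[image_hash] = "allow" if allow else "block"
```

An installer writing a Run value is escalated once and then remembered, which is the false-positive handling the abstract expects the user to learn.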
I'd like to thank my supervisor, Josef Pieprzyk, for his guidance and advice, particularly at the beginning when this project needed more focus. Many important aspects of the system architecture proposed in this thesis are derived from his suggestions. Thanks to Mark Dras for always being available when I had a problem, whether large or small. Thanks to all the honours students for putting up with me when I became frustrated and irritable. Thanks very much to all those who read this thesis before submission (Josef Pieprzyk, Mark Dras, and Michael Johnson) and gave me valuable advice. Special thanks to my father who does not come from an IT background and read this thesis through multiple times.