Wednesday, October 08, 2008

Putting A 'Korset' On The Spread Of Computer Viruses

ScienceDaily (2008-09-15) -- Prof. Avishai Wool and his graduate student Ohad Ben-Cohen of Tel Aviv University’s Faculty of Engineering have written a program called "Korset" to stop malware on Linux, the operating system used by the majority of web and email servers worldwide. They have modified the Linux kernel so that it monitors and tracks the behavior of the programs installed on the system. Quoting from the article:

If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. “When we see a deviation, we know for sure there’s something bad going on,” Prof. Wool explains.
Interesting article. Their approach could probably work on PCs, Apple computers, cell phones, or any other computerized device that contains software. I have always thought that individual software programs could use a similar approach by monitoring their pgm size and date modified. If either of the two has changed since installation on the computer, then the pgm would not run and would alert the user of a possible virus attack. Of course, if the pgm gets updated then the pgm would take this into account. On a similar note, I found this patent on the web:
A computer virus trapping device (10) is described that detects and eliminates computer viruses before they can enter a computer system and wreak havoc on its files, peripherals, etc. The trapping device (10) creates a virtual world that simulates the host computer system (28) intended by the virus to infect. The environment is made as friendly as possible to fool a computer virus into thinking it is present on the host (28), its intended target system. Within this virtual world, the virus is encouraged to perform its intended activity. The invention is able to detect any disruptive behaviour occurring within this simulated host computer system. It is further able to remove (52) the virus from the data stream before it is delivered to the host (28) and/or take any action previously instructed by a user (38).
Both are good ideas. Instead of removing a specific virus by its "DNA" or virus-print, you are removing any virus by its behavior. If a virus changes, then the anti-virus companies have to update their anti-virus pgm. They always have to play catch-up.
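To make the behavior-based idea concrete, here is an added toy example (not code from Korset, the article, or the patent) that learns which system-call transitions a program is allowed to make from a known-good trace and refuses the first call that deviates. The traces, the "web server worker" and the call names are constructed for illustration.

```python
"""Toy behavior-based monitor in the spirit of Korset (added example, not the
Korset code): learn the allowed system-call transitions of a program from
traces recorded while it behaved normally, then stop it at the first
deviation instead of matching it against a signature."""

from collections import defaultdict

START = "<start>"  # pseudo-call marking the beginning of a trace


def build_model(good_traces):
    """Return a dict mapping each call to the set of calls allowed to
    follow it, built from known-good traces."""
    allowed = defaultdict(set)
    for trace in good_traces:
        prev = START
        for call in trace:
            allowed[prev].add(call)
            prev = call
    return allowed


def monitor(model, trace):
    """Walk a runtime trace. Return (True, None, None) if every transition
    is allowed, else (False, index, call) naming the first deviation, i.e.
    the point at which the kernel would stop the program."""
    prev = START
    for i, call in enumerate(trace):
        if call not in model.get(prev, ()):
            return (False, i, call)
        prev = call
    return (True, None, None)


# Constructed sample traces of a hypothetical web server worker behaving normally.
GOOD_TRACES = [
    ["accept", "read", "open", "read", "write", "close", "write", "close"],
    ["accept", "read", "write", "close"],
]

# Constructed trace of the same worker after compromise: right after reading
# a request it tries to launch a new program, a transition never seen before.
BAD_TRACE = ["accept", "read", "fork", "execve"]

if __name__ == "__main__":
    model = build_model(GOOD_TRACES)
    print(monitor(model, GOOD_TRACES[1]))  # (True, None, None)
    print(monitor(model, BAD_TRACE))       # (False, 2, 'fork')
```

A model learned from traces is only as complete as the runs it saw, so a rarely exercised code path can trigger a false alarm; Korset avoids that by deriving the allowed call graph from the program's binary rather than from recorded runs.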
