
ABSTRACT

As networks grow larger, so does the number of viruses that exploit their loopholes. A new, unknown virus typically causes some damage before it is identified and blocked by existing antivirus engines, because the conventional approach is a reactive solution. The need of the hour is a proactive solution that avoids this initial damage. The proposed engine also incorporates a distributed updating mechanism, which allows for greater flexibility in detecting returning viruses.
The underlying principle is to construct an AV engine that simulates the behavior of our existing system, so that any file deviating from the system properties defined in the engine becomes suspicious and undergoes further scrutiny. This prototype AV engine is based on file patterns, also termed file signatures. They are like fingerprints used to identify which file format a given file belongs to, and they are the basic necessity for characterizing system behavior. However, since numerous file formats exist, the initial work is limited to the most common file formats and the ways of generating their corresponding file signatures, which are to be incorporated in the AV engine to mimic system behavior.
The preferred and most accurate way devised to generate file patterns or signatures is the Byte Frequency Algorithm (BFA). It identifies particular characters (byte values) in the input file and determines the frequency with which each of them occurs. From these frequencies a BFA graph is built, which is used to generate the required file pattern for an input file format. Because the BFA output varies between different inputs of the same file type, a safe standard deviation is set for the most frequently occurring characters. The more inputs of the same file type are processed, the more accurate the generated file pattern for that type becomes, which makes this a Self Learning Algorithm.
If support for a new or different file type is to be added to improve the AV engine's simulation of system behavior, that file type's signature can be generated independently and added in the form of a plug-in. Hence the AV engine is also said to be Extensible.
When a new file is downloaded to the system, its file pattern is matched against the existing file patterns in the AV engine database. If a match occurs, the file is passed as genuine; otherwise it undergoes further scrutiny in the Heuristics / Behavior module and the Emulation module. This illustrates the Modular approach of the engine. Overall, the new AV engine accentuates a new file-pattern approach based on BFA for proactively detecting viruses.
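The following is an added illustration, not code from the abstract's prototype, of the BFA signature learning described above and of the download-time matching step: a per-type profile keeps a running mean and standard deviation of every byte value's relative frequency over the samples seen so far, a new file is accepted only if its most frequent bytes stay within the learned deviation, and a file that fits no profile is flagged for further scrutiny. The training samples, the tolerance parameters (`top`, `k`, `rel`) and the hypothetical class and function names are all constructed for this example.

```python
import math
import random

class ByteFrequencyProfile:
    """Byte-frequency signature for one file type, learned from sample files.
    Per byte value it keeps a running mean and variance (Welford's method) of
    the byte's relative frequency, so each new sample refines the pattern."""

    def __init__(self, name):
        self.name, self.n = name, 0
        self.mean = [0.0] * 256
        self.m2 = [0.0] * 256  # running sum of squared deviations

    @staticmethod
    def frequencies(data):
        counts = [0] * 256
        for b in data:
            counts[b] += 1
        total = max(len(data), 1)
        return [c / total for c in counts]

    def learn(self, data):
        freq = self.frequencies(data)
        self.n += 1
        for i, f in enumerate(freq):
            delta = f - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (f - self.mean[i])

    def stddev(self, i):
        return math.sqrt(self.m2[i] / (self.n - 1)) if self.n > 1 else 0.0

    def matches(self, data, top=16, k=3.0, rel=0.5):
        # Only the type's `top` most frequent bytes are checked; each must lie
        # within k learned standard deviations of its mean (the tolerance is
        # never tighter than rel*mean, so a flat profile still gets some slack).
        freq = self.frequencies(data)
        hot = sorted(range(256), key=self.mean.__getitem__, reverse=True)[:top]
        for i in hot:
            tol = max(k * self.stddev(i), rel * self.mean[i])
            if abs(freq[i] - self.mean[i]) > tol:
                return False
        return True

def classify(profiles, data):
    """Name of the first matching profile, or None when the file deviates
    from every known pattern and must go to the heuristics/emulation stage."""
    return next((p.name for p in profiles if p.matches(data)), None)

def random_blob(seed, size=65536):  # constructed stand-in for a binary file
    return random.Random(seed).randbytes(size)

# Constructed training samples (not from the page): three small text files
# and three pseudo-random "binary" files; the engine learns one profile each.
TEXT_SAMPLES = [b"The quick brown fox jumps over the lazy dog. " * 20,
                b"Pack my box with five dozen liquor jugs. " * 20,
                b"How vexingly quick daft zebras jump! " * 20]
TEXT, BINARY = ByteFrequencyProfile("text"), ByteFrequencyProfile("binary")
for s in TEXT_SAMPLES: TEXT.learn(s)
for seed in (1, 2, 3): BINARY.learn(random_blob(seed))
```

Calling `classify([TEXT, BINARY], data)` on a downloaded file returns the matched type, and `None` is the "suspicious, scrutinize further" outcome; learning more samples of a type via `learn` tightens or widens its tolerance automatically.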
