A Cost Analysis of Typical Computer Viruses and Defenses
by Fred Cohen †
Search Terms: Computer Viruses, Computer Risk Analysis
Abstract:
Various properties of computer viruses have been studied at length by many authors [1],
but one of the areas where research results are relatively rare is evaluation of the costs of
defenses. In this paper, we explore the costs of computer virus defenses in typical computing
environments.
† Copyright © ASP, 1990
ASP Press, PO Box 81270, Pittsburgh, PA 15217
1 Background
The major computer virus defenses in widespread use today are "scanners" [2], "monitors"
[3], "cryptographic checksums" [4], and "integrity shells" [5]. Other practical techniques that
are viable for this purpose, but have not been put into widespread use as virus defenses, are
limited function [6,7], limited sharing [6,7], and sound change control [8].
Virus scanners are programs that search for known computer viruses. They normally
work by searching some of the files on a disk for known and easily detected viruses. Some
scanners also use special indicators to detect harder to identify viruses. For example, some
viruses force the seconds field in the file modification time under DOS to 61 seconds, and
some scanners use this as an indicator of that virus. Most virus scanners only cover viruses in
binary executable files and only cover viruses that have fixed locations relative to the start
of a program. Viruses with more complex infection mechanisms (e.g. random placement
within a program), complex evolutionary viruses, and viruses that infect interpreted files
(e.g. "Basic" viruses) are rarely scanned for by modern scanners. This is because these
types of scans require complete examination of files, and thus a lot of time.
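As an added illustration of the timestamp indicator described above (example code written for this edition, not part of the paper), the following decodes a DOS/FAT packed modification time and flags any entry whose fields lie outside the legal range. The FAT time word stores hours in bits 15-11, minutes in bits 10-5 and seconds/2 in bits 4-0, so the seconds field legitimately holds 0..29 (0..58 seconds); the check therefore flags any decoded seconds value above 59 rather than the value 61 specifically. The directory entries are constructed for the demonstration.

```python
# Added example (not from the paper): decode a FAT/DOS packed modification
# time and flag field values that no legitimate write can produce.
# Bits 15-11 = hours, bits 10-5 = minutes, bits 4-0 = seconds/2.
# The sample directory listing below is constructed, not taken from real files.


def decode_dos_time(word: int) -> tuple:
    """Unpack a 16-bit FAT time word into (hours, minutes, seconds)."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("FAT time is a 16-bit value")
    hours = (word >> 11) & 0x1F
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2          # stored in 2-second units
    return hours, minutes, seconds


def is_suspicious_timestamp(word: int) -> bool:
    """True when any decoded field is outside the range a clock can produce."""
    hours, minutes, seconds = decode_dos_time(word)
    return hours > 23 or minutes > 59 or seconds > 59


def scan_directory_times(entries: dict) -> list:
    """Return the names whose modification time carries the indicator.

    `entries` maps a file name to its packed FAT time word.
    """
    return [name for name, word in entries.items() if is_suspicious_timestamp(word)]


# Constructed listing: two ordinary times and one whose seconds field holds
# 31 (62 seconds), the kind of impossible value a scanner keys on.
SAMPLE_ENTRIES = {
    "COMMAND.COM": (12 << 11) | (30 << 5) | 15,   # 12:30:30
    "EDIT.EXE":    (9 << 11) | (5 << 5) | 0,      # 09:05:00
    "GAME.COM":    (17 << 11) | (45 << 5) | 31,   # 17:45:62 -> indicator
}

if __name__ == "__main__":
    for name, word in SAMPLE_ENTRIES.items():
        h, m, s = decode_dos_time(word)
        print(f"{name:12s} {h:02d}:{m:02d}:{s:02d}  "
              f"suspicious={is_suspicious_timestamp(word)}")
    print("flagged:", scan_directory_times(SAMPLE_ENTRIES))
```

A scanner that relies on an indicator of this kind only catches the viruses that set it, which is the coverage limitation the paragraph describes.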
Cryptographic checksums are hard to forge many-to-one transforms that typically take a
user supplied key and file, and produce a number [4]. By summing files with this technique
and subsequently checking them on a regular basis, we can usually detect unauthorized
changes, even when an attacker is trying to avoid detection.
Integrity shells are command interpreters that look for changes in interpreted information
before interpreting it. They normally use cryptographic checksums for detection, can detect
all primary infection and prevent all secondary infection, and are optimal for virus defense in
untrusted systems [5]. Integrity shells can check all interpreted information, not just binary
executable files.
Virus monitors are programs that look for known viruses each time an executable program
is run. This is a special case of the integrity shell technique, where instead of using a
cryptographic checksum to detect change, we look only for known viruses. Like scanners,
monitors typically look only for viruses with simple infection mechanisms at known locations.
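The integrity-shell mechanism described above, as an added example that is not part of the paper: a shell that records a keyed checksum of each enrolled file and refuses to interpret a file whose checksum no longer matches. The paper's cryptographic checksum is a keyed, hard-to-forge many-to-one transform; HMAC-SHA256 stands in for it here (an assumption of this example, not the paper's construction). The interpreter is a stand-in callable, and the file contents are constructed in a temporary directory.

```python
# Added example (not from the paper): a minimal integrity-shell style check.
# HMAC-SHA256 stands in for the paper's keyed cryptographic checksum (assumed).
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Dict, Optional


def keyed_checksum(key: bytes, data: bytes) -> str:
    """Keyed checksum of a file's bytes; without the key an attacker cannot
    produce a matching value for altered content."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IntegrityShell:
    """Checks every file for change before it is interpreted."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.baseline: Dict[str, str] = {}

    def enroll(self, path: str) -> None:
        """Record the checksum of a file believed to be clean."""
        with open(path, "rb") as fh:
            self.baseline[path] = keyed_checksum(self.key, fh.read())

    def unchanged(self, path: str) -> bool:
        """True only when the file still matches its enrolled checksum."""
        expected = self.baseline.get(path)
        if expected is None:
            return False               # never enrolled: treat as untrusted
        with open(path, "rb") as fh:
            current = keyed_checksum(self.key, fh.read())
        return hmac.compare_digest(expected, current)

    def interpret(self, path: str,
                  interpreter: Callable[[bytes], str]) -> Optional[str]:
        """Run `interpreter` on the file only if it is unchanged. Refusing to
        interpret a changed file is what prevents secondary infection."""
        if not self.unchanged(path):
            return None
        with open(path, "rb") as fh:
            return interpreter(fh.read())


def demo() -> Dict[str, bool]:
    """Enroll a clean script, alter it as an infection would, and report whether
    the shell accepted the clean and the altered versions."""
    shell = IntegrityShell(key=b"constructed-demo-key")
    run = lambda data: data.decode()               # stand-in interpreter
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "report.bat")   # constructed file
        with open(script, "wb") as fh:
            fh.write(b"echo monthly report\n")
        shell.enroll(script)
        clean_ok = shell.interpret(script, run) is not None
        with open(script, "ab") as fh:             # simulated unauthorized change
            fh.write(b"echo line appended after enrollment\n")
        modified_ok = shell.interpret(script, run) is not None
    return {"clean_file_accepted": clean_ok, "modified_file_accepted": modified_ok}


if __name__ == "__main__":
    print(demo())
```

The check is independent of any knowledge of particular viruses, which is the difference from a monitor: a monitor looks only for known viruses at each execution, whereas the shell detects any change to the enrolled file.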
2 Notation and Assumptions
We will abbreviate as follows:

  T_s   Total for scanner             s     systems
  T_c   Total for crypto checksum     c     checks/year
  T_m   Total for monitor             e     employee cost/min
  T_i   Total for integrity shell     u     (d)(update-count)
  t_s   minutes per scan              t_c   minutes per check
  l_s   license for scanner           l_c   license crypto-checksum
  l_m   license for monitor           l_i   license integrity shell
  a_n   new attacks                   a_o   old attacks
  r_s   system cleanup costs          r_f   file cleanup costs
  d     distribution costs            o_i   comm-rate [K/c]
Most of these terms are self explanatory, but a few are a bit obscure. The licensing cost
for crypto-checksums and integrity shells is normally a one-time cost, whereas for scanners
and monitors, regular updates force licenses to be paid over time. To compensate, we use
10% per year of the total licensing cost for integrity shells and crypto-checksums as an
equivalent to the yearly licensing cost for scanners and monitors. $o_i$ is a term that describes
the rate of spread of a virus, and has experientially been about 2 for a typical PC in a typical
environment, and about 10 for a typical PC in a LAN environment. The update count is the
number of times per year we do updates of scanners and monitors (which require updates to
stay effective), and the distribution cost is the cost of each distribution (or redistribution)
and installation of a software package.
We will also assume, for comparison purposes, that all performance is measured relative
to a 4 MHz PC-XT with 65 msec hard disk drives. Many current processors are far faster.
For example, it is not unusual to see a 32 MHz PC with an 18 msec hard disk, which would
be from 20 to 30 times faster than our assumed performance levels. Performance variations
will also be discussed later, so we hope to cover this difference at that time.
Another important assumption we make is that the number of attacks per year does not
vary with the number of systems. This is clearly not a valid assumption in many cases.
To compensate for this, we discuss the effect of making the number of attacks linear in the
number of systems.
3 Analysis of Virus Scanners
Most scanners and monitors are licensed on a per system per year basis. They require regular
updates and must be used on a regular basis in order to be effective. They cover some viruses
and don't cover others, and there is a significant delay between the initial release of a virus
and its inclusion in scanners and monitors. For most organizations, there is a substantial
cost associated with the cleanup of a virus once detected. The more often we scan, the less
a virus spreads before detection, but at the same time, scanning takes a significant amount
of time, and that time can be quite costly when spent on a large number of systems on a
regular basis.
The yearly operating cost of performing checks, assuming that employees are relatively
idle while the checks are being done, is the number of checks per year times the employee
cost times the time required for each scan. The update cost is the cost of distribution and
installation times the number of updates per unit time. The license fee is set contractually.
All of these are linear in the number of systems being scanned, so the yearly operating cost
of performing scans is calculated as follows:

$$\text{yearly-operating-cost} = s\,[c\,e\,t_s + l_s + u]$$
Typical figures are: one check each working day (usually at bootup), US$20 per hour
(1/3 of a dollar per minute) for idle employee costs, 3 minutes per bootup scan, US$10 per
year for licensing fees, US$5 per update, and 4 updates per year. Thus the yearly operating
cost per system of scanning comes to:

$$(250)(1/3)(3) + 10 + (5)(4) = 250 + 10 + 20 = \$280\ \text{/system/year}$$
The most striking thing here is that licensing costs are the least important factor in the
cost of scanning. Even the update cost, which tends to exceed licensing cost, is trivial
compared to the cost of performing daily checks. By using weekly checks instead of daily checks,
or by scheduling coffee breaks during checking times, the cost of checking can be dramatically
reduced. Unfortunately, scanning is usually done at system startup, and employees tend to
sit and wait for the system to become ready at startup.
If there are viruses in the environment, the situation changes considerably. For viruses
that are not detected by the current version of the scanner, it is a reasonable assumption that
they will spread throughout all of the systems in the environment over a period of days to
months, depending on the communications methods in use. We also assume that eventually
a cleanup will be necessary or desired, and for the moment, we will assume that there are
no side effects of the virus such as data diddling, file deletion, etc. [9]. Cleanup costs are
assumed to include all down-time of equipment, employee time spent on cleanup, and time
wasted while awaiting cleanup. Thus we calculate the "new attack cost" as follows:

$$\text{new-attack-cost} = a_n\, r_s\, s$$
It is hard to assess a typical environment today because of poor reporting, poor detection,
and a general lack of statistical data on the subject. According to the IBM high integrity
research laboratory [10], they don't find out about a virus until it has spread to about 10
major organizations. They were finding new viruses at a rate of more than one per week as
of February, 1990. If a complete system cleanup costs $100, you would expect to spend $100
per system per year in cleanup costs from each new virus.
For known attacks that enter the environment, a regularly used scanning program can
be quite effective in limiting damage. The spread of a virus in a computing environment
is actually quite complex, and substantial work has been done to make an accurate model
[11]. Another less accurate model that assumes an infinite population and homogeneous
communications predicts (not surprisingly) exponential spread [12]. For simplicity, we will
take the position that exponential spread occurs based on the communications rate, but is
limited by the number of systems available for infection. Spread rate has been found to be
10 times larger in a networked environment than in an environment without networks [10],
and clearly this should be taken into account. The old attack cost can then be calculated
as:

$$\text{old-attack-cost} = a_o\, r_s\, \min[s,\ o_i^{K/c}]$$
In this model, as the number of checks per year goes down, the system tends towards increased
cleanup costs. $K$ can be calculated based on measured spread rates. Our observations have
indicated that a virus in a non-networked environment spreads to 2 systems in the first day,
4 in the second day, etc. Thus, for a comm-rate of 2 for non-networked systems (20 for
LANs), a check every business day, cleanup costs of $100 per system, 3 old viruses per year,
and any number of systems over 2, we get a yearly cleanup cost as follows:

$$(3)(\$100)\,\min[(>2),\ 2^{250/250}] = \$600$$
For a LAN environment with 20 old viruses per year, 20 or more systems, and all other
factors being equal, we get:

$$(20)(\$100)\,\min[(>20),\ 20^{250/250}] = \$40{,}000$$
If we try to reduce checking costs by only checking once per week, we find that the
expected loss from attacks goes up exponentially. For example, in the LAN environment
above, we get:

$$(20)(\$100)\,\min[s,\ 20^{250/50}] = \min[(\$2{,}000\,s),\ \$200{,}000{,}000]$$
Checking often is very important in terms of reduced cleanup costs when viruses appear,
and this tends to dominate all other factors when checks are done infrequently.
The total cost, not including any side eects caused by viruses, is simply the sum of the
costs we have given so far and a one-time initial distribution cost. The cost per system per
year is then simply derived.
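The scanner cost model of this section, carried through in code as an added example (not the paper's own program), using the paper's symbols: yearly operating cost $s[c\,e\,t_s + l_s + u]$, new attack cost $a_n r_s s$, and old attack cost $a_o r_s \min[s, o_i^{K/c}]$. Two assumptions of this example are stated in the code: $K = 250$ working days per year, as in the paper's worked figures ($250/250$ for daily and $250/50$ for weekly checks), and a one-time initial distribution cost of $d$ per system. The three environments use the paper's typical figures; the system counts are constructed.

```python
# Added example (not from the paper): the paper's scanner cost model in code.
# Assumptions: K = 250 working days per year (the paper's worked figures use
# 250/250 and 250/50), and the one-time initial distribution costs d per system.
from dataclasses import dataclass


@dataclass
class Environment:
    s: int             # systems
    c: int             # checks per year
    e: float           # employee cost per minute (dollars)
    t_s: float         # minutes per scan
    l_s: float         # scanner license per system per year
    d: float           # distribution and installation cost per package
    update_count: int  # scanner updates per year
    a_n: int           # new attacks per year (not yet detected by the scanner)
    a_o: int           # old attacks per year (detected by the scanner)
    r_s: float         # cleanup cost per system
    o_i: float         # comm-rate: spread factor per day between checks
    K: int = 250       # working days per year (assumed, see lead-in)


def yearly_operating_cost(env: Environment) -> float:
    """s [c e t_s + l_s + u], with u = d * update-count."""
    u = env.d * env.update_count
    return env.s * (env.c * env.e * env.t_s + env.l_s + u)


def new_attack_cost(env: Environment) -> float:
    """a_n r_s s: an undetected virus reaches every system before cleanup."""
    return env.a_n * env.r_s * env.s


def systems_hit_before_detection(env: Environment) -> float:
    """min[s, o_i^(K/c)]: exponential spread between checks, capped at s."""
    days_between_checks = env.K / env.c
    return min(env.s, env.o_i ** days_between_checks)


def old_attack_cost(env: Environment) -> float:
    """a_o r_s min[s, o_i^(K/c)]."""
    return env.a_o * env.r_s * systems_hit_before_detection(env)


def yearly_cost_per_system(env: Environment) -> float:
    """Sum of the three yearly terms plus the one-time initial distribution
    (assumed d per system), divided by the number of systems."""
    total = (yearly_operating_cost(env) + new_attack_cost(env)
             + old_attack_cost(env) + env.d * env.s)
    return total / env.s


# The paper's typical figures: $20/hour idle cost, 3-minute scans, $10/year
# license, $5 per update, 4 updates/year, $100 cleanup per system.
PC_DAILY = Environment(s=10, c=250, e=20 / 60, t_s=3, l_s=10, d=5,
                       update_count=4, a_n=1, a_o=3, r_s=100, o_i=2)
LAN_DAILY = Environment(s=50, c=250, e=20 / 60, t_s=3, l_s=10, d=5,
                        update_count=4, a_n=1, a_o=20, r_s=100, o_i=20)
LAN_WEEKLY = Environment(s=50, c=50, e=20 / 60, t_s=3, l_s=10, d=5,
                         update_count=4, a_n=1, a_o=20, r_s=100, o_i=20)

if __name__ == "__main__":
    for name, env in [("PC, daily", PC_DAILY), ("LAN, daily", LAN_DAILY),
                      ("LAN, weekly", LAN_WEEKLY)]:
        print(f"{name:12s} operating=${yearly_operating_cost(env):>9,.0f} "
              f"new=${new_attack_cost(env):>7,.0f} "
              f"old=${old_attack_cost(env):>9,.0f} "
              f"per-system/year=${yearly_cost_per_system(env):>8,.0f}")
```

Moving the LAN environment from daily to weekly checks cuts the operating term from $280 to $80 per system, but the exponent $K/c$ rises from 1 to 5, so the old-attack term hits the $\min[\cdot]$ cap and every system is cleaned for every old attack; with the constructed 50-system LAN that term alone is $100,000, which is the dominance of infrequent checking the text describes.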