davecb (6526) writes "A prototype anti-virus system
developed at the University of Michigan uses the "fingerprint" of virus activity to more effectively identify viruses. The system obtains such fingerprints by intentionally infecting a quarantined computer with viruses. Conventional anti-virus software monitors systems for suspicious activity and then tries to determine the source by checking for virus signatures, which makes it difficult to spot new pieces of malware and track different variations.
The University of Michigan team studied the files and processes malware created and modified on an infected computer, and developed software that uses the information gathered to identify malware. The prototype is capable of defining clusters of malware that operate in similar ways, and can create a kind of family tree that illustrates how superficially different programs have similar methods of operation. In tests on the same software, the prototype was able to identify at least 10 percent more of the sample than five leading anti-virus programs. The prototype also always correctly connected different pieces of malware that operate similarly, while the best anti-virus program was only able to identify 68 percent of such links. (Courtesy of ACM Technews)"