Gatekeeper
Proactive virus detection has been the "holy grail" of malicious code research for years. The challenge is that the problem is genuinely difficult. Our current protection paradigm is much more reactive: new samples appear, and anti-virus developers scramble to push out an update. This doesn't sound ideal, and it really isn't. A worm like SQL.Slammer spread worldwide in less than 10 minutes after its initial release, which is simply too fast for a human to react. An automated solution is needed.
While at IBM Research, I worked on the IBM Immune System. The idea of the solution was to automate sample capture and signature development; we demoed the system at the Virus Bulletin Conference in San Francisco. However, despite the amazing technology and good folks, the system has never really been deployed, and as such hasn't reached its full potential.
Gatekeeper represented another approach to protecting the network, using a strategy of actively monitoring new executables as they run. While we didn't invent behavioral virus detection (that idea is as old as viruses themselves!), we did introduce a new twist: undo.
Traditionally, a tension has existed between early detection (less damage, but less accurate) and late detection (very accurate, but potentially lots of damage). James Whittaker experimented with adding an undo capability: if every change a new executable makes can be reversed, the monitor can afford to wait for enough behavior to reach a confident verdict and then roll the damage back. This effectively breaks the tension and allows for very accurate detection. Work on Gatekeeper at Florida Tech halted when the technology was licensed; we are now focusing on techniques which identify more stealthy and slow-moving threats.
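As an added illustration of the "late but undoable" idea (not Gatekeeper's own code, and not from any of the cited papers), the following monitor journals each file change a new program makes, scores its behavior with made-up weights, and rolls every change back the moment the cumulative score crosses a threshold. The filesystem is a plain dict standing in for the real one, and the overwrite-an-existing-executable rule is simply a classic file-infector pattern chosen for the example.

```python
# Added example: undo-journaled behavioural monitor. Not Gatekeeper's code.
# The "filesystem" is a dict (path -> content) and the scoring weights are
# invented for illustration.
from dataclasses import dataclass, field


@dataclass
class UndoJournal:
    fs: dict                                     # simulated filesystem
    entries: list = field(default_factory=list)  # (path, prior content or None)

    def write(self, path, content):
        self.entries.append((path, self.fs.get(path)))  # record inverse first
        self.fs[path] = content

    def delete(self, path):
        self.entries.append((path, self.fs.get(path)))
        self.fs.pop(path, None)

    def rollback(self):
        # Replay the inverses newest-first so the filesystem returns to its
        # pre-execution state regardless of how many actions were applied.
        while self.entries:
            path, prior = self.entries.pop()
            if prior is None:
                self.fs.pop(path, None)
            else:
                self.fs[path] = prior


def score(fs, op, path):
    """Toy weights: touching an existing executable is the classic
    file-infector pattern, so it counts far more than an ordinary data write."""
    if path.endswith(".exe") and (op == "delete" or path in fs):
        return 4
    return 1


def run_monitored(fs, actions, threshold=6):
    """Apply a program's (op, path, content) actions under the journal.
    Returns ("allowed", fs) if the score stays low, else ("rolled_back", fs)
    with every change undone. Scoring happens before each change is applied."""
    journal = UndoJournal(fs)
    total = 0
    for op, path, content in actions:
        total += score(fs, op, path)
        if op == "write":
            journal.write(path, content)
        else:
            journal.delete(path)
        if total >= threshold:                   # late verdict, but fully reversible
            journal.rollback()
            return "rolled_back", fs
    return "allowed", fs
```

The verdict is only reached after the second executable is overwritten, yet the restored filesystem is byte-for-byte the original, which is exactly what lets the monitor wait that long.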
Gatekeeper was initially funded by a grant from the Office of Naval Research.
Selected References
El Far I., Ford R., Ondi A., and Pancholi M., "Suppressing the Spread of Email Malcode using Short-Term Message Recall," Journal of Computer Virology, Volume 1, Number 1, pp. 4-12, November 2005.
Ford R., Wagner M., and Michalske J., "Gatekeeper II: New Approaches to Generic Virus Prevention," Proceedings of the International Virus Bulletin Conference, Chicago, 2004.
