Generic Detection of Computer viruses

Inventions on Generic Detection of Computer Viruses: A TRIZ based analysis
Umakant Mishra, Bangalore, India, http://umakantm.blogspot.in

Contents
1. Introduction to computer viruses
1.1 Characteristics of computer viruses
1.2 Types of virus infections
1.3 Methods of virus detection
2. Limitations of signature scanning
2.1 Time lag between virus creation and virus detection
2.2 Problem of updating signature database
2.3 Many types of viruses cannot be detected by signature scanning
3. Generic Methods of Virus Detection
3.1 Verification of program size
3.2 Verification of Checksum
3.3 Verification of Revision Information
3.4 Verification of Disk Address
3.5 Verification of Object Program
4. Inventions on generic detection of computer viruses
4.1 Adaptive statistical regression and classification of data strings, with application to the generic detection of computer viruses (Patent 5675711)
4.2 Computer virus trap (Patent 5842002)
4.3 System for creating virus diagnosing mechanism, method of creating the same, virus diagnosing apparatus and method therefor (Patent 5881151)
4.4 Method for protecting executable software programs against infection by software viruses (Patent 6073239)
4.5 Computer virus detection (Patent 6886099)
4.6 Viral replication detection using a counter virus (Patent 6813712)
4.7 Generic detection and elimination of marco viruses (Patent 7089591)
5. Summary
Reference

Inventions on Generic Detection of Computer Viruses

by Umakant Mishra

1. Introduction to computer viruses

A computer virus is a man-made destructive computer program or code. It is generally loaded onto a computer system without the knowledge of the user and causes unauthorized and unwanted changes to the components of the computer or to the information stored on it. There are various types of malware, such as viruses, worms, trojans and spyware. For convenience they are generally all called viruses. Different types of viruses cause different types of damage or disturbance in a computer system.

1.1 Characteristics of computer viruses

One of the fundamental characteristics of a computer virus is that it replicates. A virus generally attaches itself to computer programs and remains on the hard disk and other permanent storage media. A virus can spread from one computer to another just through an infected file or an infected disk. Some viruses are capable of transmitting themselves across networks, even bypassing network security systems. Different types of viruses have different capabilities and limitations. For example, a boot sector virus infects the boot sector and not data files, a macro virus infects documents and not executable files, and so on. Not every virus acts immediately. Some viruses wait patiently as benign programs until their trigger events occur and they become active.

1.2 Types of virus infections

As the characteristics of different viruses differ, so do their patterns of infection. Some viruses add themselves at the beginning of the host program, whereas others append themselves to the host program. In some infections the host program may remain in one single block, whereas in other infections the host program may be fragmented or erased. (For more details on patterns and outcomes of virus infections please refer to my previous article An Introduction to Computer Viruses in the Feb 2007 issue of TrizSite journal, available at http://papers.ssrn.com/abstract=1916631)

1.3 Methods of virus detection

There are several methods of detecting viruses. As the characteristics of different viruses are different, their detection methods are also different. Not every method works for every type of virus. Some of the important methods followed by antivirus programs are signature scanning, heuristic scanning, activity monitoring and integrity checking.


The methods of virus detection may be classified as generic methods, which work for any kind of virus, known or unknown (as provided by activity monitors and integrity managers), and specific methods, which work only for known viruses (as used in signature scanning). In specific methods, the characteristics of a virus are analyzed by anti-virus specialists and added to their signature database for scanning the virus. The generic methods don’t depend on the characteristics of individual viruses. Hence, the generic methods can catch future viruses that are not yet born.

2. Limitations of signature scanning

Signature scanning is a method of scanning each file for bytes extracted from a virus. After the virus analysts find a virus signature, the signature is stored in the signature database of the anti-virus software. The anti-virus program scans a target program (an executable file, boot record, document file with macros, etc.) to detect the presence of that signature. If the signature is found, the target program is deemed infected; otherwise the target program is deemed uninfected. Although signature scanning can detect about 80% of the viruses, this type of virus-specific scanning has many limitations. The drawbacks of conventional signature scanning are as follows.

2.1 Time lag between virus creation and virus detection

One of the worst drawbacks of signature scanning is that it cannot detect new and unknown viruses. This is because the method requires the signature of the virus to be included in the virus definition database before scanning, and there is generally a substantial time lag between the creation of a virus and the distribution of the virus signature database. Before the updated signatures are distributed worldwide, a new virus can spread and cause damage without being detected.


In signature scanning, when a new virus appears, the infected file is analyzed to extract the signature. The signature is then added to the signature database and distributed to the anti-virus users. As this whole process takes several days or weeks, a new virus can spread and cause damage without being detected.

2.2 Problem of updating signature database

Updating the signature database is critical for signature scanning, because viruses whose signatures are not in the signature database will not be detected during signature scanning. Hence, the signature database has to be updated both by the anti-virus companies (on their websites) and then by the anti-virus customers (on their computers).

As new viruses are created almost every day, the anti-virus companies continually discover new viruses and update their definition files on a regular basis. Over time, the data files become very large and take an excessive amount of time to download. Besides, downloading the virus database again and again is a boring job. But every individual user has to update the virus database in order to detect the latest viruses.

2.3 Many types of viruses cannot be detected by signature scanning

Polymorphic viruses and metamorphic viruses generate different types of instructions in the viral body with each infection. As they don’t have static strings in their signatures, they cannot be detected by simply searching for a signature. (To read more on signature scanning, please refer to my earlier article Overcoming limitations of Signature scanning- Applying TRIZ to Improve Anti-Virus Programs in the Apr 2007 issue of TrizSite Journal, available at http://papers.ssrn.com/abstract=1980629)

3. Generic Methods of Virus Detection

The generic methods of virus detection work independently of virus signatures. Hence all the above drawbacks of signature scanning can be overcome by using generic methods. Popular generic methods include integrity checking and heuristic scanning (Principle-6: Universality).


An integrity checker keeps “snapshots” or “fingerprints” of uninfected programs (executables, boot records etc.) in a secured location. During integrity checking, it verifies whether the new fingerprints of programs match their previous fingerprints. If they match, the files are unmodified and hence deemed uninfected. If they don’t match, the anti-virus program uses artificial intelligence to determine whether the modification is “virus-like” or user-induced. Integrity checking is much faster than a signature scan.

Similarly, the heuristic technique does not require exact signatures of known viruses. Anti-virus experts identify a number of features that could be present in many viruses, called “classifiers”. The method has to examine a target program and analyze its code to determine whether the code appears virus-like.

Generic methods like heuristic techniques and integrity checking don’t require the exact signatures of viruses. Hence, they are applicable to all types of viruses, known and unknown. Let’s see some of the methods followed by generic scanning.

3.1 Verification of program size

This method stores the original size of the object program translated by the compiling portion. Then the execution size of the object program loaded on the computer is compared with the original size. If they coincide with each other, the process is continued. If they do not coincide with each other, the program is suspected of virus infection and the process is interrupted.

3.2 Verification of Checksum

This method stores the checksum of the original object program translated by the compiling portion. Then the checksum of the object program loaded on the computer is compared with the original checksum. If they coincide with each other, the process is continued. If they do not coincide with each other, the program is suspected and the process is interrupted.

3.3 Verification of Revision Information

According to this method, the revision information of the original object program translated by the compiling portion is stored. The revision information of the object program (such as date of updating, time of updating, version number etc.) is verified against the original revision information. If they coincide with each other, the process is continued. If they do not coincide with each other, the program is suspected of virus infection.


3.4 Verification of Disk Address

The disk address indicating the place in which the object program translated by the compiling portion is stored is compared with the disk address of the object program loaded and executed as an operating system or a program for the computer. If they coincide with each other, the program is deemed to be uninfected and the process is continued.

3.5 Verification of Object Program

The original object program translated by the compiler to produce the executable is compared with the loaded object program. If they coincide with each other, the process is continued. If they don’t coincide with each other, the program is deemed to be infected and the process is interrupted.
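The size, checksum and revision checks of sections 3.1 to 3.3 can be combined into one small integrity checker; the following is an added example, not code from the paper or from any of the patents. It assumes SHA-256 as the checksum and the file modification time as the revision information, and the "program" bytes and the timestamp are constructed for the demonstration.

```python
"""Integrity-check sketch for sections 3.1-3.3 (added example, not from the paper)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

FIXED_MTIME_NS = 1_000_000_000 * 10**9  # constructed timestamp used by the demo


@dataclass(frozen=True)
class Fingerprint:
    size: int      # 3.1: program size
    digest: str    # 3.2: checksum (SHA-256 is an assumption of this example)
    mtime_ns: int  # 3.3: revision information (last-modified time)


def take_fingerprint(path):
    """Read the file once and record its size, digest and modification time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        st = os.fstat(f.fileno())
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Fingerprint(st.st_size, h.hexdigest(), st.st_mtime_ns)


def verify(path, baseline):
    """Return the names of the checks that no longer match the baseline."""
    now = take_fingerprint(path)
    failed = []
    if now.size != baseline.size:
        failed.append("size")
    if now.digest != baseline.digest:
        failed.append("checksum")
    if now.mtime_ns != baseline.mtime_ns:
        failed.append("revision")
    return failed


def demo():
    """Baseline a constructed 'program', then check it after two kinds of change."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "program.bin")
        with open(path, "wb") as f:
            f.write(b"\x90" * 64 + b"constructed program body")
        os.utime(path, ns=(FIXED_MTIME_NS, FIXED_MTIME_NS))
        # In practice the baseline is kept in a protected location.
        baseline = take_fingerprint(path)
        results["unmodified"] = verify(path, baseline)

        # Case A: bytes appended to the host program (see section 1.2).
        with open(path, "ab") as f:
            f.write(b"appended bytes")
        results["appended"] = verify(path, baseline)

        # Case B: same-length change with the old timestamp put back.
        # Size and revision checks pass; only the checksum notices.
        with open(path, "wb") as f:
            f.write(b"\xcc" * 64 + b"constructed program body")
        os.utime(path, ns=(FIXED_MTIME_NS, FIXED_MTIME_NS))
        results["same_size_overwrite"] = verify(path, baseline)
    return results


if __name__ == "__main__":
    for case, failed in demo().items():
        print(f"{case:22} failed checks: {failed or 'none'}")
```

Case B is the reason an integrity checker should not rely on size or revision information alone: only the content checksum reports the change.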

4. Inventions on generic detection of computer viruses

4.1 Adaptive statistical regression and classification of data strings, with application to the generic detection of computer viruses (Patent 5675711)

The conventional method of signature scanning is not useful for detecting new viruses. It is necessary to construct a generic virus detector in order to detect new viruses. For generic virus detection, a human expert has to identify a number of features that could be present in many viruses and construct a classifier to classify executable data as “infected” or “not-infected”. But it is very difficult for a human analyst to construct a classifier that combines the features from so many different viruses. Therefore there is a need to develop an automatic method of constructing data strings which can classify a program as infected or not.

Adaptive statistical regression and classification of data strings, with application to the generic detection of computer viruses (Patent 5675711)

Patent 5675711 (invented by Kephart et al., assignee IBM, October 1997) discloses a method of automatically constructing data strings that classify an executable as infected or not. The invention provides a method for automatically extracting generic viral features from sets of infected and uninfected programs and automatically constructing a classifier that employs those features to distinguish between infected and uninfected programs (Principle-25: Self Service).


The invention makes use of various methods to maintain high accuracy and reliability. It also uses “adaptive” or “learning” techniques from the domain of statistical regression and classification, such as, multi-layer neural networks. For example, the technique can be applied to distinguish infected files or boot records from uninfected files and boot records.

The invention makes use of techniques available in other fields to construct virus classifiers. The technique is similar to those applied to digital bits, bytes or characters in the context of computer data or text; to arbitrary representations of nucleotides, amino acids, etc., in the context of DNA or protein sequences; and to arbitrary representations of phonemes or triphones in the context of human speech analysis and synthesis. The invention provides an automated technique for extracting the features of data strings that are relevant to the classification decision, and an automated technique for developing a classifier which uses these features to classify whether the data string is infected or not (Principle-25: Self service). As classifiers are constructed automatically, the method overcomes the difficulties associated with constructing classifiers by human effort and human expertise. The same inventors have further disclosed an adaptive statistical regression and classification method for generic detection of computer viruses later in Patent 5907834 (Method and apparatus for detecting a presence of a computer virus, invented by Kephart, et al., assignee IBM, May 1999).


4.2 Computer virus trap (Patent 5842002)

The conventional anti-virus mechanism catches a virus only after the virus has entered a system, and often after it has performed its intended activity. Besides, the “signature” based antiviruses fail to catch new viruses, as they are capable of catching only those viruses which are already created and known. There is a need for a device that can search, detect and eliminate viruses before they are created and known, and before they ever enter a computer system.

Computer virus trap (Patent 5842002)

Patent 5842002 (invented by Schnurer et al, assignee Quantum Leap Innovations, Nov 1998) discloses a virus trapping device that detects and eliminates viruses before they can enter a computer system. Instead of the conventional defensive strategies of detecting changes in files, scanning for unintended behavior or attempting to prevent the virus from performing its damage, the present invention takes an offensive strategy by encouraging the virus to infect and destroy files (Principle-13: Other way round). The invention chooses a foreign operating system which creates a virtual world that simulates the host computer system and encourages the virus to infect (Principle-26: Copy). The environment is made as friendly as possible to fool a computer virus into thinking that it is present on its intended target system. Within this virtual world, the virus is encouraged to perform its intended activity. When the virus starts its disruptive behavior within the simulated host computer system, it is caught and removed.

The invention preys on the most critical behavior of a virus, that is, its ability to replicate. If it does not replicate, it cannot grow and stay alive. This behavior of a virus makes it travel from PC to floppy to PC to network. This method of encouraging the virus to perform its activity is opposite to the conventional method of catching the virus before it does its activity (Principle-13: Other way round, Principle-9: Prior Counteraction). By using this method the virus is removed from the data stream before it is delivered to the host and can do any damage.


4.3 System for creating virus diagnosing mechanism, method of creating the same, virus diagnosing apparatus and method therefor (Patent 5881151)

With the conventional anti-virus method, it takes a long time to develop a vaccine effective against a virus of a new type. A lot of infection and file damage takes place during the time required for detecting a new virus and developing vaccines for it. There is a need for a method of automatically creating a virus diagnosing mechanism.

System for creating virus diagnosing mechanism, method of creating the same, virus diagnosing apparatus and method therefor (Patent 5881151)

Patent 5881151 (invented by Yamamoto, assignee Fujitsu Limited, March 1999) discloses a method of automatically creating a virus-diagnosing mechanism. The virus diagnosing mechanism comprises a compiling portion and a diagnostic object-generating portion disposed in the compiling portion. Thus the virus diagnostic mechanism is generated automatically by the diagnostic object-generating portion (Principle-25: Self Service).

The virus-diagnosing portion is able to realize any one of the following functions: Verification of the program size, Verification of Checksum, Verification of Revision Information, Verification of Disk Address, Verification of Object Program, and Verification of Object Program by using Compression and Decompression. The disclosed method automatically creates the source program by using a programming language like COBOL, FORTRAN or the like. A compilation portion compiles the source program into an executable program. This method detects an infection quickly without waiting for virus signatures or definitions from external sources.


4.4 Method for protecting executable software programs against infection by software viruses (Patent 6073239)

As the signature scanning method has a lot of limitations, it is necessary to protect an executable program without maintaining a signature database. Many anti-virus programs do not allow any modification to an executable file, because most computer viruses replicate themselves by writing malicious instructions at the “entry point” of the executable files. However, this increases the number of false positives, as writing to an executable file can be a legal operation. Some anti-viruses store the fingerprints of executable programs in a separate location and compare a newly generated fingerprint with the stored fingerprint to check the integrity of the files. If the fingerprints don’t match, an infection is suspected and the original file is recovered from the backup. But this method does not work if the executable file is modified during the normal course of action. Hence, there is a need for an improved method to protect an executable program against infection by a virus.

Generally an anti-virus has to generate an alarm signal when the vital codes of a program are modified by a virus and prevent the operation. But if the anti-virus raises an alarm on every modification to a program, that would generate a lot of false positives. On the other hand, if the anti-virus waits to see whether the vital codes are modified or not, then it cannot prevent the operation, as by the time the anti-virus decides to block the operation, the virus could have already made the modifications.

Method for protecting executable software programs against infection by software viruses (Patent 6073239)

Patent 6073239 (invented by Eyal Dotan, assignee In-defense Inc., June 2000) discloses a method of protecting executable programs against virus infections. The method selects the significant data and stores that data in a different location as a precaution. When a virus or other writing operation attempts to write any data to the program, the method intercepts the operation and determines whether the writing operation is attempting to modify the significant data. If the writing operation is attempting to modify the significant data, an alarm is generated and writing is denied. If the data is already modified, the method restores the program to its initial state and undoes all the modifications that the virus may have made to the program.


Thus the invention solves the contradiction by first storing a backup of the vital data in a separate location. Although the virus is allowed to alter the program code, the method then restores the original data from the stored backup undoing all the modifications made by the virus (Principle-26: Copying, Principle-34: Discard and Recover).

4.5 Computer virus detection (Patent 6886099)

Signature scanning (matching the signature patterns of the known viruses) and heuristic testing (searching for types of activities associated with viruses) are the two most popular types of virus testing mechanism. But both these techniques are only capable of detecting known viruses or viruses behaving in known ways. A new virus cannot be detected unless its signature is added to the signature database. Similarly, viruses with a new type of action will not be detected by heuristic identification, since their patterns of activity are not tested for until they have been created, released and have infected innocent users. Hence, there is a need for a generic method which can detect new and unknown viruses and viruses of new and unknown behavior.


Computer virus detection (Patent 6886099)

Patent 6886099 (invented by Smithson, et al., assignee Networks Associates Technology, Apr 2005) provides a method and system for detecting new viruses and new types of viruses on a computer system. The invention uses a new virus detection approach. It is based on the assumption that a computer system exhibits certain measurable characteristics when it is subject to an outbreak of a computer virus. Based on this assumption, the invention detects an outbreak of a computer virus by measuring parameters of the activity of the computer system as a whole over a measurement period. The technique does not seek to detect an individual virus by its fingerprint or characteristics, but instead measures non-virus-specific activity (Principle-35: Parameter change). For example, the method may use measurement parameters such as how many e-mail messages are sent having an identical message title, how many e-mails are sent with an identical file attachment, how many e-mails are sent having attachments of a given type, how many e-mails are sent having attachments of executable files, and the overall e-mail throughput within the computer system.

According to the invention, the measurement parameters, measurement periods and threshold levels can be set automatically by the system or manually by the user. The threshold levels may be varied with the time of day and day of week as well as the tests applied. If the selected measurement parameters cross a respective predetermined threshold level, within the given measurement period, the system signals the outbreak of a computer virus. When an outbreak is detected, the computer implements some countermeasure steps. After executing each step, the system waits for some time to determine whether the virus outbreak is continuing. If the outbreak is found to be persisting the system executes the subsequent countermeasure steps.
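The measurement-and-threshold scheme described above can be run over a mail log as follows; this is an added example, not code from the patent or the paper. The threshold values, the 60-second measurement period, the names of the countermeasure steps, the list of executable extensions and the sample log are all constructed assumptions, and thresholds that vary with time of day are left out.

```python
"""Outbreak detection by activity thresholds (added example, not from the patent)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PERIOD = 60  # measurement period in seconds (assumed value)
THRESHOLDS = {  # assumed values; a parameter "crosses" when it reaches its limit
    "identical_subject": 8,
    "identical_attachment": 8,
    "executable_attachments": 5,
    "throughput": 50,
}
# Hypothetical countermeasure steps, applied in order while the outbreak persists.
STEPS = ["alert administrator", "hold executable attachments", "suspend outbound mail"]
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".vbs")  # assumed list


@dataclass(frozen=True)
class Mail:
    ts: int                           # seconds since the start of the log
    subject: str
    attachment_digest: Optional[str]  # hash of the attachment, if any
    attachment_name: Optional[str]


def measure(mails, start, period):
    """Compute the non-virus-specific parameters for one measurement period."""
    window = [m for m in mails if start <= m.ts < start + period]
    subjects = Counter(m.subject for m in window)
    digests = Counter(m.attachment_digest for m in window if m.attachment_digest)
    executables = sum(
        1 for m in window
        if m.attachment_name and m.attachment_name.lower().endswith(EXECUTABLE_EXT)
    )
    return {
        "identical_subject": max(subjects.values(), default=0),
        "identical_attachment": max(digests.values(), default=0),
        "executable_attachments": executables,
        "throughput": len(window),
    }


def monitor(mails, period, thresholds, steps, n_periods):
    """Per period: which parameters crossed, and which step was executed."""
    timeline, level = [], 0
    for k in range(n_periods):
        start = k * period
        values = measure(mails, start, period)
        crossed = [p for p, limit in thresholds.items() if values[p] >= limit]
        if crossed:
            # Outbreak detected or still persisting: execute the next step.
            action = steps[min(level, len(steps) - 1)]
            level += 1
        else:
            action, level = None, 0
        timeline.append((start, crossed, action))
    return timeline


def build_sample_log():
    """Constructed log: quiet period, two outbreak periods, quiet period."""
    log = [Mail(t, f"status report {t}", None, None) for t in (3, 15, 27, 40, 55)]
    log += [Mail(60 + 4 * i, "Invoice", "digest-A", "invoice.exe") for i in range(12)]
    log += [Mail(70, "lunch?", None, None), Mail(95, "minutes", "digest-B", "minutes.pdf")]
    log += [Mail(120 + 6 * i, "Invoice", "digest-A", "invoice.exe") for i in range(9)]
    log += [Mail(t, f"weekly notes {t}", None, None) for t in (185, 200, 230)]
    return log


if __name__ == "__main__":
    for start, crossed, action in monitor(build_sample_log(), PERIOD, THRESHOLDS, STEPS, 4):
        print(f"t={start:3}s crossed={crossed} action={action}")
```

Nothing in the detector refers to a signature: the second and third periods are flagged purely because many messages share one title and one executable attachment.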


The same inventors further continued the invention in Patent 7093293 (“Computer virus detection”, invented by Smithson et al, assignee McAfee, Aug 2006) to provide defense against new viruses and new types of viruses by measuring one or more parameters over a measurement period against a threshold level. If the measurement parameters cross a predetermined threshold level the system is suspected to have a virus.

4.6 Viral replication detection using a counter virus (Patent 6813712)

Recent macro viruses take advantage of scripting languages and are stored with MS Office and Lotus documents. The payload is usually triggered at some point in the future, to give the virus sufficient time to infect documents without being detected.

Viral replication detection using a counter virus (Patent 6813712)

Patent 6813712 (invented by Luke, assignee International Business Machines Corporation, Nov 2004) provides a counter virus agent for detecting viral infection of a computer system. This beneficial counter virus is released deliberately with a pre-determined population level. The counter virus can attach itself to an object or file for replication, as a virus does. But the counter virus maintains its own population level by self-destructing or infecting other files, depending on the population level. In this way the population is maintained unless the counter virus infects another (unauthorized) virus, in which case the replication mechanism of the unauthorized virus overcomes the population control mechanism of the counter virus. The resulting increase in the population reveals the existence of the unknown virus.


This method is very different from the conventional methods of virus removal as it uses counter viruses in order to detect and control viruses (Principle-13: Other way round). The important benefit of this invention is that it can detect new and unknown viruses and there is no need for prior knowledge of the attacking virus.

4.7 Generic detection and elimination of marco viruses (Patent 7089591)

The signature scanning method is capable of detecting only publicly identified macro viruses. Besides, this method generally takes a long time (i) to gather a sample and send it to an anti-virus research center, (ii) to develop a definition and (iii) to distribute the definition to the general public. The other method, known as the heuristics method, can scan for newly developed macro viruses by searching for strings of bytes that are indicative of viral behavior. The current heuristics are good at detecting new viruses that are variants of known viruses, but not so good at detecting new viruses that are not variants of known viruses. There is a need for a heuristics method which is capable of identifying both publicly identified macro viruses and publicly unidentified macro viruses, and capable of eliminating the macro viruses that are detected.

Generic detection and elimination of marco viruses (Patent 7089591)

Patent 7089591 (invented by Chi, assignee Symantec Corporation, Aug 2006) discloses a heuristics method of detecting both publicly identified macro viruses and publicly unidentified macro viruses.


According to the invention, a detection module analyses the code to determine whether the macro contains instructions to be moved to a global environment and to be copied to a local document. When these two conditions are satisfied the detection module declares that a macro virus is present within the code.

The invention couples a repair module with the detection module for deleting the malicious code. Alternatively, if the user is willing to allow a longer time, the detection module can be made to handle string concatenation operators, proxied variable names, program calls and/or substituted object names. The present invention uses heuristics that can determine effectively whether any given code contains a macro virus or not. It detects macro viruses by scanning for their generic behaviors, i.e., moving the code to the global environment (to be used by the application for all documents) and then copying the code to a local environment (to be used for a specific document). Thus it provides a generic method of detection and repair for all kinds of macro viruses (Principle-6: Universality).

5. Summary

The conventional methods of signature scanning and heuristic testing depend on prior knowledge of individual virus signatures and virus behaviors. Hence these methods are capable of detecting only the known viruses or viruses behaving in known ways. They cannot detect viruses until the viruses have been created, released and have infected innocent users. This situation creates the need for generic detectors that can detect even new and unknown viruses.

The generic scanning methods, in contrast, don’t depend on individual virus signatures or behaviors. Hence they are better suited to detecting new and unknown viruses and viruses of new and unknown behavior. The other advantage of generic methods is that they don’t require periodic updating of virus databases. The popular generic methods include integrity checking and heuristic scanning. Integrity checking may include verification of program size, verification of checksum, verification of revision information, verification of disk address, verification of object program and others.

However, generic methods are not easy to implement. It is difficult to analyze a large number of features of viruses to build virus classifiers that determine whether executable data is “infected” or “not-infected”. Besides, this method is not as dependable as signature scanning. There is a possibility of many viruses escaping through this method. There are continuous efforts to improve the generic methods to make them more accurate, and to reduce the number of false negatives and false positives. Some inventions have made the methods adaptive by using “learning” techniques, some inventions implemented the methods used in DNA sampling for human beings, some have tried to generate virus “classifiers” automatically and some have created counter viruses to detect and control the harmful viruses. The future will see many more inventions on generic methods.

Reference:
1. US Patent 5675711, “Adaptive statistical regression and classification of data strings, with application to the generic detection of computer viruses”, Inventor- Kephart et al., Assignee- IBM, Oct 1997.
2. US Patent 5907834, “Method and apparatus for detecting a presence of a computer virus”, Inventor- Kephart, et al., Assignee- IBM, May 1999.
3. US Patent 5842002, “Computer virus trap”, Inventor- Schnurer et al, Assignee- Quantum Leap Innovations, Nov 1998.
4. US Patent 5881151, “System for creating virus diagnosing mechanism, method of creating the same, virus diagnosing apparatus and method therefor”, Inventor- Yamamoto, Assignee- Fujitsu Limited, March 1999.
5. US Patent 6073239, “Method for protecting executable software programs against infection by software viruses”, Inventor- Eyal Dotan, Assignee- In-defense Inc., June 2000.
6. US Patent 6886099, “Computer virus detection”, Inventor- Smithson, et al., Assignee- Networks Associates Technology, Apr 2005.
7. US Patent 7089591, “Generic detection and elimination of marco viruses”, Inventor- Chi, Assignee- Symantec Corporation, Aug 2006.
8. US Patent 7093293, “Computer virus detection”, Inventor- Smithson et al, Assignee- McAfee, Aug 2006.
9. Umakant Mishra, “An Introduction to Computer Viruses”, available at http://papers.ssrn.com/abstract=1916631
10. Umakant Mishra, “An Introduction to Virus Scanners”, available at http://papers.ssrn.com/abstract=1916673
11. Umakant Mishra, “Methods of Virus detection and their limitations”, http://papers.ssrn.com/abstract=1916708
12. Umakant Mishra, “Overcoming limitations of Signature scanning- Applying TRIZ to Improve Anti-Virus Programs”, http://papers.ssrn.com/abstract=1980629
13. Umakant Mishra, “Solving Problems of Virus definition files – A TRIZ perspective”, http://papers.ssrn.com/abstract=1980632
14. Umakant Mishra, “The Revised 40 Principles for Software Inventions”, http://ssrn.com/abstract=2432096
15. US Patent and Trademark Office (USPTO) site, http://www.uspto.gov/

About the author

After working for more than 18 years in various fields of Information Technology, Umakant has been doing independent research on TRIZ and IT since 2004. He last worked as Director and Chief Technology Officer (2000-2004) in CREAX Information Technologies (Bangalore). Before that he worked as IS/IT manager (1996-2000) for ActionAid India (Bangalore). Umakant is a Master in Philosophy (MA), Master in Business Administration (MBA), Bachelor in Law and Logic (LLB), Microsoft Certified Systems Engineer (MCSE+I), Certified Novell Engineer (CNE), Master Certified Novell Engineer (MCNE), Certified Intranet Manager (CIM), Certified Internet Professional (CIP), Certified Software Test Manager (CSTM) and holds many other global IT certifications. Umakant has authored the books “TRIZ Principles for Information Technology”, “Improving Graphical User Interface using TRIZ”, “Using TRIZ for Anti-Virus Development” etc. and is working on a book on “Management Information Systems”. Many of his articles are available in SSRN eLibrary (http://ssrn.com/author=646786), bepress (http://works.bepress.com/umakant_mishra), Arxiv (http://arxiv.org/a/mishra_u_1) etc. More about Umakant is available at http://umakantm.blogspot.in.
