Suppressing the Spread of Email Malcode using Short-term Message Recall

Abstract

Outbreaks of computer viruses and worms have established a pressing need for developing proactive antivirus solutions. A proactive antivirus solution is one that reliably and accurately detects novel malicious mobile code and one that either prevents damage or recovers systems from the damage that such code inflicts. Research has indicated that behavioral analysis, though provably imprecise, can feasibly predict whether novel behavior poses a threat. Nevertheless, even the most reliable detection methods can conceivably misclassify malicious code or deem it harmful only after substantial damage has taken place. The study of damage control and recovery mechanisms is, therefore, clearly essential to the development of better proactive systems. Earlier work has demonstrated that undoing the damage of malicious code is possible with an appropriate behavior monitoring and recording mechanism. However, it remains that even if a system is recovered, the virulent code may have already propagated to other systems, some of which may not be well-equipped in terms of proactive defenses. Curbing the propagation of undesired code once it has left the boundaries of a system is a hard problem and one that has not received much attention. This work focuses on a specific instance of this difficult problem: viruses and worms that spread by email. In this paper, we explore how advantageous it would be to have a short-term email undo mechanism whose purpose is to recall infected messages. Simulation results demonstrate that such ability can substantially curb the damage of email viruses on a global scale. The results are encouraging because they only assume technology that is either readily available or that is otherwise clearly practical today