Re: Virus author profiling

Harlan,

There are two primarly approaches to profiling. One is based on statistics and is generally called inductive profiling. This approach has the limitations that you mention as well as some weak assumptions (e.g., human behavior is uniform and predictable). Although such generalizations can be useful in some situations, they have limited investigative relevance and can be misleading.

The second approach is evidence based, generally called deductive profiling. The deductive approach is based on the assumption that the offender's actions leave an impression of him/her on the crime scene, or in this case, in the virus code and/or execution. Using the information revealed by an offender through evidence at the crime scene, deductive profilers (and good investigators) can learn useful things about the perpetrator such as criminal skill level, profession), and level of knowledge of the target. The types of information that you can obtain through this approach can be very useful in an investigation.

The offender characteristics most popularized by media (e.g., sex, age, race) are the most problematic - these should be avoided unless there is clear evidence of them in a specific crime.

Eoghan Casey
www.corpus-delicti.com/eco/

Harlan Carvey wrote:

> Stewart,
Received on Fri Mar 21 13:44:09 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek