September 10th, 2003, 10:09 AM
#14
The malware detection system is actually just a Windows 2000 Pro system set up as a work-alike to the desktops; it however has a few custom kernel drivers that audit for specific behaviors. Anything deemed a new executable by the proxying firewall is forked to the malware detection system (which is actually several systems, but you get the idea). From here it is automatically executed and its behavior observed; this allows it to 'learn' new evil signatures. These signatures are then fed into the "normal" signature-based IDS systems atop the diagram.
The malware detector isn't a filter, and to use it as such would slow network traffic to a standstill at times as it tests new software before passing it on. The idea of the malware detector in this situation is to effectively quarantine worms and the like by educating IDS systems enterprise-wide after first discovery. This approach grants that a few systems will be infected and takes the aim of detection and isolation rather than prevention, as preventing every new attack against COTS desktops is unrealistic to say the least.
No neural net is used, just a system to detect if new software does stuff it oughtn't but outside the current protection of the software on hand. This struck us as a far more effective learning environment than attempting to utilize more conventional AI ideals.
catch
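A toy model of the pipeline the post describes (sandbox run, compare against what the desktop image is expected to do, emit a signature for the IDS only when it is new). This is an added example, not the poster's code; the event categories, baseline rules and the two sample traces are constructed assumptions.

```python
"""Toy 'learning' malware detector: sandbox trace -> anomalies -> IDS signature."""
import hashlib

# Constructed baseline of expected behaviour for the work-alike desktop image.
# A trailing '*' in the target is a prefix wildcard.
BASELINE = {
    ("file_write", r"C:\Documents and Settings\user\*"),
    ("registry_write", r"HKCU\Software\*"),
    ("network_connect", "tcp/80"),
    ("network_connect", "tcp/443"),
}

def _matches(rule, event):
    """True if a (category, target) event is covered by one baseline rule."""
    cat, pattern = rule
    if cat != event[0]:
        return False
    if pattern.endswith("*"):
        return event[1].startswith(pattern[:-1])
    return event[1] == pattern

def observe(trace):
    """Return the sandbox events that fall outside the baseline."""
    return [e for e in trace if not any(_matches(r, e) for r in BASELINE)]

def make_signature(sample_bytes, anomalies):
    """Build a signature from the sample hash plus its out-of-policy behaviour."""
    digest = hashlib.sha256(sample_bytes).hexdigest()[:16]
    indicators = sorted(f"{cat}:{target}" for cat, target in anomalies)
    return {"id": f"sbx-{digest}", "indicators": indicators}

def learn(sample_bytes, trace, known_ids):
    """Pipeline: observe the run, emit a new signature, or None if nothing to add."""
    anomalies = observe(trace)
    if not anomalies:
        return None  # behaved like the baseline: nothing for the IDS to learn
    sig = make_signature(sample_bytes, anomalies)
    return None if sig["id"] in known_ids else sig  # already distributed

# Constructed sandbox traces: a document editor and a self-installing worm.
BENIGN_TRACE = [
    ("file_write", r"C:\Documents and Settings\user\report.doc"),
    ("network_connect", "tcp/443"),
]
WORM_TRACE = [
    ("file_write", r"C:\WINNT\system32\svchost32.exe"),
    ("registry_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("network_connect", "tcp/135"),
]
```

Deduplicating against `known_ids` is what keeps the detector from re-educating the IDS every time the same sample is forked to it.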