Description
In the Internet age, virus epidemics are worse than ever: they slow down networks and computers and suspend mission-critical operations. This presentation introduces a new virus detection technique based on virus throttle technology. It allows attacks on a network to be detected within seconds of a possible infection. Its special feature is that the detection algorithm is based on the network behavior of the virus rather than on identification of the virus code, so even unknown viruses can be detected without any signature updates. The technology white paper is available at the following link: http://www.slideshare.net/ahmedmzl/virus-detection-based-on-virus-throttle-technology
VIRUS DETECTION BASED ON VIRUS THROTTLE TECHNOLOGY
Ahmed Muzammil Jamal Mohamed ahmedmuzammil@outlook.com
Virus
- Infects or corrupts files
- Hidden in code
- Can be metamorphic
- Cannot survive by itself
- Propagates by sharing files
- Propagates by infecting open network shares
Trojan
- Appears as a useful file, e.g. "waterfalls.scr"
- Undesired functionality
- Executes malicious code along with the useful code
- Cannot be identified by a naïve user
Worm
- A malicious program
- Self-replicating
- Doesn't need a host program
- Harms the network
  - Consumes local resources
  - Consumes bandwidth
Limitations of Existing Virus Detection Methods
- They detect viruses based on signature recognition
- Based on the physical characteristics of the virus
- Effectiveness decreases as the number of viruses grows
- Releasing the signature of a new virus takes time
- Need for a new solution: machine speed vs. human speed
Virus Throttle – What is it?
- Car throttle: reduces speed
- Virus Throttle is based on the behavior of malicious code
- Malicious code makes many connections to new computers
- SQL Slammer: more than 800 connections per second
- Rate-limit connections to new computers
Virus Throttle – How It Works?
Example Worm – W32/Nimda-D
- Tests carried out at HP Labs using the W32/Nimda-D worm and several other test worms
- W32/Nimda-D
  - A mass-mailing worm
  - Infects both local files and network shares
  - Creates 120+ connections per second
- The test worms had different connection frequencies
- The virus spreads rapidly
- A signature update is needed
- Without a signature update
  - Temporary solution: suspend the network
  - Financial / productivity loss
- After the signature update
  - Each computer has to be disinfected
  - Takes days to complete
Detection of W32/Nimda-D Worm using the traditional approach
Detection of W32/Nimda-D Worm using the Virus Throttle
- The throttle detects the process
- The throttle cuts the extra connections
- Thus no or fewer PCs are affected
Advantages of Virus Throttle
- Works without knowing anything about the virus
- Protection only slows down the network traffic
  - Thus false negatives don't have much effect
- Gives IT staff time to react
- Effects of deploying the Virus Throttle widely
  - Difficult for viruses to spread at all
Results

Worm          Connections per second   Stopping time   Allowed connections
Nimda         120                      0.25 s          1
Test worm     20                       5.44 s          5
Test worm     40                       2.34 s          2
Test worm     60                       1.37 s          1
Test worm     80                       1.04 s          1
Test worm     100                      0.91 s          1
Test worm     150                      0.21 s          0
Test worm     200                      0.02 s          0
SQL Slammer   850                      0.02 s          0
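The rate limit on connections to new computers described under "What is it?", and the stopping time and allowed-connection figures in the table above, can be modelled with the following simulation. It is an added example, not code from the presentation or from HP Labs; the working-set size, the one-new-host-per-second release rate, the queue threshold and the two sample workloads are all assumptions.

```python
from collections import deque


class VirusThrottle:
    """Per-process connection throttle (simplified model, assumed parameters)."""

    def __init__(self, working_set_size=10, release_interval=1.0, queue_threshold=10):
        self.working_set = deque(maxlen=working_set_size)  # hosts contacted recently
        self.delay_queue = deque()      # connections to new hosts awaiting release
        self.release_interval = release_interval   # one new host released per interval
        self.queue_threshold = queue_threshold     # longer queue than this => worm-like
        self.next_release = release_interval
        self.allowed_new = 0            # new-host connections that were let through
        self.stopped_at = None          # time at which the process was flagged and cut

    def _release(self, now):
        # Let at most one queued new-host connection out per release interval.
        while self.next_release <= now:
            if self.delay_queue:
                self.working_set.append(self.delay_queue.popleft())
                self.allowed_new += 1
            self.next_release += self.release_interval

    def connect(self, now, host):
        """True if the connection goes out immediately, False if delayed or dropped."""
        if self.stopped_at is not None:
            return False                # process already cut off: drop everything
        self._release(now)
        if host in self.working_set:
            return True                 # known host: the rate limit does not apply
        if host not in self.delay_queue:
            self.delay_queue.append(host)
        if len(self.delay_queue) > self.queue_threshold:
            self.stopped_at = now       # far too many new hosts: worm-like behaviour
        return False


def run_worm(rate_per_second, duration):
    """Worm-like process: a distinct new host every 1/rate seconds (constructed)."""
    throttle, interval = VirusThrottle(), 1.0 / rate_per_second
    for i in range(int(duration * rate_per_second)):
        throttle.connect(i * interval, f"10.0.{i // 256}.{i % 256}")
    return throttle.stopped_at, throttle.allowed_new


def run_normal(duration):
    """Normal user: two regular servers every second, a new site every 10 s (constructed)."""
    throttle, t = VirusThrottle(), 0.0
    while t < duration:
        for dt, host in ((0.0, "mail-server"), (0.3, "web-proxy"), (0.6, f"site-{int(t // 10)}")):
            throttle.connect(t + dt, host)
        t += 1.0
    return throttle.stopped_at, throttle.allowed_new


if __name__ == "__main__":
    print("worm at 120/s:", run_worm(120.0, 2.0))  # stopped at ~0.083 s, 0 new hosts allowed
    print("normal user:  ", run_normal(60.0))      # never stopped, 8 new hosts allowed
```

The worm's queue of unreached new hosts overflows within a fraction of a second while the normal workload never queues more than three hosts, which is the behavioural difference the throttle relies on instead of a signature.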
Virus Detection on PC based on Virus Throttle Technology
- Traditional virus scanners scan all the files
- They consume much of the processing resource
- The new technique filters the files that have to be scanned
Components of the new technique for Virus Detection
- A gateway, defined as THROTWALL
- A traditional virus scanner
THROTWALL
- THROTWALL is similar to a firewall for networks and works on the basis of Virus Throttle
- Monitors running processes for suspicious activity
- Protects the super resources
- When a process requests
Thank You…
- Read the research whitepaper here: Slideshare.net
- Like this presentation? Share it...
- Questions? Tweet me @ahmedmzl
- This presentation was presented at the following conferences:
  - The IET-UK Present Around the World – India Finals
  - National Conference on Communication and Informatics