Page 1

INTERCEPTION OF AUTOMATED BLOCKING OF MALICIOUS CODE WITH NDIS MIDWAY DRIVER

Presented by S.Gayathri, T.Kanimozhi, E.Velvizhi, S.Ambika

Guided by R.Vasanthi, M.E., (Ph.D).

Page 2

CONTENTS

• ABSTRACT
• OBJECTIVES
• INTRODUCTION
• EXISTING SYSTEM
• PROPOSED SYSTEM
• FLOW DIAGRAM
• IABM BLOCK DIAGRAM
• IABM DATA FLOW DIAGRAM
• MAIN MODULES
• CONCLUSION
• REFERENCE

Page 3

ABSTRACT

• A new approach to computer security that combines analysis of malicious software with automatic blocking of the traffic that carries it.

• We propose a technique built on a Network Driver Interface Specification (NDIS) intermediate driver, which sits between the protocol drivers and the network adapter drivers and therefore sees every packet entering or leaving the host.

• Because NDIS abstracts the adapter, the same driver works unchanged across different network media, i.e. in a hybrid network.

Page 4

INTRODUCTION

• Malicious code is categorized by its functionality and by its attack vector.

• Malicious code spreads from one victim computer to another, typically over the network.

• The main classes of malicious code are:

  virus

  worms

  Trojan horses

Page 5

INTRO CONT..

• The usual security mechanisms are:

  Firewall

  Sniffer

  Antivirus

  IDS

• All of these operate on TCP/IP traffic, so they depend on how the operating system lets them see packets.

• Raw sockets are not a dependable way to do this from user mode on Windows: they require administrator rights and are restricted in what they may send and receive, so the interception has to happen lower down, in the driver stack.

Page 6

EXISTING SYSTEM

• Existing tools rely on the underlying operating system for data gathering and monitoring; they see only what the OS chooses to expose to user mode.

• Anti-hacker tools and personal firewalls of this kind do not perform packet filtering and network-attack detection at the driver level, so traffic reaches the protocol stack before it has been inspected.

Page 7

PROPOSED SYSTEM

• In the proposed system, malware protection runs inside the operating-system kernel, independent of any single application, and performs its own data gathering and monitoring.

• Commercial products such as Kaspersky's already implement this NDIS intermediate driver technology.

• The NDIS intermediate driver performs packet filtering and network-attack detection on every packet that passes through the network stack.

Page 8

KMP ALGORITHM

• Knuth-Morris-Pratt (KMP) is a string search algorithm, used here to find a byte signature inside a packet payload.

• On a mismatch it does not restart from the next byte of the text. A table precomputed from the pattern tells it how far the pattern can be shifted while keeping the part already matched, so each text byte is compared only a bounded number of times.

Example (m = start position of the current attempt in S, i = index into W):

    m: 01234567890123456789012
    S: ABC ABCDAB ABCDABCDABDE
    W: ABCDABD
    i: 0123456

The attempt at m = 0 matches ABC and fails at i = 3; the later attempts shift by the amounts the table gives until W is found at m = 15.
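A complete KMP search in C, added here as an illustration (it is not code from the deck or from the cited paper), run on the slide's own S and W. The names kmp_build_table, kmp_search and kmp_search_str are chosen for this example. It works on raw bytes rather than C strings, so a signature that contains a NUL byte can still be matched inside a packet payload.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the KMP failure table for pattern w of length m.
 * fail[i] = length of the longest proper prefix of w[0..i] that is also a
 * suffix of w[0..i]. After a mismatch at w[j] (j > 0) the search resumes
 * comparing at w[fail[j-1]] without moving back in the text. */
static void kmp_build_table(const unsigned char *w, size_t m, size_t *fail)
{
    size_t k = 0;
    fail[0] = 0;
    for (size_t i = 1; i < m; i++) {
        while (k > 0 && w[i] != w[k])
            k = fail[k - 1];
        if (w[i] == w[k])
            k++;
        fail[i] = k;
    }
}

/* Offset of the first occurrence of w (m bytes) in s (n bytes), or -1.
 * Raw bytes, not C strings, so a signature containing 0x00 is fine. */
long kmp_search(const unsigned char *s, size_t n,
                const unsigned char *w, size_t m)
{
    if (m == 0 || m > n)
        return -1;
    size_t *fail = malloc(m * sizeof *fail);
    if (fail == NULL)
        return -1;
    kmp_build_table(w, m, fail);

    long found = -1;
    size_t j = 0;                        /* bytes of w matched so far */
    for (size_t i = 0; i < n; i++) {
        while (j > 0 && s[i] != w[j])    /* mismatch: shift via the table */
            j = fail[j - 1];
        if (s[i] == w[j])
            j++;
        if (j == m) {                    /* whole pattern matched */
            found = (long)(i + 1 - m);
            break;
        }
    }
    free(fail);
    return found;
}

/* Convenience wrapper for NUL-terminated text and pattern. */
long kmp_search_str(const char *s, const char *w)
{
    return kmp_search((const unsigned char *)s, strlen(s),
                      (const unsigned char *)w, strlen(w));
}

int main(void)
{
    /* The deck's example: W = "ABCDABD" occurs in S at offset 15. */
    const char *s = "ABC ABCDAB ABCDABCDABDE";
    const char *w = "ABCDABD";
    printf("first match at offset %ld\n", kmp_search_str(s, w));

    /* Constructed payload with an embedded NUL, matched as raw bytes. */
    const unsigned char payload[] = { 0x90, 0x90, 0x00, 0xEB, 0xFE, 0xC3 };
    const unsigned char sig[]     = { 0x00, 0xEB, 0xFE };
    printf("signature at offset %ld\n",
           kmp_search(payload, sizeof payload, sig, sizeof sig));
    return 0;
}
```

The table is built once per signature and reused for every packet, which is what makes the per-packet cost linear in the payload length.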

Page 9

IABM NDIS MIDWAY DRIVER BLOCK DIAGRAM

The SigFree pipeline applied to each HTTP request:

  HTTP Request
    -> URI Decoder
    -> ASCII Filter: Pass if the request is printable ASCII, otherwise continue
    -> Instruction Sequences Distiller
    -> Instruction Sequences Analyzer: Pass if the request only contains pure data; Block if the request contains executable code

Page 10

DATA FLOW DIAGRAM

  Start
  -> Admin login
  -> Upload files / Import file
  -> User search
  -> Select HTTP request
  -> Encode and decode URL
  -> Convert into ASCII code
  -> Distill URL
  -> Analyse URL
  -> Check response:
       it contains pure data        -> retrieve all files (non-executable files)
       it contains executable codes -> block executable codes
  -> End

Page 11

VARIOUS MODULES

• Prevention/Detection of Buffer Overflows
• Worm Detection and Signature Generation
• SigFree Attack Model
• URI decoder
• ASCII Filter
• Instruction sequences distiller (ISD)
• Instruction sequences analyzer

Page 12

PREVENTION/DETECTION OF BUFFER OVERFLOWS

• Buffer overflow is one of the most serious vulnerabilities in computer systems: writing past the end of a fixed-size buffer lets an attacker corrupt adjacent memory and redirect execution into injected code.

• It is the entry point for cyber attacks on servers such as:

  Worms

  Zombies

  Botnet

Page 13

Existing defences against buffer overflow attacks fall into these classes:

• Finding bugs in source code (auditing, static analysis)

• Compiler extensions (e.g. stack canaries)

• OS modifications (e.g. non-executable stack, address space randomization)

• Hardware modifications (e.g. non-executable memory pages)

• Capturing the run-time symptoms of a buffer overflow attack
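The first class above, fixing the bug in the source, is the one a practitioner applies most often. The C below is an added example (not code from the deck or from the cited paper) that puts the vulnerable copy beside its bounded replacement. The function names and the 16-byte field size are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size field, e.g. a parsed query value */

/* VULNERABLE, kept for contrast only. strcpy() copies until the source NUL,
 * so a value of NAME_MAX or more bytes writes past the end of dst. When dst
 * lives on the stack, the bytes after it include the saved frame pointer and
 * return address: this is the classic stack smash. Never call this with
 * attacker-controlled input. */
void copy_param_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* HARDENED. The length is checked against the real capacity before any byte
 * is written. Returns 0 on success and -1 if the value does not fit, leaving
 * dst as an empty string so the caller can reject or log the request.
 * src is assumed to be a NUL-terminated string. */
int copy_param_safe(char *dst, size_t dstcap, const char *src)
{
    if (dstcap == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dstcap) {                 /* no room for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);           /* copy the value and its terminator */
    return 0;
}

/* What a request handler does: take the value into a fixed stack buffer and
 * refuse over-long input instead of overflowing. Returns the accepted length,
 * or -1 when the value was rejected. */
int handle_name_param(const char *value)
{
    char name[NAME_MAX];
    if (copy_param_safe(name, sizeof name, value) != 0)
        return -1;
    return (int)strlen(name);
}

int main(void)
{
    printf("short value -> %d\n", handle_name_param("alice"));
    /* Constructed over-long value: 40 'A's, the usual overflow probe. */
    printf("long value  -> %d\n",
           handle_name_param("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The check is `len >= dstcap`, not `>`: a value of exactly NAME_MAX bytes has no room for its terminator and is the off-by-one that canaries and NX bits exist to catch after the fact.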

Page 14

WORM DETECTION AND SIGNATURE GENERATION

• Network-based worm detectors derive a byte signature from captured worm traffic and then match later traffic against it; code transformation techniques (polymorphic or obfuscated worms) are used to defeat such fixed signatures.

• SigFree is instead an online attack blocker: it needs no signature and decides on each request as it arrives.

• The two serve different purposes and complement each other.

Page 15

SIGFREE ATTACK MODEL

• The protected service is a web server; the inputs inspected are its HTTP requests.

• The attacker sends a request whose query parameters or body carry executable code intended to run through a buffer overflow in the server or one of its applications.

• SigFree is a real-time, application-layer blocker that sits in front of the server and drops such requests.


Page 17

URI DECODER

• The query parameters of the Request-URI may be percent-encoded, so they are decoded first to recover the raw bytes the server would see.

• The request body, the other place a request carries parameters, is decoded in the same way before it is filtered.


Page 19

ASCII FILTER

• Malicious executable code is normally a binary string, so it contains bytes outside the printable range.

• If every byte of the decoded query parameters and request body is printable ASCII (20-7E in hex), SigFree passes the request without further analysis.

• Caveat: a special type of executable code, alphanumeric shellcode, consists only of printable characters and therefore passes this stage; it has to be caught by the later stages.
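The first two stages of the pipeline, the URI decoder from Page 17 and the ASCII filter above, as one added C example (not code from the deck or from the SigFree authors). The function names are chosen for this example; treating '+' as a space and the 4096-byte working buffer are assumptions, and "%uXXXX" escapes and double encoding are deliberately not handled. The sample values in main() are constructed, not captured traffic.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(char h)
{
    if (h >= '0' && h <= '9') return h - '0';
    if (h >= 'a' && h <= 'f') return h - 'a' + 10;
    return h - 'A' + 10;
}

/* URI decoder: percent-decode one query-parameter value into out.
 * Returns the decoded length, or -1 if an escape is malformed or the
 * output does not fit. '+' is decoded as a space (form encoding), an
 * assumption for this example. */
long uri_decode(const char *in, unsigned char *out, size_t outcap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* Short-circuit keeps us from reading past a trailing '%'. */
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            c = (unsigned char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (n >= outcap)
            return -1;
        out[n++] = c;
    }
    return (long)n;
}

/* ASCII filter: 1 if every decoded byte is printable ASCII (0x20-0x7E).
 * Such a request is passed by SigFree without further analysis. Alphanumeric
 * shellcode is printable by construction and passes here too; it is left to
 * the instruction-sequence stages. */
int ascii_filter_passes(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7E)
            return 0;
    return 1;
}

/* Decode one encoded value and screen it.
 * Returns  1: all printable, pass
 *          0: contains non-printable bytes, hand to the distiller/analyzer
 *         -1: malformed encoding, reject */
int screen_param(const char *encoded)
{
    unsigned char buf[4096];
    long n = uri_decode(encoded, buf, sizeof buf);
    if (n < 0)
        return -1;
    return ascii_filter_passes(buf, (size_t)n);
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *benign = "q=hello+world%21";      /* decodes to "q=hello world!" */
    const char *binary = "id=%90%90%90%EB%FE";    /* NOP-sled-like bytes */
    const char *broken = "id=%ZZ";                /* bad escape */
    printf("benign: %d\nbinary: %d\nbroken: %d\n",
           screen_param(benign), screen_param(binary), screen_param(broken));
    return 0;
}
```

Decoding before filtering is the point of the first stage: "%90" is printable as four ASCII characters but is the single byte 0x90 once the server decodes it, and it is the decoded form that the filter and the later disassembly must see.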


Page 21

INSTRUCTION SEQUENCES DISTILLER (ISD)

• Disassembles the decoded query parameters of the Request-URI and the Request-Body into candidate instruction sequences.

• Because the start of any injected code is unknown, disassembly begins at every byte offset, and the resulting sequences are merged into an instruction flow graph that is handed to the analyzer.


Page 23

INSTRUCTION SEQUENCES ANALYZER

• Taking the instruction sequences produced by the distiller as input, this module analyzes each sequence to determine whether any of them is a program, i.e. executable code rather than data bytes that merely happen to disassemble.


Page 26

CONCLUSION

• We proposed an NDIS intermediate driver technique: to protect the user properly, the prevention mechanism has to run in kernel mode, below the applications it protects.

• We combined it with a second technique, the SigFree model, to decide which requests carry executable code.

Page 27

REFERENCE

• Lee Ling Chuan, Chan Lee Yee, Mahamod Ismail and Kasmiran Jumari, "Automated Blocking of Malicious Code with NDIS Intermediate Driver," ICACT 2011, IEEE, February 2011.

• Printing Communications Associates, Inc. (PCAUSA), "NDIS_PACKET Discussion Part 2: NDIS_PACKET Reserved Areas," January 17, 2010.

• MSDN Library, Microsoft Corporation, "NDIS-Supplied Packet and Buffer Handling Functions (NDIS 5.1)," March 6, 2010.

Page 28

THANK YOU