Real Time Malware Defense System in LINUX
Real-Time Malware Defense System (Based On Linux Task Structure)
Seminar By : Dilip K. Jaiswal
Class : T.E-I.T
Roll No : 55
Guided By : Prof. Bhushan S. Chaudhari
Contents
• Introduction
• Malware
• What is a process and how it works in Linux
• Related Work
• Detection Based on System Call
• Architecture of RTMDS
• Modes of Operation
• Task Structure
Contents (cont...)
• Criteria Of Detecting Malware
• System Designing
• Getting Process information
• Detecting Malicious activity in Linux
• Advantages
• Conclusion
• References
Introduction
• Focus on processes for information security.
• Real-time monitoring at kernel level.
• It will fully achieve an anti-virus and anti-sabotage system.
Malware
• Worms
• Viruses
• Trojan Horse
What is Process?
• A program under execution is called a process.
Working of Processes in Linux
• How a process is created
• Where process information is stored
Related Work
• API interface or system calls provided by the OS.
• Through system calls there are two techniques:
– Signature based Analysis
– Signature free Analysis
Detection Based On System Call
Signature Based Analysis
• The system maintains a database to detect malware
• The system continuously runs as a daemon process
Signature Free Analysis
• No such database is maintained
• Detection is done using the process descriptor
Architecture Of RTMDS
Modes Of Operation
• Kernel Level
• User level
Task Structure
• Task descriptor
• The task_struct structure is allocated via the slab allocator.
• Slab allocator
• Task structure (simplified excerpt of the fields used by the system; the real kernel definition has many more members):
    struct task_struct {
        pid_t pid;           /* process id */
        pid_t tgid;          /* thread group id */
        uid_t uid;           /* owning user id */
        void *stack;         /* kernel stack */
        __u32 status;        /* run state */
        time_t utime;        /* user CPU time */
        time_t stime;        /* kernel CPU time */
        int nvcsw;           /* voluntary context switches */
        int preempt_count;
    };
Criteria Of Detecting Malware
• Observe the behavior and properties of the process from its task structure.
• The following criteria are used:
– Scheduling lists & Process lists
– Memory mapping
Activity Diagram
Communication Diagram
Getting Process Information
• cat /proc/P_id/status
• cat /proc/P_id/stack
• cat /proc/meminfo
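The Task Structure slide lists the task_struct fields the system inspects (pid, tgid, uid, state, utime, stime, nvcsw), and this slide shows the /proc files where the same information is exported to user level. The following is an added example, not code from the seminar or from the cited papers, showing how a user-level monitor can read those fields from /proc/<pid>/status and /proc/<pid>/stat instead of from the kernel structure. The /proc field names are the real ones from proc(5); the sample values, the TaskInfo record and the function names are constructed for this example, and the live read only works on a Linux host.

```python
"""Added example: read task_struct-like fields for a process from /proc.
Not the seminar's own code; assumes a Linux /proc layout as in proc(5)."""
import os
from dataclasses import dataclass

# Constructed sample of /proc/<pid>/status (abridged). The field names are
# the real ones; the values are made up for this example.
SAMPLE_STATUS = """\
Name:\tbash
State:\tS (sleeping)
Tgid:\t4242
Pid:\t4242
PPid:\t4200
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
VmRSS:\t    5120 kB
Threads:\t1
voluntary_ctxt_switches:\t317
nonvoluntary_ctxt_switches:\t12
"""

# Constructed sample of /proc/<pid>/stat for the same process. Field 14 is
# utime and field 15 is stime, both in clock ticks (see proc(5)).
SAMPLE_STAT = ("4242 (bash) S 4200 4242 4242 34816 4242 4194304 1234 0 0 0 "
               "25 7 0 0 20 0 1 0 100000 11829248 1280 " + "0 " * 30).strip()


@dataclass
class TaskInfo:
    """Hypothetical user-level mirror of the task_struct fields on the slide."""
    pid: int
    tgid: int
    uid: int      # real uid (first column of the Uid: line)
    state: str    # single-letter state code, e.g. 'S' or 'R'
    utime: int    # user CPU time in clock ticks
    stime: int    # kernel CPU time in clock ticks
    nvcsw: int    # voluntary context switches
    comm: str


def parse_status(text: str) -> dict:
    """Turn the key:value lines of /proc/<pid>/status into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_stat(text: str) -> tuple:
    """Return (comm, state, utime, stime) from /proc/<pid>/stat.

    The command name is parenthesised and may itself contain spaces or
    parentheses, so split on the last ')' rather than on whitespace alone."""
    lpar = text.index("(")
    rpar = text.rindex(")")
    comm = text[lpar + 1:rpar]
    rest = text[rpar + 2:].split()
    # rest[0] is field 3 (state); utime/stime are fields 14/15 -> rest[11]/rest[12]
    return comm, rest[0], int(rest[11]), int(rest[12])


def task_info_from_text(status_text: str, stat_text: str) -> TaskInfo:
    """Combine the two /proc views into one record."""
    s = parse_status(status_text)
    comm, state, utime, stime = parse_stat(stat_text)
    return TaskInfo(
        pid=int(s["Pid"]),
        tgid=int(s["Tgid"]),
        uid=int(s["Uid"].split()[0]),
        state=state,
        utime=utime,
        stime=stime,
        nvcsw=int(s["voluntary_ctxt_switches"]),
        comm=comm,
    )


def task_info(pid: int) -> TaskInfo:
    """Read a live process on Linux. A process that exits between the two
    reads raises FileNotFoundError or ProcessLookupError; callers should
    expect that in a polling monitor."""
    with open(f"/proc/{pid}/status") as f:
        status_text = f.read()
    with open(f"/proc/{pid}/stat") as f:
        stat_text = f.read()
    return task_info_from_text(status_text, stat_text)


def snapshot_all() -> list:
    """One pass over /proc, the way a user-level monitor would poll."""
    infos = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            infos.append(task_info(int(entry)))
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process vanished or is not readable; skip it
    return infos


if __name__ == "__main__":
    print(task_info_from_text(SAMPLE_STATUS, SAMPLE_STAT))
    if os.path.isdir("/proc/self"):
        print(task_info(os.getpid()))
```

Reading these values from /proc corresponds to the user-level mode of operation; the kernel-level mode described on the earlier slides would read the same fields directly from the task_struct and would not need to parse text.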
Detecting Malicious Activity in Linux
• sudo cat /etc/shadow
• sudo cat /etc/passwd
• sudo top or sudo htop
Conclusion
• Detects malware and kills it during its execution
• It has the fewest false alarms and higher accuracy
References
1. Farrukh Shahzad, Sohail Bhatti, Muhammad Shahzad and Muddassar Farooq, "In-Execution Malware Detection using Task Structure of Linux Process", 978-1-61284-233-2/11/2011 IEEE.
2. Nwokedi Idika, Aditya Mathur, "A Survey of Malware Detection Techniques", research supported by Arxan Technologies/21st C.R&T Fund, 2/2/2007.
3. Farrukh Shahzad, M. Shahzad, Muddassar Farooq, "In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS".
4. Robert Love, "Linux Kernel Development", 3rd Edition.
5. Robert Love, "Linux Kernel Development, Developer's Library", 3rd Edition.
6. Dilip Pandit, Dineshkumar Kongonda, Kabita Ghosh, Ravikumar Wagh, Tushar Kute, "Real Time Malware Defense System".
THANK YOU
ANY QUERIES…??