Virus detection based on virus throttle technology

VIRUS DETECTION BASED ON VIRUS THROTTLE TECHNOLOGY Ahmed Muzammil Jamal Mohamed [email protected]

Description

In the Internet age virus epidemics are getting worse, slowing down networks and computers and suspending mission-critical operations. This presentation introduces a technique for virus detection based on virus throttle technology, which detects an attack on the network within seconds of a possible infection. The special feature of this technology is that its detection algorithm is based on the network behaviour of the virus rather than on recognition of the virus code, so even unknown viruses can be detected without any signature updates. The technology white paper is available at the following link: http://www.slideshare.net/ahmedmzl/virus-detection-based-on-virus-throttle-technology

Transcript of Virus detection based on virus throttle technology

Page 1

Virus detection based on virus throttle technology

Ahmed Muzammil Jamal Mohamed [email protected]

Page 2

Virus

- Infects or corrupts files
- Hidden in code
- Can be metamorphic
- Cannot survive on its own; it needs a host file or program
- Propagates by sharing files
- Propagates by infecting open network shares

Page 3

Trojan

- Appears as a useful file, e.g. "waterfalls.scr"
- Carries undesired functionality
- Executes malicious code along with the useful code
- A naive user cannot tell it apart from a legitimate file

Page 4

Worm

- A malicious program
- Self-replicating
- Does not need a host program
- Harms the network
  - Consumes local resources
  - Consumes bandwidth

Page 5

Limitations of Existing Virus Detection Methods

- They detect viruses by signature recognition
- Signatures are based on the physical characteristics of the virus, i.e. its code
- Effectiveness decreases as the number of viruses, and so the number of signatures to check, grows
- It takes time to release the signature for a new virus
- Need for a new solution: worms spread at machine speed, but signatures are written at human speed

Page 6

Virus Throttle – What is it?

- Like a car throttle, it limits speed
- Virus Throttle is based on the network behaviour of malicious code, not on its contents
- Malicious code makes many connections to new computers, i.e. hosts it has not contacted before
- SQL Slammer: more than 800 connections per second
- Rate-limit connections to new computers

Page 7

Virus Throttle – How It Works?
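The mechanism the two slides above describe, as an added simulation example; this is not code from the original presentation or from HP's implementation. It models Williamson's throttle the way the slides describe it: a short working set of recently contacted hosts, a delay queue for requests to new hosts that a timer releases at a fixed rate, and a queue-length threshold at which the process is flagged and stopped. The working-set size (5), the rate (one new host per second), the threshold (a queue longer than 100) and the rule that every queued request for a host goes out when that host is admitted are assumptions, and the worm and normal-traffic workloads are constructed for the example.

```python
"""Simulation of a per-host virus throttle (after Williamson, HP Labs 2002).

Assumed parameters, not stated on the slides: a working set of 5 hosts,
one new host admitted per second, and a delay queue longer than 100
requests as the "stop the process" threshold.
"""
import math
from collections import OrderedDict, deque


class VirusThrottle:
    def __init__(self, working_set_size=5, new_hosts_per_second=1.0, queue_threshold=100):
        self.working_set = OrderedDict()   # recently contacted hosts, least recently used first
        self.working_set_size = working_set_size
        self.interval = 1.0 / new_hosts_per_second
        self.queue_threshold = queue_threshold
        self.delay_queue = deque()         # (request time, destination) waiting for the timer
        self.next_tick = 0.0               # next time the rate-limit timer fires
        self.sent = []                     # (send time, destination) that actually went out
        self.max_queue_len = 0
        self.stopped_at = None             # time at which the process was flagged and stopped

    def _admit(self, dst, now):
        """Mark dst as recently contacted, evicting the least recently used host if full."""
        if dst in self.working_set:
            self.working_set.move_to_end(dst)
            return
        if len(self.working_set) >= self.working_set_size:
            self.working_set.popitem(last=False)
        self.working_set[dst] = now

    def _advance(self, now):
        """Fire every timer tick up to `now`; each tick admits at most one new host."""
        while self.next_tick <= now:
            if not self.delay_queue:
                # nothing waiting: skip straight to the first tick after `now`
                skipped = math.floor((now - self.next_tick) / self.interval) + 1
                self.next_tick += skipped * self.interval
                break
            _, dst = self.delay_queue.popleft()
            self._admit(dst, self.next_tick)
            # modelling choice: every queued request for the newly admitted host goes out with it
            released, still_waiting = [(self.next_tick, dst)], deque()
            for t, d in self.delay_queue:
                if d == dst:
                    released.append((self.next_tick, d))
                else:
                    still_waiting.append((t, d))
            self.delay_queue = still_waiting
            self.sent.extend(released)
            self.next_tick += self.interval

    def request(self, dst, now):
        """Outbound connection request from the monitored process at time `now`."""
        if self.stopped_at is not None:
            return "dropped"               # the process has already been stopped
        self._advance(now)
        if dst in self.working_set:        # a host we talk to regularly: pass it straight through
            self._admit(dst, now)
            self.sent.append((now, dst))
            return "sent"
        self.delay_queue.append((now, dst))  # a new host: it has to wait for the timer
        self.max_queue_len = max(self.max_queue_len, len(self.delay_queue))
        if len(self.delay_queue) > self.queue_threshold:
            self.stopped_at = now          # far more new hosts than any benign process needs
            return "stopped"
        return "queued"


def simulate_worm(conns_per_second, duration=10.0, **throttle_kwargs):
    """Constructed worm: a steady stream of connections, each to a never-seen host.
    Returns (time the process was stopped or None, number of new hosts reached)."""
    throttle = VirusThrottle(**throttle_kwargs)
    for i in range(int(conns_per_second * duration)):
        dst = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # distinct for every request
        if throttle.request(dst, i / conns_per_second) == "stopped":
            break
    return throttle.stopped_at, len({d for _, d in throttle.sent})


def simulate_normal_traffic(**throttle_kwargs):
    """Constructed benign workload: 5 requests/s over the same three hosts for 10 s.
    Returns (stopped_at, longest delay queue seen, requests that went out)."""
    throttle = VirusThrottle(**throttle_kwargs)
    hosts = ["mail.example.test", "www.example.test", "dns.example.test"]
    for i in range(50):
        throttle.request(hosts[i % 3], i / 5)
    return throttle.stopped_at, throttle.max_queue_len, len(throttle.sent)


if __name__ == "__main__":
    print("normal traffic (stopped_at, max queue, sent):", simulate_normal_traffic())
    print("conn/s  stopped_at  new hosts reached")
    for rate in (20, 40, 60, 80, 100, 150, 200, 850):
        stopped, reached = simulate_worm(rate)
        print(f"{rate:>6}  {stopped!s:>10}  {reached:>17}")
```

Running the script prints a table in the shape of the Results slide. With these assumed parameters the synthetic worms at 20, 40, 60, 80, 100, 150 and 200 connections per second reach 5, 2, 1, 1, 1, 0 and 0 new hosts before the process is stopped, the same allowed-connections figures the Results slide reports for the test worms; the stopping times depend on the timing of the real HP experiments, which the slides do not give, so they are not reproduced. The normal-traffic run is never stopped, and its only cost is that the first contact with each new host waits for up to one timer tick, which is the "protection only slows down traffic" point of the Advantages slide.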

Page 8

Example Worm – W32/Nimda-D

- Tests were carried out at HP Labs using the W32/Nimda-D worm and several other test worms
- W32/Nimda-D
  - A mass-mailing worm
  - Infects both local files and network shares
  - Creates 120+ connections per second
- The test worms were written to make connections at different rates

Page 9

Detection of W32/Nimda-D Worm using the traditional approach

- The worm spreads rapidly
- A signature update is needed
- Without a signature update
  - Temporary solution: suspend the network
  - Financial / productivity loss
- After the signature update
  - Each computer has to be disinfected
  - Takes days to complete

Page 10

Detection of W32/Nimda-D Worm using the Virus Throttle

- The throttle detects the process
- The throttle cuts the extra connections
- Thus no, or far fewer, PCs are infected

Page 11

Advantages of Virus Throttle

- Works without knowing anything about the virus
- Protection only slows down network traffic
  - Thus false positives (legitimate traffic that gets throttled) cost little
- Gives IT staff time to react
- Effects of deploying the Virus Throttle widely
  - Difficult for viruses to spread at all

Page 12

Results

Worm          Connections per second   Stopping time   Allowed connections
Nimda         120                      0.25 s          1
Test worm     20                       5.44 s          5
Test worm     40                       2.34 s          2
Test worm     60                       1.37 s          1
Test worm     80                       1.04 s          1
Test worm     100                      0.91 s          1
Test worm     150                      0.21 s          0
Test worm     200                      0.02 s          0
SQL Slammer   850                      0.02 s          0

Page 13

Virus Detection on PC based on Virus Throttle Technology

- Traditional virus scanners scan all the files
- They consume much of the processing resources
- The new technique filters the files that have to be scanned

Page 14

Components of the new technique for Virus Detection

- A gateway, defined as THROTWALL
- A traditional virus scanner

Page 15

THROTWALL

- THROTWALL is similar to a firewall for networks and works on the basis of the Virus Throttle
- Monitors running processes for suspicious activity
- Protects the super resources
- When process requests

Page 16

Thank You…

- Read the research whitepaper here: Slideshare.net
- Like this presentation? Share it...
- Questions? Tweet me @ahmedmzl
- This presentation was presented at the following conferences:
  - The IET-UK Present Around the World – India Finals
  - National Conference on Communication and Informatics