Real Time Malware Defense System in Linux
DESCRIPTION
My third year I.T. engineering seminar was Real Time Malware Defense System Based On Linux Task Structure. If anybody feels like asking something, feel free.
TRANSCRIPT
Real-Time Malware Defense System (Based On Linux Task Structure)
Seminar By : Dilip K. Jaiswal
Class : T.E-I.T
Roll No : 55
Guided By : Prof. Bhushan S. Chaudhari
Contents
• Introduction
• Malware
• What is a process and how it works in Linux
• Related Work
• Detection Based on System Call
• Architecture of RTMDS
• Modes of Operation
• Task Structure
Contents (cont...)
• Criteria Of Detecting Malware
• System Design
• Getting Process information
• Detecting Malicious activity in Linux
• Advantages
• Conclusion
• References
Introduction
• Focus on processes for information security.
• Real-time monitoring at kernel level
• It aims to provide an anti-virus and anti-sabotage system
Malware
• Worms
• Viruses
• Trojan horses
What is Process?
• A program under execution is called a process.
Working of Processes in Linux
• How a process is created
• Where process information is stored
Related Work
• API interface or system calls provided by the OS
• Through system calls there are two techniques
– Signature based analysis
– Signature free analysis
Detection Based On System Call
Signature Based Analysis
• The system maintains a database of malware signatures to detect malware
• The system continuously runs as a daemon process
Signature Free Analysis
• No such database is maintained
• Detection is done using the process descriptor (task_struct)
Architecture Of RTMDS
Modes Of Operation
• Kernel Level
• User level
Task Structure
• Task descriptor: the kernel represents every process by a struct task_struct (also called the process descriptor or process control block).
• The task_struct structure is allocated via the slab allocator.
• Simplified excerpt of the fields used here (types abbreviated as on the slide; in the real kernel the uid lives in struct cred and the time fields are kernel clock types):
    struct task_struct {
        pid_t   pid;            /* process (thread) id */
        pid_t   tgid;           /* thread group id */
        uid_t   uid;            /* owner of the process */
        void   *stack;          /* kernel stack */
        __u32   status;         /* run state (running, sleeping, ...) */
        time_t  utime;          /* CPU time spent in user mode */
        time_t  stime;          /* CPU time spent in kernel mode */
        int     nvcsw;          /* voluntary context switches */
        int     preempt_count;  /* preemption nesting counter */
    };
Criteria Of Detecting Malware
• Read the task structure and observe the behaviour and properties of the process.
• The following criteria are used:
– Scheduling lists & process lists
– Memory mapping
Activity Diagram
Communication Diagram
Getting Process Information
• cat /proc/P_id/status (P_id is the process ID; shows Name, State, Pid, Tgid, PPid, Uid, memory counters and context-switch counts)
• cat /proc/P_id/stack (kernel stack trace of the process; readable only as root and only if the kernel was built with CONFIG_STACKTRACE)
• cat /proc/meminfo (system-wide memory usage)
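The fields listed on the task structure slide and the two detection criteria (process list properties and memory mapping) can be read from the /proc files named above without writing a kernel module. The script below is an added example, not code from the seminar or from the referenced paper: it parses /proc/P_id/status and /proc/P_id/maps, rebuilds the task_struct-style properties (pid, tgid, ppid, uid, state, context switches) and applies one concrete reading of the memory-mapping criterion, flagging regions that are both writable and executable. That W+X rule is an assumption of this example; the slides do not define the criterion in detail. The sample /proc text is constructed so the script runs without a live Linux process; pass a PID on the command line to read a real one.

```python
"""Added example: task_struct-style process properties and a memory-mapping
check read from /proc (not the seminar's or the cited paper's code)."""
import re
from dataclasses import dataclass

# Constructed sample of /proc/<pid>/status (abridged, real field names).
SAMPLE_STATUS = """\
Name:\tbash
State:\tS (sleeping)
Tgid:\t4242
Pid:\t4242
PPid:\t4200
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
VmRSS:\t    5120 kB
voluntary_ctxt_switches:\t812
nonvoluntary_ctxt_switches:\t37
"""

# Constructed sample of /proc/<pid>/maps; the 4th line is an anonymous rwx region.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a2c000 r--p 00000000 08:01 1311 /usr/bin/bash
55d0c3a2c000-55d0c3b0b000 r-xp 0002c000 08:01 1311 /usr/bin/bash
7f3e1c000000-7f3e1c021000 rw-p 00000000 00:00 0
7f3e1d000000-7f3e1d010000 rwxp 00000000 00:00 0
7ffd6e1f0000-7ffd6e211000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class TaskInfo:
    """The task_struct fields from the slide, as exposed through /proc/<pid>/status."""
    name: str
    pid: int
    tgid: int
    ppid: int
    uid: int      # real uid (task_struct.uid on old kernels, struct cred today)
    state: str    # one-letter scheduler state: R, S, D, Z, T ...
    nvcsw: int    # voluntary context switches (task_struct.nvcsw)
    nivcsw: int   # involuntary context switches (task_struct.nivcsw)


def parse_status(text: str) -> TaskInfo:
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return TaskInfo(
        name=fields["Name"],
        pid=int(fields["Pid"]),
        tgid=int(fields["Tgid"]),
        ppid=int(fields["PPid"]),
        uid=int(fields["Uid"].split()[0]),   # real, effective, saved, fs uids
        state=fields["State"].split()[0],    # 'S (sleeping)' -> 'S'
        nvcsw=int(fields.get("voluntary_ctxt_switches", 0)),
        nivcsw=int(fields.get("nonvoluntary_ctxt_switches", 0)),
    )


# start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str):
    """Return (start, end, perms, path) tuples from /proc/<pid>/maps."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            start, end, perms, path = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, path))
    return regions


def wx_regions(regions):
    """Memory-mapping criterion (assumed for this example): writable AND executable regions."""
    return [r for r in regions if r[2][1] == "w" and r[2][2] == "x"]


def assess(status_text: str, maps_text: str):
    """Build the task properties and list findings for one process."""
    task = parse_status(status_text)
    findings = []
    for start, end, perms, path in wx_regions(parse_maps(maps_text)):
        findings.append(f"W+X mapping {start:#x}-{end:#x} {perms} {path or '[anon]'}")
    return task, findings


def read_proc(pid: int):
    """Assess a live process (Linux only; maps of other users' processes need root)."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open(f"/proc/{pid}/maps") as f:
        maps = f.read()
    return assess(status, maps)


if __name__ == "__main__":
    import sys
    task, findings = read_proc(int(sys.argv[1])) if len(sys.argv) > 1 \
        else assess(SAMPLE_STATUS, SAMPLE_MAPS)
    print(task)
    for finding in findings:
        print("finding:", finding)
```

Run it with no arguments to see the constructed sample flagged (one anonymous rwx region), or with a PID to inspect a real process; a daemon version of the signature-free design would loop over the numeric entries of /proc and call read_proc on each.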
Detecting Malicious Activity in Linux
• sudo cat /etc/shadow (check for unexpected accounts or altered password hashes)
• sudo cat /etc/passwd (check for unexpected accounts, especially extra entries with UID 0)
• sudo top or sudo htop (look for unknown or unusually busy processes)
Conclusion
• Detects malware and kills it during its execution
• Reported to have few false alarms and high accuracy
References
1. Farrukh Shahzad, Sohail Bhatti, Muhammad Shahzad and Muddassar Farooq; "In-Execution Malware Detection using Task Structure of Linux Processes", IEEE, 2011 (978-1-61284-233-2/11).
2. Nwokedi Idika and Aditya Mathur; "A Survey of Malware Detection Techniques", 2 Feb 2007 (research supported by Arxan Technologies / 21st Century R&T Fund).
3. Farrukh Shahzad, M. Shahzad and Muddassar Farooq; "In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS".
4. Robert Love; "Linux Kernel Development", 3rd Edition, Developer's Library.
5. Dilip Pandit, Dineshkumar Kongonda, Kabita Ghosh, Ravikumar Wagh and Tushar Kute; "Real Time Malware Defense System".
THANK YOU
ANY QUERIES…??