Real Time Malware Defense System in LINUX


My third-year I.T. engineering seminar was on Real Time Malware Defense System Based On Linux Task Structure. If anybody feels like asking something, feel free.

Transcript of Real Time Malware Defense System in LINUX

Page 1: Real Time Malware Defense System in LINUX

Real-Time Malware Defense System (Based On Linux Task Structure)

Seminar By : Dilip K. Jaiswal

Class : T.E-I.T

Roll No : 55

Guided By : Prof. Bhushan S. Chaudhari


Page 2: Real Time Malware Defense System in LINUX

Contents

• Introduction

• Malware

• What is process And How it works in Linux

• Related Work

• Detection Based on System Call

• Architecture of RTMDS

• Modes of Operation

• Task Structure


Page 3: Real Time Malware Defense System in LINUX

Contents (cont...)

• Criteria Of Detecting Malware

• System Designing

• Getting Process information

• Detecting Malicious activity in Linux

• Advantages

• Conclusion

• References


Page 4: Real Time Malware Defense System in LINUX

Introduction

• Focus on processes as the unit of information security, following the Linux task-structure approach of Shahzad et al. [1].

• Real-time monitoring at kernel level.

• Intended to serve as both an anti-virus and an anti-sabotage system.

Page 5: Real Time Malware Defense System in LINUX

Malware

• Worms

• Viruses

• Trojan Horse


Page 6: Real Time Malware Defense System in LINUX

What is Process?

• A program under execution is called a process.

Page 7: Real Time Malware Defense System in LINUX

Working of Processes in Linux

• How a process is created

• Where the process information is stored (the process descriptor, struct task_struct)

Page 8: Real Time Malware Defense System in LINUX

Related Work

• The API interface, i.e. the system calls, provided by the OS.

• Two detection techniques work from system-call information:

– Signature-based analysis

– Signature-free analysis

Page 9: Real Time Malware Defense System in LINUX

Detection Based On System Call

Signature-Based Analysis

• The system maintains a database of known malware signatures.

• The detector runs continuously as a daemon process.

Signature-Free Analysis

• No such database is maintained.

• Detection is done from the process descriptor (task_struct) of the running process.

Page 10: Real Time Malware Defense System in LINUX

Architecture Of RTMDS


Page 11: Real Time Malware Defense System in LINUX

Modes Of Operation

• Kernel Level

• User level


Page 12: Real Time Malware Defense System in LINUX

Task Structure

• Task descriptor (process descriptor): the kernel's per-process record, struct task_struct.

• The task_struct structure is allocated via the slab allocator.

• Slab allocator: caches of fixed-size objects, so descriptors are allocated and freed quickly and without fragmentation.

• Simplified excerpt of the fields the detector reads (the real struct has many more fields, and on current kernels the uid is held in task->cred rather than directly in task_struct):

    struct task_struct {
        pid_t  pid;            /* process (thread) id */
        pid_t  tgid;           /* thread group id */
        uid_t  uid;            /* user id (simplified: really in task->cred) */
        void  *stack;          /* kernel stack */
        __u32  status;         /* run state, called "state" in the kernel */
        time_t utime;          /* CPU time spent in user mode */
        time_t stime;          /* CPU time spent in kernel mode */
        int    nvcsw;          /* voluntary context switches */
        int    preempt_count;  /* preemption-disable depth */
    };

Page 13: Real Time Malware Defense System in LINUX

Criteria Of Detecting Malware

• Read the task structure of a running process and observe the behavior and properties of the process.

• The criteria used:

– Scheduling lists and process lists

– Memory mapping
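The memory-mapping criterion above, worked through from user space as an added example (this is not code from the seminar or from the cited papers): the program parses /proc/<pid>/maps, which is the kernel's view of a process's memory mappings, and flags regions that are writable and executable at the same time, or executable anonymous memory with no backing file. Both are usual signs of injected or unpacked code. SAMPLE_MAPS is constructed, and the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One entry of /proc/<pid>/maps:
 * "7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0 [optional path]" */
struct map_entry {
    unsigned long start, end, inode;
    char perms[5];
    char path[256];
};

/* Constructed maps text (not captured from a real host): a normal binary,
 * heap, stack and vdso, plus two anonymous executable regions. */
const char SAMPLE_MAPS[] =
    "55d1a0400000-55d1a0401000 r--p 00000000 fd:01 1310987 /usr/bin/cat\n"
    "55d1a0401000-55d1a0402000 r-xp 00001000 fd:01 1310987 /usr/bin/cat\n"
    "55d1a1e00000-55d1a1e21000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0\n"
    "7f3a1d000000-7f3a1d001000 r-xp 00000000 00:00 0\n"
    "7ffc1a000000-7ffc1a021000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffc1a1c3000-7ffc1a1c5000 r-xp 00000000 00:00 0 [vdso]\n";

/* Parse one maps line. Returns 1 on success, 0 on malformed input. */
int parse_map_line(const char *line, struct map_entry *e)
{
    unsigned long offset, dev_major, dev_minor;
    int consumed = 0;
    size_t len;
    const char *p;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lx-%lx %4s %lx %lx:%lx %lu%n", &e->start, &e->end,
               e->perms, &offset, &dev_major, &dev_minor, &e->inode, &consumed) != 7)
        return 0;
    p = line + consumed;
    while (*p == ' ' || *p == '\t') p++;
    len = strcspn(p, "\n");
    if (len >= sizeof e->path) len = sizeof e->path - 1;
    memcpy(e->path, p, len);   /* e->path is zero-filled, so it stays NUL-terminated */
    return 1;
}

/* Memory-mapping criterion: a region that is writable and executable at
 * once, or executable anonymous memory (inode 0, no backing file) other
 * than the kernel-provided [vdso]/[vsyscall] pages, is a usual sign of
 * injected, unpacked or JIT-written code. Returns 1 if suspicious. */
int is_suspicious_mapping(const struct map_entry *e)
{
    int w = strchr(e->perms, 'w') != NULL;
    int x = strchr(e->perms, 'x') != NULL;
    if (w && x) return 1;
    if (x && e->inode == 0 && strcmp(e->path, "[vdso]") != 0 &&
        strcmp(e->path, "[vsyscall]") != 0)
        return 1;
    return 0;
}

/* Scan a whole maps text; returns the number of suspicious regions. */
int count_suspicious_mappings(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        char line[512];
        struct map_entry e;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_map_line(line, &e) && is_suspicious_mapping(&e)) {
            count++;
            printf("suspicious: %lx-%lx %s %s\n", e.start, e.end, e.perms, e.path);
        }
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Scan a live process (this one by default); other pids need ptrace access. */
int main(int argc, char **argv)
{
    char path[64], buf[65536];
    size_t n;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%s/maps", argc > 1 ? argv[1] : "self");
    if (!(f = fopen(path, "r"))) { perror(path); return 1; }
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("%d suspicious region(s) in %s\n", count_suspicious_mappings(buf), path);
    return 0;
}
```

Run it as `./maps_check <pid>`. Expect legitimate hits from JIT runtimes (Java, browsers, some interpreters) that deliberately create RWX or anonymous executable regions, so the check is an indicator to combine with the process-list criteria, not a verdict on its own.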

Page 14: Real Time Malware Defense System in LINUX

Activity Diagram


Page 15: Real Time Malware Defense System in LINUX

Communication Diagram


Page 16: Real Time Malware Defense System in LINUX

Getting Process Information

• cat /proc/<pid>/status   (pid, tgid, uid, state, memory usage, context-switch counters)

• cat /proc/<pid>/stack    (kernel stack trace; on current kernels readable only by root)

• cat /proc/meminfo        (system-wide memory statistics)
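The task-structure fields on page 12 and the /proc files listed above come together in the following added example (my own code, not the seminar's or the cited papers'): a C program that parses /proc/<pid>/status into a struct mirroring those task_struct fields, then walks the process list under /proc the way ps and top do and reports every root-owned user-space process. SAMPLE_STATUS is a constructed status file, and the function and field names are my own.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of the process descriptor that the kernel exports in
 * /proc/<pid>/status; names follow the task_struct fields. */
struct proc_status {
    char comm[64];      /* Name: (task->comm) */
    int pid, tgid, ppid;
    int uid;            /* real uid: first number on the Uid: line */
    char state;         /* first letter of State: R, S, D, Z, T ... */
    int has_vm;         /* any Vm* line present; kernel threads have none */
    long vm_rss_kb;     /* VmRSS: resident set size in kB */
    long nvcsw, nivcsw; /* voluntary / nonvoluntary context switches */
};

/* Constructed sample in /proc/<pid>/status layout (not captured from a real host). */
const char SAMPLE_STATUS[] =
    "Name:\tsshd\nState:\tS (sleeping)\nTgid:\t4242\nPid:\t4242\nPPid:\t1\n"
    "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nVmPeak:\t   12000 kB\nVmRSS:\t    7424 kB\n"
    "Threads:\t1\nvoluntary_ctxt_switches:\t153\nnonvoluntary_ctxt_switches:\t7\n";

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Parse status-file text line by line. Returns 1 if a Pid: line was seen. */
int parse_proc_status(const char *text, struct proc_status *st)
{
    int have_pid = 0;
    const char *p = text;
    memset(st, 0, sizeof *st);
    st->uid = -1;
    while (*p) {
        char line[256];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strncmp(line, "Name:", 5) == 0)
            strncpy(st->comm, skip_ws(line + 5), sizeof st->comm - 1);
        else if (strncmp(line, "State:", 6) == 0)
            st->state = *skip_ws(line + 6);
        else if (strncmp(line, "Tgid:", 5) == 0)
            st->tgid = atoi(line + 5);
        else if (strncmp(line, "Pid:", 4) == 0) {
            st->pid = atoi(line + 4);
            have_pid = 1;
        } else if (strncmp(line, "PPid:", 5) == 0)
            st->ppid = atoi(line + 5);
        else if (strncmp(line, "Uid:", 4) == 0)
            st->uid = atoi(line + 4);
        else if (strncmp(line, "Vm", 2) == 0) {
            st->has_vm = 1;
            if (strncmp(line, "VmRSS:", 6) == 0)
                st->vm_rss_kb = atol(line + 6);
        } else if (strncmp(line, "voluntary_ctxt_switches:", 24) == 0)
            st->nvcsw = atol(line + 24);
        else if (strncmp(line, "nonvoluntary_ctxt_switches:", 27) == 0)
            st->nivcsw = atol(line + 27);
        p = nl ? nl + 1 : p + len;
    }
    return have_pid;
}

/* User-space process running as uid 0; kernel threads (no Vm* lines)
 * are excluded. This is the first population to watch for sabotage. */
int is_root_user_process(const struct proc_status *st)
{
    return st->uid == 0 && st->has_vm;
}

/* Read and parse /proc/<pid>/status of a live process. */
int read_proc_status(int pid, struct proc_status *st)
{
    char path[64], buf[8192];
    FILE *f;
    size_t n;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if (!(f = fopen(path, "r"))) return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_proc_status(buf, st);
}

/* Walk the process list (numeric entries of /proc) and report root-owned processes. */
int main(void)
{
    struct dirent *de;
    DIR *d = opendir("/proc");
    if (!d) return 1;
    while ((de = readdir(d)) != NULL) {
        struct proc_status st;
        if (!isdigit((unsigned char)de->d_name[0])) continue;
        if (read_proc_status(atoi(de->d_name), &st) && is_root_user_process(&st))
            printf("%-16s pid=%d ppid=%d state=%c rss=%ldkB nvcsw=%ld nivcsw=%ld\n",
                   st.comm, st.pid, st.ppid, st.state, st.vm_rss_kb, st.nvcsw, st.nivcsw);
    }
    closedir(d);
    return 0;
}
```

/proc/<pid>/status is readable for every pid without special privilege, which is why a user-level monitor can collect these descriptor fields; the kernel-level mode reads the same values from task_struct directly. Sampling nvcsw/nivcsw and utime/stime over time is what gives the behavioral profile the signature-free approach relies on.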

Page 17: Real Time Malware Defense System in LINUX

Detecting Malicious Activity in Linux

• sudo cat /etc/shadow   (look for accounts with an empty password hash)

• sudo cat /etc/passwd   (look for unexpected accounts, especially extra UID 0 entries)

• sudo top or sudo htop  (look for unknown or unusually busy processes)
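The account checks implied by the first two commands, as an added example (my own code, not the seminar's): a C program that parses /etc/passwd and /etc/shadow line by line and flags the three conditions an attacker leaves behind most often, a second UID 0 account, an empty password field in passwd, and an empty hash in shadow. SAMPLE_PASSWD and SAMPLE_SHADOW are constructed, and the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Findings, one bit per condition. */
enum {
    F_EXTRA_UID0   = 1, /* passwd: uid 0 under a name other than root */
    F_EMPTY_PASSWD = 2, /* passwd: empty password field, no shadow entry used */
    F_EMPTY_SHADOW = 4  /* shadow: empty hash, login accepted without a password */
};

/* Constructed sample files (not from a real host). */
const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "toor:x:0:0::/root:/bin/bash\n"
    "guest::1001:1001::/home/guest:/bin/sh\n";
const char SAMPLE_SHADOW[] =
    "root:$6$saltsalt$hashhashhash:19000:0:99999:7:::\n"
    "alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::\n"
    "daemon:*:19000:0:99999:7:::\n"
    "svc::19000:0:99999:7:::\n";

/* Split a writable copy of a line on ':' in place; returns the field count. */
static int split_fields(char *buf, char *f[], int max)
{
    int n = 0;
    char *p = buf;
    while (n < max) {
        char *c = strchr(p, ':');
        f[n++] = p;
        if (!c) break;
        *c = '\0';
        p = c + 1;
    }
    return n;
}

/* Check one /etc/passwd line: name:password:uid:gid:gecos:home:shell */
int check_passwd_line(const char *line)
{
    char buf[512], *f[7];
    int flags = 0;
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    if (buf[0] == '#' || split_fields(buf, f, 7) < 7) return 0;
    if (strcmp(f[2], "0") == 0 && strcmp(f[0], "root") != 0) flags |= F_EXTRA_UID0;
    if (f[1][0] == '\0') flags |= F_EMPTY_PASSWD;
    return flags;
}

/* Check one /etc/shadow line: name:hash:lastchg:min:max:warn:inactive:expire:reserved
 * "*" and "!" mean locked; an empty hash means no password is required. */
int check_shadow_line(const char *line)
{
    char buf[512], *f[9];
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    if (buf[0] == '#' || split_fields(buf, f, 9) < 2) return 0;
    return f[1][0] == '\0' ? F_EMPTY_SHADOW : 0;
}

/* Run a line checker over a whole file text; returns the number of flagged lines. */
int audit_text(const char *text, int (*check)(const char *))
{
    int flagged = 0;
    const char *p = text;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (check(line)) { flagged++; printf("flagged: %s\n", line); }
        p = nl ? nl + 1 : p + len;
    }
    return flagged;
}

/* Audit a real file; /etc/shadow is readable only by root. Returns -1 if unreadable. */
int audit_file(const char *path, int (*check)(const char *))
{
    char buf[65536];
    size_t n;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return audit_text(buf, check);
}

int main(void)
{
    printf("/etc/passwd: %d flagged\n", audit_file("/etc/passwd", check_passwd_line));
    printf("/etc/shadow: %d flagged\n", audit_file("/etc/shadow", check_shadow_line));
    return 0;
}
```

Run it with sudo so that /etc/shadow is readable; a result of -1 for shadow means the file could not be opened. The checks are deliberately conservative: a locked account ("*" or "!") is not flagged, and only a genuinely empty hash is.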

Page 18: Real Time Malware Defense System in LINUX

Conclusion

• Detects malware and kills it while it is executing.

• Reported to give few false alarms and high accuracy.

Page 19: Real Time Malware Defense System in LINUX

References

1. Farrukh Shahzad, Sohail Bhatti, Muhammad Shahzad and Muddassar Farooq, "In-Execution Malware Detection using Task Structure of Linux Process", IEEE, 2011 (978-1-61284-233-2/11).

2. Nwokedi Idika and Aditya Mathur, "A Survey of Malware Detection Techniques", research supported by Arxan Technologies / 21st Century R&T Fund, 2 February 2007.

3. Farrukh Shahzad, M. Shahzad and Muddassar Farooq, "In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS".

4. Robert Love, "Linux Kernel Development", 3rd Edition.

5. Robert Love, "Linux Kernel Development (Developer's Library)", 3rd Edition.

6. Dilip Pandit, Dineshkumar Kongonda, Kabita Ghosh, Ravikumar Wagh and Tushar Kute, "Real Time Malware Defense System".

Page 20: Real Time Malware Defense System in LINUX

THANK YOU

ANY QUERIES…??
