Virus detection based on virus throttle technology
DESCRIPTION
In the Internet age, virus epidemics are getting worse than before: they make networks slow, make computers slow, suspend mission-critical operations, and so on. This presentation introduces a new technique for virus detection based on virus throttle technology. The technique allows attacks on networks to be detected within seconds of a possible virus infection. Its special feature is that the detection algorithm is based on the network behavior of the virus rather than on identification of the virus code, so even unknown viruses can be detected without any signature updates. The technology white paper is available at the following link: http://www.slideshare.net/ahmedmzl/virus-detection-based-on-virus-throttle-technology
TRANSCRIPT
Virus
- Infects or corrupts files
- Hidden in code
- Can be metamorphic
- Can't survive on its own
- Propagates by sharing files
- Propagates by infecting open network shares
Trojan
- Appears as a useful file, e.g. "waterfalls.scr"
- Undesired functionality
- Executes malicious code along with the useful code
- Cannot be identified by a naïve user
Worm
- A malicious program
- Self-replicating
- Doesn't need a host program
- Harms the network
  - Consumes local resources
  - Consumes bandwidth
Limitations of Existing Virus Detection Methods
- They detect viruses based on signature recognition
- Based on physical characteristics of the virus
- Effectiveness decreases with the number of viruses
- It takes time to release the signature of a new virus
- Need for a new solution: machine speed vs. human speed
Virus Throttle – What is it?
- Car throttle – reduces speed
- Virus Throttle is based on the behavior of malicious code
- Malicious code makes many connections to new computers
- SQL Slammer: >800 connections per second
- Rate limit on connections to new computers
Virus Throttle – How It Works?
Example Worm – W32/Nimda-D
- Tests carried out at HP Labs using the W32/Nimda-D worm and several other test worms
- W32/Nimda-D
  - It is a mass-mailing worm
  - It affects both local files and network shares
  - Creates 120+ connections per second
- Test worms had different frequencies of connections
Detection of W32/Nimda-D Worm using the traditional approach
- The virus spreads rapidly
- Need for a signature update
- Without a signature update
  - Temporary solution: suspend the network
  - Financial / productivity loss
- After the signature update
  - Each computer has to be disinfected
  - Takes days to complete
Detection of W32/Nimda-D Worm using the Virus Throttle
- Throttle detects the process
- Throttle cuts the extra connections
- Thus no or fewer PCs are affected
Advantages of Virus Throttle
- Works without knowing anything about the virus
- Protection only slows down the network traffic
  - Thus false negatives don't have much effect
- Gives IT staff time to react
- Effects of deploying the Virus Throttle widely
  - Difficult for viruses to spread at all
Results

| Worm        | Connections per second | Stopping time | Allowed connections |
|-------------|------------------------|---------------|---------------------|
| Nimda       | 120                    | 0.25 s        | 1                   |
| Test worm   | 20                     | 5.44 s        | 5                   |
| Test worm   | 40                     | 2.34 s        | 2                   |
| Test worm   | 60                     | 1.37 s        | 1                   |
| Test worm   | 80                     | 1.04 s        | 1                   |
| Test worm   | 100                    | 0.91 s        | 1                   |
| Test worm   | 150                    | 0.21 s        | 0                   |
| Test worm   | 200                    | 0.02 s        | 0                   |
| SQL Slammer | 850                    | 0.02 s        | 0                   |
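The slides describe the throttle only at the level of "rate limit on connections to new computers", "throttle detects the process" and "throttle cuts the extra connections", and the results table reports a stopping time and a number of allowed connections per worm. The simulator below is an added example written for this page, not the presentation's or HP Labs' code, and its parameters are assumptions: a working set of 5 recently contacted hosts, one connection to a new host released per second, and an alert when more than 20 requests are waiting in the delay queue. The two traffic patterns (a user contacting a few servers round-robin, and a process opening connections to 50 distinct new hosts per second) are constructed, not measured. It reproduces the qualitative behaviour of the table: ordinary traffic is delayed at most once per new host and never blocked, while the scan-like pattern is stopped well under a second with no connections let through.

```python
"""Simulation of a rate limit on connections to new hosts (virus throttle).

Added example, not the presentation's code.  Assumed parameters: working set
of 5 recently contacted hosts, one new-host connection released per second,
alert when more than 20 connections are waiting in the delay queue.
"""
from collections import Counter, OrderedDict, deque


class VirusThrottle:
    def __init__(self, working_set_size=5, release_interval=1.0, alert_threshold=20):
        self.working_set_size = working_set_size
        self.release_interval = release_interval
        self.alert_threshold = alert_threshold
        self.working_set = OrderedDict()   # recently contacted hosts, LRU order
        self.delay_queue = deque()         # destinations waiting for a release slot
        self.next_release = release_interval
        self.released = 0                  # delayed connections eventually let out
        self.max_queue_len = 0
        self.detected_at = None            # time at which the process was flagged

    def _remember(self, host):
        """Add host to the working set, evicting the least recently used entry."""
        self.working_set[host] = True
        self.working_set.move_to_end(host)
        if len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)

    def _advance(self, now):
        """Release one queued destination per release_interval, up to time `now`.
        Once the process is flagged, nothing further is released (connections cut)."""
        while self.next_release <= now and self.detected_at is None:
            self.next_release += self.release_interval
            if not self.delay_queue:
                continue                   # unused slots do not accumulate
            head = self.delay_queue.popleft()
            # every request waiting for the same host leaves the queue together
            same = sum(1 for d in self.delay_queue if d == head)
            self.delay_queue = deque(d for d in self.delay_queue if d != head)
            self.released += 1 + same
            self._remember(head)

    def request(self, now, dest):
        """Handle a connection request to `dest` at time `now`.
        Returns 'allowed' (known host), 'delayed' (queued) or 'blocked' (flagged)."""
        self._advance(now)
        if self.detected_at is not None:
            return "blocked"
        if dest in self.working_set:
            self.working_set.move_to_end(dest)
            return "allowed"
        self.delay_queue.append(dest)
        self.max_queue_len = max(self.max_queue_len, len(self.delay_queue))
        if len(self.delay_queue) > self.alert_threshold:
            self.detected_at = now         # the "stopping time" of the results table
            return "blocked"
        return "delayed"


def run(requests, **params):
    """Feed (time, destination) pairs through a throttle; return it and outcome counts."""
    throttle = VirusThrottle(**params)
    outcomes = Counter(throttle.request(t, d) for t, d in requests)
    return throttle, outcomes


# Constructed traffic: a user contacting three servers round-robin once a second,
# plus two new hosts contacted for the first time at t=30 and t=45.
def normal_traffic(seconds=60):
    hosts = ["mail", "web", "files"]
    reqs = [(float(t), hosts[t % 3]) for t in range(seconds)]
    reqs += [(30.0, "printer"), (45.0, "intranet")]
    return sorted(reqs)


# Constructed traffic: `rate` connections per second, each to a host never seen before.
def scan_traffic(rate=50, seconds=3):
    return [(i / rate, f"host-{i}") for i in range(rate * seconds)]


if __name__ == "__main__":
    for name, traffic in (("normal", normal_traffic()), ("scan-like", scan_traffic())):
        thr, out = run(traffic)
        print(f"{name:10s} {dict(out)} stopped_at={thr.detected_at} "
              f"released={thr.released} max_queue={thr.max_queue_len}")
```

With the assumed parameters the normal pattern is delayed five times in total (once per first contact with a host) and never flagged, whereas the scan-like pattern fills the delay queue before the first release slot and is stopped at 0.4 s with zero connections released, which is the "allowed connections = 0" outcome the table shows for the fastest worms.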
Virus Detection on PC based on Virus Throttle Technology
- Traditional virus scanners scan all the files
- They consume much of the processing resources
- The new technique filters the files that have to be scanned
Components of the new technique for Virus Detection
- A gateway, defined as THROTWALL
- A traditional virus scanner
THROTWALL
- THROTWALL is similar to a firewall for networks and works on the basis of the Virus Throttle
- Monitors running processes for suspicious activity
- Protects the super resources
- When process requests
Thank You…
- Read the research whitepaper here: Slideshare.net
- Like this presentation? Share it...
- Questions? Tweet me @ahmedmzl
- This presentation was presented at the following conferences:
  - The IET-UK Present Around the World – India Finals
  - National Conference on Communication and Informatics