Towards Extending the Antivirus Capability to Scan Network Traffic

Mohammed I. Al-Saleh
Jordan University of Science and Technology

Outline
- Problem and Background
- Threat Model
- System Architecture
- Conclusions and Future Work
Antivirus
- Virus signatures

Antivirus (cont.)
- On-access scanner
  - Scans on file-system operations: open, read, write, close, etc.
- On-demand scanner
  - Scans on user request

Problem in Scanning Network Traffic
Al-Saleh et al., "Investigating the detection capabilities of antiviruses under concurrent attacks," IET Information Security (IFS), 2014.
Antivirus product                            Detected in network traffic?
Kaspersky Anti-Virus 6.0                     No
Symantec Endpoint Protection 11.0            No
Sophos Endpoint Security and Control 10.0    No
Panda Internet Security 2014                 No
AVG Internet Security 2014                   No
BitDefender Internet Security 2014           No
Avast Internet Security 2014                 No
TotalDefense Internet Security               No

Problem (cont.)
- Most malware infects victims through the network:
  - Worms
  - Adware
  - Trojan horses
  - Spam
  - Botnets
  - etc.
- Why? Is it hard to scan network traffic? How hard is it?
- Is security being dropped for performance? How much performance degradation would scanning network traffic cause?
- Still speculation! The exact reason is NOT known.
Solution
- Very simple: it is a MUST to scan network traffic.
- How? Hmm, that needs more thinking.

Threat Model
Basic Idea
- Simply, we need a way to tell the AV to scan network data.
- Discrete packets (IP level): an ineffective scanner
  - Malware spans different packets
  - Packets arrive out of order
- Higher level (TCP): builds a state machine
  - Maintains order
  - Separates connections
  - Separates inbound from outbound traffic

Packet Capturing (pcap)
- Kernel modules passively capture network traffic and pass it to user-space processes through a well-defined Application Programming Interface (API)
- Examples: tcpdump and Wireshark
- Use such libraries to build a state machine for TCP connections

ClamAV
- The most popular open-source AV
- www.clamav.net
- Allows agents to make use of it programmatically
- Link to the ClamAV shared library
- The ClamAV daemon, along with the database of virus signatures, is loaded once and shared with the user agents
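The pipeline these three slides describe (captured segments, a TCP state machine per connection and direction, then ClamAV), written out as an added example; it is not code from the slides, from the author's system or from ClamAV. It assumes the following: the segments are constructed inline instead of decoded from a capture (in a real agent, libpcap-style decoding would fill in the Segment fields); the addresses are RFC 5737 documentation addresses; clamd is reachable on TCP port 3310 (the clamd.conf TCPSocket setting); and the public EICAR test string stands in for malware. The sample traffic also shows the point of the "Basic Idea" slide: the signature is split across two out-of-order segments, so no single packet payload contains it, while the reassembled inbound stream does.

```python
"""Added example (not the slides' or ClamAV's code): pcap-style segments ->
per-connection TCP reassembly -> clamd. Runs offline except clamd_scan()."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

# Public EICAR antivirus test string; ClamAV's database flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"   # constructed (RFC 5737 addresses)

@dataclass
class Segment:                       # what a pcap decoder hands us per TCP segment
    src: str; sport: int; dst: str; dport: int
    seq: int; flags: str; payload: bytes   # flags in tcpdump style: "S", "PA", ...

class Stream:
    """One direction of one connection: the deck's 'higher level (TCP)' state."""
    def __init__(self):
        self.next_seq, self.pending, self.data = None, {}, bytearray()

    def add(self, seg):
        if "S" in seg.flags:
            self.next_seq = seg.seq + 1           # SYN consumes one sequence number
        if not seg.payload:
            return
        if self.next_seq is None:
            self.next_seq = seg.seq               # mid-stream capture: no SYN seen
        if seg.seq + len(seg.payload) <= self.next_seq:
            return                                # pure retransmission, already delivered
        self.pending[seg.seq] = seg.payload       # a real agent must bound this buffer
        while self.pending:                       # deliver every contiguous byte
            seq = min(self.pending)
            if seq > self.next_seq:
                break                             # hole: wait for the missing segment
            chunk = self.pending.pop(seq)[max(0, self.next_seq - seq):]  # trim overlap
            self.data += chunk
            self.next_seq += len(chunk)

def reassemble(segments, local_ip):
    """Sort segments into (connection, direction) streams and reassemble each;
    returns {(conn, direction): bytes} for every stream that carried data."""
    streams = defaultdict(Stream)
    for seg in segments:
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        conn = (a, b) if a <= b else (b, a)       # same key for both directions
        direction = "inbound" if seg.dst == local_ip else "outbound"
        streams[(conn, direction)].add(seg)
    return {key: bytes(s.data) for key, s in streams.items() if s.data}

def instream_frames(data, chunk=4096):
    """clamd INSTREAM wire format: 'zINSTREAM\\0', then 4-byte network-order
    length + bytes per chunk, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        out += struct.pack("!I", len(data[i:i + chunk])) + data[i:i + chunk]
    return bytes(out + struct.pack("!I", 0))

def parse_reply(reply):
    """'stream: X FOUND' -> ('FOUND', 'X'); 'stream: OK' -> ('OK', None); else ERROR."""
    text = reply.decode("utf-8", "replace").rstrip("\0\n")
    text = text[len("stream: "):] if text.startswith("stream: ") else text
    if text == "OK":
        return ("OK", None)
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")])
    return ("ERROR", text)                        # e.g. clamd's stream size-limit error

def clamd_scan(data, addr=("127.0.0.1", 3310), timeout=10.0):
    """Assumes clamd with 'TCPSocket 3310' in clamd.conf; the engine and signature
    database stay loaded in the daemon, the agent ships only the stream bytes."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):          # z-protocol replies are NUL-terminated
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(bytes(reply))

def sample_segments():
    """Constructed capture: EICAR over HTTP, body split across two segments that
    arrive out of order, followed by a retransmission of the first one."""
    hdr = b"HTTP/1.1 200 OK\r\nContent-Length: 68\r\n\r\n"
    first, second = hdr + EICAR[:30], EICAR[30:]
    return [
        Segment(CLIENT, 40000, SERVER, 80, 1000, "S", b""),
        Segment(SERVER, 80, CLIENT, 40000, 5000, "SA", b""),
        Segment(CLIENT, 40000, SERVER, 80, 1001, "PA", b"GET /eicar.com HTTP/1.1\r\n\r\n"),
        Segment(SERVER, 80, CLIENT, 40000, 5001 + len(first), "PA", second),  # early
        Segment(SERVER, 80, CLIENT, 40000, 5001, "PA", first),
        Segment(SERVER, 80, CLIENT, 40000, 5001, "PA", first),                # duplicate
    ]

if __name__ == "__main__":
    for (conn, direction), data in reassemble(sample_segments(), CLIENT).items():
        print(direction, len(data), "bytes:", clamd_scan(data))
```

Run it as a script with clamd up and the inbound stream comes back as FOUND while the outbound GET comes back OK; without clamd the socket connect raises ConnectionRefusedError. Two things the slides leave open and a real agent has to decide: when a stream is "complete enough" to scan (this script scans only after all segments were fed; an agent would scan on FIN or at a size threshold), and how much out-of-order data to hold per stream, since the pending buffer above is unbounded and clamd itself refuses streams larger than its configured StreamMaxLength, which the ERROR branch of parse_reply reports.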
System Architecture

Conclusion and Future Work
- Antivirus software MUST scan network traffic
- The proposed system will be implemented
- The performance impact should be studied

Acknowledgements
- Jordan University of Science and Technology for the financial support

Thanks