Application-Level Reconnaissance: Timing Channel Attacks ...

Towards Extending the Antivirus Capability to Scan Network Traffic
Mohammed I. Al-Saleh
Jordan University of Science and Technology

Outline
  • Problem and Background
  • Threat Model
  • System Architecture
  • Conclusions and Future Work

Antivirus
  • Virus signatures

Antivirus (cont.)
  • On-access scanner: scans on file system operations (open, read, write, close, etc.)
  • On-demand scanner: scans on user request

Problem in Scanning Network Traffic
Al-Saleh et al., "Investigating the detection capabilities of antiviruses under concurrent attacks", IET IFS Journal, 2014.

  Antivirus                                   Detect?
  Kaspersky Anti-Virus 6.0                    No
  Symantec Endpoint Protection 11.0           No
  Sophos Endpoint Security and Control 10.0   No
  Panda Internet Security 2014                No
  AVG Internet Security 2014                  No
  BitDefender Internet Security 2014          No
  Avast Internet Security 2014                No
  TotalDefense Internet Security              No

Problem (cont.)
  • Most malware infect victims through networks: worms, adware, Trojan horses, spam, botnets, etc.
  • Why? Is it hard to scan network traffic? How hard is it?
  • Drop security for performance? How much performance degradation is there when scanning network traffic?
  • Still speculation! The exact reason is NOT known.

Solution
  • Very simple: it is a MUST to scan network traffic.
  • How? Hmmmm, needs more thinking.

Threat Model

Basic Idea
  • Simply, we need a way to tell the AV to scan network data.
  • Discrete packets (IP level): an ineffective scanner; malware spans different packets, and packets arrive out of order.
  • Higher level (TCP): builds a state machine, maintains order, separates connections, and separates inbound from outbound traffic.

Packet Capturing (pcap)
  • Kernel modules passively capture network traffic and pass it to user-space processes through a well-defined Application Programming Interface (API).
  • Examples: tcpdump and Wireshark.
  • Use such libraries to build a state machine for TCP connections.

ClamAV
  • The most popular open-source AV: www.clamav.net
  • Allows agents to make use of it programmatically: link to the ClamAV shared library.
  • The ClamAV daemon, along with the database of virus signatures, is loaded once and shared with the user agents.
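The Basic Idea and pcap slides argue that a packet-level scanner misses a signature split across out-of-order segments while a TCP state machine that orders segments and separates flows catches it. The Python sketch below, added here and not part of the presentation, demonstrates that with constructed segments and a placeholder signature standing in for the ClamAV database.

```python
from collections import defaultdict

# Constructed placeholder signature; not a real ClamAV signature.
SIGNATURE = b"MALWARE-SIGNATURE-EXAMPLE"

# Constructed TCP segments: the signature is split over three out-of-order
# segments of one HTTP response (one of them retransmitted), plus an
# unrelated flow with a sequence gap (a segment not yet seen).
SEGMENTS = [
    dict(src="10.0.0.5", sport=40000, dst="203.0.113.7", dport=80,
         seq=500, payload=b"GET /file HTTP/1.1\r\n\r\n"),
    dict(src="203.0.113.7", sport=80, dst="10.0.0.5", dport=40000,
         seq=1034, payload=b"RE-EXAMPLE\r\n"),
    dict(src="203.0.113.7", sport=80, dst="10.0.0.5", dport=40000,
         seq=1000, payload=b"HTTP/1.1 200 OK\r\n\r\nMALWAR"),
    dict(src="203.0.113.7", sport=80, dst="10.0.0.5", dport=40000,
         seq=1025, payload=b"E-SIGNATU"),
    dict(src="203.0.113.7", sport=80, dst="10.0.0.5", dport=40000,
         seq=1025, payload=b"E-SIGNATU"),            # retransmission
    dict(src="10.0.0.9", sport=40001, dst="203.0.113.7", dport=80,
         seq=1, payload=b"hello "),
    dict(src="10.0.0.9", sport=40001, dst="203.0.113.7", dport=80,
         seq=100, payload=b"world"),                  # gap: 7..99 missing
]

def scan_packets(segments, signature=SIGNATURE):
    """IP/packet-level scanner: each payload is inspected in isolation."""
    return [i for i, s in enumerate(segments) if signature in s["payload"]]

def reassemble(segments):
    """Rebuild each direction of each TCP connection as one byte stream."""
    # Keying on (src, sport, dst, dport) separates connections and keeps
    # inbound and outbound directions apart.
    flows = defaultdict(dict)
    for s in segments:
        flows[(s["src"], s["sport"], s["dst"], s["dport"])][s["seq"]] = s["payload"]
    streams = {}
    for key, chunks in flows.items():
        data, expected = b"", min(chunks)          # duplicates collapse in dict
        for seq in sorted(chunks):                 # restore sequence order
            if seq != expected:                    # hole: hold back later bytes
                break
            data += chunks[seq]
            expected = seq + len(chunks[seq])
        streams[key] = data
    return streams

def scan_streams(streams, signature=SIGNATURE):
    """TCP-level scanner: inspects the reassembled stream of each flow."""
    return [key for key, data in streams.items() if signature in data]
```

In a real deployment the signature match would be replaced by handing each reassembled stream (or its files) to the ClamAV library or daemon.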

System Architecture

Conclusion and Future Work
  • Antivirus software MUST scan network traffic.
  • The proposed system will be implemented.
  • The performance impact should be studied.

Acknowledgements
  • Jordan University of Science and Technology for the financial support.

Thanks
