
Towards Extending the Antivirus Capability to Scan Network Traffic

Mohammed I. Al-Saleh

Jordan University of Science and Technology

Outline

• Problem and Background
• Threat Model
• System Architecture
• Conclusions and Future work

Antivirus

Virus Signatures

Antivirus (cont.)

• On-access Scanner
  – Scan on file system operations
  – Open, read, write, close, etc.

• On-demand
  – Scan on user request

Problem in Scanning Network Traffic

• Al-Saleh et al., “Investigating the detection capabilities of antiviruses under concurrent attacks”. IET IFS Journal, 2014.

Antivirus                                   Detect?
Kaspersky Anti-Virus 6.0                    No
Symantec Endpoint Protection 11.0           No
Sophos Endpoint Security and Control 10.0   No
Panda Internet Security 2014                No
AVG Internet Security 2014                  No
BitDefender Internet Security 2014          No
Avast Internet Security 2014                No
TotalDefense Internet Security              No

Problem (cont.)

• Most malware infects victims through networks
  – Worm
  – Adware
  – Trojan Horse
  – Spam
  – Botnet
  – Etc.

Why?

• Is it hard to scan network traffic?
  – How hard is it?

• Drop security for performance?
  – How much performance degradation when scanning network traffic?

• Still speculation!
  – Exact reason is NOT known

Solution

• Very simple
  – It is a MUST to scan network traffic

• How?
  – Hmmmm, needs more thinking…

Threat Model

Basic Idea

• Simply, we need a way to tell the AV to scan network data.
  – Discrete packets (IP level)
    • Ineffective scanner:
      – Malware spans different packets
      – Out of order
  – Higher level (TCP)
    • Builds state machine
    • Maintains order
    • Separates connections
    • Separates inbound from outbound traffic

Packet Capturing (pcap)

• Kernel modules
  – Passively capture network traffic and pass it to user space processes through a well-defined Application Programming Interface (API)

• Examples: Tcpdump and Wireshark

• Use such libraries to build a state machine for TCP connections

ClamAV

• The most popular open-source AV
  – www.clamav.net

• Allows agents to make use of it programmatically
  – Link to the ClamAV shared library
  – The ClamAV daemon, along with the database of virus signatures, is loaded once and shared with the user agents.

System Architecture

Conclusion and Future Work

• Antivirus software MUST scan network traffic

• The proposed system will be implemented

• Performance impact should be studied

Acknowledgements

• Jordan University of Science and Technology for the financial support

Thanks