Post on 23-Dec-2015
transcript
Towards Extending the Antivirus Capability to Scan Network Traffic
Mohammed I. Al-Saleh
Jordan University of Science and Technology
Antivirus (cont.)
• On-access Scanner– Scan on file system operations– Open, read, write, close, etc.
• On-demand– Scan on user request
Problem in Scanning Network Traffic
• Al-Saleh et al., “Investigating the detection capabilities of antiviruses under concurrent attacks”. IET IFS Journal, 2014.
Antivirus Detect?Kaspersky Anti-Virus 6.0 NoSymantec Endpoint Protection 11.0 No
Sophos Endpoint Security, and Control 10.0 No
Panda Internet Security 2014 NoAvg Internet Security 2014 NoBitDefender Internet Security 2014 NoAvast Internet Security 2014 NoTotalDefense Internet Security No
Problem (cont.)
• Most malware infect victims through networks– Worm– Adware– Trojan Horse– Spam– Botnet– Etc.
Why?
• Is it hard to scan network traffic?– How hard is it?
• Drop security for performance?– How much performance degradation when
scanning network traffic?• Still speculation!– Exact reason is NOT known
Basic Idea
• Simply, we need a way to tell the AV to scan network data.– Discrete packets (IP level)
• ineffective scanner; – Malware spans different packets– Out of order
– Higher level (TCP)• Builds state machine• Maintains order• Separates connections• Separates inbound from outbound traffic
Packet Capturing (pcap)
• Kernel modules– passively capture network traffic and pass them to
user space processes through a well-defined Application Programming Interface (API)
• Examples: Tcpdump and Wireshark• Use such libraries to build a state machine for
TCP connections
ClamAV
• The most popular open-source AV– www.clamav.net
• Allows agents to make use of it programmatically– Link to the ClamAV shared library– ClamAV daemon along with the database of virus
signatures are loaded once and shared with the user agents.
Conclusion and Future Work
• Antivirus software MUST scan network traffic
• The proposed system will be implemented
• Performance impact should be studied