Virus
¨ Infects or Corrupts Files ¨ Hidden in Code ¨ Can be Metamorphic ¨ Can’t Surivive Itself ¨ Propagates by sharing files ¨ Propagates by affecting open
network shares
Trojan
¨ Appears as a useful file - “waterfalls.scr”
¨ Undesired Functionality ¨ Executes malicious code along
with the useful code ¨ Unable to identify by a naïve
user
Worm
¨ A malicious program ¨ Self Replicating ¨ Doesn’t need a host program ¨ Harms network
- Consumes Local Resources - Consumes Bandwidth
Limitations of Existing Virus Detection Methods
¨ They detect viruses based on signature recognition
¨ Based on physical characteristics of the virus
¨ Effectiveness decreases w.r.t. no. of viruses
¨ Takes time to release the signature of a new virus ¨ Need for a new solution:
Machine Speed vs. Human Speed
Virus Throttle – What is it ?
¨ Car Throttle – Reduce Speed
¨ Virus Throttle is based on the behavior of malicious code
¨ Malicious Code make many connections to new computers
¨ SQL Slammer - >800 Connections per Second
¨ Rate Limit on Connections to New Computers
Virus Throttle – How It Works ?
Example Worm – W32/Nimda-D
¨ Tests carried out at HP Labs using the W32/Nimda-D worm and several other test worms
¨ W32/Nimda-D - It is a mass-mailing worm - It affects both local files and network shares - Creates 120+ connections per second
¨ Test Worms had different frequencies of connections
¨ The virus spreads rapidly
¨ Need for signature update
¨ Without signature update - Temporary Solution - Suspend the network - Financial / Productivity Loss
¨ After signature update - Each computer has to be disinfected - Takes days to complete
Detection of W32/Nimda-D Worm using the traditional approach
Detection of W32/Nimda-D Worm using the Virus Throttle
¨ Throttle detects the process ¨ Throttle cuts the extra connections ¨ Thus no or less number of PCs are affected.
Advantages of Virus Throttle
¨ Works without knowing anything about the virus
¨ Protection only slows down the network traffic ¤ Thus false negatives don’t have much effect
¨ Gives IT staff time to react
¨ Effects of deploying the Virus Throttle widely ¤ Difficult for viruses to spread at all
Results
connections per second
stopping time
allowed connections
Nimda 120 0.25s 1
Test Worm 20 5.44s 5 40 2.34s 2 60 1.37s 1 80 1.04s 1 100 0.91s 1 150 0.21s 0 200 0.02s 0
SQL Slammer 850 0.02s 0
Virus Detection on PC based on Virus Throttle Technology
¨ Traditional Virus Scanners scan all the files
¨ Consume much of the processing resource
¨ The new technique filters the files that have to be scanned.
Components of the new technique for Virus Detection ¨ A gateway – Defined as THROTWALL
¨ A Traditional Virus Scanner
THROTWALL
¨ THROTWALL is similar to firewall for networks and works on the basis of Virus Throttle.
¨ Monitors running processes for suspicious activity
¨ Protects the super resources
¨ When process requests
Thank You…
¨ Read the research whitepaper here: Slideshare.net
¨ Like this presentation? Share it...
¨ Questions? Tweet me @ahmedmzl
¨ This presentation was presented at the following conferences: ¤ The IET-UK Present Around the World – India Finals ¤ National Conference on Communication and Informatics
