V. A. Memos and K. E. Psannis*


1 A New Methodology based on Cloud Computing for Efficient Virus Detection
V. A. Memos and K. E. Psannis*
Department of Technology Management, * Department of Applied Informatics, University of Macedonia, Greece
CISSE Online e-Conference (TeNe), December 12-14, 2013

2 Research Purposes
Understanding the way that antivirus programs work
Understanding the weaknesses of the current antivirus techniques for data protection
Proposing a new security model which can offer better security and more efficient virus detection

3 Problem Definition
Thousands of new malware samples are discovered daily and spread on the internet
Virus programmers use many advanced techniques, such as code mutation and encryption methods (e.g. crypters), to make their viruses undetectable, so they are usually one step ahead of the antivirus programs
Antivirus software uses various static and dynamic techniques to detect malware
The most basic technique they use is “signature scanning”, which is considered outdated
In addition, some of the newer techniques, such as heuristic detection methods, have many weaknesses

4 Virus signature method
Signatures are byte sequences (strings) which are part of the virus code
Each antivirus product chooses and uses a specific part of the byte sequence of a virus's code to identify it
E.g. 55 8B EC 6A FF B
This signature-based detection model has many advantages, but inevitably it has many weaknesses too

5 Advantages:
Scan speed (lots of files are analyzed per second)
Uses less memory and fewer system resources
Disadvantages:
The signature is unlikely to be unique (there is such a large number of files that it is almost impossible for the sequence not to exist in other, non-malicious files too)
False positive problems
It is easy for specialists to change it
The virus database needs to be constantly updated
This method is unable to detect polymorphic viruses (whose code is self-replicating and self-concealing) or new, unknown malware
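To make the point of slides 4 and 5 concrete, here is an added example (not part of the presentation and not code by its authors) of a minimal byte-signature scanner run over constructed in-memory buffers. The signature names, the hex strings and the buffers are invented for the illustration; the one real-world fact used is that the six bytes 55 8B EC 6A FF 68 are the standard function prologue that Microsoft's compiler emits for functions with exception handling, which is why a signature that short would match countless benign programs. The three scans show a hit on the constructed sample, a false positive on a benign buffer, and a miss after a single byte is changed, the same weakness that slide 25 shows against a real scanner.

```python
# Added example: minimal byte-signature scanner over constructed buffers.
# Nothing here is real malware; the signatures and "files" are invented.

SIGNATURE_DB = {
    # Constructed signature: the common MSVC prologue
    # (55 push ebp; 8B EC mov ebp,esp; 6A FF push -1; 68 push imm32)
    # followed by invented bytes, as an antivirus might pick from a sample.
    "TR/Example.constructed": "55 8B EC 6A FF 68 11 22 33 44 E8 00 00 00 00",
    # Constructed signature that is deliberately too short: the bare prologue,
    # which appears in huge numbers of legitimate Windows programs.
    "TR/Example.tooShort": "55 8B EC 6A FF 68",
}


def parse_signature(hex_string):
    """Turn a space-separated hex string such as '55 8B EC' into bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))


def scan(data, db=SIGNATURE_DB):
    """Return {signature_name: offset} for every signature found in data.

    This is all a pure signature scanner does: a substring search for each
    byte sequence in its database.
    """
    hits = {}
    for name, hex_sig in db.items():
        offset = data.find(parse_signature(hex_sig))
        if offset != -1:
            hits[name] = offset
    return hits


def with_byte_changed(data, offset, new_value):
    """Copy data with one byte replaced (the kind of edit slide 25 describes)."""
    out = bytearray(data)
    out[offset] = new_value
    return bytes(out)


# Constructed "infected" buffer: padding, the full constructed signature, padding.
INFECTED = (b"\x00" * 64
            + parse_signature(SIGNATURE_DB["TR/Example.constructed"])
            + b"\x90" * 64)

# Constructed "benign" buffer: a harmless program whose first function simply
# starts with the same compiler-generated prologue (different immediate).
BENIGN = (b"MZ" + b"\x00" * 30
          + parse_signature("55 8B EC 6A FF 68 AA BB CC DD")
          + b"\xC3" * 16)


def demo():
    """Run the three scans and return their results keyed by case."""
    return {
        "infected": scan(INFECTED),
        "benign": scan(BENIGN),
        # Change the first signature byte 0x55 ('U') to 0x75 ('u'), as slide 25 does.
        "infected_one_byte_changed": scan(with_byte_changed(INFECTED, 64, 0x75)),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:28s} -> {hits or 'clean'}")
```

The benign buffer is flagged by the short signature purely because it shares a compiler prologue, which is the "signature is unlikely to be unique" disadvantage; the long signature avoids that false positive but is defeated by a one-byte edit, which is the "easy to change" disadvantage.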

6 Other detection methods (such as “heuristics”)
They are used in addition by many antivirus programs
They are based on looking for suspicious instruction sequences that may indicate the presence of malware
Better detection capabilities
However, they produce a lot of false positives when they are tuned for maximum detection rate
In addition, such behavior detection methods take up many system resources, so they slow down the computer’s operation and overload networks

7 Experiments
A. Finding virus signature
B. The problem of false positives
C. Virus concealment

8 A. Finding virus signature
Tools we use:
“s” file, 238KB in size, which looks like a picture but is an executable malicious file (trojan horse) that is transmitted via social networks
Avira antivirus (as on-demand scanner)
DSplit file splitter
Windows command line
HxD hex editor

9 dsplit.exe 0 max s.exe

10 The above command creates 25 new smaller files so that each file is 10KB larger than its previous one and 10KB smaller than its next one

11 Scan with Avira Antivirus
Virus signature TR/Offend.kdv in the last 16 files

12 Virus signature TR/Offend.kdv
Virus signature TR/Offend.kdv is found in the last 16 files, from the 100KB file to the final one
This actually means that some of the bytes added to the 90KB file make the 100KB one detected as malware
So, we delete all the created files except these two and continue with the next proper command

13 dsplit.exe s.exe creates new files between 90KB and 100KB ones so that each of them is bytes larger than its previous one and bytes smaller than its next one

14 By scanning these files again with Avira antivirus, we observe that 9 of the 11 files are detected as a trojan horse, from the 92KB file onwards
This means that there is something in the 92KB file that is not in the previous 91KB one

15 The process is a routine: as before, we delete all the other files, keep these two files and type the proper command, which is now: dsplit.exe 91000 92000 100 s.exe. By repeating the above steps, the following commands will be needed too: dsplit.exe 10 s.exe and dsplit.exe s.exe

16 Thus, we end up with files that differ from each other by only 1 byte.

17 By scanning these files, we observe that only the 91050B file is detected as a trojan
So the 1B added to the 91049B file makes the next one (91050B) detected

18 Open both files and compare their code in the hex editor

19 The byte which is added and causes the trojan detection is hexadecimal 41, i.e. the character “A”
So we have just found the end of the string signature which Avira antivirus uses to identify this trojan horse
To find the start of the signature we need a clean (non-malicious) file. We use the taskmgr.exe system file
We open taskmgr.exe with HxD too and copy some of the last bytes from the 91050B file into it
Then we scan it with Avira antivirus
It is a routine again: we add bytes one by one from the detected file to this clean one, until we manage to make this clean file detectable as a trojan too

20

21 Through repeated tests we find that Avira uses a 123-byte signature to detect the s.exe file as “TR/Offend.kdv.49932”, which consists of the following: 55 8B EC 6A FF B A EC E8 33 DB 89 5D FC 6A 02 FF D C FF 83 0D C FF FF B 0D C FF B 0D BC A1 5C B 00 A3 CC E D C 68 AC 64 41

22

23 B. The problem of false positives
The 123 bytes added to the original code of taskmgr.exe are nothing more than dead code: they neither affect the operation of the task manager nor make it malicious.

24 VirusTotal site: only Avira flags this file as malware…

25 C. Virus Concealment
By changing an alphabetic character in the malicious s.exe file, such as “U” to “u” (55 to 75 in hexadecimal), the signature changes, but the file’s destructive function does not

26

27 However, Avira antivirus is unable to detect the malware!

28 Proposed Approach
Hybrid security model which merges:
System-Changes based signatures (new proposed technique for creating virus signatures)
Sandboxing method
Cloud technology

29 System-Changes based signatures
This new method will not be based on specific byte sequences but on specific sequences of system changes
A malicious file will be identified by the sequence of changes it tries to cause on the computer system
Each malicious behavior will have its own different and unique signature

30 Sandboxing Method
Isolated environment which provides an additional level of protection
All files run first inside the sandbox, until the antivirus program verifies their function (malicious or not?)
If the user runs a file that is malicious, the changes it causes to the system will not be permanent
In this case, the installed antivirus program blocks the malicious process of the file and the system is reset to its previous state

31 Cloud Technology
Architecture based on communication between servers that are somewhere on the internet (the “cloud”) and computers that are connected to this “cloud”
The connected computers have a small program installed, in our case the antivirus program, which is used as a client
Most of the program’s processing takes place on the connected server, through the web service that is running in the cloud
So the computer does not need to process and store large amounts of data, in our case virus signatures
Low memory and system resource consumption, without overloading the computer even if it does not meet the minimum requirements that most current computers have
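As an added example (not code from the presentation or its authors), the following sketch models the three pieces of the proposed approach from slides 29 to 31 together: a terminal runs a file inside a sandbox that records every system change in an overlay, a cloud sub-server holds the system-change signature database and matches the recorded sequence, and the terminal commits the overlay to the real system only on a clean verdict, otherwise it discards it, which is the reset to the previous state described on slide 30. The event names, the targets, the behaviour signature and the change lists of the two constructed files are all invented for the illustration; a real implementation would collect these events from the operating system.

```python
from fnmatch import fnmatch

# Added example: system-change signatures, a recording sandbox and a cloud
# sub-server that does the matching. All event names, targets and the
# change lists of the two "files" are constructed for illustration.

# A system-change signature is an ordered list of (action, target-pattern).
# It says nothing about the file's bytes, only about what the file tries to do.
BEHAVIOUR_DB = {
    "Behaviour/Dropper.constructed": [
        ("write_file", "C:/Users/*/AppData/*.exe"),
        ("set_registry", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/*"),
        ("connect", "*"),
    ],
}


def matches_in_order(observed, pattern):
    """True if the pattern occurs as an ordered subsequence of the observed changes.

    Unrelated changes in between are allowed; each pattern step must be met
    by a later observation than the previous step.
    """
    step = 0
    for action, target in observed:
        if step < len(pattern):
            want_action, want_target = pattern[step]
            if action == want_action and fnmatch(target, want_target):
                step += 1
    return step == len(pattern)


class CloudSubServer:
    """Holds the signature database; terminals only send it a change log."""

    def __init__(self, db=BEHAVIOUR_DB):
        self.db = db

    def check(self, change_log):
        return [name for name, pattern in self.db.items()
                if matches_in_order(change_log, pattern)]


class Sandbox:
    """Records what a file does; the real system is untouched until commit()."""

    def __init__(self, system):
        self.system = system      # the real state: {path_or_key: value}
        self.overlay = {}         # changes staged inside the sandbox
        self.change_log = []      # ordered (action, target) sequence

    def apply(self, action, target, value=None):
        self.change_log.append((action, target))
        if action in ("write_file", "set_registry"):
            self.overlay[target] = value
        elif action == "delete_file":
            self.overlay[target] = None

    def commit(self, server):
        """Ask the cloud for a verdict; keep the changes only if it is clean."""
        hits = server.check(self.change_log)
        if hits:
            self.overlay.clear()          # block: the system stays as it was
            return False, hits
        for target, value in self.overlay.items():
            if value is None:
                self.system.pop(target, None)
            else:
                self.system[target] = value
        return True, []


def run_file(system, changes, server=None):
    """Run one file's change list in a fresh sandbox against the given system."""
    server = server or CloudSubServer()
    box = Sandbox(system)
    for change in changes:
        box.apply(*change)
    return box.commit(server)


# Constructed change list of a harmless installer.
INSTALLER_CHANGES = [
    ("write_file", "C:/Program Files/App/app.exe", b"constructed bytes"),
    ("write_file", "C:/Program Files/App/readme.txt", b"hello"),
]

# Constructed change list of a dropper. The bytes of the file are irrelevant:
# a one-byte edit of the executable would leave this sequence unchanged.
DROPPER_CHANGES = [
    ("write_file", "C:/Users/alice/AppData/svc.exe", b"constructed bytes"),
    ("delete_file", "C:/Users/alice/Desktop/photo.jpg"),
    ("set_registry", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/svc", "svc.exe"),
    ("connect", "203.0.113.7:8080"),
]


if __name__ == "__main__":
    for label, changes in (("installer", INSTALLER_CHANGES), ("dropper", DROPPER_CHANGES)):
        real_system = {"C:/Users/alice/Desktop/photo.jpg": b"jpeg"}
        allowed, hits = run_file(real_system, changes)
        print(f"{label}: {'allowed' if allowed else 'blocked'} {hits} -> {sorted(real_system)}")
```

The installer's changes reach the real system because no behaviour signature matches its log; the dropper's file write, run-key entry and outbound connection match the constructed signature in order, so its overlay (including the deletion of the user's photo) is thrown away and the terminal only ever held the log, not the signature database.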

32 Proposed Model
m cloud virtual sub-servers that constitute the Home Cloud Server
n terminals connected to the m cloud virtual sub-servers
i sandboxes contained in the n terminals
k files that are inserted into the n terminals
l virus signatures that are collected and contained in the Home Cloud Server’s Virus Database
l virus signatures that are transmitted from the Home Cloud Server’s Virus Database to the m cloud virtual sub-servers’ Virus Databases
where: i=1,2,.., n=1,2,.., m=1,2,.., k=1,2,.., l=1,2,.., i=n.

33 Model Architecture

34 Conclusions – Future Work
The current virus detection methods present many security problems
Our proposed model merges System-Changes-based Virus Signatures, Cloud Computing and Sandboxing technologies and can offer maximally efficient protection against known and unknown internet threats
Future work will include a deep study and analysis of the capability to adapt to the newly proposed security model

35 Questions?
V. A. Memos and K. E. Psannis*
University of Macedonia, Greece

