Application-Level Reconnaissance: Timing Channel Attacks ...

Towards Extending the Antivirus Capability to Scan Network Traffic
Mohammed I. Al-Saleh, Jordan University of Science and Technology

Outline
  • Problem and Background
  • Threat Model
  • System Architecture
  • Conclusions and Future Work

Antivirus
  • Virus signatures

Antivirus (cont.)
  • On-access scanner: scans on file system operations (open, read, write, close, etc.)
  • On-demand scanner: scans on user request

Problem in Scanning Network Traffic
Al-Saleh et al., Investigating the detection capabilities of antiviruses under concurrent attacks. IET IFS Journal, 2014.

  Antivirus                                    Detect?
  Kaspersky Anti-Virus 6.0                     No
  Symantec Endpoint Protection 11.0            No
  Sophos Endpoint Security and Control 10.0    No
  Panda Internet Security 2014                 No
  AVG Internet Security 2014                   No
  BitDefender Internet Security 2014           No
  Avast Internet Security 2014                 No
  TotalDefense Internet Security               No

Problem (cont.)
Most malware infects victims through the network:
  • Worm
  • Adware
  • Trojan horse
  • Spam
  • Botnet
  • Etc.

Why?
  • Is it hard to scan network traffic? How hard is it?
  • Drop security for performance? How much performance degradation when scanning network traffic?
  • Still speculation! The exact reason is NOT known.

Solution
  • Very simple: it is a MUST to scan network traffic.
  • How? Hmmmm, needs more thinking.

Threat Model

Basic Idea
Simply, we need a way to tell the AV to scan network data.
  • Discrete packets (IP level): an ineffective scanner, because malware spans different packets and packets arrive out of order.
  • Higher level (TCP): builds a state machine; maintains order; separates connections; separates inbound from outbound traffic.

Packet Capturing (pcap)
  • Kernel modules passively capture network traffic and pass it to user-space processes through a well-defined Application Programming Interface (API).
  • Examples: tcpdump and Wireshark.
  • Use such libraries to build a state machine for TCP connections.

ClamAV
  • The most popular open-source AV: www.clamav.net
  • Allows agents to make use of it programmatically: link to the ClamAV shared library.
  • The ClamAV daemon, along with the database of virus signatures, is loaded once and shared with the user agents.
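The contrast the slides draw between scanning discrete packets and scanning a reassembled TCP stream, as an added example that is not part of the presentation or of ClamAV. It stands in for the pcap capture and the ClamAV engine with a hand-built list of segments and a constructed signature string (both assumptions, labelled in the code), and shows that a signature split across segments, delivered out of order and with a retransmission, is invisible per packet but is found once payloads are spliced per connection and per direction:

```python
"""
Per-packet versus reassembled-stream signature scanning (added example).

Assumptions: the signature, the addresses and the capture below are all
constructed for this example; a real deployment would obtain segments from
libpcap and hand the reassembled stream to an engine such as libclamav.
"""
from dataclasses import dataclass

# Constructed test signature; stands in for a real AV signature database.
SIGNATURES = {"test-sig": b"EVIL-SIGNATURE-0001"}


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a capture library would deliver it."""
    src: tuple      # (ip, port) of the sender
    dst: tuple      # (ip, port) of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature found in `data`."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_per_packet(segments) -> list:
    """IP-level scanner: each segment is inspected in isolation."""
    hits = set()
    for seg in segments:
        hits.update(scan_bytes(seg.payload))
    return sorted(hits)


def reassemble(segments) -> dict:
    """Group segments by (src, dst) so each connection direction gets its own
    stream, order them by sequence number and splice the payloads, skipping
    retransmitted (overlapping) bytes and stopping at a gap. Returns
    {(src, dst): (stream_bytes, gap_seen)}."""
    flows = {}
    for seg in segments:
        flows.setdefault((seg.src, seg.dst), []).append(seg)
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s.seq)
        data = bytearray()
        next_seq = segs[0].seq
        gap = False
        for s in segs:
            if s.seq > next_seq:
                gap = True          # a segment is missing; do not scan across the hole
                break
            offset = next_seq - s.seq   # bytes already delivered (retransmission overlap)
            if offset < len(s.payload):
                data += s.payload[offset:]
                next_seq = s.seq + len(s.payload)
        streams[key] = (bytes(data), gap)
    return streams


def scan_reassembled(segments) -> dict:
    """TCP-level scanner: signatures are matched against each spliced stream."""
    hits = {}
    for key, (data, _gap) in reassemble(segments).items():
        found = scan_bytes(data)
        if found:
            hits[key] = found
    return hits


# Constructed capture: one HTTP exchange whose response carries the signature.
CLIENT = ("10.0.0.5", 40000)          # constructed client address
SERVER = ("203.0.113.10", 80)         # constructed server address (documentation range)
ISN = 1000                            # constructed initial sequence number
SERVER_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n" + SIGNATURES["test-sig"] + b"\r\n"


def split(payload, cuts, isn, src, dst):
    """Cut `payload` at the given offsets into consecutive segments."""
    segs, start = [], 0
    for end in list(cuts) + [len(payload)]:
        segs.append(Segment(src, dst, isn + start, payload[start:end]))
        start = end
    return segs


# The 19-byte signature starts at offset 19, so cuts at 24 and 32 leave
# 5, 8 and 6 signature bytes in three different segments.
_resp = split(SERVER_RESPONSE, [24, 32], ISN, SERVER, CLIENT)
CAPTURE = [
    Segment(CLIENT, SERVER, 5000, b"GET /update.bin HTTP/1.1\r\nHost: example\r\n\r\n"),
    _resp[0],
    _resp[2],     # last response segment arrives before the middle one
    _resp[1],
    _resp[0],     # retransmission of the first response segment
]

if __name__ == "__main__":
    print("per-packet hits:", scan_per_packet(CAPTURE))      # []
    print("reassembled hits:", scan_reassembled(CAPTURE))    # server->client stream flagged
```

Scanning runs only over the server-to-client direction that actually carries the match, which is what keying streams by (src, dst) buys: inbound and outbound data never mix, and a match can be attributed to the connection and direction it came from. The `gap` flag is the practical caveat: when capture drops a segment, the scanner should know that the stream it saw is incomplete rather than report it clean.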

System Architecture

Conclusion and Future Work
  • Antivirus software MUST scan network traffic.
  • The proposed system will be implemented.
  • The performance impact should be studied.

Acknowledgements
Jordan University of Science and Technology for the financial support.

Thanks
