
Virus Detection Mechanisms



Presentation Transcript


  1. Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik

  2. Project details
  • Project Guide: Dr. V.Ch.Venkaiah
  • Description:
    • Study various detection mechanisms
    • Implement the mechanisms

  3. Some important terms
  • Backdoors/Trapdoors allow unauthorized access to the system.
  • Logic bombs are programmed threats that lie dormant for an extended period of time until they are triggered.

  4. Some important terms (Cont…)
  • A Virus is a piece of code that inserts itself into a host [program] to propagate. The virus is executed along with the original program.
  • Boot sector viruses insert themselves into the boot sector area and are activated when the system boots.

  5. Some important terms (Cont…)
  • Multi-partite Viruses are viruses that can use multiple means of infection, such as MBR, boot sector and parasitic infection.
  • Trojan horses are programs that appear to have one function but actually perform another function.

  6. Some important terms (Cont…)
  • A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.

  7. Some important terms (Cont…)
  • Payload refers to what the virus does (besides propagation) once executed.
    • Do nothing
    • Playing with your data
    • Malicious damage

  8. Detection of Internet Worms
  • Traffic Analysis
    • Growth in traffic volume
    • Rise in number of scans and sweeps
    • Change in traffic patterns for some hosts
    • Predicting scans by analyzing the scan engine of the worm

  9. Detection of Internet Worms
  • Honeypots
    • Set up a seemingly vulnerable host on the network and log all the filesystem and network activity using low-level tools.
    • This gives a picture of what happens when a worm strikes a real host, along with network signatures and binaries, which can be used to develop attack signatures.

  10. Detection of Internet Worms
  • Worms don’t usually monitor DNS entries for new hosts. They simply scan.
  • Black hole monitoring
    • Monitor the locally unused subnets within our address space.
    • Monitor the globally unused address space (dark IP space) and watch for any use of it.
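As an added example (not part of the presentation), the traffic-analysis and black-hole checks from slides 8 and 10 run over a few constructed connection-log lines: a source that reaches many distinct hosts on one port is reported as a sweep, and any connection into a subnet assumed to be allocated but unused is counted as a black-hole hit. The log format, the 10.0.9.0/24 dark subnet and the threshold are all assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of connection-attempt log lines (not real traffic).
SAMPLE_LOG = """\
src=10.0.1.20 dst=10.0.1.25 dport=80
src=10.0.1.20 dst=10.0.1.26 dport=443
src=10.0.1.77 dst=10.0.2.1 dport=445
src=10.0.1.77 dst=10.0.2.2 dport=445
src=10.0.1.77 dst=10.0.2.3 dport=445
src=10.0.1.77 dst=10.0.9.4 dport=445
src=10.0.1.77 dst=10.0.9.5 dport=445
src=10.0.1.77 dst=10.0.9.6 dport=445
src=10.0.1.30 dst=10.0.1.25 dport=80
"""

# Assumed: 10.0.9.0/24 belongs to us but has no hosts, i.e. a local "black hole"
# (slide 10). Legitimate clients have no reason to connect into it.
DARK_SUBNETS = [ipaddress.ip_network("10.0.9.0/24")]
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse(log):
    """Yield (src, dst, dport) tuples from the assumed log format."""
    for m in LINE_RE.finditer(log):
        yield m.group(1), m.group(2), int(m.group(3))


def analyze(log, dark_subnets=DARK_SUBNETS, sweep_threshold=5):
    """Return (sweeps, dark_hits):
    sweeps    -> {src: (dport, distinct_targets)} for sources whose distinct
                 destination count on one port reaches sweep_threshold (slide 8)
    dark_hits -> {src: count} of connections into unused address space (slide 10)
    """
    targets = defaultdict(set)      # (src, dport) -> set of distinct dst
    dark_hits = defaultdict(int)    # src -> connections into dark space
    for src, dst, dport in parse(log):
        targets[(src, dport)].add(dst)
        if any(ipaddress.ip_address(dst) in net for net in dark_subnets):
            dark_hits[src] += 1
    sweeps = {src: (dport, len(dsts))
              for (src, dport), dsts in targets.items()
              if len(dsts) >= sweep_threshold}
    return sweeps, dict(dark_hits)
```

On the constructed log the host 10.0.1.77 is reported both ways: six distinct targets on port 445 and three connections into the unused subnet, while the two ordinary clients trigger nothing.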

  11. Detection of Internet Worms
  • Signature-Based Detection
    • Network signatures
    • Log signatures from nonvulnerable servers
    • Filesystem signatures (used by any typical antivirus software)

  12. Defenses against worms
  • Host based
    • Personal firewalls, antivirus software, privilege control
  • Firewall and Network Defenses
    • Stop existing worms
    • Implement inbound and outbound rules
    • Reactive IDS

  13. Defenses against worms
  • Proxy-Based Defenses (application level)
    • Authentication
    • Mail-server proxies (can scan the emails)
    • Web-based proxies (content screening)

  14. Attacking the Worm Network
  • Shutdown messages (stop the worm processes or halt the host)
  • “I am already infected”
  • Poison updates
  • These methods can be unprofessional if our counter-attack gets out of our control.

  15. Virus Scanners
  • Compare code to a database of known malicious code
    • Just matching strings in the code
    • Reasonably useful in days of floppies
  • Identify viruses by their “signatures.”
    • Search for these patterns in executable files.
  • Watch for changes in files
    • Size, time of modification, etc.
  • Monitor system for malicious actions

  16. Virus Scanners Internals (diagram; labels: Read/Write request/reply, Disk driver, Hardware)

  17. Virus Scanners Internals
  • The file system filter scans a file whenever it is accessed.
  • If the file is infected, it returns the original file after cleaning it.
  • If it cannot be cleaned, it returns a failure message and performs an appropriate action such as quarantining or deleting the infected file.

  18. Monitoring using compression enabled filesystem
  • The virus can hide itself in other files by prepending itself to other executables.
  • But this way there will be a change in the file size, which can be easily recognized.

  19. Monitoring using compression enabled filesystem
  • To avoid detection, a virus compresses the original file and then prepends itself to it.
  • Since the compression reduces the file by the size of the virus, there is no apparent change in file size.
  • When executed, the virus code decompresses the original code and then executes it.

  20. Monitoring using compression enabled filesystem (diagram: file sizes before compression by the file system; labels: Original file; Compress file by the size of virus code; virus + Original file compressed by the virus)

  21. Monitoring using compression enabled filesystem (diagram comparing file sizes before and after compression by the file system; labels: Original file; virus + Original file compressed by the virus; Compression by filesystem; Compression by virus; File sizes on the disc after compressed by the file system)

  22. Monitoring using compression enabled filesystem
  • In a compression enabled filesystem the logical file size differs from the size on disk, which is compressed.
  • When a virus hides itself in another file by compressing it and prepending the virus code, the size on disk may differ once the filesystem compresses the file again, because the already-compressed content no longer shrinks.
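Added example, not from the presentation, of the check slides 18 to 22 describe: a baseline records each file's logical size and its size on a compression-enabled filesystem (modelled here with zlib); a naive prepend is caught by the size change, and the compress-and-prepend trick, modelled only as an inert byte layout with a constructed stub, is caught because its content no longer shrinks on disk. The host bytes, the stub and the tolerance are assumptions of this example.

```python
import random
import zlib

# Constructed host "program": compressible bytes standing in for an executable.
HOST = b"mov eax, 1; int 0x80; " * 800          # 17600 bytes logical size
# Constructed inert marker standing in for the virus body (not executable code).
STUB = b"[stub]" * 16


def disk_size(data: bytes) -> int:
    """Size the file would occupy on a compression-enabled filesystem (zlib model)."""
    return len(zlib.compress(data, 6))


def hide_by_compression(host: bytes, stub: bytes) -> bytes:
    """Byte-layout model of slides 19 and 20 (used only to exercise the check):
    compress the host, prepend the stub, and fill the remaining room with
    incompressible filler so the logical size is exactly unchanged."""
    packed = zlib.compress(host, 9)
    room = len(host) - len(packed) - len(stub)
    if room < 0:
        raise ValueError("host does not compress enough to hide the stub")
    filler = random.Random(0).randbytes(room)   # deterministic, incompressible
    return stub + packed + filler


def baseline(data: bytes) -> dict:
    """Record what the monitor knows about a clean file."""
    return {"logical": len(data), "disk": disk_size(data)}


def check(data: bytes, base: dict, tolerance: float = 0.25) -> str:
    """Verdict for a file against its baseline:
    'size-changed'  -> logical size differs (the naive prepend of slide 18)
    'ratio-changed' -> same logical size, but the on-disk compression ratio
                       moved by more than `tolerance` (slide 22)
    'ok'            -> nothing changed"""
    if len(data) != base["logical"]:
        return "size-changed"
    ratio_then = base["disk"] / base["logical"]
    ratio_now = disk_size(data) / len(data)
    if abs(ratio_now - ratio_then) > tolerance:
        return "ratio-changed"
    return "ok"
```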
