Virus Detection System

  1. Virus Detection System (VDS), seak@antiy.net
  2. Outline
     The virus trends of 2004
     Qualities of an IDS
     Mechanisms of a VDS
     Data processing
  3. 2004: ...7 new kinds of virus in 2004 (the leading digits of the count were lost in extraction)
     [Pie chart of new viruses in 2004 by category; labels and percentages are paired in extraction order: Other 10%, PE 2%, worm 11%, AD/Erotic pieces 3%, script virus 1%, hacker tools 6%, back door 20%, Trojan 45%, virus-writing generators 0%, UNIX tool 2%]
  4. Outline
     The virus trends of 2004
     Qualities of an IDS
     Mechanisms of a VDS
     Data processing
  5. How a traditional IDS works
     Meticulous protocol analysis
     Lightweight rule set: no more than 500 records in a rule set.
  6. Unitary software design
     Unitary design: when handling a complicated incident whose targets diverge widely, classify the events and unify one or more of the processing modules by means of an extensible data structure and data set.
     Where the divergence lies: in AV software, in the objects to be scanned; in an IDS, in the protocols.
  7. AVML and Snort
     The same "bo" backdoor signature, once as a single AVML virus record and twice as Snort rules, one per transport the file can arrive over:
     AVML:
         Echovirus(id="B00801";type="Backdoor";os="Win32";format="pe";name="bo";version="a";size="124928";Port_listen=on[31337];content=|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;delmark=1)
     Snort (the hex content is quoted here, as Snort's rule syntax requires):
         alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Backdoor.bo.a Upload"; content:"|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|";)
         alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Backdoor.bo.a Copy"; content:"|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|";)
  8. Redundant scans caused by divergence
     [Diagram: FTP transfer rules, NETBIOS rules and character (content) rules each hold their own copy of the same pattern, so one payload is scanned once per rule set]
  9. Rule set scaling pressure
     type          quantity
     Email worm      2807
     IM-worm          172
     P2P-worm        1007
     IRC-worm         715
     Other worm       675
     total           5376
     Besides worms, there are over 20,000 Trojans, backdoors, etc. which transfer over the network. The corresponding rule quantity may exceed 30,000 records.
  10. Outline
     The virus trends of 2004
     Qualities of an IDS
     Mechanisms of a VDS
     Data processing
  11. Algorithm optimization (1)
     [Chart: matching time in ms (0 to 5000) against record count (0 to 24,000 records); caption: the influence of record quantity on record matching time]
     When there are fewer than 6,000 rules it is not obvious that matching time increases linearly with record count. After about 10,000 records this changes: performance drops sharply until the system is simply unusable.
  12. Algorithm optimization (2)
     [Chart: duration in ms (0 to 6000) against record count (0 to 24,000); series: real rules against network data, Trojan check against network data, real rules against random data, random rules against network data; caption: scan methods' and data objects' influence on the speed]
     The scanning speed is also affected by the data being matched and by the quality of the patterns.
  13. Algorithm optimization (3)
     [Chart: speed in kb/s (0 to 1200) against record count (500 to 29,000), original versus improved; caption: influence on efficiency caused by limiting the approximation of the virus characteristics, i.e. restricting how loosely a signature is allowed to match]
  14. Key method of designing a VDS
     The Unitary Model focuses on matching speed and matching granularity; matching is of foremost importance.
     Network traffic data is classified into three types: data matched at the binary level, data needing pre-treatment, and data needing specific algorithms.
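The slides on AVML versus Snort, redundant per-protocol scans and rule-set scaling all turn on one design choice: match the reassembled payload once against the whole rule set instead of once per record and per protocol. The example below is added here to show that choice in working code; it is not Antiy's VDS code. Only the AVML record text is copied from slide 7; `parse_avml`, the `AhoCorasick` class, `naive_scan`, the second record, the filler patterns and the sample stream are constructed for this illustration.

```python
"""Multi-pattern signature matching: one automaton built from the whole rule
set and one pass over the reassembled data, versus one pass per record.

Added illustration for the AVML/Snort, redundant-scan and rule-set-scaling
slides; it is not Antiy's VDS code.  The AVML record text is copied from
slide 7; parse_avml, AhoCorasick, naive_scan, the second record and the
sample stream are constructed for this example.
"""
import re
from collections import deque

# Record copied from slide 7; content=|...| is the hex byte signature.
AVML_BO = ('Echovirus(id="B00801";type="Backdoor";os="Win32";format="pe";name="bo";'
           'version="a";size="124928";Port_listen=on[31337];'
           'content=|81EC0805000083BC240C05000000535657557D148B8424240500008BAC2420'
           '05000050E9950500000F85800500008B|;delmark=1)')

# Constructed second record (not from the slides) so the rule set has two real entries.
AVML_X = 'virus(id="X00001";type="Worm";os="Win32";content=|4D5A9000DEADBEEF|;delmark=1)'


def parse_avml(record):
    """Split an AVML-style record into a dict; content=|hex| becomes bytes."""
    body = re.fullmatch(r'\w*\((.*)\)', record.strip()).group(1)
    fields = {}
    for item in filter(None, body.split(';')):
        key, _, value = item.partition('=')
        if value.startswith('|') and value.endswith('|'):
            fields[key] = bytes.fromhex(value[1:-1])
        else:
            fields[key] = value.strip('"')
    return fields


class AhoCorasick:
    """Byte-level Aho-Corasick automaton over all signatures at once."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pid, pat in enumerate(patterns):
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(pid)
        # Breadth-first failure links; depth-1 states already fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # patterns that are suffixes here

    def scan(self, data):
        """One pass over data. Returns (matches, transitions taken);
        matches are (offset of the last byte, pattern id)."""
        state, hits, steps = 0, [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]; steps += 1
            state = self.goto[state].get(b, 0); steps += 1
            hits.extend((i, pid) for pid in self.out[state])
        return hits, steps


def naive_scan(patterns, data):
    """One pass per record: work grows with the number of records."""
    hits, steps = [], 0
    for pid, pat in enumerate(patterns):
        for i in range(len(data) - len(pat) + 1):
            steps += 1
            if data[i:i + len(pat)] == pat:
                hits.append((i + len(pat) - 1, pid))
    return hits, steps


def build_rule_set(extra=100):
    """Signatures of the two AVML records plus `extra` constructed 8-byte filler
    patterns standing in for the rest of a large rule set."""
    sigs = [parse_avml(AVML_BO)['content'], parse_avml(AVML_X)['content']]
    sigs += [bytes(range(i, i + 8)) for i in range(extra)]
    return sigs


def demo(extra=100):
    """Scan one constructed stream carrying the 'bo' signature both ways.
    Whether the bytes arrived over FTP or NetBIOS is irrelevant here: the
    reassembled payload is matched once against every record."""
    sigs = build_rule_set(extra)
    stream = b'\x00' * 40 + sigs[0] + b'\x00' * 24   # constructed payload
    ac_hits, ac_steps = AhoCorasick(sigs).scan(stream)
    nv_hits, nv_steps = naive_scan(sigs, stream)
    return {'records': len(sigs), 'bytes': len(stream),
            'ac_hits': sorted(ac_hits), 'ac_steps': ac_steps,
            'naive_hits': sorted(nv_hits), 'naive_steps': nv_steps}


if __name__ == '__main__':
    print(demo())
```

The automaton's transition count is bounded by twice the stream length regardless of how many records were loaded, which is the behaviour the "original versus improved" curve on slide 13 is after; the per-record loop's count grows with every record added, which is the cliff on slide 11. Both report the same single hit, so the saving costs nothing in coverage. Real signature sets also contain wildcarded and approximate patterns that a plain Aho-Corasick cannot express, which is why the slides treat restricting that approximation as a tuning knob.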
  15. Data flow direction and the levels of virus detection
     Divided into 4 levels: data collection, diffluence (splitting the captured stream out per protocol), detection and processing.
     Event process level: data log / background processing, (file) scan, complete data-flow processing, cross verification.
     Stream scan level: virus scan; pattern match; packet processing; protocol tag. Provides packet scanning, incomplete transfer-data scanning and complete data-diffluence scanning.
     Data diffluence level: protocol analysis and data diffluence.
     Data collection level: sniffer.
  16. System structure [diagram]
  17. Data efficiency
     Virus data output from Harbin Institute of Technology on July 8, 2003.
  18. Statistics from the 26th week of 2005
  19. Unknown virus forewarning system
     Detected an unknown worm (I-Worm.Unknow) increasing notably on June 5, 2003. On June 6 it was shown to be the virus I-worm.sobig.f.
  20. Outline
     The virus trends of 2004
     Qualities of an IDS
     Mechanisms of a VDS
     Data processing
  21. Event Processing (1)
     Detection Events Description Language (DEDL): we use descriptors to define standard formats for network events and to make them support other formats. Defined elements: event type, event ID, source IP, target IP, event time, and so on; more than 20 such key elements.
     Processing methods:
       Tech-based: internal combine, parallel combine
       Analysis-based: parallel combine, radiant combine, convergence combine, chain combine
  22. Event Processing (2)
     Example rule (a chain combine):
       If exist
         Net_Action(RPC_Exploit)[IP(1)->IP(2); time(1)]
         Net_Action(RPC_Exploit)[IP(2)->IP(3); time(2)]
       and time(2) > time(1)
       then
         Net_Action(RPC_Exploit)[IP(1)->IP(2)->IP(3)]
  23. Behavior Classifications
     DEDL events:
       Net_Action(act)[IP(1),IP(2):445; time(1)]
       Net_Action(act)[IP(1),IP(3):445; time(1)]
       ...
       Net_Action(act)[IP(1),IP(12):445; time(1)]
     AVML diagnostic behavior regulations (Virus_act_lib):
       seek(id="W02872";dport=139,445;trans=netbios)
     Result:
       Net_Action(Trans,Worm.Win32.Dvldr)[IP(1)->IP(12); time(1)]
  24. Data processing
     [Diagram: Virus.A present on nodes A, B, C and D, each holding an IRC connection to IRC server, IRC server 2 or IRC server 3]
  25. Thoughts
     Network virus monitoring has been explored both academically and in products. It has now grown into a new technology with its own direction.
     The path of virus defense leads us to the world of freedom.
