SlideShare a Scribd company logo

Virus analysis

Download as PPT, PDF
2
20CS201AkashR

This is a ppt for virus analysis

Software
1 of 12
Virus Analysis Techniques, Tools, and Research Issues Part V: Research Issues Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA
Research Issues in Virus Analysis Revisit: Processes Classification of Problem Space Current State of Technologies Survey of Research Distributed Virus Analysis
AV Detection Process Sample Malicious: yes/no Signature Scanner Malicious: yes/no Disinfector File/Message Infected File Removal Instructions Clean File DESKTOP ANALYSIS LAB
Malware Analysis Process Reset Lab Environment Set up network observation tools Run program Observe network traffic Identify services requested Create DNS tables Run services on Linux Observe process actions Create/revise client on Linux Set up process observation tools Run client Static Analysis
Research Issues: AV Lab Sample Collection and Filtering Analysis Fingerprint Extraction Payload Identification Signature Distribution Evaluation of AV Scanners
Research Issues: Desktop Prevention Detection Heuristic Disinfection Recovery
Process Capture, Analyze, Create signature, Test, Roll-out Detection technology – not just grep! These technologies are used in client AV software; these are not back-end server technologies! Multi-String search Scalpel scanning (precision scanning at the entrypoint) X-Ray (plaintext crypto attack on virus/worm) CPU emulation P-CODE-driven detection Decide where and when to scan/emulate Hand-code detections in P-CODE Timeframe 5 minutes to several weeks (!) to write a signature Several hours or more for false positive/negative testing Current State of AV Technology Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
Heuristics Dynamic heuristics Leverage CPU emulator to coax file-based threat into displaying bad behaviors Static heuristics Use signatures to detect known-bad sequences of code Applied to macro, script, and binary threats Behavior blocking 1st generation systems today Stop threats by intercepting and blocking system calls Policy-based blocking prevalent Simple buffer-overflow protection (software/NX) Current State: Desktop Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
Signature Updates Volume We push up to 1.4B (virus definition) updates every day Up to 60 terabytes of data sent down every day! That’s up to 6 times the total amount of printed material in the Library of Congress per day Scalability Leverage Akamai’s 14,000 servers in 1,100 networks Compression Employ incremental update technologies and compression (~85-90% percent reduction) Some vendors ship “single definition packages” Current State: AV Lab Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
Automation Submission filtering Automatic filtering of customer submissions (95%) Application of super-sensitive heuristics for triage purposes Analysis Auto-replication of threats in VMs Macro-based threats, binary threats Auto-fingerprint generation with provably-low false positive rates Leverages Markov chaining approach Quality Assurance Automated, parallel testing Huge corpora of files for false positive testing Current State: AV Lab Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
Survey of Research TBD
Summary AV Processes Interesting problems along the processe Rethinking AV Process

Recommended

Measuring the Actual Security that Vendors Provide to Customers
Measuring the Actual Security that Vendors Provide to CustomersMeasuring the Actual Security that Vendors Provide to Customers
Measuring the Actual Security that Vendors Provide to CustomersAnthony Arrott
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Quick Heal Technologies Ltd.
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Benelux
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigatericharddxd
 
Test Strategies & Common Mistakes
Test Strategies & Common MistakesTest Strategies & Common Mistakes
Test Strategies & Common Mistakesfrisksoftware
 

Recommended

Measuring the Actual Security that Vendors Provide to Customers
Measuring the Actual Security that Vendors Provide to CustomersMeasuring the Actual Security that Vendors Provide to Customers
Measuring the Actual Security that Vendors Provide to CustomersAnthony Arrott
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Quick Heal Technologies Ltd.
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Benelux
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigatericharddxd
 
Test Strategies & Common Mistakes
Test Strategies & Common MistakesTest Strategies & Common Mistakes
Test Strategies & Common Mistakesfrisksoftware
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Securing data flow to and from organizations
Securing data flow to and from organizationsSecuring data flow to and from organizations
Securing data flow to and from organizationsOPSWAT
 
Raging Ransomware Roadshow May
Raging Ransomware Roadshow MayRaging Ransomware Roadshow May
Raging Ransomware Roadshow MaySophos Benelux
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureOPSWAT
 
Antimalware
AntimalwareAntimalware
AntimalwareMayank Chaudhari
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsPivotPointSecurity
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionDavid Perkins
 
Automated Malware Analysis
Automated Malware AnalysisAutomated Malware Analysis
Automated Malware AnalysisPushkar Pashupat
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?Ryan G. Murphy
 
Assessing network security
Assessing network securityAssessing network security
Assessing network securityAbhinit Kumar Sharma
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoringMarcus Botacin
 
Axigen Kaspersky V1
Axigen Kaspersky V1Axigen Kaspersky V1
Axigen Kaspersky V1Subrata Hazra
 
NetWitness
NetWitnessNetWitness
NetWitnessTechBiz Forense Digital
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Active Testing
Active TestingActive Testing
Active Testingfrisksoftware
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
Penetration testing tools and phases
Penetration testing tools and phasesPenetration testing tools and phases
Penetration testing tools and phasesTestingXperts
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

More Related Content

Similar to Virus analysis

Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Securing data flow to and from organizations
Securing data flow to and from organizationsSecuring data flow to and from organizations
Securing data flow to and from organizationsOPSWAT
 
Raging Ransomware Roadshow May
Raging Ransomware Roadshow MayRaging Ransomware Roadshow May
Raging Ransomware Roadshow MaySophos Benelux
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureOPSWAT
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsPivotPointSecurity
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionDavid Perkins
 
Automated Malware Analysis
Automated Malware AnalysisAutomated Malware Analysis
Automated Malware AnalysisPushkar Pashupat
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?Ryan G. Murphy
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoringMarcus Botacin
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
Penetration testing tools and phases
Penetration testing tools and phasesPenetration testing tools and phases
Penetration testing tools and phasesTestingXperts
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Codenomicon
 

Similar to Virus analysis (20)

Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint Security
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Securing data flow to and from organizations
Securing data flow to and from organizationsSecuring data flow to and from organizations
Securing data flow to and from organizations
 
Raging Ransomware Roadshow May
Raging Ransomware Roadshow MayRaging Ransomware Roadshow May
Raging Ransomware Roadshow May
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
 
Antimalware
AntimalwareAntimalware
Antimalware
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision Points
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and Prevention
 
Automated Malware Analysis
Automated Malware AnalysisAutomated Malware Analysis
Automated Malware Analysis
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
 
Assessing network security
Assessing network securityAssessing network security
Assessing network security
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
Axigen Kaspersky V1
Axigen Kaspersky V1Axigen Kaspersky V1
Axigen Kaspersky V1
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Active Testing
Active TestingActive Testing
Active Testing
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Penetration testing tools and phases
Penetration testing tools and phasesPenetration testing tools and phases
Penetration testing tools and phases
 
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
 

Recently uploaded

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 

Recently uploaded (20)

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 

Virus analysis

  • 1. Virus Analysis Techniques, Tools, and Research Issues Part V: Research Issues Michael Venable Arun Lakhotia University of Louisiana at Lafayette, USA
  • 2. Research Issues in Virus Analysis Revisit: Processes Classification of Problem Space Current State of Technologies Survey of Research Distributed Virus Analysis
  • 3. AV Detection Process Sample Malicious: yes/no Signature Scanner Malicious: yes/no Disinfector File/Message Infected File Removal Instructions Clean File DESKTOP ANALYSIS LAB
  • 4. Malware Analysis Process Reset Lab Environment Set up network observation tools Run program Observe network traffic Identify services requested Create DNS tables Run services on Linux Observe process actions Create/revise client on Linux Set up process observation tools Run client Static Analysis
  • 5. Research Issues: AV Lab Sample Collection and Filtering Analysis Fingerprint Extraction Payload Identification Signature Distribution Evaluation of AV Scanners
  • 7. Process Capture, Analyze, Create signature, Test, Roll-out Detection technology – not just grep! These technologies are used in client AV software; these are not back-end server technologies! Multi-String search Scalpel scanning (precision scanning at the entrypoint) X-Ray (plaintext crypto attack on virus/worm) CPU emulation P-CODE-driven detection Decide where and when to scan/emulate Hand-code detections in P-CODE Timeframe 5 minutes to several weeks (!) to write a signature Several hours or more for false positive/negative testing Current State of AV Technology Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
  • 8. Heuristics Dynamic heuristics Leverage CPU emulator to coax file-based threat into displaying bad behaviors Static heuristics Use signatures to detect known-bad sequences of code Applied to macro, script, and binary threats Behavior blocking 1st generation systems today Stop threats by intercepting and blocking system calls Policy-based blocking prevalent Simple buffer-overflow protection (software/NX) Current State: Desktop Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
  • 9. Signature Updates Volume We push up to 1.4B (virus definition) updates every day Up to 60 terabytes of data sent down every day! That’s up to 6 times the total amount of printed material in the Library of Congress per day Scalability Leverage Akamai’s 14,000 servers in 1,100 networks Compression Employ incremental update technologies and compression (~85-90% percent reduction) Some vendors ship “single definition packages” Current State: AV Lab Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
  • 10. Automation Submission filtering Automatic filtering of customer submissions (95%) Application of super-sensitive heuristics for triage purposes Analysis Auto-replication of threats in VMs Macro-based threats, binary threats Auto-fingerprint generation with provably-low false positive rates Leverages Markov chaining approach Quality Assurance Automated, parallel testing Huge corpora of files for false positive testing Current State: AV Lab Copyright © 2004, Carey Nachenberg, Symantec Presented: Worm 2004
  • 12. Summary AV Processes Interesting problems along the processe Rethinking AV Process