
Virus detection based on virus throttle technology



Virus Detection based on Virus Throttle Technology

J. Ahmed Muzammil, UG Student, Dept. of Information Technology, Noorul Islam College of Engineering (Anna University), Kumaracoil, Tamilnadu, India.
S. Suresh Kumar, Principal, Vivekanandha College of Technology (Anna University), Elayampalayam, Thiruchengode, Erode.

Abstract

In the Internet age, virus epidemics are getting worse than before, making networks slow, computers slow, suspending mission critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows attacks on networks to be detected within seconds of a possible virus infection. The special feature of this technology is that its virus detection algorithm is based on the network behaviour of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.

Keywords: Virus, Worm, Throttle, Antivirus, Network Security

1. Introduction

As every network administrator knows, virus epidemics are only getting worse. In 2003, the SQL Slammer worm infected 75,000 computers in ten minutes, making it the fastest-moving worm ever seen, and caused major network disruptions worldwide. Nimda, Blaster, Code Red, Sasser and Welchia are continual threats as well. Today, computer users are directly threatened by more than 97,000 viruses, worms and Trojan horses. Increased usage of network applications such as instant messaging and P2P also increases the risk of virus infection. In the third quarter of 2005, the volume of IM (instant messaging) threats was more than 3,000 percent higher than in the previous year, according to the IMlogic Threat Center.

To protect themselves from the onslaught of traffic generated by computer viruses, many corporations shut down portions of their network infrastructure; when they can't act fast enough, entire subnets or even entire networks can be brought down by viruses. Either way, the viruses cost corporations incalculable sums in lost productivity. Beyond bringing normal operations in an office or enterprise to a halt, computer viruses can put attacker-defined code on a system to cause additional damage.

Network threats once were slow-moving and easy to defend against when information transfer was done largely by sharing floppies. Organizations had the time they needed to clean their networks and install defences. However, as CPU speeds increase, bandwidth grows, networks become more business critical and clients become more mobile, network administrators increasingly lack the time to shut operations down or develop inoculations to cure the infections.

Nor is productivity the only victim of network viruses. The SQL Slammer worm took out a 911 emergency response center serving two police departments and 14 fire departments near Seattle, USA. Protecting against computer viruses can ultimately be an effort to protect lives. [1]

In this paper we define a new technique for virus detection on PCs based on the network virus and worm detection technique of the virus throttle. The paper is organised as follows: Section 2 defines the terms virus, worm and Trojan. Section 3 explains the limitations of the existing methods for virus detection. Section 4 explains Virus Throttle technology, and the detection methodology is explained using the example worm W32/Nimda-D. The method we have devised for virus detection on PCs, which is based on the existing Virus Throttle technology, is defined in Section 5. Section 6 concludes the paper.

2. Definitions

2.1 Virus

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD or USB drive, or by the Internet. Additionally,
viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses.

2.2 Worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on a targeted computer.

2.3 Trojan Horse

A Trojan horse is a program that installs malicious software while under the guise of doing something else. Though not limited in their payload, Trojan horses are most notorious for installing backdoor programs which allow unauthorised remote access to the victim's machine by unwanted parties, normally with malicious intentions. Unlike a computer virus, a Trojan horse does not propagate by inserting its code into other computer files. The term is derived from the classical myth of the Trojan Horse. Like the mythical Trojan Horse, the malicious code is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to an unsuspecting user. When this program or file is executed by the unsuspecting user, the malicious code is also executed, resulting in the set-up or installation of the malicious Trojan horse program.

3. Limitations of existing methods

Current methods to stop the propagation of malicious agents rely on the use of signature recognition to prevent hosts from being infected. That is, they seek to prevent the virus or worm from entering the system. These methods concentrate on the physical characteristics of the virus, i.e. its program code, and use parts of this code to create a unique signature. Programs entering the system are compared against this signature and discarded if they match.

While this method has been effective in protecting systems, it has several limitations which, as the number of viruses increases, decrease its effectiveness. It is fundamentally a reactive and case-by-case approach in that a new signature needs to be developed for each new virus or variant as it appears. Signature development is usually performed by skilled people who are able to produce only a certain number of signatures at a time. As the number of viruses increases, the time between initial detection and the release of a signature also increases, allowing a virus to spread further in the interim.

This latency between the introduction of a new virus or worm into a network and the implementation and distribution of a signature-based patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

As long as attacks occur at "machine speed" and responses are implemented at "human speed", computers will essentially be defenceless against new threats. As systems get bigger and more complex, so does the problem of addressing new threats.

A different solution is needed. A truly resilient infrastructure would include a solution that automatically hampers, contains and mitigates attacks by previously unknown threats, giving the people responsible for an infrastructure's security the time they need to implement a response.

Rather than replacing current signature-and-patch-based protections, the new solution would complement them by allowing computers and humans to each do what they do best: computers can respond far more quickly than people, but are poor at gauging the nature of a previously unknown threat. Humans are good at making such decisions, but are slow, by machine standards, to act. A new solution would have computers acting quickly to stabilise a situation until humans could intervene. [1]

4. Virus Throttle

Virus Throttle technology was originally devised by HP Labs. It is a technique that overcomes the limitations of previous responses and meets the need for rapid containment and mitigation of attacks by malicious agents.

Traditional approaches to anti-virus protection are based on the actual code or signature of the virus. Virus Throttle, in contrast, is based on the behaviour of malicious code and the ways in which that behaviour differs from that of normal code. Virus Throttle is based on the observation that under normal activity, a computer will make fairly few outgoing connections to new computers, but instead is more likely to regularly connect to the same set of computers. This is in contrast to the fundamental behaviour of a rapidly spreading worm, which will attempt many outgoing connections to new computers. For example, while computers normally make approximately one connection per second to a new host, the SQL Slammer worm tried to infect more than 800 computers per second. [1]

The idea behind the Virus Throttle is to put a rate limit on connections to new computers, such that
normal traffic remains unaffected but suspect traffic that attempts to spread faster than the allowed rate will be slowed. This creates large backlogs of connection requests that can be easily detected. Once the virus is slowed and detected, technicians and system administrators have the time they need to intervene in order to isolate and eradicate the threat by cleaning it from the system. [1]

Figure 1: Throttle Control Flow [2]

Figure 1 shows the throttle control flow. All the processes using the network are routed through the virus throttle. A process requesting access is checked against a set of working processes. If it is a newly requesting process then it is put on a delay queue. A queue length detector counts the number of connection requests from a single process and, if it is within an acceptable threshold, the new process is added to the working set of processes. If the number of connections is above the threshold, then a rate limiter stops the suspicious process from accessing the network.

This technique differs from signature-and-patch approaches in three key ways:

i. It focuses on the network behaviour of the virus and prevents certain types of behaviour, in particular the attempted creation of a large number of outgoing connections per second.
ii. It is also unique in that, instead of stopping viruses from entering a system, it restricts the code from leaving.
iii. Because connections exceeding the allowed rate can be blocked for configurable periods of time, the system is tolerant of false positives and is therefore robust.

Virus Throttle technology is not meant to replace signature-based solutions but, rather, to complement them. Virus Throttle fills a gap in anti-virus protection that previously allowed unknown threats to wreak significant damage before patches could be deployed. With Virus Throttle, previously unknown threats can be mitigated, giving administrators time to deploy signature updates and patches against further attack.

4.1 Tests Show Quick Detection, Prevention

Tests of Virus Throttle technology conducted at Hewlett-Packard Labs in Bristol, U.K. show that Virus Throttle is able to very quickly detect and prevent worms spreading from an infected computer. For example, the throttle is able to stop the W32/Nimda-D worm in less than one second. The test was carried out using a throttle that followed the control flow shown in Figure 1.

The virus throttle parses all outgoing packets from a machine for TCP SYN packets. The destination address of an intercepted SYN packet is then compared against a list of destination addresses of machines to which connections have previously been made, which is termed the working set. The working set can hold up to 5 such addresses. If the destination address is in this working set the connection is allowed immediately. If the address is not in the working set and the working set is not full, i.e. it holds fewer than 5 addresses, the destination address is added to the working set and the connection is again allowed to proceed immediately. If neither of these two conditions is met, the SYN packet is added to what is termed the delay queue and is not transmitted immediately.

Once every second the delay queue is processed: the SYN packet at its head and any other SYN packets with the same destination address are popped and sent, allowing the establishment of the requested connection. The destination address of this packet is also added to the working set, the oldest member of which is discarded if the working set is full. If the delay queue is empty at processing time and the working set is full, the oldest member of the working set is also discarded, allowing for the potential establishment of one connection per second to a target not recently connected to.

This design, summarised as a control flow in Figure 1, allows hosts to create as many connections per second as they want to the 5 most recently connected-to machines. Any further connection attempts will be delayed for at least a second, and then attempted. Delaying connections rather than simply dropping them is important in a cost-sensitive environment: if the throttle is incorrectly targeted at legitimate connection attempts, it will introduce an often imperceptible delay in the connection, instead of prohibiting it entirely. [2]

The throttle detects a process as a malicious one when the process issues more connections within the waiting time than the allowed rate permits, so that the delay queue builds up. The average time taken by the throttle to detect real and test worms is shown in Table 1.

Table 1: Average time taken by the test throttle to detect real and test worms [2]

Worm          Connections per second   Stopping time   Connections allowed
Nimda                 120                  0.25 s               1
Test worm              20                  5.44 s               5
Test worm              40                  2.34 s               2
Test worm              60                  1.37 s               1
Test worm              80                  1.04 s               1
Test worm             100                  0.91 s               1
Test worm             150                  0.21 s               0
Test worm             200                  0.02 s               0
SQL Slammer           850                  0.02 s               0

4.2 W32/Nimda-D Worm

W32/Nimda-D is a mass-mailing worm that uses multiple methods to spread itself. It searches for network shares and attempts to copy itself to vulnerable Microsoft IIS web servers. It is a virus that affects both local files and files on remote network shares. [3]

4.3 Limitations of the traditional way of detecting the W32/Nimda-D worm

The traditional way of detecting the W32/Nimda-D worm has the following limitations, which make it inefficient for use in time-critical applications.

• The virus spreads throughout the network and web servers, so each computer in the network will have a copy of the worm.
• The antivirus software needs a signature update. That takes at least a day and at most a week, within which the virus may have replicated further.
• The temporary solution to this problem is to suspend the network, which is impossible in an organisation as it causes a financial loss due to suspension of work.
• After the signature updates have arrived, each computer in the network will have to scan the whole system and clean each file. It is a complex process for the IT staff to scan each computer on the network for the worm individually, and it takes days to complete.

4.4 Response to the W32/Nimda-D worm by the Virus Throttle

• The throttle detects the process which shows the abnormal activity of making over 500 connections per second.
• The throttle cuts the extra connections made by the process to hosts other than the current working set, thus implementing a temporary solution.
• Few or no other computers on the network are affected.

4.5 Benefits of Virus Throttle Technology

The benefits of Virus Throttle technology include the following:

• Works without knowing anything about the virus. Because it is triggered by the behaviour of a virus rather than by identifying the code of the virus, it can handle unknown threats without waiting for signature updates.
• Protects network infrastructure by slowing or stopping routed traffic from hosts exhibiting high connection rates. The infrastructure will stay up and running, even when it is under attack from a virus.
• Can provide event logs and SNMP trap warnings when worm-like behaviour is detected.
• Gives IT staff time to react before the problem escalates to a crisis.
• If deployed widely, makes it difficult for viruses to spread at all.

4.6 Advantages

Since the throttle prevents subsequent infection, the effect on the global spread of a virus depends on how widely the throttle is deployed. HP Labs results show that when only 50 percent of computers are installed with the throttle, the global spread of both real and constructed worms is substantially reduced. Throttled machines contribute almost no worm traffic in spite of being infected, significantly reducing the amount of network traffic produced by a virus.
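The control flow of Section 4.1, as an added worked example in Python; this is not code from the paper or from HP Labs. It models the throttle with a working set of 5 and a delay queue processed once per second, and drives it with a constructed worm that opens every connection to a never-seen host and a constructed normal host that only talks to its usual servers. The queue-length alert threshold (20 queued SYNs), the sample addresses and the traffic patterns are assumptions; the paper gives no threshold, only that the backlog "can be easily detected".

```python
from collections import deque


class VirusThrottle:
    """Outbound SYN throttle following the control flow of Section 4.1.
    working_set_size=5 is the paper's value; queue_threshold is an assumed
    value, since the paper only says the backlog 'can be easily detected'."""

    def __init__(self, working_set_size=5, queue_threshold=20):
        self.working_set_size = working_set_size
        self.queue_threshold = queue_threshold
        self.working_set = deque()  # recently contacted hosts, oldest first
        self.delay_queue = deque()  # (time, dst) SYNs held back, head first
        self.new_hosts_sent = 0     # SYNs released to hosts outside the set
        self.detected_at = None     # time the queue crossed the threshold
        self.new_hosts_at_detection = None

    def seed_working_set(self, hosts):
        """Pre-fill the set with hosts a busy machine already talks to."""
        for h in hosts:
            self._remember(h)

    def _remember(self, dst):
        if dst in self.working_set:
            return
        if len(self.working_set) >= self.working_set_size:
            self.working_set.popleft()  # discard the oldest member
        self.working_set.append(dst)

    def syn(self, t, dst):
        """Intercept one outbound SYN at time t; True if it is sent at once."""
        if dst in self.working_set:
            return True
        if len(self.working_set) < self.working_set_size:
            self._remember(dst)
            self.new_hosts_sent += 1
            return True
        self.delay_queue.append((t, dst))
        if self.detected_at is None and len(self.delay_queue) >= self.queue_threshold:
            self.detected_at = t
            self.new_hosts_at_detection = self.new_hosts_sent
        return False

    def tick(self, t):
        """Once per second: release the head SYN and any others to that host."""
        if not self.delay_queue:
            # Empty queue and full working set: age out the oldest member so
            # one fresh destination per second can get through undelayed.
            if len(self.working_set) >= self.working_set_size:
                self.working_set.popleft()
            return
        _, dst = self.delay_queue.popleft()
        self.delay_queue = deque(p for p in self.delay_queue if p[1] != dst)
        self.new_hosts_sent += 1
        self._remember(dst)


# Constructed sample data: five servers the host normally talks to.
FAMILIAR = ["10.0.0.%d" % i for i in range(1, 6)]


def run_worm(rate, seconds=10, **throttle_args):
    """Worm on a busy host: `rate` SYNs per second, each to a never-contacted
    host. Returns (alert time, new hosts reached before the alert, new hosts
    reached in the whole run)."""
    th = VirusThrottle(**throttle_args)
    th.seed_working_set(FAMILIAR)
    n = 0
    for s in range(seconds):
        for i in range(rate):
            n += 1
            th.syn(s + i / rate, "192.168.%d.%d" % (n // 256, n % 256))
        th.tick(s + 1.0)
    return th.detected_at, th.new_hosts_at_detection, th.new_hosts_sent


def run_normal(seconds=10, **throttle_args):
    """Host making three connections a second, all to its usual servers.
    Returns (alert time, number of SYNs that were delayed)."""
    th = VirusThrottle(**throttle_args)
    th.seed_working_set(FAMILIAR)
    delayed = 0
    for s in range(seconds):
        for i in range(3):
            if not th.syn(s + i / 3, FAMILIAR[(3 * s + i) % len(FAMILIAR)]):
                delayed += 1
        th.tick(s + 1.0)
    return th.detected_at, delayed


def sweep(rates=(1, 5, 10, 20, 100)):
    """Rows in the shape of Table 1: SYN rate, alert time, hosts reached."""
    return [(r,) + run_worm(r) for r in rates]


if __name__ == "__main__":
    print("SYN/s  alert at  new hosts before alert  new hosts in 10 s")
    for rate, t, before, total in sweep():
        stop = "none" if t is None else "%.2f s" % t
        print("%5d  %8s  %22s  %17d" % (rate, stop, before, total))
    print("normal host (alert, delayed):", run_normal())
```

Running it prints a table in the shape of Table 1: the faster the worm, the sooner the queue crosses the threshold and the fewer fresh hosts it reaches first, while a host opening one new connection per second is never flagged (its queue never holds more than one SYN) and a host that sticks to its working set is never even delayed. The model keeps releasing one queued SYN per second after the alert, which is the delay-only design of [2]; the response described in Section 4.4 would stop releasing, or block the process, once the alert fires.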
5. Virus Throttle for Virus Detection in PCs

The technique of Virus Throttle in a network environment can be used to improve the speed of virus detection of PC-based anti-virus software. The presently available anti-virus software scans each application, DLL or other suspicious file for the virus code of known viruses.

A gateway called THROTWALL is installed in front of the antivirus software. The THROTWALL monitors all the running processes for suspicious activity. The antivirus scanner consists of the presently available virus signatures and also a trusted processes list. The job of the antivirus scanner is to check the files flagged by the THROTWALL for virus code or for an entry in the trusted processes list.

The suspicious activity that is detected by the THROTWALL is defined by the following guidelines:

• When a process uses resources that are not required for its normal operation
• When a process creates multiple child processes
• When a change to multiple files is executed by a program
• When a change to the registry is executed
• When a change to the boot sector is executed
• When a change to a running program is executed
• When a file in the system directory is changed
• When a change to the system users and groups is executed
• When multiple files are created

When one or more of these suspicious activities is detected, the following steps are followed to check the process for virus code:

i) Access to the restricted resource is blocked while still allowing the process to use the general resources.
ii) The particular process and its child processes are scanned using a virus scanner.
iii) If the process is a trusted one, then the process is allowed to use the restricted resources by commanding the gateway to permit access for the process.
iv) If the process is not a trusted one, and it is confirmed as a virus, then the process and its parent or child processes are killed and the necessary action to disinfect or delete the file is taken by the antivirus program itself.
v) If the process is not a trusted one, and it is not confirmed as a virus, then the process is suspended from access to the requested resources and the user is prompted for what action to take, or to add the process to the trusted applications list.

This technique improves the response time and the overall performance of the antivirus software as well as of the PC itself.

6. Conclusion

Traditional methods of addressing viruses, worms and other malicious code depend on signatures and patches. That leaves systems vulnerable to previously unknown threats until protective code can be written and deployed. At a time when viruses spread more quickly than ever before, often generating paralysing amounts of network traffic, this is a significant lapse.

This paper has presented a new technique for virus detection on PCs that is based on the virus throttle technology of HP. The new technique uses a gateway called THROTWALL in front of the antivirus software. Using the THROTWALL avoids checking all the processes and files with the antivirus scanner, thus reducing the processing power required to detect viruses, Trojans and worms.

The usage of THROTWALL also increases the efficiency of the antivirus software by catching new viruses that are not present in the available signatures of known viruses. The new technique also increases the overall performance of the PC by making the valuable processing power available to other applications.

References

[1] ProCurve Networking - Connection-Rate Filtering Based on Virus Throttle Technology, Hewlett Packard Company, 2006.
[2] Jamie Twycross, Matthew M. Williamson - Implementing and testing a virus throttle, Hewlett-Packard Labs, Bristol, U.K., 2003.
[3] W32/Nimda-D Virus - Sophos Security Analysis, -and-spyware/w32nimdad.html
[4] M. M. Williamson, J. Twycross, J. Griffin, and A. Norman - Virus throttling, Virus Bulletin, U.K., 2003.
[5] Matthew M. Williamson - Design, Implementation and Test of an Email Virus Throttle, HP Laboratories Bristol, 2003.
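The gateway procedure of Section 5 (the suspicious-activity guidelines followed by steps i to v), as an added example in Python; it is not the authors' THROTWALL implementation, which the paper does not give. The scanner is a stand-in that compares SHA-256 hashes of process code against a constructed signature set and a trusted-image list. Only three guidelines are modelled (use of a restricted resource, changes to multiple files, and the trusted/unknown distinction); the "multiple files" threshold, the resource names, the sample processes and the fake worm body are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Resources whose use matches a Section 5 guideline outright. The "multiple
# files" threshold is an assumed value; the paper gives no number.
RESTRICTED = {"registry", "boot_sector", "system_dir", "users_groups", "running_program"}
MAX_FILE_CHANGES = 10


class Process:
    """Stand-in for a running process: image path, code bytes, family links."""

    def __init__(self, pid, image, code, parent=None):
        self.pid, self.image, self.code, self.parent = pid, image, code, parent
        self.children, self.alive = [], True
        if parent is not None:
            parent.children.append(self)

    def descendants(self):
        return [self] + [d for c in self.children for d in c.descendants()]


class SignatureScanner:
    """The antivirus side: known-virus signatures plus the trusted list."""

    def __init__(self, signatures, trusted_images):
        self.signatures, self.trusted = set(signatures), set(trusted_images)

    def verdict(self, proc):
        """'trusted', 'infected' or 'unknown' for a process and its children."""
        if proc.image in self.trusted:
            return "trusted"
        if any(hashlib.sha256(p.code).hexdigest() in self.signatures
               for p in proc.descendants()):
            return "infected"
        return "unknown"


class Throtwall:
    """Gateway in front of the scanner: only guideline hits reach the scanner."""

    def __init__(self, scanner, ask_user):
        self.scanner = scanner
        self.ask_user = ask_user              # (proc, resource) -> allow|deny|trust
        self.file_changes = defaultdict(int)  # pid -> files changed or created
        self.cleared = set()                  # pids granted restricted access

    def _suspicious(self, proc, resource):
        """The guidelines of Section 5 reduced to a check on one request."""
        if resource in RESTRICTED:
            return True
        if resource.startswith("file:"):
            self.file_changes[proc.pid] += 1
            return self.file_changes[proc.pid] > MAX_FILE_CHANGES
        return False

    def request(self, proc, resource):
        """Decision for one request: 'allowed', 'killed' or 'suspended'."""
        if not proc.alive:
            return "killed"
        if not self._suspicious(proc, resource) or proc.pid in self.cleared:
            return "allowed"                  # general resources pass untouched
        # step i: this request is held, the process keeps its general resources
        verdict = self.scanner.verdict(proc)  # step ii: scan process and children
        if verdict == "trusted":              # step iii
            self.cleared.add(proc.pid)
            return "allowed"
        if verdict == "infected":             # step iv: parent and children go too
            for p in ([proc.parent] if proc.parent else []) + proc.descendants():
                p.alive = False
            return "killed"
        choice = self.ask_user(proc, resource)  # step v
        if choice == "trust":
            self.scanner.trusted.add(proc.image)
            self.cleared.add(proc.pid)
        return "allowed" if choice in ("allow", "trust") else "suspended"


# Constructed sample data: a fake worm body (not real malware), its hash as the
# only signature, and a vendor installer on the trusted list.
WORM_CODE = b"constructed worm body for the example, not real malware"
SIGNATURES = {hashlib.sha256(WORM_CODE).hexdigest()}
TRUSTED_IMAGES = {r"C:\Program Files\Vendor\setup.exe"}


def demo(user_choice="deny"):
    """Replays three processes through the gateway; user_choice stands in for
    the step v prompt. Returns the decisions taken."""
    scanner = SignatureScanner(SIGNATURES, TRUSTED_IMAGES)
    wall = Throtwall(scanner, lambda proc, resource: user_choice)
    worm = Process(100, r"C:\Windows\Temp\readme.eml.exe", WORM_CODE)
    child = Process(101, r"C:\Windows\System32\cmd.exe", b"shell", parent=worm)
    setup = Process(200, r"C:\Program Files\Vendor\setup.exe", b"installer")
    editor = Process(300, r"C:\Tools\editor.exe", b"benign but unknown code")
    out = {}
    # Worm copying itself onto a share: ten writes look like ordinary file
    # access, the eleventh crosses the "multiple files" guideline.
    out["worm_writes"] = [wall.request(worm, "file:\\\\server\\share\\doc%d.eml" % i)
                          for i in range(MAX_FILE_CHANGES + 1)]
    out["worm_registry"] = wall.request(worm, "registry")
    out["child_alive"] = child.alive
    out["setup_registry"] = wall.request(setup, "registry")
    out["editor_file"] = wall.request(editor, "file:C:\\Users\\me\\notes.txt")
    out["editor_registry"] = wall.request(editor, "registry")
    out["editor_trusted_now"] = editor.image in scanner.trusted
    return out
```

Two things the run makes visible. The gateway only consults the scanner on a guideline hit, so even a worm whose signature is already known gets ten unflagged share writes before the eleventh triggers the scan and the kill of its whole process tree; the threshold for "multiple" therefore bounds how much damage precedes detection. And an unknown process that touches the registry is left waiting on the user's answer in step v, so the quality of that prompt decides whether the scheme holds or degrades into clicking "allow".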