Virus epidemics in the Internet age are worse than ever: they slow networks and computers and suspend mission-critical operations.
This presentation describes a technique for virus detection based on virus throttle technology. It can detect an attack on a network within seconds of a possible infection.
Its distinguishing feature is that the detection algorithm is based on the network behaviour of the virus rather than on identification of the virus code, so even unknown viruses can be detected without a signature update.
The technology white paper is available at the following link:
http://www.slideshare.net/ahmedmzl/virus-detection-based-on-virus-throttle-technology
Virus Detection Based on Virus Throttle Technology
1. VIRUS DETECTION BASED ON VIRUS THROTTLE TECHNOLOGY
Ahmed Muzammil Jamal Mohamed
ahmedmuzammil@outlook.com
2. Virus
- Infects or corrupts files
- Hidden in code
- Can be metamorphic
- Can't survive on its own (needs a host program)
- Propagates by sharing files
- Propagates by infecting open network shares
3. Trojan
- Appears as a useful file
  - e.g. "waterfalls.scr"
- Undesired functionality
- Executes malicious code along with the useful code
- A naive user cannot tell it from a legitimate file
4. Worm
- A malicious program
- Self-replicating
- Doesn't need a host program
- Harms the network
  - Consumes local resources
  - Consumes bandwidth
5. Limitations of Existing Virus Detection Methods
- They detect viruses by signature recognition
- Signatures are based on the physical characteristics (byte patterns) of the virus code
- Effectiveness decreases as the number of viruses grows
- Releasing the signature for a new virus takes time
- Need for a new solution: the virus spreads at machine speed, the response happens at human speed
6. Virus Throttle – What is it?
- Like a car throttle, it limits speed
- Virus throttle is based on the behaviour of malicious code
- Malicious code makes many connections to new computers
  - SQL Slammer: >800 connections per second
- A rate limit on connections to new computers
8. Example Worm – W32/Nimda-D
- Tests carried out at HP Labs using the W32/Nimda-D worm and several other test worms
- W32/Nimda-D
  - A mass-mailing worm
  - Infects both local files and network shares
  - Creates 120+ connections per second
- The test worms had different connection rates
9. Detection of W32/Nimda-D Worm using the traditional approach
- The virus spreads rapidly
- A signature update is needed
- Without the signature update
  - Temporary solution: suspend the network
  - Financial / productivity loss
- After the signature update
  - Each computer has to be disinfected
  - Takes days to complete
10. Detection of W32/Nimda-D Worm using the Virus Throttle
- The throttle detects the process that is connecting to many new hosts
- The throttle holds back the excess connections
- Thus few or no other PCs are infected
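The throttle mechanism of slide 6 and the detection result of slide 10, as an added example that is not part of the presentation or of HP Labs' code: a small Python simulation of a connection-rate throttle in Williamson's style. The parameters are my assumptions, not figures from the slides: a working set of the 5 most recently contacted hosts, one new-host connection released per second, a delay queue for the rest, and an alarm once the queue exceeds 100 entries. Both traces are constructed: a user reloading four web sites, and a Nimda-like scanner making 120 new-host connections per second (the rate quoted on slide 8).

```python
"""Simulation of a connection-rate throttle in the style of HP Labs' virus
throttle.  Added example, not the presentation's or HP's code.  The parameters
below are my assumptions, not figures from the slides."""
from collections import deque


class Throttle:
    """Limits the rate at which one process may contact *new* hosts."""

    def __init__(self, rate=1, working_set_size=5, threshold=100):
        self.rate = rate                      # new hosts released per second (assumed)
        self.working_set = deque(maxlen=working_set_size)  # recently contacted hosts
        self.queue = []                       # delayed (time, host) requests, FIFO
        self.threshold = threshold            # queue length that raises an alarm (assumed)
        self.alarm_at = None                  # time the alarm first fired, if ever
        self.sent = 0                         # connections allowed through
        self.delayed = 0                      # connections that had to wait

    def request(self, t, host):
        """The process asks to connect to `host` at time `t`.

        Connections to a host in the working set pass immediately; anything
        else waits in the delay queue.  A long queue is the infection signal:
        only a process contacting many distinct new hosts can build one.
        """
        if host in self.working_set:
            self.sent += 1
            return True
        self.queue.append((t, host))
        self.delayed += 1
        if self.alarm_at is None and len(self.queue) > self.threshold:
            self.alarm_at = t
        return False

    def tick(self, t):
        """Once per second: release up to `rate` queued new hosts."""
        for _ in range(self.rate):
            if not self.queue:
                return
            _, host = self.queue.pop(0)
            self.working_set.append(host)
            self.sent += 1
            # every other queued request to the same host leaves with it
            remaining = [q for q in self.queue if q[1] != host]
            self.sent += len(self.queue) - len(remaining)
            self.queue = remaining


def simulate(trace, seconds, **kw):
    """Feed a (time, host) trace through a fresh throttle, ticking once a second."""
    th = Throttle(**kw)
    events = sorted(trace)
    i = 0
    for sec in range(seconds):
        while i < len(events) and events[i][0] < sec + 1:
            th.request(*events[i])
            i += 1
        th.tick(sec + 1)
    return th


def benign_trace(seconds=60):
    # Constructed: a user reloading four web sites, two requests a second.
    return [(s + d, f"web{s % 4}") for s in range(seconds) for d in (0.1, 0.5)]


def worm_trace(seconds=10, per_second=120):
    # Constructed: Nimda-like scanner, 120 distinct new hosts every second.
    return [(s + k / per_second, f"10.0.{s}.{k + 1}")
            for s in range(seconds) for k in range(per_second)]


if __name__ == "__main__":
    for name, th in (("user", simulate(benign_trace(), 60)),
                     ("worm", simulate(worm_trace(), 10))):
        print(f"{name}: sent={th.sent} delayed={th.delayed} "
              f"queued={len(th.queue)} alarm_at={th.alarm_at}")
```

With these parameters the user's traffic is delayed only on the first contact with each of the four sites (eight requests, each held for under a second) and never raises the alarm, while the scanner fills the queue past 100 within the first second and reaches only 10 hosts in 10 seconds instead of 1200. That asymmetry is the point of slide 11: a false positive costs a benign process a short delay, not a kill.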
11. Advantages of Virus Throttle
- Works without knowing anything about the virus
- Protection only slows down network traffic
  - Thus false positives (throttling a benign process) cost little
- Gives IT staff time to react
- Effects of deploying the virus throttle widely
  - Difficult for viruses to spread at all
13. Virus Detection on PC based on Virus Throttle Technology
- Traditional virus scanners scan all files
- They consume much of the processing resources
- The new technique filters the files that have to be scanned
14. Components of the new technique for Virus Detection
- A gateway, defined as THROTWALL
- A traditional virus scanner
15. THROTWALL
- THROTWALL is to a PC what a firewall is to a network, and works on the basis of the virus throttle
- Monitors running processes for suspicious activity
- Protects the super resources
- When process requests
16. Thank You…
- Read the research whitepaper here: Slideshare.net
- Like this presentation? Share it...
- Questions? Tweet me @ahmedmzl
- This presentation was presented at the following conferences:
  - The IET-UK Present Around the World – India Finals
  - National Conference on Communication and Informatics