In the Internet age, virus epidemics are getting worse than before, making the networks slow, computers slow, suspending mission critical operations and so on.
In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of possible virus infection.
The special feature of this technology is that its virus detection algorithm is based on the network behavior of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.
Virus detection based on virus throttle technology, by Ahmed Muzammil
The technology white paper is available at the following link:
http://www.slideshare.net/ahmedmzl/virus-detection-based-on-virus-throttle-technology
Virus Detection based on Virus Throttle Technology

J. Ahmed Muzammil, UG Student, Dept. of Information Technology, Noorul Islam College of Engineering (Anna University), Kumaracoil, Tamilnadu, India. ahmedmuzammil@outlook.com
S. Suresh Kumar, Principal, Vivekanandha College of Technology (Anna University), Elayampalayam, Thiruchengode, Erode. nice.ssk@gmail.com
Abstract

In the Internet age, virus epidemics are getting worse than before, making networks slow, computers slow, suspending mission critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of possible virus infection. The special feature of this technology is that its virus detection algorithm is based on the network behaviour of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.
Keywords: Virus, Worm, Throttle, Antivirus, Network Security
1. Introduction

As every network administrator knows, virus epidemics are only getting worse. In 2003, the SQL Slammer worm infected 75,000 computers in one minute, making it the fastest-moving virus ever seen, and caused major network disruptions worldwide. Nimda, Blaster, Code Red, Sasser and Welchia are continual threats as well. Today, computer users are directly threatened by more than 97,000 viruses, worms and Trojan horses. Increased usage of network applications such as Instant Messaging and P2P also increases the risk of virus infection. In the 3rd quarter of 2005, the volume of IM (Instant Messaging) threats was more than 3,000 percent higher than the previous year, according to IMlogic Threat Center.

To protect themselves from the onslaught of traffic generated by computer viruses, many corporations shut down portions of their network infrastructure; when they can’t act fast enough, entire network subnets or even entire networks can be brought down by viruses. Either way, the viruses cost corporations incalculable sums in lost productivity. Beyond bringing normal operations in an office or enterprise to a halt, computer viruses can put attacker-defined code on a system to cause additional damage.

Network threats once were slow-moving and easy to defend against when information transfer was done largely by sharing floppies. Organizations had the time they needed to clean their networks and install defences. However, as CPU speeds increase, bandwidth grows, networks become more business critical and clients become more mobile, network administrators increasingly lack the time to shut operations down or develop inoculations to cure the infections.

Nor is productivity the only victim of network viruses. The SQL Slammer virus took out a 911 emergency response center serving two police departments and 14 fire departments near Seattle, USA. Protecting against computer viruses can ultimately be an effort to protect lives. [1]

In this paper we define a new technique for virus detection in PCs based on the network virus and worm detection technique of Virus Throttle. The organization of the paper is as follows: Section 2 defines the terms virus, worm and Trojan. Section 3 explains the limitations of the existing methods for virus detection. Section 4 explains Virus Throttle technology, and the detection methodology is explained using an example worm, W32/Nimda-D. The method we have devised for virus detection in PCs, which is based on the existing Virus Throttle technology, is defined in Section 5 of the paper. Section 6 concludes the paper.

2. Definitions

2.1 Virus

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD or USB drive, or by the Internet. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses.

2.2 Worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

2.3 Trojan Horse

A Trojan horse is a program that installs malicious software while under the guise of doing something else. Though not limited in their payload, Trojan horses are more notorious for installing backdoor programs which allow unauthorized remote access to the victim's machine by unwanted parties, normally with malicious intentions. Unlike a computer virus, a Trojan horse does not propagate by inserting its code into other computer files. The term is derived from the classical myth of the Trojan Horse. Like the mythical Trojan Horse, the malicious code is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to an unsuspecting user. When this computer program or file is executed by the unsuspecting user, the malicious code is also executed, resulting in the set up or installation of the malicious Trojan horse program.

3. Limitations of existing methods

Current methods to stop the propagation of malicious agents rely on the use of signature recognition to prevent hosts from being infected. That is, they seek to prevent the virus or worm from entering the system. These methods concentrate on the physical characteristics of the virus—i.e., its program code—and use parts of this code to create a unique signature. Programs entering the system are compared against this signature and discarded if they match.

While this method has been effective in protecting systems, it has several limitations which, as the number of viruses increases, decrease its effectiveness. It is fundamentally a reactive and case-by-case approach in that a new signature needs to be

viruses increase, the time between initial detection and the release of a signature also increases, allowing a virus to spread further in the interim.

This latency between the introduction of a new virus or worm into a network and the implementation and distribution of a signature-based patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

As long as attacks occur at “machine speed” and responses are implemented at “human speed,” computers will essentially be defenseless against new threats. As systems get bigger and more complex, so does the problem of addressing new threats.

A different solution is needed. A truly resilient infrastructure would include a solution that automatically hampers, contains and mitigates attacks by previously unknown threats, giving the people responsible for an infrastructure’s security the time they need to implement a response.

Rather than replacing current, signature-and-patch-based protections, the new solution would complement them by allowing computers and humans to each do what they do best: computers can respond far more quickly than people, but are poor at gauging the nature of a previously unknown threat. Humans are good at making such decisions, but are slow—by machine standards—to act. A new solution would have computers acting quickly to stabilize a situation until humans could intervene. [1]

4. Virus Throttle

Virus Throttle technology is a technology that was originally devised by HP Labs. It is a new technique that overcomes the limitations of previous responses and meets the need for rapid containment and mitigation of attacks by malicious agents.

Traditional approaches to anti-viral protection are based on the actual code or signature of the virus. Virus Throttle, in contrast, is based on the behaviour of malicious code and the ways in which that behaviour differs from that of normal code. Virus Throttle is based on the observation that under normal activity, a computer will make fairly few outgoing connections to new computers, but instead is more likely to regularly connect to the same set of computers. This is in contrast to the fundamental behaviour of a rapidly spreading worm, which will attempt many outgoing connections to new computers. For example, while computers normally make approximately one connection per second, the
developed for each new virus or variant as it appears. SQL Slammer virus tried to infect more than 800
Signature development is usually performed by computers per second. [1]
skilled people who are able to produce only a certain The idea behind the Virus Throttle is to put a rate
number of signatures at a time. As the number of limit on connections to new computers, such that
normal traffic remains unaffected but suspect traffic that attempts to spread faster than the allowed rate is slowed. This creates large backlogs of connection requests that can be easily detected. Once the virus is slowed and detected, technicians and system administrators have the time they need to intervene, isolate the threat and eradicate it by cleaning the system. [1]

Figure 1: Throttle Control Flow [2]

Figure 1 shows the throttle control flow. All processes using the network are routed through the virus throttle. Every connection request is checked against the working set of recently contacted destinations; a request to a new destination is put on a delay queue. A queue-length detector counts the requests waiting for a single process: while the count stays within an acceptable threshold, new destinations are admitted to the working set in turn; once it exceeds the threshold, a rate limiter restricts the suspicious process's access to the network.

This technique differs from signature-and-patch approaches in three key ways:

i. It focuses on the network behaviour of the virus and prevents certain types of behaviour, in particular the attempted creation of a large number of outgoing connections per second.
ii. Instead of stopping viruses from entering a system, it restricts the code from leaving.
iii. Because connections exceeding the allowed rate can be held back for configurable periods of time rather than dropped outright, the system is tolerant to false positives and is therefore robust.

Virus Throttle technology is not meant to replace signature-based solutions but, rather, to complement them. Virus Throttle fills a gap in anti-virus protection that previously allowed unknown threats to wreak significant damage before patches could be deployed. With Virus Throttle, previously unknown threats can be mitigated, giving administrators time to deploy signature updates and patches against further attack.

4.1 Tests Show Quick Detection, Prevention

Tests of Virus Throttle technology conducted at Hewlett-Packard Labs in Bristol, U.K. show that the throttle detects and prevents worms spreading from an infected computer very quickly. For example, it stops the W32/Nimda-D worm in less than one second.

The test was carried out using a throttle that followed the control flow shown in Figure 1. The throttle parses all outgoing packets from a machine for TCP SYN packets. The destination address of an intercepted SYN packet is compared against a list of destination addresses of machines to which connections have previously been made, termed the working set. The working set can hold up to 5 such addresses. If the destination address is in the working set, the connection is allowed immediately. If the address is not in the working set but the working set is not full (it holds fewer than 5 addresses), the destination address is added to the working set and the connection is again allowed to proceed immediately. If neither condition is met, the SYN packet is added to the delay queue and is not transmitted immediately.

Once every second the delay queue is processed: the SYN packet at its head, and any other SYN packets with the same destination address, are popped and sent, allowing the requested connection to be established. The destination address of this packet is also added to the working set, the oldest member of which is discarded if the working set is full. If the delay queue is empty at processing time and the working set is full, the oldest member of the working set is discarded anyway, allowing the potential establishment of one connection per second to a target not recently connected to.

This design, summarised as a control flow in Figure 1, allows a host to create as many connections per second as it wants to the 5 most recently connected-to machines. Any further connection attempt is delayed for at least a second and then attempted. Delaying connections rather than simply dropping them matters in a cost-sensitive environment: a throttle that is incorrectly applied to legitimate connection attempts introduces an often imperceptible delay in the connection instead of prohibiting it entirely. [2]

The throttle flags a process as malicious when the number of connections it issues within the waiting time exceeds the permitted threshold, i.e. when its delay queue grows beyond the allowed length.
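The working set and delay queue described in sections 4 and 4.1, as an added Python example; this is not HP's implementation or the paper's code. The working-set size of 5 and the one-second processing interval follow the text. The queue-length threshold of 100 pending SYNs at which the host is declared to be behaving like a worm (DETECT_QUEUE_LEN), and the simulated normal and worm traffic, are assumptions made for this illustration.

```python
"""Virus Throttle core: working set + delay queue + queue-length detector.

Added example, not HP's code. WORKING_SET_SIZE and PROCESS_INTERVAL follow
the description in the text; DETECT_QUEUE_LEN and the simulated traffic
below are assumptions made for this illustration.
"""
import random
from collections import deque

WORKING_SET_SIZE = 5       # recently connected-to hosts that pass unthrottled
PROCESS_INTERVAL = 1.0     # seconds between delay-queue processing runs
DETECT_QUEUE_LEN = 100     # assumed: pending SYNs that mark a host as worm-like


class VirusThrottle:
    def __init__(self, ws_size=WORKING_SET_SIZE, detect_len=DETECT_QUEUE_LEN):
        self.ws_size = ws_size
        self.detect_len = detect_len
        self.working_set = deque()   # oldest on the left, newest on the right
        self.delay_queue = deque()   # (destination, arrival time), FIFO
        self.next_tick = PROCESS_INTERVAL
        self.sent_immediately = 0
        self.sent_delayed = 0
        self.detected_at = None      # time the queue first reached detect_len

    def _admit(self, dst):
        """Put dst in the working set, evicting the oldest member if full."""
        if dst in self.working_set:
            return
        if len(self.working_set) >= self.ws_size:
            self.working_set.popleft()
        self.working_set.append(dst)

    def _tick(self):
        """Once-per-second processing of the delay queue."""
        if self.delay_queue:
            head, _ = self.delay_queue[0]
            # release the head SYN plus every other queued SYN to the same host
            kept = deque((d, t) for d, t in self.delay_queue if d != head)
            self.sent_delayed += len(self.delay_queue) - len(kept)
            self.delay_queue = kept
            self._admit(head)
        elif len(self.working_set) >= self.ws_size:
            self.working_set.popleft()   # idle: free one slot for a new host

    def syn(self, dst, now):
        """Intercept an outgoing TCP SYN to dst issued at time now (seconds)."""
        while self.next_tick <= now:     # run any processing runs that are due
            self._tick()
            self.next_tick += PROCESS_INTERVAL
        if dst in self.working_set:
            self.sent_immediately += 1   # known host: no throttling at all
        elif len(self.working_set) < self.ws_size:
            self._admit(dst)             # spare slot: admit and pass through
            self.sent_immediately += 1
        else:
            self.delay_queue.append((dst, now))   # new host: hold for >= 1 s
            if self.detected_at is None and len(self.delay_queue) >= self.detect_len:
                self.detected_at = now   # hand over to the rate limiter / operator


def simulate_normal(rate=1.0, duration=30.0, seed=1,
                    servers=("mail", "dns", "web", "fileserver")):
    """Ordinary host: about `rate` connections/s to a fixed handful of servers."""
    rng = random.Random(seed)
    th, now = VirusThrottle(), 0.0
    while now < duration:
        th.syn(rng.choice(servers), now)
        now += rng.expovariate(rate)
    return th


def simulate_worm(rate, duration=10.0, seed=1):
    """Scanning worm: `rate` SYNs/s, each to a fresh random address."""
    rng = random.Random(seed)
    th = VirusThrottle()
    for i in range(int(rate * duration)):
        dst = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                               rng.randrange(1, 255))
        th.syn(dst, i / rate)
        if th.detected_at is not None:
            break
    return th


if __name__ == "__main__":
    n = simulate_normal()
    print("normal host: %d sent at once, %d delayed, detected=%s"
          % (n.sent_immediately, n.sent_delayed, n.detected_at))
    for r in (20, 120, 800):
        w = simulate_worm(r)
        print("worm at %4d SYN/s: detected after %.2f s, %d SYNs got out"
              % (r, w.detected_at, w.sent_immediately + w.sent_delayed))
```

Run as a script it prints the three simulations. With these parameters the ordinary host never has a SYN delayed, because its four servers fit in the working set. The scanner at 800 SYN/s (roughly the SQL Slammer rate quoted in section 4) fills the delay queue to the threshold after about 0.13 s and only the first five SYNs ever leave the machine; the slow scanner at 20 SYN/s takes about 5.45 s, because each one-second tick releases one queued SYN and the worm only slowly outruns that release rate. Detection time therefore falls as the scan rate rises, the same shape as Table 1, though the exact figures depend on the assumed threshold.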
The average time taken by the throttle to detect real and test worms is shown in Table 1.

Table 1: Average time taken by the test throttle to detect real and test worms [2]

Worm          Connections per second   Stopping time   Allowed connections
Nimda         120                      0.25 s          1
Test worm      20                      5.44 s          5
               40                      2.34 s          2
               60                      1.37 s          1
               80                      1.04 s          1
              100                      0.91 s          1
              150                      0.21 s          0
              200                      0.02 s          0
SQL Slammer   850                      0.02 s          0

4.2 W32/Nimda-D Worm

W32/Nimda-D is a mass-mailing worm that uses multiple methods to spread itself. It searches for network shares and attempts to copy itself to vulnerable Microsoft IIS web servers. It affects both local files and files on remote network shares. [3]

4.3 Limitations of the traditional way of detecting the W32/Nimda-D worm

The traditional way of detecting the W32/Nimda-D worm has the following limitations, which make it inefficient for time-critical applications:

• The worm spreads throughout the network and its web servers, so each computer in the network ends up with a copy of the worm.
• The antivirus software needs a signature update, which takes at least a day and at most a week, during which the worm may have replicated further.
• The temporary workaround is to suspend the network, which is impractical in an organisation because the suspension of work causes financial loss.
• After the signature updates have arrived, each computer in the network has to scan its whole system and clean each file. Scanning every computer on the network for the worm individually is a complex process for IT staff and takes days to complete.

4.4 Response to the W32/Nimda-D worm by the Virus Throttle

• The throttle detects the process exhibiting the abnormal activity of making far more connections per second to new hosts than normal traffic does (Table 1 records about 120 for Nimda, against roughly one per second for a normal host).
• The throttle cuts the extra connections made by the process, other than those to the current working set, thus implementing a temporary containment.
• Few or no other computers on the network are affected.

4.5 Benefits of Virus Throttle Technology

The benefits of Virus Throttle technology include the following:

• Works without knowing anything about the virus. Because it is triggered by the behaviour of a virus rather than by identifying its code, it can handle unknown threats without waiting for signature updates.
• Protects network infrastructure by slowing or stopping routed traffic from hosts exhibiting high connection rates. The infrastructure stays up and running even when it is under attack from a virus.
• Can provide event logs and SNMP trap warnings when worm-like behaviour is detected.
• Gives IT staff time to react before the problem escalates into a crisis.
• If deployed widely, makes it difficult for viruses to spread at all.

4.6 Advantages

Since the throttle prevents subsequent infection, the effect on the global spread of a virus depends on how widely the throttle is deployed. HP Labs results show that when only 50 percent of computers have the throttle installed, the global spread of both real and constructed worms is substantially reduced. Throttled machines contribute almost no infectious traffic despite being infected (at most the one new connection per second the throttle lets through), significantly reducing the amount of network traffic produced by a virus.
5. Virus Throttle for Virus Detection in PCs

The Virus Throttle technique used in a network environment can also be used to improve the speed of virus detection in PC-based anti-virus software. Presently available anti-virus software scans each application, DLL or other suspicious file for the code of known viruses.

A gateway called THROTWALL is installed in front of the antivirus software. The THROTWALL monitors all running processes for suspicious activity. The antivirus scanner holds the presently available virus signatures and also a trusted processes list. The job of the antivirus scanner is to check the files flagged by the THROTWALL for virus code or for an entry in the trusted processes list. The suspicious activity detected by the THROTWALL is defined by the following guidelines:

• a process uses resources that are not required for its normal operation;
• a process creates multiple child processes;
• a program changes multiple files;
• a change to the registry is executed;
• a change to the boot sector is executed;
• a change to a running program is executed;
• a file in the system directory is changed;
• a change to the system users and groups is executed;
• multiple files are created.

When one or more of these suspicious activities is detected, the following steps are followed to check the process for virus code:

i) Access to the restricted resource is blocked, while the process is still allowed to use general resources.
ii) The process and its child processes are scanned using the virus scanner.
iii) If the process is a trusted one, it is allowed to use the restricted resource: the gateway is commanded to permit access for the process.
iv) If the process is not a trusted one and is confirmed as a virus, the process and its parent or child processes are killed, and the antivirus program itself takes the necessary action to disinfect or delete the file.
v) If the process is not a trusted one and is not confirmed as a virus, the process is suspended from accessing the requested resources and the user is prompted for what action to take, or to add the process to the trusted applications list.

This technique improves the response and the overall performance of the antivirus software as well as of the PC itself.
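The guideline matching and the decision steps i) to v) of section 5, as an added Python example; this is not the paper's code, which describes THROTWALL only at the level above. The event records, the trusted-process list, the signature "database" and the byte-pattern scanner are constructed for the illustration, and the thresholds that decide what counts as "multiple" child processes or files are assumptions, since the text gives none. One tightening that is not in the text is labelled in the code: a process on the trusted list whose image matches a signature is still handled under step iv), because a trusted list that overrode a positive scan would let a trojanized trusted binary through.

```python
"""THROTWALL-style process gate: guideline matching plus decision steps i)-v).

Added example, not the paper's implementation. Event records, trusted list,
signatures and the scanner are constructed; thresholds for "multiple" are
assumptions (the text gives none).
"""
from dataclasses import dataclass, field
from typing import Optional

# Guidelines that fire on a single event of the given kind.
SINGLE_EVENT_GUIDELINES = {
    "unexpected_resource": "resource not required for normal operation",
    "modify_registry": "change to the registry",
    "write_boot_sector": "change to the boot sector",
    "patch_running_program": "change to a running program",
    "modify_system_dir": "file in the system directory changed",
    "modify_users_groups": "change to system users and groups",
}
# Guidelines that fire once "multiple" events are seen; thresholds assumed.
COUNTED_GUIDELINES = {
    "spawn_child": ("multiple child processes", 3),
    "modify_file": ("multiple files changed", 3),
    "create_file": ("multiple files created", 5),
}
# Constructed signature database and trusted-process list.
SIGNATURES = {b"NIMDA-D-MARKER": "W32/Nimda-D", b"SLAMMER-MARKER": "SQL Slammer"}
TRUSTED = {r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Updater\updater.exe"}


@dataclass
class Process:
    pid: int
    image_path: str
    image: bytes                      # file content handed to the scanner
    parent: Optional[int] = None
    children: list = field(default_factory=list)
    events: list = field(default_factory=list)   # (kind, resource) records
    blocked: set = field(default_factory=set)    # resources held back by step i)
    alive: bool = True


def matched_guidelines(proc):
    """Return the guidelines a process's event record violates, sorted."""
    hits, counts = set(), {}
    for kind, _res in proc.events:
        if kind in SINGLE_EVENT_GUIDELINES:
            hits.add(SINGLE_EVENT_GUIDELINES[kind])
        elif kind in COUNTED_GUIDELINES:
            counts[kind] = counts.get(kind, 0) + 1
    for kind, (name, threshold) in COUNTED_GUIDELINES.items():
        if counts.get(kind, 0) >= threshold:
            hits.add(name)
    return sorted(hits)


def scan(image):
    """Signature scanner stand-in: name of the first matching pattern, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in image:
            return name
    return None


def gate(pid, procs):
    """Apply steps i)-v) to one process; procs maps pid -> Process."""
    proc = procs[pid]
    hits = matched_guidelines(proc)
    if not hits:
        return {"verdict": "ALLOW", "reason": "no guideline matched", "hits": []}
    # i) block only the resources the suspicious events touched
    proc.blocked = {res for kind, res in proc.events
                    if kind in SINGLE_EVENT_GUIDELINES or kind in COUNTED_GUIDELINES}
    # ii) scan the process and its children
    family = [proc] + [procs[c] for c in proc.children if c in procs]
    found = None
    for p in family:
        found = found or scan(p.image)
    # iii) trusted and clean: command the gateway to permit access again.
    #      Tightening not in the text: a trusted image with a signature hit
    #      does not get a pass here and falls through to iv).
    if found is None and proc.image_path in TRUSTED:
        proc.blocked.clear()
        return {"verdict": "ALLOW", "reason": "trusted process", "hits": hits}
    # iv) confirmed virus: kill it with parent and children, then disinfect
    if found is not None:
        to_kill = family + ([procs[proc.parent]] if proc.parent in procs else [])
        for p in to_kill:
            p.alive = False
        return {"verdict": "KILL", "reason": found, "hits": hits,
                "killed": sorted(p.pid for p in to_kill),
                "disinfect": sorted({p.image_path for p in family})}
    # v) unknown and unconfirmed: keep the resources suspended and ask the user
    return {"verdict": "SUSPEND_PROMPT", "reason": "not trusted, no signature match",
            "hits": hits, "blocked": sorted(proc.blocked)}


def build_sample_processes():
    """Constructed event records for an illustration run (not real telemetry)."""
    share = r"\\fileserver\docs\report%d.doc"
    return {
        100: Process(100, r"C:\Windows\System32\svchost.exe", b"clean service image",
                     events=[("modify_registry", r"HKLM\SYSTEM\CurrentControlSet\Services")]),
        200: Process(200, r"C:\Users\bob\Downloads\readme.exe",
                     b"worm body NIMDA-D-MARKER more body", children=[201, 202],
                     events=[("spawn_child", "cmd.exe")] * 3
                     + [("modify_file", share % i) for i in range(4)]
                     + [("modify_system_dir", r"C:\Windows\System32\riched20.dll")]),
        201: Process(201, r"C:\Windows\System32\cmd.exe", b"shell image", parent=200),
        202: Process(202, r"C:\Windows\System32\cmd.exe", b"shell image", parent=200),
        300: Process(300, r"C:\Temp\setup_tool.exe", b"unknown installer image",
                     events=[("modify_registry", r"HKCU\Software\Tool")]
                     + [("create_file", r"C:\Tool\part%d.bin" % i) for i in range(6)]),
        400: Process(400, r"C:\Windows\notepad.exe", b"editor image",
                     events=[("modify_file", r"C:\Users\bob\notes.txt")]),
    }


def run_all(procs):
    """Gate every live process in pid order; children killed under iv) are skipped."""
    return {pid: gate(pid, procs) for pid in sorted(procs) if procs[pid].alive}


if __name__ == "__main__":
    for pid, r in run_all(build_sample_processes()).items():
        print(pid, r["verdict"], r["reason"], r["hits"])
```

In the constructed run the trusted service that edits the registry is allowed after a clean scan (step iii), the downloaded executable that spawns shells, rewrites documents on a share and touches the system directory is caught by three guidelines and killed together with its children because its image carries the constructed Nimda marker (step iv), the unknown installer that writes the registry and creates six files matches two guidelines but no signature and is held for the user (step v), and a single file edit matches nothing and is never scanned. Note that a real trusted list would be keyed on something stronger than a path, such as a file hash or signing certificate; matching on the path alone is an assumption of the example.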
6. Conclusion

Traditional methods of addressing viruses, worms and other malicious code depend on signatures and patches. That leaves systems vulnerable to previously unknown threats until protective code can be written and deployed. At a time when viruses spread more quickly than ever before, often generating paralysing amounts of network traffic, this is a significant gap.

This paper has described a new technique for virus detection on PCs that is based on HP's virus throttle technology. The new technique uses a gateway called THROTWALL in front of the antivirus software. Using the THROTWALL avoids having the antivirus scanner check every process and file, reducing the processing power required to detect viruses, Trojans and worms.

The THROTWALL also increases the efficiency of the antivirus software by stopping new viruses that are not present in the available signatures of known viruses. The new technique also increases the overall performance of the PC by freeing valuable processing power for other applications.

References:

[1] ProCurve Networking - Connection-Rate Filtering Based on Virus Throttle Technology, Hewlett Packard Company, 2006
[2] Jamie Twycross, Matthew M. Williamson - Implementing and Testing a Virus Throttle, Hewlett-Packard Labs, Bristol, U.K., 2003
[3] W32/Nimda-D Virus - Sophos Security Analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/w32nimdad.html
[4] M. M. Williamson, J. Twycross, J. Griffin, and A. Norman - Virus Throttling, Virus Bulletin, U.K., 2003
[5] Matthew M. Williamson - Design, Implementation and Test of an Email Virus Throttle, HP Laboratories Bristol, 2003