Virus Detection System (VDS)
seak@antiy.net
Outline
The virus trends of 2004
Qualities of an IDS
Mechanisms of a VDS
Data processing
20047 new kinds of virus in 2004
Breakdown by type (pie chart on the slide):
Trojan 45%
Back Door 20%
Worm 11%
Other 10%
Hacker tools 6%
AD/Erotic pieces 3%
PE 2%
Virus writing generation tool 2%
Script virus 1%
UNIX 0%
How a traditional IDS works
Meticulous protocol analysis.
Lightweight rule set: no more than 500 records in a rule set.
Unitary software designing
Unitary design: in the case of dealing with an extensive, complicated incident, we should classify the events and unify one or more of the processing modules by using an extensible data structure and data set.
AV Ware: scan target object's divergence.
IDS: protocol's divergence.
AVML and Snort
Echo
virus(id="B00801";type="Backdoor";os="Win32";format="pe";name="bo";version="a";size="124928";Port_listen=on[31337];content=|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;delmark=1)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Backdoor.bo.a Upload"; content:|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Backdoor.bo.a Copy"; content:|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;)
Redundant scans caused by divergence
(Figure: the same transferred content is scanned once per protocol branch: FTP rules, transfer character rules, NETBIOS rules.)
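As an added example (not part of the original slides or of Antiy's AVML tooling), the following Python parses the AVML virus record shown above and derives the per-channel Snort rules that a protocol-divergent IDS needs for the same payload. The field-splitting logic, the channel-to-port map (the two ports the slide uses) and the Snort quoting are my assumptions.

```python
# Added example, not Antiy's code: parse the AVML virus record from the
# slide and derive the per-channel Snort rules a traditional IDS would need
# for the same payload. Only the virus(key=value;...) shape visible on the
# slide is parsed; the channel-to-port map is an assumption.
import re
from typing import Dict, List

# The AVML record exactly as shown on the slide (signature hex joined).
AVML_RECORD = (
    'virus(id="B00801";type="Backdoor";os="Win32";format="pe";name="bo";'
    'version="a";size="124928";Port_listen=on[31337];content=|'
    '81EC0805000083BC240C05000000535657557D148B84242'
    '40500008BAC242005000050E9950500000F85800500008B'
    '|;delmark=1)'
)

# Assumed: the transport channels a traditional IDS splits the scan over.
# The slide shows an FTP upload (21) and a NETBIOS copy (139).
CHANNELS = {"Upload": 21, "Copy": 139}


def parse_avml(record: str) -> Dict[str, str]:
    """Split virus(key=value;key=value;...) into a dict.
    Values may be "quoted", |hex| or bare; quotes are stripped, the |..|
    delimiters are kept so binary content stays distinguishable."""
    m = re.fullmatch(r"\s*virus\((.*)\)\s*", record, re.S)
    if not m:
        raise ValueError("not an AVML virus record")
    fields: Dict[str, str] = {}
    for part in m.group(1).split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def content_bytes(fields: Dict[str, str]) -> bytes:
    """Decode the |hex| signature into the raw PE code fragment."""
    return bytes.fromhex(fields["content"].strip("|"))


def listen_port(fields: Dict[str, str]) -> int:
    """Port_listen=on[31337] -> 31337."""
    m = re.fullmatch(r"on\[(\d+)\]", fields["Port_listen"])
    if not m:
        raise ValueError("unexpected Port_listen value")
    return int(m.group(1))


def to_snort(fields: Dict[str, str]) -> List[str]:
    """One AVML record becomes one Snort rule per channel: this duplication
    is the 'divergence' the slides argue against. Snort's own syntax wants
    the hex inside quotes with space-separated bytes, which the slide elides."""
    name = f'{fields["type"]}.{fields["name"]}.{fields["version"]}'
    hexs = " ".join(f"{b:02X}" for b in content_bytes(fields))
    return [
        f'alert tcp $EXTERNAL_NET any -> $HOME_NET {port} '
        f'(msg:"{name} {label}"; content:"|{hexs}|";)'
        for label, port in CHANNELS.items()
    ]


if __name__ == "__main__":
    f = parse_avml(AVML_RECORD)
    print(f"{f['name']}: {len(content_bytes(f))}-byte signature, "
          f"listens on {listen_port(f)}")
    for rule in to_snort(f):
        print(rule)
```

Every additional transport the worm can use adds one more entry to CHANNELS, while the AVML side stays one record; that is the scaling point of the next slides.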
Rule set scaling pressure

type          quantity
Email worm    2807
IM-worm       172
P2P-worm      1007
IRC-worm      715
Other worm    675
total         5376

Besides worms, there are over 20,000 Trojans, Backdoors, etc. which transfer over the network. The corresponding rule quantity may exceed 30,000 records.
Algorithm optimization (1)
(Figure: the influence of record quantity on record matching time; x-axis records, 0 to 24,000; y-axis duration (ms), 0 to 5,000.)
When the quantity of rules is less than 6,000, it is not obvious that time increases linearly with record count. But after about 10,000 records, that begins to change, causing a sudden drop in performance up until it is simply unavailable.
Algorithm optimization (2)
(Figure: scan methods' and data objects' influence on the speed; x-axis records, 0 to 24,000; y-axis duration (ms), 0 to 6,000. Series: real rules against network data, Trojan detection against network data, real rules against random data, random rules against network data.)
The scanning speed is also affected by the data being matched and the quality of the patterns.
Algorithm optimization (3)
(Figure: influence on efficiency caused by limiting the approximation of the virus' characteristics; x-axis records, 500 to 29,000; y-axis speed (kb/s), 0 to 1,200. Series: original, improved.)
Key method of designing VDS
The Unitary Model focuses on matching speed and matching granularity — matching is of foremost importance.
Network traffic data is classified into three types: data matched on the binary level, data needing pre-treatment and data needing specific algorithms.
Data flow direction and the level of virus detection
Divided into 4 levels: collection, divergence, detection and processing.
Provides package scanning, incomplete data scanning and complete data scanning.
(Figure: data flows upward through the levels. Data collection level: Sniffer. Data diffluence level: protocol analysis and diffluence. Virus scan level: package scan, stream scan, protocol tag transfer, pretreatment, complete dataflow / (file) scan. Event process level: data log / process backstage, cross verification.)
System structure
Data efficiency
Virus data output from Harbin Institute of Technology on July 8, 2003.
Statistics from the 26th week of 2005.
Unknown virus forewarning system
Detected an unknown worm (I-Worm.Unknow) increasing notably on June 5, 2003. On June 6 it was shown to be the virus I-worm.sobig.f.
Event Processing (1)
Detection Events Description Language (DEDL). We use descriptors to define standard formats for network events and make them support other formats. Defined elements: event type, event ID, source IP, target IP, event time, and so on. More than 20 such key elements.
Processing methods: tech-based internal combine, parallel combine, analysis-based parallel combine, radiant combine, convergence combine, chain combine.
Event Processing (2)
If there exist Net_Action(RPC_Exploit)[IP(1)->IP(2);time(1)] and Net_Action(RPC_Exploit)[IP(2)->IP(3);time(2)], and time(2)>time(1), then Net_Action(RPC_Exploit)[IP(1)->IP(2)->IP(3)].
That is, two exploit events that share an intermediate host and occur in time order are combined into one propagation chain.
Behavior Classifications
DEDL events:
Net_Action(act)[IP(1),IP(2):445;;time(1)]
Net_Action(act)[IP(1),IP(3):445;;time(1)]
...
Net_Action(act)[IP(1),IP(12):445;;time(1)]
=> Net_Action(Trans,Worm.Win32.Dvldr)[IP(1)->IP(12);time(1)]
AVML diagnostic behavior regulations (Virus_act_lib):
Virus seek(id="W02872";dport=139,445;trans=netbios)
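To show the two event-combination rules of the last two slides in working form, here is an added Python example (my own code, not Antiy's DEDL/AVML implementation): the chain combine of Event Processing (2) and the convergence of many port-445 connections into one worm-transfer event from Behavior Classifications. The event structure, the threshold of distinct targets and the time window are assumptions; the rule id, worm name and ports come from the slides.

```python
# Added example, not Antiy's code: toy versions of two DEDL event-combination
# rules. Field names, rule id/name/ports and the chain rule come from the
# slides; the data structures, target threshold and window are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NetAction:
    """One DEDL Net_Action event: act, source IP, target IP, dport, time."""
    act: str
    src: str
    dst: str
    dport: Optional[int]
    time: int


def format_action(e: NetAction) -> str:
    """Render an event in the slides' notation."""
    port = f":{e.dport}" if e.dport is not None else ""
    return f"Net_Action({e.act})[{e.src}->{e.dst}{port};time({e.time})]"


def format_chain(act: str, path: Tuple[str, ...]) -> str:
    return f"Net_Action({act})[{'->'.join(path)}]"


def chain_combine(events: Iterable[NetAction], act: str) -> List[Tuple[str, str, str]]:
    """Chain combine: if Net_Action(act)[IP1->IP2;t1] and
    Net_Action(act)[IP2->IP3;t2] with t2 > t1, emit IP1->IP2->IP3.
    The t2 > t1 check separates a propagation path from two unrelated
    events that merely share an address."""
    same = [e for e in events if e.act == act]
    by_src: Dict[str, List[NetAction]] = defaultdict(list)
    for e in same:
        by_src[e.src].append(e)
    chains = set()
    for first in same:
        for second in by_src.get(first.dst, []):
            if second.time > first.time:
                chains.add((first.src, first.dst, second.dst))
    return sorted(chains)


@dataclass(frozen=True)
class WormRule:
    """Mirrors the AVML rule seek(id="W02872";dport=139,445;trans=netbios).
    min_targets and window are assumptions, not values from the slides."""
    rule_id: str
    name: str
    dports: FrozenSet[int]
    min_targets: int
    window: int


def classify_worm(events: Iterable[NetAction], rule: WormRule) -> List[NetAction]:
    """Convergence combine: one source reaching min_targets distinct hosts
    on the rule's ports inside `window` collapses into a single
    Net_Action(Trans,<worm>)[IP1->IPn;time] event."""
    by_src: Dict[str, List[NetAction]] = defaultdict(list)
    for e in events:
        if e.dport in rule.dports:
            by_src[e.src].append(e)
    found: List[NetAction] = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e.time)
        lo = 0
        for hi, last in enumerate(evs):
            while last.time - evs[lo].time > rule.window:  # slide the window
                lo += 1
            if len({e.dst for e in evs[lo:hi + 1]}) >= rule.min_targets:
                found.append(NetAction(f"Trans,{rule.name}", src, last.dst, None, last.time))
                break  # one classification per source is enough
    return found


DVLDR_RULE = WormRule("W02872", "Worm.Win32.Dvldr", frozenset({139, 445}), 12, 60)


def sample_events() -> List[NetAction]:
    """Constructed sample: an RPC exploit hopping A->B->C->D, one host
    sweeping twelve neighbours on 445, and a benign host touching three."""
    ev = [
        NetAction("RPC_Exploit", "10.0.0.1", "10.0.0.2", 135, 1),
        NetAction("RPC_Exploit", "10.0.0.2", "10.0.0.3", 135, 5),
        NetAction("RPC_Exploit", "10.0.0.3", "10.0.0.4", 135, 9),
        # earlier than the hop into 10.0.0.4, so it must not chain onto it
        NetAction("RPC_Exploit", "10.0.0.4", "10.0.0.5", 135, 3),
    ]
    ev += [NetAction("Connect", "10.0.1.1", f"10.0.1.{n}", 445, 100 + n) for n in range(2, 14)]
    ev += [NetAction("Connect", "10.0.2.1", f"10.0.2.{n}", 445, 100 + n) for n in range(2, 5)]
    return ev
```

Running chain_combine(sample_events(), "RPC_Exploit") yields the two ordered hops and rejects the out-of-order one, and classify_worm(sample_events(), DVLDR_RULE) reports only the host that swept twelve targets.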
Data processing
(Figure: IRC SERVER, IRC SERVER2 and IRC SERVER3 linked by IRC connections to NODE A, NODE B, NODE C and NODE D, with Virus.A shown at Node A and Node B and spreading across the nodes.)
Thoughts
Network virus monitoring has been explored academically and productively. It has now expanded into a new technology with its own direction.
The path of virus defense leads us to the world of freedom.

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Virus Detection System

  • 1. Virus Detection System VDS seak@antiy.net
  • 2. Outline The virus trends of 2004 Qualities of an IDS Mechanisms of a VDS Data processing
  • 3. 20047 new kinds of virus in 2004 (pie chart, share by type): Trojan 45%, Back Door 20%, worm 11%, Other 10%, Hacker tools 6%, AD/Erotic pieces 3%, PE 2%, Virus writing generation tool 2%, Script virus 1%, UNIX 0%
  • 4. Outline The virus trends of 2004 Qualities of an IDS Mechanisms of a VDS Data processing
  • 5. How a traditional IDS works Meticulous protocol analysis Lightweight rule set No more than 500 records in a rule set.
  • 6. Unitary software designing
    Unitary design: In the case of dealing with an extensive complicated incident, we should classify the events and unify one or more of the processing modules by using an extensible data structure and data set.
    AV Ware: Scan target object's divergence.
    IDS: Protocol's divergence.
  • 7. AVML and Snort
    Echo
    virus(id="B00801";type="Backdoor";os="Win32";format="pe";name="bo";version="a";size="124928";Port_listen=on[31337];content=|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;delmark=1)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Backdoor.bo.a Upload"; content:|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Backdoor.bo.a Copy"; content:|81EC0805000083BC240C05000000535657557D148B8424240500008BAC242005000050E9950500000F85800500008B|;)
  • 8. Redundant scans caused by divergence (diagram: FTP transfer rules, NETBIOS rules and character rules)
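The divergence on slides 7 and 8 is easiest to see in code. As an added example (not code from the Antiy slides or the VDS product), the following Python parses the AVML record from slide 7, expands it into one Snort rule per carrying protocol, which is where the duplicated copies of the same content pattern come from, and then matches the stored pattern once against each reassembled transferred object, in the unitary style slide 6 describes. The AVML grammar is inferred from the single record shown; the port-to-action table follows slide 7 and the sample payloads are constructed.

```python
"""Added example, not code from the Antiy VDS slides.

Parses the AVML record shown on slide 7, expands it into per-protocol Snort
rules (the divergence that duplicates one pattern across FTP and NETBIOS
rules), and scans reassembled objects once against the stored pattern.
The AVML grammar is inferred from that single record; the sample payloads
are constructed.
"""
import re

# Record from slide 7, with the hex joined across the slide's line break.
AVML_RECORD = (
    'virus(id="B00801";type="Backdoor";os="Win32";format="pe";name="bo";'
    'version="a";size="124928";Port_listen=on[31337];'
    'content=|81EC0805000083BC240C05000000535657557D148B8424240500008BAC2420'
    '05000050E9950500000F85800500008B|;delmark=1)'
)

# Carrying protocols from slide 7: FTP upload on 21, NETBIOS copy on 139.
CARRIERS = {21: ("ftp", "Upload"), 139: ("netbios", "Copy")}


def parse_avml(record: str) -> dict:
    """Split kind(key=value;...) into a dict; a |hex| value becomes bytes."""
    m = re.fullmatch(r"(\w+)\((.*)\)", record.strip(), re.S)
    if not m:
        raise ValueError("not an AVML record")
    fields = {"_kind": m.group(1)}
    for item in m.group(2).split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        value = value.strip()
        if len(value) > 1 and value[0] == value[-1] == "|":
            fields[key] = bytes.fromhex(value[1:-1])
        else:
            fields[key] = value.strip('"')
    return fields


def to_snort(rec: dict, carriers: dict = CARRIERS) -> list:
    """One Snort rule per carrying protocol. The pattern bytes are copied into
    every rule, so traffic on each port is matched against every copy."""
    hexstr = rec["content"].hex().upper()
    sig = f'{rec["type"]}.{rec["name"]}.{rec["version"]}'
    return [
        f'alert tcp $EXTERNAL_NET any -> $HOME_NET {port} '
        f'(msg:"{sig} {action}"; content:|{hexstr}|;)'
        for port, (_proto, action) in carriers.items()
    ]


def scan_objects(objects: list, records: list) -> list:
    """Unitary model: reassemble the transferred object first, then match each
    stored pattern once, whatever protocol carried the object."""
    hits = []
    for proto, payload in objects:
        for rec in records:
            if rec["content"] in payload:
                hits.append((proto, rec["id"], rec["name"]))
    return hits


def demo() -> list:
    """Constructed objects: the same backdoor body moved over FTP and over
    NETBIOS, plus an unrelated HTTP body that must not match."""
    rec = parse_avml(AVML_RECORD)
    body = b"MZ" + b"\x00" * 30 + rec["content"] + b"\x90" * 16
    objects = [
        ("ftp", body),
        ("netbios", body),
        ("http", b"GET /index.html HTTP/1.0\r\n\r\n" + b"\x00" * 64),
    ]
    return scan_objects(objects, [rec])


if __name__ == "__main__":
    record = parse_avml(AVML_RECORD)
    print(f"{record['id']} content is {len(record['content'])} bytes")
    for rule in to_snort(record):
        print(rule)
    print(demo())
```

With two carriers the pattern is stored twice on the Snort side and once on the AVML side; every additional protocol that can move the same file adds another copy of every content rule, which is the rule-set growth slide 9 quantifies.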
  • 9. Rule set scaling pressure
    type          quantity
    Email worm    2807
    IM-worm       172
    P2P-worm      1007
    IRC-worm      715
    Other worm    675
    total         5376
    Besides worms, there are over 20,000 Trojans, Backdoors, etc. which transfer over the network. The corresponding rule quantity may exceed 30,000 records.
  • 10. Outline The virus trends of 2004 Qualities of an IDS Mechanisms of a VDS Data processing
  • 11. Algorithm optimization (1)
    When the quantity of rules is less than 6,000, it is not obvious that the time duration (ms) increases linearly with record count. But after about 10,000 records, that begins to change, causing a sudden drop in performance up until it is simply unavailable.
    Chart: The influence of record quantity on record matching time (x axis: records, 0 to 24,000; y axis: duration (ms), 0 to 5,000)
  • 12. Algorithm optimization (2)
    The scanning speed is also affected by the data being matched and the quality of the patterns.
    Chart: Scan methods' and data objects' influence on the speed (x axis: records, 0 to 24,000; y axis: duration (ms), 0 to 6,000; series: actual rules detecting network data, Trojan detection on network data, actual rules detecting random data, random rules detecting network data)
  • 13. Algorithm optimization (3)
    Chart: Influence on efficiency caused by limiting the approximation of the virus' characteristics (x axis: records, 500 to 29,000; y axis: speed (kb/s), 0 to 1,200; series: original, improved)
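The curves on slides 11 to 13 measure the cost of matching a rule set whose size keeps growing. As an added example (the slides do not show their own matching algorithm, so this is not it), the following Python contrasts a per-rule scan, whose time grows with the number of rules, with an Aho-Corasick automaton that matches every loaded pattern in a single pass over the data. Patterns and traffic are constructed, not real signatures; the class and function names are ours.

```python
"""Added example, not code from the Antiy VDS slides.

Compares two ways of matching a rule set against traffic: a per-rule scan,
whose cost grows with the number of rules, and an Aho-Corasick automaton,
which matches every pattern in one pass over the data. Patterns and traffic
are constructed; they are not real signatures.
"""
from collections import deque
import random
import time


def naive_scan(data: bytes, patterns: list) -> set:
    """One pass over the data for every rule: about len(data) * len(patterns).
    Returns {(offset, pattern_index)}."""
    hits = set()
    for idx, pat in enumerate(patterns):
        if not pat:
            continue
        pos = data.find(pat)
        while pos != -1:
            hits.add((pos, idx))
            pos = data.find(pat, pos + 1)
    return hits


class AhoCorasick:
    """Byte-level multi-pattern matcher: build once (like loading a rule set),
    then scan any amount of traffic in one pass whatever the rule count."""

    def __init__(self, patterns: list):
        self.goto = [{}]     # state -> {byte: next state}
        self.out = [[]]      # state -> pattern indexes that end in this state
        self.fail = [0]      # state -> state of the longest proper suffix
        self.lengths = [len(p) for p in patterns]
        for idx, pat in enumerate(patterns):
            if not pat:
                continue
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(idx)
        # Breadth-first pass: failure links, and outputs merged so a state
        # also reports every pattern that is a suffix of its own path.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data: bytes) -> set:
        """Single pass; returns the same {(offset, pattern_index)} as naive_scan."""
        hits, s = set(), 0
        for pos, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for idx in self.out[s]:
                hits.add((pos + 1 - self.lengths[idx], idx))
        return hits


# Constructed overlapping patterns: "he" and "hers" share a prefix, "she"
# ends in "he", so suffix outputs must be merged correctly.
DEMO_PATTERNS = [b"he", b"she", b"his", b"hers"]
DEMO_DATA = b"ushers"


def agreement_check(seed: int = 1, trials: int = 20) -> bool:
    """Random small-alphabet inputs: both matchers must report identical hits."""
    rng = random.Random(seed)
    for _ in range(trials):
        pats = list({bytes(rng.choice(b"ab") for _ in range(rng.randint(1, 4)))
                     for _ in range(6)})
        data = bytes(rng.choice(b"ab") for _ in range(200))
        if naive_scan(data, pats) != AhoCorasick(pats).search(data):
            return False
    return True


def benchmark(rule_counts=(500, 2000, 8000), pattern_len=16, data_len=65536) -> dict:
    """Scan the same constructed traffic with growing rule sets. Returns
    {rule_count: (per_rule_seconds, single_pass_seconds)}; automaton build
    time is excluded because it is paid once, like loading the rule set."""
    rng = random.Random(2004)
    data = bytes(rng.getrandbits(8) for _ in range(data_len))
    results = {}
    for n in rule_counts:
        patterns = [bytes(rng.getrandbits(8) for _ in range(pattern_len)) for _ in range(n)]
        t0 = time.perf_counter()
        naive_scan(data, patterns)
        t1 = time.perf_counter()
        automaton = AhoCorasick(patterns)
        t2 = time.perf_counter()
        automaton.search(data)
        t3 = time.perf_counter()
        results[n] = (t1 - t0, t3 - t2)
    return results


if __name__ == "__main__":
    for n, (per_rule, single_pass) in benchmark().items():
        print(f"{n:6d} rules: per-rule {per_rule:.3f}s, single pass {single_pass:.3f}s")
```

Only the trend in `benchmark` is meaningful: `bytes.find` runs in C while the automaton loop is pure Python, so for small rule sets the per-rule scan can still win on absolute time. What the numbers show is the shape of slide 11, the per-rule column growing with the rule count while the single-pass column stays flat.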
  • 14. Key method of designing VDS The Unitary Model focuses on matching speed and matching granularity — matching is of foremost importance. Network traffic data is classified into three types: data matched on the binary level, data needing pre-treatment and data needing specific algorithms.
  • 15. Data flow direction and the level of virus detection
    Divided into 4 levels: data collection, divergence, detection and processing.
    Event process level: data log / process backstage; (file) scan; complete dataflow; cross verification
    Virus scan level: stream scan; provides package scanning, incomplete transfer data scanning and complete data scanning; protocol tag
    Data diffluence level: protocol analysis and data diffluence
    Data collection level: sniffer
  • 17. Data efficiency Virus data output from Harbin Institute of Technology on July 8, 2003.
  • 18. Statistics from the 26th week of 2005
  • 19. Unknown virus forewarning system Detected an unknown worm (I-Worm.Unknow) increasing notably on June 5, 2003. On June 6 it was shown to be the virus I-worm.sobig.f.
  • 20. Outline The virus trends of 2004 Qualities of an IDS Mechanisms of a VDS Data processing
  • 21. Event Processing (1)
    Detection Events Description Language (DEDL). We use descriptors to define standard formats for network events and make them support other formats.
    Defined elements: event type, event ID, source IP, target IP, event time, and so on. More than 20 such key elements.
    Processing methods:
      Tech-based: Internal combine, Parallel combine
      Analysis-based: Parallel combine, Radiant combine, Convergence combine, Chain combine
  • 22. Event Processing (2)
    If exist Net_Action(RPC_Exploit)[IP(1)->IP(2);time(1)] and Net_Action(RPC_Exploit)[IP(2)->IP(3);time(2)] and time(2)>time(1)
    then Net_Action(RPC_Exploit)[IP(1)->IP(2)->IP(3)]
  • 23. Behavior Classifications
    DEDL events:
      Net_Action(act)[IP(1),IP(2):445;;time(1)]
      Net_Action(act)[IP(1),IP(3):445;;time(1)]
      ...
      Net_Action(act)[IP(1),IP(12):445;;time(1)]
    AVML diagnostic behavior regulations (Virus_act_lib):
      Virus ... seek(id="W02872";dport=139,445;trans=netbios)
    Result:
      Net_Action(Trans,Worm.Win32.Dvldr)[IP(1)->IP(12);time(1)]
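The two correlations sketched on slides 22 and 23, carried through in Python as an added example (not the VDS implementation, which the slides do not show): the chain combine for RPC_Exploit events, and the fan-out classification that folds many same-port Net_Action events from one source into a single worm-transfer event using the W02872 seek rule printed on slide 23. Event fields follow the DEDL elements the slides list (event type, source IP, target IP, event time); the class names, the fan-out threshold, the time window and the sample events are constructed assumptions.

```python
"""Added example, not code from the Antiy VDS slides.

Carries through the DEDL-style correlations on slides 22 and 23 over
constructed events: the chain combine for RPC_Exploit, and the fan-out
classification that turns many same-port Net_Action events from one source
into one worm-transfer event using the W02872 seek rule from slide 23.
Class names, threshold, window and sample events are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetAction:
    act: str      # event type, e.g. "RPC_Exploit"
    src: str      # source IP
    dst: str      # target IP
    dport: int    # target port
    time: int     # event time (seconds)


@dataclass(frozen=True)
class WormTransfer:
    rule_id: str
    name: str
    src: str
    targets: tuple
    time: int


# AVML seek rule as printed on slide 23.
SEEK_RULES = [
    {"id": "W02872", "name": "Worm.Win32.Dvldr", "dport": {139, 445}, "trans": "netbios"},
]
# Assumption: slide 23 shows IP(2)..IP(12), eleven targets, so ten distinct
# targets within WINDOW seconds is used as the fan-out threshold here.
FANOUT_THRESHOLD = 10
WINDOW = 60


def chain_combine(events: list, act: str) -> list:
    """Slide 22: exist act[IP1->IP2;t1] and act[IP2->IP3;t2] with t2 > t1
    gives act[IP1->IP2->IP3]. Returns sorted (IP1, IP2, IP3) chains."""
    by_src = defaultdict(list)
    for e in events:
        if e.act == act:
            by_src[e.src].append(e)
    chains = set()
    for e1 in events:
        if e1.act != act:
            continue
        for e2 in by_src.get(e1.dst, []):
            if e2.time > e1.time:
                chains.add((e1.src, e1.dst, e2.dst))
    return sorted(chains)


def classify_fanout(events: list, rules: list = SEEK_RULES,
                    threshold: int = FANOUT_THRESHOLD, window: int = WINDOW) -> list:
    """Slide 23: many Net_Action events from one source to distinct targets on
    a port named by a seek rule, close together in time, become one
    Net_Action(Trans, <virus name>) event."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.src, e.dport)].append(e)
    results = []
    for (src, dport), evs in groups.items():
        for rule in rules:
            if dport not in rule["dport"]:
                continue
            evs.sort(key=lambda e: e.time)
            start = evs[0].time
            targets = {e.dst for e in evs if e.time - start <= window}
            if len(targets) >= threshold:
                results.append(WormTransfer(rule["id"], rule["name"], src,
                                            tuple(sorted(targets)), start))
    return results


# Constructed sample events.
SAMPLE_EVENTS = [
    # A two-hop chain: 10.0.0.1 exploits 10.0.0.2, which then exploits 10.0.0.3.
    NetAction("RPC_Exploit", "10.0.0.1", "10.0.0.2", 135, 100),
    NetAction("RPC_Exploit", "10.0.0.2", "10.0.0.3", 135, 160),
    # Earlier than the first hop, so it must not be chained onto it.
    NetAction("RPC_Exploit", "10.0.0.2", "10.0.0.4", 135, 90),
] + [
    # Fan-out: one host touching eleven neighbours on 445 at the same time.
    NetAction("Connect", "192.168.1.5", f"192.168.1.{n}", 445, 200) for n in range(10, 21)
] + [
    # Web traffic from the same host: no seek rule names port 80.
    NetAction("Connect", "192.168.1.5", f"10.1.1.{n}", 80, 200) for n in range(1, 4)
]


def demo_chains() -> list:
    return chain_combine(SAMPLE_EVENTS, "RPC_Exploit")


def demo_worms() -> list:
    return classify_fanout(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(demo_chains())
    print(demo_worms())
```

The threshold and window are the tuning knobs: the slide's IP(2) to IP(12) list fixes how many targets it took in that case, but a deployment sets them from its own baseline of legitimate SMB fan-out, since file servers and domain controllers also touch many hosts on 445.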
  • 24. Data processing (diagram: Virus.A on NODE A to NODE D, with IRC connections to IRC SERVER, IRC SERVER2 and IRC SERVER3)
  • 25. Thoughts Network virus monitoring has been explored academically and productively. It has now expanded into a new technology with its own direction. The path of virus defense leads us to the world of freedom.