Towards Extending the Antivirus Capability to Scan Network Traffic Mohammed I. Al-Saleh Jordan University of Science and Technology Outline • • • • Problem and Background Threat Model System Architecture Conclusions and Future work Antivirus Virus Signatures Antivirus (cont.) • On-access Scanner – Scan on file system operations – Open, read, write, close, etc. • On-demand – Scan on user request Problem in Scanning Network Traffic • Al-Saleh et al., “Investigating the detection capabilities of antiviruses under concurrent attacks”. IET IFS Journal, 2014. Antivirus Detect? Kaspersky Anti-Virus 6.0 No Symantec Endpoint Protection 11.0 No Sophos Endpoint Security, and Control 10.0 No Panda Internet Security 2014 No Avg Internet Security 2014 No BitDefender Internet Security 2014 No Avast Internet Security 2014 No TotalDefense Internet Security No Problem (cont.) • Most malware infect victims through networks – Worm – Adware – Trojan Horse – Spam – Botnet – Etc. Why? • Is it hard to scan network traffic? – How hard is it? • Drop security for performance? – How much performance degradation when scanning network traffic? • Still speculation! – Exact reason is NOT known Solution • Very simple – It is a MUST to scan network traffic • How? – Hmmmm, needs more thinking… Threat Model Basic Idea • Simply, we need a way to tell the AV to scan network data. – Discrete packets (IP level) • ineffective scanner; – Malware spans different packets – Out of order – Higher level (TCP) • • • • Builds state machine Maintains order Separates connections Separates inbound from outbound traffic Packet Capturing (pcap) • Kernel modules – passively capture network traffic and pass them to user space processes through a well-defined Application Programming Interface (API) • Examples: Tcpdump and Wireshark • Use such libraries to build a state machine for TCP connections ClamAV • The most popular open-source AV – www.clamav.net • Allows agents to make use of it programmatically – Link to the ClamAV shared library – ClamAV daemon along with the database of virus signatures are loaded once and shared with the user agents. System Architecture Conclusion and Future Work • Antivirus software MUST scan network traffic • The proposed system will be implemented • Performance impact should be studied Acknowledgements • Jordan University of Science and Technology for the financial support Thanks