Towards Extending the Antivirus Capability to Scan Network Traffic Mohammed I. Al-Saleh

advertisement
Towards Extending the Antivirus
Capability to Scan Network Traffic
Mohammed I. Al-Saleh
Jordan University of Science and Technology
Outline
•
•
•
•
Problem and Background
Threat Model
System Architecture
Conclusions and Future work
Antivirus
Virus Signatures
Antivirus (cont.)
• On-access Scanner
– Scan on file system operations
– Open, read, write, close, etc.
• On-demand
– Scan on user request
Problem in Scanning Network Traffic
• Al-Saleh et al., “Investigating the detection
capabilities of antiviruses under concurrent attacks”.
IET IFS Journal, 2014.
Antivirus
Detect?
Kaspersky Anti-Virus 6.0
No
Symantec Endpoint Protection 11.0
No
Sophos Endpoint Security, and Control 10.0
No
Panda Internet Security 2014
No
Avg Internet Security 2014
No
BitDefender Internet Security 2014
No
Avast Internet Security 2014
No
TotalDefense Internet Security
No
Problem (cont.)
• Most malware infect victims through networks
– Worm
– Adware
– Trojan Horse
– Spam
– Botnet
– Etc.
Why?
• Is it hard to scan network traffic?
– How hard is it?
• Drop security for performance?
– How much performance degradation when
scanning network traffic?
• Still speculation!
– Exact reason is NOT known
Solution
• Very simple
– It is a MUST to scan network traffic
• How?
– Hmmmm, needs more thinking…
Threat Model
Basic Idea
• Simply, we need a way to tell the AV to scan
network data.
– Discrete packets (IP level)
• ineffective scanner;
– Malware spans different packets
– Out of order
– Higher level (TCP)
•
•
•
•
Builds state machine
Maintains order
Separates connections
Separates inbound from outbound traffic
Packet Capturing (pcap)
• Kernel modules
– passively capture network traffic and pass them to
user space processes through a well-defined
Application Programming Interface (API)
• Examples: Tcpdump and Wireshark
• Use such libraries to build a state machine for
TCP connections
ClamAV
• The most popular open-source AV
– www.clamav.net
• Allows agents to make use of it programmatically
– Link to the ClamAV shared library
– ClamAV daemon along with the database of virus
signatures are loaded once and shared with the user
agents.
System Architecture
Conclusion and Future Work
• Antivirus software MUST scan network traffic
• The proposed system will be implemented
• Performance impact should be studied
Acknowledgements
• Jordan University of Science and Technology
for the financial support
Thanks
Download