Virus Detection Mechanisms - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Virus Detection Mechanisms' - haamid
Presentation Transcript

Virus Detection Mechanisms

Final Year Project by

Chaitanya kumar CH

K.S. Karthik

Project details
  • Project Guide: Dr. V.Ch.Venkaiah
  • Description:
    • Study various detection mechanisms
    • Implement the mechanisms
Some important terms
  • Backdoors/Trapdoors allow unauthorized access to the system.
  • Logic bombs are programmed threats that lie dormant for an extended period of time until they are triggered.
Some important terms (Cont…)
  • A Virus is a piece of code that inserts itself into a host [program] to propagate. The virus is executed along with the original program.
  • Boot sector viruses insert themselves into the boot sector area and are activated when the system boots.
Some important terms (Cont…)
  • Multi-partite viruses are viruses that can use multiple means of infection, such as the MBR, the boot sector and parasitic infection.
  • Trojan horses are programs that appear to have one function but actually perform another function.
Some important terms (Cont…)
  • A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
Some important terms (Cont…)
  • Payload refers to what the virus does (besides propagation) once executed.
    • Do nothing
    • Playing with your data
    • Malicious damage
Detection of Internet Worms
  • Traffic Analysis
    • Growth in traffic volume
    • Rise in number of scans and sweeps
    • Change in traffic patterns for some hosts
    • Predicting scans by analyzing the scan engine of the worm
Detection of Internet Worms
  • Honeypots
    • Set up a seemingly vulnerable host on the network and log all filesystem and network activity using low-level tools
    • This gives a picture of what happens when a worm strikes a real host, along with network signatures and binaries, which can be used to develop attack signatures
Detection of Internet Worms
  • Worms don’t usually monitor DNS entries for new hosts. They simply scan.
  • Black hole monitoring
    • Monitor the locally unused subnets within our address space.
    • Monitor the globally unused address space, or dark IP space, and watch for any use of it.
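Detection logic for the traffic-analysis and black hole monitoring ideas above, as an added example that is not from the slides. The flow records and the "dark" (locally unused) subnets are constructed for the example:

```python
import ipaddress
from collections import defaultdict

# Added example, not from the slides. Flow records are constructed, in the
# form (source, destination, destination port) as a capture summariser might
# emit them; the DARK_NETS are assumed to be locally unused address space.
DARK_NETS = [ipaddress.ip_network("10.0.9.0/24"),
             ipaddress.ip_network("10.0.10.0/24")]
SCAN_FANOUT = 3   # distinct destinations on one port before we call it a sweep

FLOWS = [
    ("10.0.0.5", "10.0.1.20", 445),    # normal file-server use
    ("10.0.0.5", "10.0.1.21", 80),     # normal web use
    ("10.0.0.77", "10.0.1.20", 445),   # a worm sweeps port 445 ...
    ("10.0.0.77", "10.0.9.1", 445),    # ... including addresses nobody uses
    ("10.0.0.77", "10.0.9.2", 445),
    ("10.0.0.77", "10.0.10.7", 445),
]

def is_dark(dst: str) -> bool:
    """True if the destination lies in unused (black hole) address space."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_NETS)

def analyse(flows):
    """Return {source: (dark_targets, max_fanout_on_one_port)} for sources
    that either touched dark space or swept SCAN_FANOUT+ hosts on one port."""
    dark = defaultdict(set)                            # src -> dark dsts hit
    per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> dsts
    for src, dst, port in flows:
        per_port[src][port].add(dst)
        if is_dark(dst):
            dark[src].add(dst)
    suspects = {}
    for src, ports in per_port.items():
        fanout = max(len(dsts) for dsts in ports.values())
        if dark[src] or fanout >= SCAN_FANOUT:
            suspects[src] = (len(dark[src]), fanout)
    return suspects

if __name__ == "__main__":
    for src, (n_dark, fanout) in analyse(FLOWS).items():
        print(f"{src}: {n_dark} dark-space targets, fan-out {fanout}")
```

A single packet to dark space is already suspicious on its own, since nothing legitimate should be addressed there; the fan-out count catches sweeps that happen to stay inside used address space.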
Detection of Internet Worms
  • Signature-Based Detection
    • Network signatures
    • Log signatures from non-vulnerable servers
    • Filesystem signatures (used by any typical antivirus software)
Defenses against worms
  • Host based
    • Personal Firewalls, antivirus software, privilege control
  • Firewall and Network Defenses
    • Stop existing worms
    • Implement inbound and outbound rules
    • Reactive IDS
Defenses against worms
  • Proxy-Based Defenses (application level)
    • Authentication
    • Mail-server proxies (can scan the emails)
    • Web-based proxies (content screening)
Attacking the Worm Network
  • Shutdown messages (stop the worm processes or halt the host)
  • “I am already infected”
  • Poison updates
  • These methods can be unprofessional if our counter-attack gets out of our control
Virus Scanners
  • Compare code to a database of known malicious code
    • Just matching strings in the code
    • Reasonably useful in the days of floppies
  • Identify viruses by their “signatures.”
  • Search for these patterns in executable files.
  • Watch for changes in files
    • Size, time of modification, etc.
  • Monitor system for malicious actions
Virus Scanners Internals
[Diagram: read/write request/reply path passing through the disk driver down to the hardware]
Virus Scanners Internals
  • File system filter scans a file whenever it is accessed.
  • If the file is infected, it returns the original file after cleaning it.
  • If it cannot be cleaned, it returns a failure message and performs an appropriate action such as quarantining or deleting the infected file.
Monitoring using compression enabled filesystem
  • The virus can hide itself in other files by prepending itself to other executables.
  • But this way there will be a change in the file size, which can be easily recognized.
Monitoring using compression enabled filesystem
  • To avoid detection, a virus compresses the original file and then prepends the virus to it.
  • Since the compression reduces the file size by the size of the virus, there will be no apparent change in file size.
  • When executed, the virus code decompresses the original code and then executes it.
Monitoring using compression enabled filesystem
[Diagram: file sizes before compression by the file system. The original file is compressed by the size of the virus code, and the virus is prepended, giving "virus + original file compressed by the virus" at the original size.]
Monitoring using compression enabled filesystem
[Diagram: the original file, the virus, and the original file compressed by the virus, shown as file sizes before compression by the file system and as file sizes on the disk after compression by the file system; compression by the virus and compression by the file system are marked separately.]
Monitoring using compression enabled filesystem
  • In a compression enabled filesystem the logical file size differs from the size on the disk, where the file is stored compressed.
  • When a virus hides itself in another file by compressing it and prepending the virus code, the file size on the disk may differ once the file is compressed again by the filesystem.
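A model of the size check described in the compression enabled filesystem slides, added here and not part of the project's code. It assumes zlib stands in for the filesystem's transparent compression, and uses a constructed host file and virus stub:

```python
import zlib
from dataclasses import dataclass

# Added example (not from the slides): models the check the deck describes.
# Assumption: the filesystem's transparent compression is modelled with zlib.

@dataclass(frozen=True)
class SizeRecord:
    logical: int   # size the OS reports to applications
    on_disk: int   # size after the filesystem compresses the file

def fs_compress(data: bytes) -> bytes:
    """Stand-in for the filesystem's own compression."""
    return zlib.compress(data, 9)

def record(data: bytes) -> SizeRecord:
    """Baseline a monitor would store for each executable: both sizes."""
    return SizeRecord(len(data), len(fs_compress(data)))

def simulate_infection(host: bytes, virus: bytes, compress: bool) -> bytes:
    """Model of the two infection styles in the slides.
    compress=False: naive prepend, the logical size grows.
    compress=True: compress the host so virus + host keeps the old size."""
    if not compress:
        return virus + host
    packed = zlib.compress(host, 9)
    budget = len(host) - len(virus)
    if len(packed) > budget:
        raise ValueError("host too small or incompressible to hide the virus")
    return virus + packed + b"\0" * (budget - len(packed))  # pad to old size

def check(baseline: SizeRecord, current: bytes) -> str:
    """Compare both sizes; the on-disk size is the one the trick cannot hide."""
    now = record(current)
    if now.logical != baseline.logical:
        return "logical size changed"
    if now.on_disk != baseline.on_disk:
        return "on-disk size changed: possible compressed-host infection"
    return "clean"

# Constructed sample "executable": a header plus highly redundant code/data.
HOST = b"MZ" + b"\x90" * 4000 + b"SEGMENT .text " * 50
VIRUS = b"<constructed virus stub>" * 8

if __name__ == "__main__":
    base = record(HOST)
    for mode in (False, True):
        print("compressing" if mode else "naive", check(base, simulate_infection(HOST, VIRUS, mode)))
```

The already-compressed host inside the infected file no longer shrinks under the filesystem's compression, so the on-disk size moves even though the logical size is exactly what it was.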