Signature based virus detection and protection system
Uploaded by md-hasan-basri-angel
Category: Technology

Transcript of Signature based virus detection and protection system
Slide 1: Signature based virus detection and protection system

Slide 2: Outline
• Overview
• Infection Strategies
• Evaluation of Virus
• Virus News & Statistics
• Identification Methods
• Project Overview
• Data Flow Diagram (DFD)
• Design the Proposed System
• Conclusion
• Future Work
Slide 3
• A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner.
• The term "virus" is also commonly but incorrectly used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability.
• A true virus can only spread from one computer to another (in some form of executable code).
Slide 4: Infection vectors (from the diagram)
• Email/IM
• Flash Drive
• Floppy Disk
• CD/DVD, Pirated Software
• Internet/FTP
• LAN/File Sharing
Slide 5
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of lawful programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously.
[Figure: a virus attaching to host objects 1, 2, 3, … such as an Object File or a Resource DLL/OCX]
Slide 6
Figure: Virus Encounter Vectors
The following graph depicts security vulnerabilities experienced by actual enterprise customers as surveyed by ICSA Labs for the years 1996 through 2002.
Slide 7
Figure: Impact of Client Computing Vulnerabilities
Ref: ICSA Labs Virus Prevalence Survey 2002
Slide 8
1. The first virus was born in the very beginning of the 1970s.
2. Creeper was an experimental self-replicating program written by Bob Thomas at BBN in 1971.
3. Creeper gained access via the ARPANET and copied itself to the remote system.
4. The Reaper program was created to delete Creeper. [First Antivirus]
5. "Rother J" was the first computer virus to appear outside the lab where it was created. It was written in 1981 by Richard Skrenta.
6. The first PC virus in the wild was a boot sector virus dubbed Brain, created in 1986 by the Farooq Alvi Brothers.
7. Macro viruses have become common since the mid-1990s.
Slide 9
• It is estimated that PC viruses cost businesses approximately $55 billion in damages in 2003.
• Processing between 50,000 and 60,000 new copies per hour, "W32/Mydoom.A has exceeded the infamous SoBig.F virus in terms of copies intercepted, and the number continues to rise."
• MessageLabs collected over 1.2 million copies of W32/Mydoom.A-mm.
• At its peak infection rate, about 1 in 12 emails on the Internet were MyDoom viruses.
Slide 11
Figure: Virus Signature Definition
A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.
Format: <Virus CRC16/CRC32 Hash Value> | <Virus Name>
Examples:
0095C3A4|STONED.LESZOP.A
0086C7BE|STONED.MARCH6.A
Slide 12: Identification methods (search tree from the diagram)
Search:
• Memory Search
• File Search
• Registry Search
Matching: Content Based, Icon Based
Slide 13: Design of the proposed system (data flow diagram, processes 1 and 2)
Process 1: Removable Drive Scan. Searches for a worm as soon as a removable drive (flash drive, pen drive etc.) is plugged into the system and blocks auto-run activity.
  Data store: Removable Drive
  Actions: Delete virus (M1); Search Dependencies; Delete Dependencies (M2)
Process 2: Startup scan. Scans files and processes at the startup registry path.
  Data stores: Startup Info., System Registry
  Actions: Delete Files (M2); Delete Reg. Keys (M3); Kill Process Tree (M1)

Slide 14: Data flow diagram, processes 3 and 4
Process 3: Real Time Monitor. MILSPEC-MINING, applied to monitor how processes behave.
  Data stores: Process List, Running Process
  Actions: Search Dependencies; Delete Files (M2); Delete Reg. Keys (M3); Kill Process Tree (M1)
Process 4: Scan For Drive. Uses a dictionary scan to match against existing virus signatures or icons.
  Data stores: Directory, Local Disk Drive
  Actions: Search Dependencies; Delete Files (M2); Delete Reg. Keys (M3); Kill Process Tree (M1)

Slide 15: Data flow diagram, process 5
Process 5: Scan with sample. Scans by file name / icon / size / visibility etc.
  Target: Content of the Local Disk Drive (Local Drives, Directory Search)
  Actions: Delete Files (M2); Delete Reg. Keys (M3); Kill Process Tree (M1)
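Process 5 matches files by metadata (name, icon, size, visibility) rather than by hash. The Python below is an added example written for this transcript, not the project's own code: the file entries, the icon labels, the size table and the rules are all constructed to show how such heuristics can be expressed and combined into a per-file verdict; the project's actual rules are not on the page.

```python
import os
from dataclasses import dataclass


@dataclass
class FileEntry:
    """Metadata the heuristic scanner looks at (constructed stand-in for a directory listing)."""
    path: str
    size: int      # bytes
    hidden: bool   # hidden/system attribute set
    icon: str      # label for the icon resource the file displays


# Extensions that Windows will execute, and the document/image extensions a
# double-extension name tries to pass itself off as (both lists constructed).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXT = {".jpg", ".png", ".doc", ".pdf", ".txt"}

# Icons an executable has no business showing (constructed labels).
DISGUISE_ICONS = {"folder", "document", "image"}

# "Scan with sample": exact sizes of known samples, constructed for the example.
KNOWN_SAMPLE_SIZES = {51200: "CONSTRUCTED.SAMPLE.A"}


def evaluate(entry: FileEntry) -> list[str]:
    """Return the heuristic rules the entry triggers (empty list means unremarkable)."""
    flags: list[str] = []
    base = os.path.basename(entry.path).lower()
    stem, ext = os.path.splitext(base)

    if ext in EXECUTABLE_EXT:
        # holiday.jpg.scr: an executable pretending to be an image/document.
        if os.path.splitext(stem)[1] in DOCUMENT_EXT:
            flags.append("double-extension")
        # An executable showing a folder/document icon.
        if entry.icon in DISGUISE_ICONS:
            flags.append("disguised-icon")
        # Executables on removable media normally are not hidden.
        if entry.hidden:
            flags.append("hidden-executable")
        # Size matches a catalogued sample.
        if entry.size in KNOWN_SAMPLE_SIZES:
            flags.append("size-matches:" + KNOWN_SAMPLE_SIZES[entry.size])

    # autorun.inf on a removable drive is what process 1 blocks.
    if base == "autorun.inf":
        flags.append("autorun-present")
    return flags


def scan_listing(entries: list[FileEntry]) -> dict[str, list[str]]:
    """Map each flagged path to its rule hits; clean files are omitted."""
    results: dict[str, list[str]] = {}
    for entry in entries:
        flags = evaluate(entry)
        if flags:
            results[entry.path] = flags
    return results


# Constructed removable-drive listing.
DRIVE_LISTING = [
    FileEntry("E:/Photos.exe", 51200, False, "folder"),
    FileEntry("E:/holiday.jpg.scr", 2048, True, "image"),
    FileEntry("E:/autorun.inf", 120, True, "text"),
    FileEntry("E:/report.pdf", 120000, False, "document"),
    FileEntry("E:/setup.exe", 4000000, False, "application"),
]


def demo() -> dict[str, list[str]]:
    return scan_listing(DRIVE_LISTING)


if __name__ == "__main__":
    for path, flags in demo().items():
        print(f"{path}: {', '.join(flags)}")
```

Each rule on its own is weak (legitimate installers are sometimes hidden, and a size collision proves nothing), so a practical scanner treats the flag list as evidence to combine with the signature lookup rather than as a verdict by itself.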
Slide 16
To store the virus signatures, a collection of flat files is used, and the attributes of each record are separated by the pipe symbol '|'. Some examples are given below:
• 5B110B72|DENZUK.E
• 5B0DE15C|PINGPONG.A
• 5BEB04FF|WIN95.TWINNY.1638449
• 5B807327|WIN32.BOLZANO.3628
• 5B33914C|GENE.948
The portion before the '|' (pipe) is the virus signature in CRC16 form, and the portion after it is the virus code name. Approximately 30’00 virus signatures are included in this project.
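The signature format defined on slide 11 and the flat-file database described on slide 16 can be exercised end to end: write records, parse them back, and hash files against them. The Python below is an added example for this transcript, not the project's own code. The sample bodies, file names and virus names are constructed; their CRC32 values are computed at run time rather than copied from the project's database, and the two real records taken from the transcript's example list are included unchanged.

```python
import re
import zlib

# One record of the flat-file format: <8 hex-digit CRC32>|<virus name>.
# This example handles CRC32 records only; CRC16 records would be 4 digits.
SIG_LINE = re.compile(r"^([0-9A-Fa-f]{8})\|([^|\s]+)$")


def crc32_hex(data: bytes) -> str:
    """CRC32 of the whole byte string, as 8 upper-case hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def signature_line(data: bytes, name: str) -> str:
    """Produce one flat-file record for a known sample."""
    return f"{crc32_hex(data)}|{name}"


def parse_signature_db(text: str) -> dict[str, str]:
    """Load the flat file into a CRC32 -> name map, rejecting malformed records."""
    db: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = SIG_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed signature record on line {lineno}: {raw!r}")
        crc, name = match.groups()
        db[crc.upper()] = name
    return db


def scan_files(files: dict[str, bytes], db: dict[str, str]) -> dict[str, str]:
    """Hash every file body and report those whose CRC32 is in the database."""
    hits: dict[str, str] = {}
    for path, content in files.items():
        name = db.get(crc32_hex(content))
        if name is not None:
            hits[path] = name
    return hits


# Constructed sample bodies standing in for known-bad files (not real malware).
SAMPLE_A = b"CONSTRUCTED-SAMPLE-A: stands in for a known worm body"
SAMPLE_B = b"CONSTRUCTED-SAMPLE-B: stands in for a second known sample"

# Constructed database: two records generated from the samples above plus two
# records copied from the transcript's own example list.
SIGNATURE_DB_TEXT = "\n".join([
    signature_line(SAMPLE_A, "CONSTRUCTED.SAMPLE.A"),
    signature_line(SAMPLE_B, "CONSTRUCTED.SAMPLE.B"),
    "5B110B72|DENZUK.E",
    "5B0DE15C|PINGPONG.A",
])

# Constructed removable-drive contents: an exact copy of sample A, a clean
# file, and a copy of sample A with its last byte changed.
DRIVE_FILES = {
    "E:/setup.exe": SAMPLE_A,
    "E:/notes.txt": b"meeting notes, nothing to see here",
    "E:/setup_v2.exe": SAMPLE_A[:-1] + b"!",
}


def demo() -> dict[str, str]:
    db = parse_signature_db(SIGNATURE_DB_TEXT)
    return scan_files(DRIVE_FILES, db)


if __name__ == "__main__":
    for path, virus in demo().items():
        print(f"{path}: {virus}")
```

The listing shows the main limitation of a whole-file checksum signature: the copy with one changed byte has a different CRC32 and is not reported, so every variant needs its own record. CRC32 is also an error-detecting code, not a cryptographic hash, so two unrelated files sharing a value is expected rather than surprising; production engines pair such lookups with content-based signatures over selected byte ranges.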