SlideShare une entreprise Scribd logo

Virus detection based on virus throttle technology

Ahmed Muzammil
Ahmed Muzammil

In the Internet age, virus epidemics are getting worse than before, making the networks slow, computers slow, suspending mission critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of possible virus affection. The special feature of this technology is that its virus detection algorithm is based on the network behavior of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.

Technologie
1  sur  5
Télécharger pour lire hors ligne
Virus Detection based on Virus Throttle Technology J. Ahmed Muzammil S. Suresh Kumar UG Student, Dept. of Information Technology, Principal, Noorul Islam College of Engineering Vivekanandha College of Technology (Anna University), (Anna University), Kumaracoil, Tamilnadu, India. Elayampalayam, Thiruchengode, Erode. ahmedmuzammil@outlook.com nice.ssk@gmail.com Abstract In the Internet age, Virus Epidemics are getting worse than before, making the networks slow, Computers slow, suspending mission critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of possible virus affection. The special feature of this technology is that its virus detection algorithm is based on the network behaviour of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates. Keywords: Virus, Worm, Throttle, Antivirus, Network Security 1. Introduction operations down or develop inoculations to cure the As every network administrator knows, virus infections. epidemics are only getting worse. In 2003, the SQL Nor is productivity the only victim of network Slammer worm infected 75,000 computers in one viruses. The SQL Slammer virus took out a 911 minute, making it the fastest-moving virus ever seen, emergency response center serving two police and caused major network disruptions worldwide. departments and 14 fire departments near Seattle, Nimbda, Blaster, Code Red, Sasser and Welchia are USA. Protecting against computer viruses can continual threats as well. Today, computer users are ultimately be an effort to protect lives. [1] directly threatened by more than 97,000 viruses, In this paper we define a new technique for worms and Trojan horses. Increased usage of virus detection in PC based on the network virus and network applications such as Instant Messages, P2P worm detection technique of virus throttle. The also increases the risk of virus infection. In the 3rd organization of the paper is such that the section 2 quarter of 2005, the volume of IM(Instant defines the terms virus, worm and Trojan. Section 3 Messaging) threats were more than 3,000 percent explains the limitations of the existing methods for higher than the previous year, according to IMlogic virus detection. Section 4 explains Virus Throttle Threat Center. technology and also the detection methodology is To protect themselves from the onslaught of explained using an example worm W32/Nimbda-D. traffic generated by computer viruses, many The method we have devised for virus detection in corporations shut down portions of their network PCs which is based on the existing Virus Throttle infrastructure; when they can’t act fast enough, entire Technology is defined in the Section 5 of the paper. network subnets or even entire networks can be Section 6 concludes the paper. brought down by viruses. Either way, the viruses cost corporations incalculable sums in lost productivity. 2. Definitions Beyond bringing normal operations in an office or 2.1 Virus enterprise to a halt, computer viruses can put A computer virus is a computer program that attacker-defined code on a system to cause additional can copy itself and infect a computer without damage. permission or knowledge of the user. The original Network threats once were slow-moving and may modify the copies or the copies may modify easy to defend against when information transfer was themselves, as occurs in a metamorphic virus. A done largely by sharing floppies. Organizations had virus can only spread from one computer to another the time they needed to clean their networks and when its host is taken to the uninfected computer, for install defences. However, as CPU speeds increase, instance by a user sending it over a network or bandwidth grows, networks become more business carrying it on a removable medium such as a floppy critical and clients become more mobile, network disk, CD, USB drive or by the Internet. Additionally, administrators increasingly lack the time to shut
viruses can spread to other computers by infecting viruses increase, the time between initial detection files on a network file system or a file system that is and the release of a signature also increases, allowing accessed by another computer. Viruses are sometimes a virus to spread further in the interim. confused with computer worms and Trojan horses. This latency between the introduction of a new virus or worm into a network and the implementation 2.1. Worm and distribution of a signature-based patch can be A computer worm is a self-replicating computer significant. Within this period, a network can be program. It uses a network to send copies of itself to crippled by the abnormally high rate of traffic generated by infected hosts. other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a As long as attacks occur at “machine speed” and virus, it does not need to attach itself to an existing responses are implemented at “human speed,” program. Worms always harm the network (if only computers will essentially be defenseless against new threats. As systems get bigger and more complex, so by consuming bandwidth), whereas viruses always does the problem of addressing new threats. infect or corrupt files on a targeted computer. A different solution is needed. A truly resilient 2.2. Trojan Horse infrastructure would include a solution that automatically hampers, contains and mitigates attacks Trojan horse is a program that installs malicious by previously unknown threats, giving the people software while under the guise of doing something responsible for an infrastructure’s security the time else. Though not limited in their payload, Trojan they need to implement a response. horses are more notorious for installing backdoor programs which allow unauthorized non permissible Rather than replacing current, signature-and- remote access to the victim's machine by unwanted patch-based protections, the new solution would parties - normally with malicious intentions. Unlike a complement them by allowing computers and computer virus, a Trojan horse does not propagate by humans to each do what they do best: computers can inserting its code into other computer files. The term respond far more quickly than people, but are poor at is derived from the classical myth of the Trojan gauging the nature of a previously unknown threat. Horse. Like the mythical Trojan Horse, the malicious Humans are good at making such decisions, but are code is hidden in a computer program or other slow—by machine standards—to act. A new solution computer file which may appear to be useful, would have computers acting quickly to stabilize a interesting, or at the very least harmless to an situation until humans could intervene. [1] unsuspecting user. When this computer program or file is executed by the unsuspecting user, the 4. Virus Throttle malicious code is also executed resulting in the set up Virus Throttle technology is a technology that or installation of the malicious Trojan horse program. was originally devised by HP Labs. It is a new technique that overcomes the limitations of previous 3. Limitations of existing methods responses and meets the need for rapid containment Current methods to stop the propagation of and mitigation of attacks by malicious agents. malicious agents rely on the use of signature Traditional approaches to anti-viral protection recognition to prevent hosts from being infected. are based on the actual code or signature of the virus. That is, they seek to prevent the virus or worm from Virus Throttle, in contrast, is based on the behaviour entering the system. These methods concentrate on of malicious code and the ways in which that the physical characteristics of the virus—i.e., its behaviour differs from that of normal code. Virus program code—and use parts of this code to create a Throttle is based on the observation that under unique signature. Programs entering the system are normal activity, a computer will make fairly few compared against this signature and discarded if they outgoing connections to new computers, but instead match. is more likely to regularly connect to the same set of While this method has been effective in computers. This is in contrast to the fundamental protecting systems, it has several limitations which, behaviour of a rapidly spreading worm, which will as the number of viruses increase, decrease its attempt many outgoing connections to new effectiveness. It is fundamentally a reactive and case- computers. For example, while computers normally by-case approach in that a new signature needs to be make approximately one connection per second, the developed for each new virus or variant as it appears. SQL Slammer virus tried to infect more than 800 Signature development is usually performed by computers per second. [1] skilled people who are able to produce only a certain The idea behind the Virus Throttle is to put a rate number of signatures at a time. As the number of limit on connections to new computers, such that
normal traffic remains unaffected but suspect traffic protection that previously allowed unknown threats that attempts to spread faster than the allowed rate to wreak significant damage before patches could be will be slowed. This creates large backlogs of deployed. With Virus Throttle, previously unknown connection requests that can be easily detected. Once threats can be mitigated, giving administrators time the virus is slowed and detected, technicians and to deploy signature updates and patches against system administrators have the time they need to further attack. intervene in order to isolate and eradicate the threat by cleaning it from the system. [1] 4.1 Tests Show Quick Detection, Prevention Tests of Virus Throttle technology conducted at Hewlett-Packard Labs in Bristol, U.K. show that Virus Throttle is able to very quickly detect and prevent worms spreading from an infected computer. For example, the throttle is able to stop the W32/Nimda-D worm in less than one second. The test was carried out using a throttle that followed the control flow shown in the Figure 1. The virus throttle parses all outgoing packets from a machine for TCP SYN packets. The destination address of an intercepted SYN packet is then compared against a list of destination addresses of Figure 1: Throttle Control Flow [2] machines to which connections have previously been made, which is termed as the working set. The Figure 1 shows the throttle control flow. All the working set can hold up to 5 such addresses. If the processes using the network are routed through the destination address is in this working set the virus throttle. A process requesting access is checked connection is allowed immediately. If the address is with a set of working processes. If it is a newly not in the working set and the working set is not full requesting process then it is put on a delay queue. A i.e. it holds less than 5 addresses, the destination queue length detector detects the number of address is added to the working set and the connection requests from a single process and if it is connection is once again allowed to proceed within an acceptable threshold, then the new process immediately. If none of these two conditions are met, is updated in the working set of processes. If the the SYN packet is added to what we term the delay number of connections is above the threshold, then a queue and is not transmitted immediately. rate limiter limits the suspicious process from Once every second the delay queue is accessing the network. processed and the SYN packet at its head and any other SYN packets with the same destination address This technique differs from signature-and-patch are popped and sent, allowing the establishment of approaches in three key ways: the requested connection. The destination address of this packet is also added to the working set, the oldest i. It focuses on the network behaviour of the virus member of which is discarded if the working set is and prevents certain types of behaviour — in full. If the delay queue is empty at processing time particular, the attempted creation of a large and the working set is full, the oldest member of number of outgoing connections per second. working set is also discarded, allowing for the ii. It is also unique in that, instead of stopping potential establishment of one connection per second viruses from entering a system, it restricts the to a target not recently connected to. code from leaving. This design, summarised as a control flow in iii. Because connections exceeding the allowed rate Figure 1, allows hosts to create as many connections can be blocked for configurable periods of time, per second as they want to the 5 most recently the system is tolerant to false positives and is connected-to machines. Any further connection therefore robust. attempts will be delayed for at least a second, and then attempted. Delaying connections rather than Virus Throttle technology is not meant to replace simply dropping them is important in a cost-sensitive signature-based solutions but, rather, to complement environment that, if incorrectly targeted at legitimate them. Virus Throttle fills a gap in anti-virus connection attempts, will introduce an often
imperceptible delay in the connection, instead of • After the signature updates have arrived, each prohibiting it entirely. [2] computer in the network will have to scan the The throttle detects a process as a malicious whole system and clean each file. It is a one when the number of connections issued by the complex process for the IT people to scan process is more in number within the waiting time. each computer on the network for the worm individually and takes days to complete. The Average time taken by the Throttle to detect real and test worms is shown in the Table 1. 4.4 Response to W32/Nimbda-D worm by the Virus Throttle connections stopping time allowed per second connections • The throttle detects the process which makes Nimbda the abnormal activity of making over 500 120 0.25s 1 connections per second. Test Worm • The throttle cuts the extra connections made 20 5.44s 5 by the process other than the current 40 2.34s 2 working set, thus implementing a temporary 60 1.37s 1 solution. 80 1.04s 1 • No or less number of other computer on the 100 0.91s 1 network are affected. 150 0.21s 0 200 0.02s 0 4.5 Benefits of Virus Throttle Technology SQL Slammer The benefits of Virus Throttle technology 850 0.02s 0 include the following: • Works without knowing anything about the Table 1: Average time taken by the test Throttle to virus. Because it is triggered by the detect real and test worms [2] behaviour of a virus rather than by identifying the code of the virus, it can 4.2 W32/Nimbda-D Worm handle unknown threats without waiting for signature updates. W32/Nimbda-D is a mass-mailing worm that uses multiple methods to spread itself. It searches for • Protects network infrastructure by slowing network shares, attempts to copy itself to vulnerable or stopping routed traffic from hosts Microsoft IIS web servers. It is a virus that affects exhibiting high connection rates. The both local files and files on remote network shares. infrastructure will stay up and running, even [3] when it is under attack from a virus. • Can provide event logs and SNMP trap 4.3 Limitations in traditional way of detection of warnings when worm-like behaviour is W32/Nimbda-D worm detected. The traditional way of detecting the W32/Nimbda- • Gives IT staff time to react before the D worm has the following limitations which makes it problem escalates to a crisis. ineffiecient for use in time critical applications. • If deployed widely, makes it difficult for viruses to spread at all. • The virus spreads out throughout the network and web servers. So each computer in the 4.6 Advantages network will have a copy of the worm. Since the throttle prevents subsequent • The antivirus software needs a signature infection, the effect on the global spread of a virus update. For that it takes atleast a day and depends on how widely the throttle is deployed. HP atmost a week, within which the virus may Labs results show that when only 50 percent of have replicated more. computers are installed with the throttle, the global spread of both real and constructed worms is • The temporary solution to this problem is to substantially reduced. Throttled machines do not suspend the network, which is impossible in contribute any network traffic in spite of being an organisation as it causes a financial loss infected, significantly reducing the amount of due to suspension of work. network traffic produced by a virus.
5. Virus Throttle for Virus Detection in PCs v) If the process is not a trusted one, and it is The technique of Virus Throttle on a Network not confirmed as a virus, then the process is Environment can be used for improving the speed of suspended for access to the requested virus detection of PC based Anti-Virus Softwares. resources and the user is prompted for what The presently available Anti-Virus Softwares scan action to take or to add the process to the each Application, DLL or other suspicious files for trusted applications list. virus code of known viruses. This technique definitely improves the response A gateway called THROTWALL is installed and the overall performance of the Antivirus software befront an antivirus software. The THROTWALL as well as the PC itself. monitors all the running processes for suspicious activity. The antivirus scanner consists of presently 6. Conclusion: available signatures of viruses and also a trusted Traditional methods of addressing viruses, processes list. The job of the antivirus scanner is to worms and other malicious code depend on check the files flagged by the THROTWALL for signatures and patches. That leaves systems virus code or an entry in the trusted processes list. vulnerable to previously unknown threats until The suspicious activity that is detected by the protective code can be written and deployed. At a THROTWALL is defined by the following time when viruses spread more quickly than ever guidelines: before, often generating paralysing amounts of network traffic, this is a significant lapse. • When a process uses resources that are not required for its normal operation This paper has demonstrated a new technique for • When a process creates multiple child virus detection on PCs that is based on the virus process throttle technology of HP. The new technique uses a gateway called THROTWALL in front of an • When a change to multiple files is executed antivirus software. Using the THROTWALL by a program prevents checking all the processes and files by the • When a change to the registry is executed antivirus scanner. Thus reducing the processing • When a change to the boot sector is power required to detect viruses, Trojans and worms. executed • When a change to a running program is The usage of THROTWALL even increases the executed efficiency of the antivirus software by preventing • When a file in the system directory is new viruses that are not present in the available signatures of known viruses. The new technique also changed increases the overall performance of the PC by • When a change to the system users and making available, the valuable processing power for groups is executed other applications. • When multiple files are created When one or more of a suspicious activity is References: detected, the following steps are followed to check [1] ProCurve Networking - Connection-Rate the process for virus code: Filtering Based on Virus Throttle Technology, i) The access to the restricted resource is Hewlett Packard Company, 2006 blocked while still allowing the process to [2] Jamie Twycross, Matthew M. Williamson - use the general resources Implementing and testing a virus throttle, ii) The particular process and child processes Hewlett-Packard Labs, Bristol, U.K., 2003 are scanned using a virus scanner [3] W32/Nimda-D Virus - Sophos Security Anlaysis iii) If the process is a trusted one, then the http://www.sophos.com/security/analyses/viruses process is allowed to use the restricted -and-spyware/w32nimdad.html resources by commanding the gateway to permit access for the process [4] M. M. Williamson, J. Twycross, J. Griffin, and iv) If the process is not a trusted one, and it is A. Norman. Virus throttling. In Virus Bulletin, confirmed as a virus, then the process and its U.K., 2003. parent or child processes are killed and [5] Matthew M. Williamson - Design, necessary action to disinfect or delete the Implementation and Test of an Email Virus file is taken by the antivirus program itself. Throttle, HP Laboratories Bristol, 2003

Recommandé

2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...Mrunalini Koritala
 
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...UltraUploader
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
Eh34803812
Eh34803812Eh34803812
Eh34803812IJERA Editor
 
Survey on Computer Worms
Survey on Computer WormsSurvey on Computer Worms
Survey on Computer Wormsrahulmonikasharma
 
Introductions To Malwares
Introductions To MalwaresIntroductions To Malwares
Introductions To MalwaresCyber Vignan
 
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging wormdeepikareddy123
 
Computing safety
Computing safetyComputing safety
Computing safetyBrulius
 

Recommandé

2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...Mrunalini Koritala
 
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...UltraUploader
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
Eh34803812
Eh34803812Eh34803812
Eh34803812IJERA Editor
 
Survey on Computer Worms
Survey on Computer WormsSurvey on Computer Worms
Survey on Computer Wormsrahulmonikasharma
 
Introductions To Malwares
Introductions To MalwaresIntroductions To Malwares
Introductions To MalwaresCyber Vignan
 
2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging worm2011 modeling and detection of camouflaging worm
2011 modeling and detection of camouflaging wormdeepikareddy123
 
Computing safety
Computing safetyComputing safety
Computing safetyBrulius
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethicsArgie242424
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer virusesUltraUploader
 
Prevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityPrevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityEditor IJMTER
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 
Program security
Program securityProgram security
Program securityG Prachi
 
Mitppt
MitpptMitppt
MitpptAarti Prakash
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
Distributed Intrusion Detection System for Wireless Sensor Networks
Distributed Intrusion Detection System for Wireless Sensor NetworksDistributed Intrusion Detection System for Wireless Sensor Networks
Distributed Intrusion Detection System for Wireless Sensor NetworksIOSR Journals
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareShan Kumar
 
Presentation2
Presentation2Presentation2
Presentation2Jeslynn
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithmsUltraUploader
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architectureUltraUploader
 
Computer Virus
Computer VirusComputer Virus
Computer VirusRabab Munawar
 
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...IJERA Editor
 
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malwareDigital Pymes
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superwormUltraUploader
 
Network security
Network securityNetwork security
Network securityShyam Kumar Singh
 
Pc viruses
Pc virusesPc viruses
Pc virusesNithya Rajendran
 
H0434651
H0434651H0434651
H0434651IOSR Journals
 
Research
ResearchResearch
Researchbarbertomahawk
 
An Introduction to JSON JavaScript Object Notation
An Introduction to JSON JavaScript Object NotationAn Introduction to JSON JavaScript Object Notation
An Introduction to JSON JavaScript Object NotationAhmed Muzammil
 
Element wise encryption of XML using XSLT
Element wise encryption of XML using XSLTElement wise encryption of XML using XSLT
Element wise encryption of XML using XSLTAhmed Muzammil
 

Contenu connexe

Tendances

Security and ethics
Security and ethicsSecurity and ethics
Security and ethicsArgie242424
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer virusesUltraUploader
 
Prevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityPrevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityEditor IJMTER
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 
Program security
Program securityProgram security
Program securityG Prachi
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
Distributed Intrusion Detection System for Wireless Sensor Networks
Distributed Intrusion Detection System for Wireless Sensor NetworksDistributed Intrusion Detection System for Wireless Sensor Networks
Distributed Intrusion Detection System for Wireless Sensor NetworksIOSR Journals
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareShan Kumar
 
Presentation2
Presentation2Presentation2
Presentation2Jeslynn
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithmsUltraUploader
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architectureUltraUploader
 
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...IJERA Editor
 
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malwareDigital Pymes
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superwormUltraUploader
 

Tendances (19)

Security and ethics
Security and ethicsSecurity and ethics
Security and ethics
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer viruses
 
Prevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityPrevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network Security
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internet
 
Program security
Program securityProgram security
Program security
 
Mitppt
MitpptMitppt
Mitppt
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
Distributed Intrusion Detection System for Wireless Sensor Networks
Distributed Intrusion Detection System for Wireless Sensor NetworksDistributed Intrusion Detection System for Wireless Sensor Networks
Distributed Intrusion Detection System for Wireless Sensor Networks
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_Spyware
 
Presentation2
Presentation2Presentation2
Presentation2
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithms
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne...
 
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
 
Network security
Network securityNetwork security
Network security
 
Pc viruses
Pc virusesPc viruses
Pc viruses
 
H0434651
H0434651H0434651
H0434651
 

En vedette

An Introduction to JSON JavaScript Object Notation
An Introduction to JSON JavaScript Object NotationAn Introduction to JSON JavaScript Object Notation
An Introduction to JSON JavaScript Object NotationAhmed Muzammil
 
Element wise encryption of XML using XSLT
Element wise encryption of XML using XSLTElement wise encryption of XML using XSLT
Element wise encryption of XML using XSLTAhmed Muzammil
 
Kalypso Introduction General
Kalypso Introduction GeneralKalypso Introduction General
Kalypso Introduction Generalalexisdabney
 
Virus detection based on virus throttle technology
Virus detection based on virus throttle technologyVirus detection based on virus throttle technology
Virus detection based on virus throttle technologyAhmed Muzammil
 
XML Security Using XSLT
XML Security Using XSLTXML Security Using XSLT
XML Security Using XSLTAhmed Muzammil
 
Jaspersoft Reporting v5
Jaspersoft Reporting v5Jaspersoft Reporting v5
Jaspersoft Reporting v5Ahmed Muzammil
 
Meeste Klassikaliste Soengute LõIkamine Ja Kujundamine
Meeste Klassikaliste Soengute LõIkamine Ja KujundamineMeeste Klassikaliste Soengute LõIkamine Ja Kujundamine
Meeste Klassikaliste Soengute LõIkamine Ja Kujundamineguest1d8e39
 
Life As A Chippewa
Life As A ChippewaLife As A Chippewa
Life As A Chippewachetc1sj
 

En vedette (14)

Research
ResearchResearch
Research
 
An Introduction to JSON JavaScript Object Notation
An Introduction to JSON JavaScript Object NotationAn Introduction to JSON JavaScript Object Notation
An Introduction to JSON JavaScript Object Notation
 
Element wise encryption of XML using XSLT
Element wise encryption of XML using XSLTElement wise encryption of XML using XSLT
Element wise encryption of XML using XSLT
 
Kalypso Introduction General
Kalypso Introduction GeneralKalypso Introduction General
Kalypso Introduction General
 
Nelson mandela
Nelson mandela Nelson mandela
Nelson mandela
 
Presentacion del entorno web Declaración Islas Canarias larga1(2)
Presentacion del entorno web Declaración Islas Canarias larga1(2)Presentacion del entorno web Declaración Islas Canarias larga1(2)
Presentacion del entorno web Declaración Islas Canarias larga1(2)
 
Virus detection based on virus throttle technology
Virus detection based on virus throttle technologyVirus detection based on virus throttle technology
Virus detection based on virus throttle technology
 
Profile
ProfileProfile
Profile
 
XML Security Using XSLT
XML Security Using XSLTXML Security Using XSLT
XML Security Using XSLT
 
Jaspersoft Reporting v5
Jaspersoft Reporting v5Jaspersoft Reporting v5
Jaspersoft Reporting v5
 
Meeste Klassikaliste Soengute LõIkamine Ja Kujundamine
Meeste Klassikaliste Soengute LõIkamine Ja KujundamineMeeste Klassikaliste Soengute LõIkamine Ja Kujundamine
Meeste Klassikaliste Soengute LõIkamine Ja Kujundamine
 
OMARI TESI
OMARI TESIOMARI TESI
OMARI TESI
 
Life As A Chippewa
Life As A ChippewaLife As A Chippewa
Life As A Chippewa
 
Edgar Allen Poe
Edgar Allen PoeEdgar Allen Poe
Edgar Allen Poe
 

Similaire à Virus detection based on virus throttle technology

Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Presentation24190
Presentation24190Presentation24190
Presentation24190KRT395
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Computer security ethics_and_privacy
Computer security ethics_and_privacyComputer security ethics_and_privacy
Computer security ethics_and_privacyArdit Meti
 
4 threatsandvulnerabilities
4 threatsandvulnerabilities4 threatsandvulnerabilities
4 threatsandvulnerabilitiesricharddxd
 
Network management and security
Network management and securityNetwork management and security
Network management and securityAnkit Bhandari
 

Similaire à Virus detection based on virus throttle technology (20)

Information security
Information securityInformation security
Information security
 
341 346
341 346341 346
341 346
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
Virus and antivirus
Virus and antivirusVirus and antivirus
Virus and antivirus
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
Network Security.pptx
Network Security.pptxNetwork Security.pptx
Network Security.pptx
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer worm
Computer wormComputer worm
Computer worm
 
Viruses, worms, and trojan horses
Viruses, worms, and trojan horsesViruses, worms, and trojan horses
Viruses, worms, and trojan horses
 
Viruses, worms, and trojan horses
Viruses, worms, and trojan horsesViruses, worms, and trojan horses
Viruses, worms, and trojan horses
 
Presentation24190
Presentation24190Presentation24190
Presentation24190
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Cybercrimes
CybercrimesCybercrimes
Cybercrimes
 
Ch19
Ch19Ch19
Ch19
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Computer security ethics_and_privacy
Computer security ethics_and_privacyComputer security ethics_and_privacy
Computer security ethics_and_privacy
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
4 threatsandvulnerabilities
4 threatsandvulnerabilities4 threatsandvulnerabilities
4 threatsandvulnerabilities
 
Network management and security
Network management and securityNetwork management and security
Network management and security
 
Threats of Computer System and its Prevention
Threats of Computer System and its PreventionThreats of Computer System and its Prevention
Threats of Computer System and its Prevention
 

Dernier

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Dernier (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Virus detection based on virus throttle technology

  • 1. Virus Detection based on Virus Throttle Technology J. Ahmed Muzammil S. Suresh Kumar UG Student, Dept. of Information Technology, Principal, Noorul Islam College of Engineering Vivekanandha College of Technology (Anna University), (Anna University), Kumaracoil, Tamilnadu, India. Elayampalayam, Thiruchengode, Erode. ahmedmuzammil@outlook.com nice.ssk@gmail.com Abstract In the Internet age, Virus Epidemics are getting worse than before, making the networks slow, Computers slow, suspending mission critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of possible virus affection. The special feature of this technology is that its virus detection algorithm is based on the network behaviour of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates. Keywords: Virus, Worm, Throttle, Antivirus, Network Security 1. Introduction operations down or develop inoculations to cure the As every network administrator knows, virus infections. epidemics are only getting worse. In 2003, the SQL Nor is productivity the only victim of network Slammer worm infected 75,000 computers in one viruses. The SQL Slammer virus took out a 911 minute, making it the fastest-moving virus ever seen, emergency response center serving two police and caused major network disruptions worldwide. departments and 14 fire departments near Seattle, Nimbda, Blaster, Code Red, Sasser and Welchia are USA. Protecting against computer viruses can continual threats as well. Today, computer users are ultimately be an effort to protect lives. [1] directly threatened by more than 97,000 viruses, In this paper we define a new technique for worms and Trojan horses. Increased usage of virus detection in PC based on the network virus and network applications such as Instant Messages, P2P worm detection technique of virus throttle. The also increases the risk of virus infection. In the 3rd organization of the paper is such that the section 2 quarter of 2005, the volume of IM(Instant defines the terms virus, worm and Trojan. Section 3 Messaging) threats were more than 3,000 percent explains the limitations of the existing methods for higher than the previous year, according to IMlogic virus detection. Section 4 explains Virus Throttle Threat Center. technology and also the detection methodology is To protect themselves from the onslaught of explained using an example worm W32/Nimbda-D. traffic generated by computer viruses, many The method we have devised for virus detection in corporations shut down portions of their network PCs which is based on the existing Virus Throttle infrastructure; when they can’t act fast enough, entire Technology is defined in the Section 5 of the paper. network subnets or even entire networks can be Section 6 concludes the paper. brought down by viruses. Either way, the viruses cost corporations incalculable sums in lost productivity. 2. Definitions Beyond bringing normal operations in an office or 2.1 Virus enterprise to a halt, computer viruses can put A computer virus is a computer program that attacker-defined code on a system to cause additional can copy itself and infect a computer without damage. permission or knowledge of the user. The original Network threats once were slow-moving and may modify the copies or the copies may modify easy to defend against when information transfer was themselves, as occurs in a metamorphic virus. A done largely by sharing floppies. Organizations had virus can only spread from one computer to another the time they needed to clean their networks and when its host is taken to the uninfected computer, for install defences. However, as CPU speeds increase, instance by a user sending it over a network or bandwidth grows, networks become more business carrying it on a removable medium such as a floppy critical and clients become more mobile, network disk, CD, USB drive or by the Internet. Additionally, administrators increasingly lack the time to shut
  • 2. viruses can spread to other computers by infecting viruses increase, the time between initial detection files on a network file system or a file system that is and the release of a signature also increases, allowing accessed by another computer. Viruses are sometimes a virus to spread further in the interim. confused with computer worms and Trojan horses. This latency between the introduction of a new virus or worm into a network and the implementation 2.1. Worm and distribution of a signature-based patch can be A computer worm is a self-replicating computer significant. Within this period, a network can be program. It uses a network to send copies of itself to crippled by the abnormally high rate of traffic generated by infected hosts. other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a As long as attacks occur at “machine speed” and virus, it does not need to attach itself to an existing responses are implemented at “human speed,” program. Worms always harm the network (if only computers will essentially be defenseless against new threats. As systems get bigger and more complex, so by consuming bandwidth), whereas viruses always does the problem of addressing new threats. infect or corrupt files on a targeted computer. A different solution is needed. A truly resilient 2.2. Trojan Horse infrastructure would include a solution that automatically hampers, contains and mitigates attacks Trojan horse is a program that installs malicious by previously unknown threats, giving the people software while under the guise of doing something responsible for an infrastructure’s security the time else. Though not limited in their payload, Trojan they need to implement a response. horses are more notorious for installing backdoor programs which allow unauthorized non permissible Rather than replacing current, signature-and- remote access to the victim's machine by unwanted patch-based protections, the new solution would parties - normally with malicious intentions. Unlike a complement them by allowing computers and computer virus, a Trojan horse does not propagate by humans to each do what they do best: computers can inserting its code into other computer files. The term respond far more quickly than people, but are poor at is derived from the classical myth of the Trojan gauging the nature of a previously unknown threat. Horse. Like the mythical Trojan Horse, the malicious Humans are good at making such decisions, but are code is hidden in a computer program or other slow—by machine standards—to act. A new solution computer file which may appear to be useful, would have computers acting quickly to stabilize a interesting, or at the very least harmless to an situation until humans could intervene. [1] unsuspecting user. When this computer program or file is executed by the unsuspecting user, the 4. Virus Throttle malicious code is also executed resulting in the set up Virus Throttle technology is a technology that or installation of the malicious Trojan horse program. was originally devised by HP Labs. It is a new technique that overcomes the limitations of previous 3. Limitations of existing methods responses and meets the need for rapid containment Current methods to stop the propagation of and mitigation of attacks by malicious agents. malicious agents rely on the use of signature Traditional approaches to anti-viral protection recognition to prevent hosts from being infected. are based on the actual code or signature of the virus. That is, they seek to prevent the virus or worm from Virus Throttle, in contrast, is based on the behaviour entering the system. These methods concentrate on of malicious code and the ways in which that the physical characteristics of the virus—i.e., its behaviour differs from that of normal code. Virus program code—and use parts of this code to create a Throttle is based on the observation that under unique signature. Programs entering the system are normal activity, a computer will make fairly few compared against this signature and discarded if they outgoing connections to new computers, but instead match. is more likely to regularly connect to the same set of While this method has been effective in computers. This is in contrast to the fundamental protecting systems, it has several limitations which, behaviour of a rapidly spreading worm, which will as the number of viruses increase, decrease its attempt many outgoing connections to new effectiveness. It is fundamentally a reactive and case- computers. For example, while computers normally by-case approach in that a new signature needs to be make approximately one connection per second, the developed for each new virus or variant as it appears. SQL Slammer virus tried to infect more than 800 Signature development is usually performed by computers per second. [1] skilled people who are able to produce only a certain The idea behind the Virus Throttle is to put a rate number of signatures at a time. As the number of limit on connections to new computers, such that
  • 3. normal traffic remains unaffected but suspect traffic protection that previously allowed unknown threats that attempts to spread faster than the allowed rate to wreak significant damage before patches could be will be slowed. This creates large backlogs of deployed. With Virus Throttle, previously unknown connection requests that can be easily detected. Once threats can be mitigated, giving administrators time the virus is slowed and detected, technicians and to deploy signature updates and patches against system administrators have the time they need to further attack. intervene in order to isolate and eradicate the threat by cleaning it from the system. [1] 4.1 Tests Show Quick Detection, Prevention Tests of Virus Throttle technology conducted at Hewlett-Packard Labs in Bristol, U.K. show that Virus Throttle is able to very quickly detect and prevent worms spreading from an infected computer. For example, the throttle is able to stop the W32/Nimda-D worm in less than one second. The test was carried out using a throttle that followed the control flow shown in the Figure 1. The virus throttle parses all outgoing packets from a machine for TCP SYN packets. The destination address of an intercepted SYN packet is then compared against a list of destination addresses of Figure 1: Throttle Control Flow [2] machines to which connections have previously been made, which is termed as the working set. The Figure 1 shows the throttle control flow. All the working set can hold up to 5 such addresses. If the processes using the network are routed through the destination address is in this working set the virus throttle. A process requesting access is checked connection is allowed immediately. If the address is with a set of working processes. If it is a newly not in the working set and the working set is not full requesting process then it is put on a delay queue. A i.e. it holds less than 5 addresses, the destination queue length detector detects the number of address is added to the working set and the connection requests from a single process and if it is connection is once again allowed to proceed within an acceptable threshold, then the new process immediately. If none of these two conditions are met, is updated in the working set of processes. If the the SYN packet is added to what we term the delay number of connections is above the threshold, then a queue and is not transmitted immediately. rate limiter limits the suspicious process from Once every second the delay queue is accessing the network. processed and the SYN packet at its head and any other SYN packets with the same destination address This technique differs from signature-and-patch are popped and sent, allowing the establishment of approaches in three key ways: the requested connection. The destination address of this packet is also added to the working set, the oldest i. It focuses on the network behaviour of the virus member of which is discarded if the working set is and prevents certain types of behaviour — in full. If the delay queue is empty at processing time particular, the attempted creation of a large and the working set is full, the oldest member of number of outgoing connections per second. working set is also discarded, allowing for the ii. It is also unique in that, instead of stopping potential establishment of one connection per second viruses from entering a system, it restricts the to a target not recently connected to. code from leaving. This design, summarised as a control flow in iii. Because connections exceeding the allowed rate Figure 1, allows hosts to create as many connections can be blocked for configurable periods of time, per second as they want to the 5 most recently the system is tolerant to false positives and is connected-to machines. Any further connection therefore robust. attempts will be delayed for at least a second, and then attempted. Delaying connections rather than Virus Throttle technology is not meant to replace simply dropping them is important in a cost-sensitive signature-based solutions but, rather, to complement environment that, if incorrectly targeted at legitimate them. Virus Throttle fills a gap in anti-virus connection attempts, will introduce an often
  • 4. imperceptible delay in the connection, instead of • After the signature updates have arrived, each prohibiting it entirely. [2] computer in the network will have to scan the The throttle detects a process as a malicious whole system and clean each file. It is a one when the number of connections issued by the complex process for the IT people to scan process is more in number within the waiting time. each computer on the network for the worm individually and takes days to complete. The Average time taken by the Throttle to detect real and test worms is shown in the Table 1. 4.4 Response to W32/Nimbda-D worm by the Virus Throttle connections stopping time allowed per second connections • The throttle detects the process which makes Nimbda the abnormal activity of making over 500 120 0.25s 1 connections per second. Test Worm • The throttle cuts the extra connections made 20 5.44s 5 by the process other than the current 40 2.34s 2 working set, thus implementing a temporary 60 1.37s 1 solution. 80 1.04s 1 • No or less number of other computer on the 100 0.91s 1 network are affected. 150 0.21s 0 200 0.02s 0 4.5 Benefits of Virus Throttle Technology SQL Slammer The benefits of Virus Throttle technology 850 0.02s 0 include the following: • Works without knowing anything about the Table 1: Average time taken by the test Throttle to virus. Because it is triggered by the detect real and test worms [2] behaviour of a virus rather than by identifying the code of the virus, it can 4.2 W32/Nimbda-D Worm handle unknown threats without waiting for signature updates. W32/Nimbda-D is a mass-mailing worm that uses multiple methods to spread itself. It searches for • Protects network infrastructure by slowing network shares, attempts to copy itself to vulnerable or stopping routed traffic from hosts Microsoft IIS web servers. It is a virus that affects exhibiting high connection rates. The both local files and files on remote network shares. infrastructure will stay up and running, even [3] when it is under attack from a virus. • Can provide event logs and SNMP trap 4.3 Limitations in traditional way of detection of warnings when worm-like behaviour is W32/Nimbda-D worm detected. The traditional way of detecting the W32/Nimbda- • Gives IT staff time to react before the D worm has the following limitations which makes it problem escalates to a crisis. ineffiecient for use in time critical applications. • If deployed widely, makes it difficult for viruses to spread at all. • The virus spreads out throughout the network and web servers. So each computer in the 4.6 Advantages network will have a copy of the worm. Since the throttle prevents subsequent • The antivirus software needs a signature infection, the effect on the global spread of a virus update. For that it takes atleast a day and depends on how widely the throttle is deployed. HP atmost a week, within which the virus may Labs results show that when only 50 percent of have replicated more. computers are installed with the throttle, the global spread of both real and constructed worms is • The temporary solution to this problem is to substantially reduced. Throttled machines do not suspend the network, which is impossible in contribute any network traffic in spite of being an organisation as it causes a financial loss infected, significantly reducing the amount of due to suspension of work. network traffic produced by a virus.
  • 5. 5. Virus Throttle for Virus Detection in PCs v) If the process is not a trusted one, and it is The technique of Virus Throttle on a Network not confirmed as a virus, then the process is Environment can be used for improving the speed of suspended for access to the requested virus detection of PC based Anti-Virus Softwares. resources and the user is prompted for what The presently available Anti-Virus Softwares scan action to take or to add the process to the each Application, DLL or other suspicious files for trusted applications list. virus code of known viruses. This technique definitely improves the response A gateway called THROTWALL is installed and the overall performance of the Antivirus software befront an antivirus software. The THROTWALL as well as the PC itself. monitors all the running processes for suspicious activity. The antivirus scanner consists of presently 6. Conclusion: available signatures of viruses and also a trusted Traditional methods of addressing viruses, processes list. The job of the antivirus scanner is to worms and other malicious code depend on check the files flagged by the THROTWALL for signatures and patches. That leaves systems virus code or an entry in the trusted processes list. vulnerable to previously unknown threats until The suspicious activity that is detected by the protective code can be written and deployed. At a THROTWALL is defined by the following time when viruses spread more quickly than ever guidelines: before, often generating paralysing amounts of network traffic, this is a significant lapse. • When a process uses resources that are not required for its normal operation This paper has demonstrated a new technique for • When a process creates multiple child virus detection on PCs that is based on the virus process throttle technology of HP. The new technique uses a gateway called THROTWALL in front of an • When a change to multiple files is executed antivirus software. Using the THROTWALL by a program prevents checking all the processes and files by the • When a change to the registry is executed antivirus scanner. Thus reducing the processing • When a change to the boot sector is power required to detect viruses, Trojans and worms. executed • When a change to a running program is The usage of THROTWALL even increases the executed efficiency of the antivirus software by preventing • When a file in the system directory is new viruses that are not present in the available signatures of known viruses. The new technique also changed increases the overall performance of the PC by • When a change to the system users and making available, the valuable processing power for groups is executed other applications. • When multiple files are created When one or more of a suspicious activity is References: detected, the following steps are followed to check [1] ProCurve Networking - Connection-Rate the process for virus code: Filtering Based on Virus Throttle Technology, i) The access to the restricted resource is Hewlett Packard Company, 2006 blocked while still allowing the process to [2] Jamie Twycross, Matthew M. Williamson - use the general resources Implementing and testing a virus throttle, ii) The particular process and child processes Hewlett-Packard Labs, Bristol, U.K., 2003 are scanned using a virus scanner [3] W32/Nimda-D Virus - Sophos Security Anlaysis iii) If the process is a trusted one, then the http://www.sophos.com/security/analyses/viruses process is allowed to use the restricted -and-spyware/w32nimdad.html resources by commanding the gateway to permit access for the process [4] M. M. Williamson, J. Twycross, J. Griffin, and iv) If the process is not a trusted one, and it is A. Norman. Virus throttling. In Virus Bulletin, confirmed as a virus, then the process and its U.K., 2003. parent or child processes are killed and [5] Matthew M. Williamson - Design, necessary action to disinfect or delete the Implementation and Test of an Email Virus file is taken by the antivirus program itself. Throttle, HP Laboratories Bristol, 2003