Virus Detection based on Virus Throttle Technology

J. Ahmed Muzammil
UG Student, Dept. of Information Technology,
Noorul Islam College of Engineering (Anna University),
Kumaracoil, Tamilnadu, India.
ahmedmuzammil@outlook.com

S. Suresh Kumar
Principal,
Vivekanandha College of Technology (Anna University),
Elayampalayam, Thiruchengode, Erode.
nice.ssk@gmail.com

Abstract
In the Internet age, virus epidemics are getting worse than before, making networks slow, computers slow, suspending mission critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of a possible virus infection. The special feature of this technology is that its virus detection algorithm is based on the network behaviour of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.

Keywords: Virus, Worm, Throttle, Antivirus, Network Security

1. Introduction
As every network administrator knows, virus epidemics are only getting worse. In 2003, the SQL Slammer worm infected 75,000 computers in one minute, making it the fastest-moving virus ever seen, and caused major network disruptions worldwide. Nimda, Blaster, Code Red, Sasser and Welchia are continual threats as well. Today, computer users are directly threatened by more than 97,000 viruses, worms and Trojan horses. Increased usage of network applications such as instant messaging and P2P also increases the risk of virus infection. In the 3rd quarter of 2005, the volume of IM (Instant Messaging) threats was more than 3,000 percent higher than in the previous year, according to IMlogic Threat Center.

To protect themselves from the onslaught of traffic generated by computer viruses, many corporations shut down portions of their network infrastructure; when they can’t act fast enough, entire network subnets or even entire networks can be brought down by viruses. Either way, the viruses cost corporations incalculable sums in lost productivity. Beyond bringing normal operations in an office or enterprise to a halt, computer viruses can put attacker-defined code on a system to cause additional damage.

Network threats once were slow-moving and easy to defend against when information transfer was done largely by sharing floppies. Organizations had the time they needed to clean their networks and install defences. However, as CPU speeds increase, bandwidth grows, networks become more business critical and clients become more mobile, network administrators increasingly lack the time to shut operations down or develop inoculations to cure the infections.

Nor is productivity the only victim of network viruses. The SQL Slammer virus took out a 911 emergency response center serving two police departments and 14 fire departments near Seattle, USA. Protecting against computer viruses can ultimately be an effort to protect lives. [1]

In this paper we define a new technique for virus detection in PCs based on the network virus and worm detection technique of virus throttle. The paper is organized as follows: Section 2 defines the terms virus, worm and Trojan horse. Section 3 explains the limitations of the existing methods of virus detection. Section 4 explains Virus Throttle technology, and the detection methodology is illustrated using the worm W32/Nimda-D as an example. The method we have devised for virus detection in PCs, which is based on the existing Virus Throttle technology, is defined in Section 5. Section 6 concludes the paper.

2. Definitions
2.1 Virus
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD or USB drive, or by the Internet. Additionally,
viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses.

2.2 Worm
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

2.3 Trojan Horse
A Trojan horse is a program that installs malicious software while under the guise of doing something else. Though not limited in their payload, Trojan horses are more notorious for installing backdoor programs which allow unauthorized remote access to the victim's machine by unwanted parties, normally with malicious intentions. Unlike a computer virus, a Trojan horse does not propagate by inserting its code into other computer files. The term is derived from the classical myth of the Trojan Horse. Like the mythical Trojan Horse, the malicious code is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to an unsuspecting user. When this computer program or file is executed by the unsuspecting user, the malicious code is also executed, resulting in the set-up or installation of the malicious Trojan horse program.

3. Limitations of existing methods
Current methods to stop the propagation of malicious agents rely on the use of signature recognition to prevent hosts from being infected. That is, they seek to prevent the virus or worm from entering the system. These methods concentrate on the physical characteristics of the virus—i.e., its program code—and use parts of this code to create a unique signature. Programs entering the system are compared against this signature and discarded if they match.

While this method has been effective in protecting systems, it has several limitations which, as the number of viruses increases, decrease its effectiveness. It is fundamentally a reactive and case-by-case approach in that a new signature needs to be developed for each new virus or variant as it appears. Signature development is usually performed by skilled people who are able to produce only a certain number of signatures at a time. As the number of viruses increases, the time between initial detection and the release of a signature also increases, allowing a virus to spread further in the interim.

This latency between the introduction of a new virus or worm into a network and the implementation and distribution of a signature-based patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

As long as attacks occur at “machine speed” and responses are implemented at “human speed,” computers will essentially be defenseless against new threats. As systems get bigger and more complex, so does the problem of addressing new threats.

A different solution is needed. A truly resilient infrastructure would include a solution that automatically hampers, contains and mitigates attacks by previously unknown threats, giving the people responsible for an infrastructure’s security the time they need to implement a response.

Rather than replacing current signature-and-patch-based protections, the new solution would complement them by allowing computers and humans to each do what they do best: computers can respond far more quickly than people, but are poor at gauging the nature of a previously unknown threat. Humans are good at making such decisions, but are slow—by machine standards—to act. A new solution would have computers acting quickly to stabilize a situation until humans could intervene. [1]

4. Virus Throttle
Virus Throttle technology was originally devised by HP Labs. It is a new technique that overcomes the limitations of previous responses and meets the need for rapid containment and mitigation of attacks by malicious agents.

Traditional approaches to anti-viral protection are based on the actual code or signature of the virus. Virus Throttle, in contrast, is based on the behaviour of malicious code and the ways in which that behaviour differs from that of normal code. Virus Throttle is based on the observation that under normal activity, a computer will make fairly few outgoing connections to new computers, but instead is more likely to regularly connect to the same set of computers. This is in contrast to the fundamental behaviour of a rapidly spreading worm, which will attempt many outgoing connections to new computers. For example, while computers normally make approximately one connection per second, the SQL Slammer virus tried to infect more than 800 computers per second. [1]

The idea behind the Virus Throttle is to put a rate limit on connections to new computers, such that
normal traffic remains unaffected but suspect traffic that attempts to spread faster than the allowed rate will be slowed. This creates large backlogs of connection requests that can be easily detected. Once the virus is slowed and detected, technicians and system administrators have the time they need to intervene in order to isolate and eradicate the threat by cleaning it from the system. [1]

Figure 1: Throttle Control Flow [2]

Figure 1 shows the throttle control flow. All the processes using the network are routed through the virus throttle. A process requesting access is checked against a set of working processes. If it is a newly requesting process then it is put on a delay queue. A queue length detector counts the number of connection requests from a single process and, if it is within an acceptable threshold, the new process is added to the working set of processes. If the number of connections is above the threshold, then a rate limiter restricts the suspicious process's access to the network.

This technique differs from signature-and-patch approaches in three key ways:
i. It focuses on the network behaviour of the virus and prevents certain types of behaviour — in particular, the attempted creation of a large number of outgoing connections per second.
ii. It is also unique in that, instead of stopping viruses from entering a system, it restricts the code from leaving.
iii. Because connections exceeding the allowed rate can be blocked for configurable periods of time, the system is tolerant to false positives and is therefore robust.

Virus Throttle technology is not meant to replace signature-based solutions but, rather, to complement them. Virus Throttle fills a gap in anti-virus protection that previously allowed unknown threats to wreak significant damage before patches could be deployed. With Virus Throttle, previously unknown threats can be mitigated, giving administrators time to deploy signature updates and patches against further attack.

4.1 Tests Show Quick Detection, Prevention
Tests of Virus Throttle technology conducted at Hewlett-Packard Labs in Bristol, U.K. show that Virus Throttle is able to very quickly detect and prevent worms spreading from an infected computer. For example, the throttle is able to stop the W32/Nimda-D worm in less than one second.

The test was carried out using a throttle that followed the control flow shown in Figure 1. The virus throttle parses all outgoing packets from a machine for TCP SYN packets. The destination address of an intercepted SYN packet is then compared against a list of destination addresses of machines to which connections have previously been made, which is termed the working set. The working set can hold up to 5 such addresses. If the destination address is in this working set, the connection is allowed immediately. If the address is not in the working set and the working set is not full, i.e. it holds fewer than 5 addresses, the destination address is added to the working set and the connection is once again allowed to proceed immediately. If neither of these two conditions is met, the SYN packet is added to what we term the delay queue and is not transmitted immediately.

Once every second the delay queue is processed and the SYN packet at its head, and any other SYN packets with the same destination address, are popped and sent, allowing the establishment of the requested connection. The destination address of this packet is also added to the working set, the oldest member of which is discarded if the working set is full. If the delay queue is empty at processing time and the working set is full, the oldest member of the working set is also discarded, allowing for the potential establishment of one connection per second to a target not recently connected to.

This design, summarised as a control flow in Figure 1, allows hosts to create as many connections per second as they want to the 5 most recently connected-to machines. Any further connection attempts will be delayed for at least a second, and then attempted. Delaying connections rather than simply dropping them is important in a cost-sensitive environment that, if incorrectly targeted at legitimate connection attempts, will introduce an often
imperceptible delay in the connection, instead of prohibiting it entirely. [2]

The throttle flags a process as malicious when the number of connections issued by the process within the waiting time is too high. The average time taken by the throttle to detect real and test worms is shown in Table 1.

Worm         Connections per second   Stopping time   Allowed connections
Nimda        120                      0.25s           1
Test worm    20                       5.44s           5
             40                       2.34s           2
             60                       1.37s           1
             80                       1.04s           1
             100                      0.91s           1
             150                      0.21s           0
             200                      0.02s           0
SQL Slammer  850                      0.02s           0

Table 1: Average time taken by the test throttle to detect real and test worms [2]

4.2 W32/Nimda-D Worm
W32/Nimda-D is a mass-mailing worm that uses multiple methods to spread itself. It searches for network shares and attempts to copy itself to vulnerable Microsoft IIS web servers. It is a virus that affects both local files and files on remote network shares. [3]

4.3 Limitations in the traditional way of detecting the W32/Nimda-D worm
The traditional way of detecting the W32/Nimda-D worm has the following limitations, which make it inefficient for use in time critical applications.
• The virus spreads throughout the network and web servers, so each computer in the network will have a copy of the worm.
• The antivirus software needs a signature update. That takes at least a day and at most a week, within which the virus may have replicated further.
• The temporary solution to this problem is to suspend the network, which is impossible in an organisation as it causes a financial loss due to suspension of work.
• After the signature updates have arrived, each computer in the network will have to scan the whole system and clean each file. It is a complex process for the IT people to scan each computer on the network for the worm individually, and it takes days to complete.

4.4 Response to the W32/Nimda-D worm by the Virus Throttle
• The throttle detects the process exhibiting the abnormal activity of making over 500 connections per second.
• The throttle cuts the extra connections made by the process, i.e. those to machines outside the current working set, thus implementing a temporary solution.
• Few or no other computers on the network are affected.

4.5 Benefits of Virus Throttle Technology
The benefits of Virus Throttle technology include the following:
• Works without knowing anything about the virus. Because it is triggered by the behaviour of a virus rather than by identifying the code of the virus, it can handle unknown threats without waiting for signature updates.
• Protects network infrastructure by slowing or stopping routed traffic from hosts exhibiting high connection rates. The infrastructure will stay up and running, even when it is under attack from a virus.
• Can provide event logs and SNMP trap warnings when worm-like behaviour is detected.
• Gives IT staff time to react before the problem escalates to a crisis.
• If deployed widely, makes it difficult for viruses to spread at all.

4.6 Advantages
Since the throttle prevents subsequent infection, the effect on the global spread of a virus depends on how widely the throttle is deployed. HP Labs results show that when only 50 percent of computers are installed with the throttle, the global spread of both real and constructed worms is substantially reduced. Throttled machines do not contribute any network traffic in spite of being infected, significantly reducing the amount of network traffic produced by a virus.
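As an added worked example (not code from the paper or from HP Labs), the following Python simulation implements the working-set and delay-queue mechanism described in Section 4 and runs it against three constructed traffic patterns: a host talking to four servers, a legitimate burst to eight new hosts, and a Nimda-like host opening 120 new connections per second. The queue-length threshold that raises the alarm (DETECT_QUEUE_LEN), the one-second time granularity and the hostnames are assumptions.

```python
from collections import deque

WORKING_SET_SIZE = 5    # from the paper: up to 5 recently connected-to addresses
DETECT_QUEUE_LEN = 30   # ASSUMPTION: delay-queue length at which the host is flagged


class VirusThrottle:
    """Per-host throttle: a working set plus a delay queue drained once per second."""

    def __init__(self, set_size=WORKING_SET_SIZE, detect_len=DETECT_QUEUE_LEN):
        self.working_set = deque(maxlen=set_size)  # append() evicts the oldest when full
        self.delay_queue = deque()                  # destinations of held-back SYNs
        self.detect_len = detect_len
        self.alarm_at = None                        # simulated time at which flagged

    def outgoing_syn(self, dst, now):
        """Classify one outgoing TCP SYN to `dst` issued at time `now` (seconds)."""
        if dst in self.working_set:
            return "sent"                           # recently contacted: pass at once
        if len(self.working_set) < self.working_set.maxlen:
            self.working_set.append(dst)            # room left: admit and pass
            return "sent"
        self.delay_queue.append(dst)                # new destination, set full: hold it
        if self.alarm_at is None and len(self.delay_queue) >= self.detect_len:
            self.alarm_at = now                     # the backlog itself is the detector
        return "delayed"

    def tick(self):
        """Once-per-second processing of the delay queue; returns SYNs released."""
        if not self.delay_queue:
            if len(self.working_set) == self.working_set.maxlen:
                self.working_set.popleft()          # idle second: age out one member
            return 0
        head = self.delay_queue.popleft()
        same = sum(1 for d in self.delay_queue if d == head)  # SYNs to the same host
        self.delay_queue = deque(d for d in self.delay_queue if d != head)
        self.working_set.append(head)               # evicts the oldest if the set is full
        return 1 + same


def simulate(rates, distinct_targets):
    """Drive a host that opens rates[s] connections in second s, cycling through
    `distinct_targets` constructed hostnames (large value = every SYN is new)."""
    thr, n, stats = VirusThrottle(), 0, {"sent": 0, "delayed": 0}
    for sec, rate in enumerate(rates):
        for i in range(rate):
            stats[thr.outgoing_syn(f"host-{n % distinct_targets}", sec + i / rate)] += 1
            n += 1
        thr.tick()
    stats["alarm_at"] = thr.alarm_at
    stats["pending"] = len(thr.delay_queue)
    return stats


if __name__ == "__main__":
    print("normal host:", simulate([1] * 20, 4))      # nothing delayed, no alarm
    print("legit burst:", simulate([8, 0, 0], 8))     # 3 SYNs delayed, then drained
    print("worm-like  :", simulate([120], 10_000))    # alarm inside the first second
```

The legitimate burst is delayed rather than dropped and drains at one connection per second, while the worm-like host builds a backlog large enough to be flagged inside the first simulated second.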
5. Virus Throttle for Virus Detection in PCs
The Virus Throttle technique for a network environment can be used to improve the speed of virus detection of PC-based anti-virus software. The presently available anti-virus software scans each application, DLL or other suspicious file for the code of known viruses.

A gateway called THROTWALL is installed in front of the antivirus software. The THROTWALL monitors all the running processes for suspicious activity. The antivirus scanner holds the presently available virus signatures and also a trusted processes list. The job of the antivirus scanner is to check the files flagged by the THROTWALL for virus code or for an entry in the trusted processes list. The suspicious activity detected by the THROTWALL is defined by the following guidelines:
• When a process uses resources that are not required for its normal operation
• When a process creates multiple child processes
• When a change to multiple files is executed by a program
• When a change to the registry is executed
• When a change to the boot sector is executed
• When a change to a running program is executed
• When a file in the system directory is changed
• When a change to the system users and groups is executed
• When multiple files are created

When one or more suspicious activities are detected, the following steps are followed to check the process for virus code:
i) Access to the restricted resource is blocked while the process is still allowed to use the general resources.
ii) The particular process and its child processes are scanned using a virus scanner.
iii) If the process is a trusted one, then the process is allowed to use the restricted resources by commanding the gateway to permit access for the process.
iv) If the process is not a trusted one, and it is confirmed as a virus, then the process and its parent or child processes are killed and the necessary action to disinfect or delete the file is taken by the antivirus program itself.
v) If the process is not a trusted one, and it is not confirmed as a virus, then the process is suspended from access to the requested resources and the user is prompted for what action to take, or to add the process to the trusted applications list.

This technique definitely improves the response and the overall performance of the antivirus software as well as the PC itself.

6. Conclusion
Traditional methods of addressing viruses, worms and other malicious code depend on signatures and patches. That leaves systems vulnerable to previously unknown threats until protective code can be written and deployed. At a time when viruses spread more quickly than ever before, often generating paralysing amounts of network traffic, this is a significant lapse.

This paper has demonstrated a new technique for virus detection on PCs that is based on the virus throttle technology of HP. The new technique uses a gateway called THROTWALL in front of an antivirus software. Using the THROTWALL avoids checking all the processes and files with the antivirus scanner, thus reducing the processing power required to detect viruses, Trojans and worms.

The usage of THROTWALL also increases the efficiency of the antivirus software by stopping new viruses that are not present in the available signatures of known viruses. The new technique also increases the overall performance of the PC by making valuable processing power available for other applications.

References
[1] ProCurve Networking - Connection-Rate Filtering Based on Virus Throttle Technology, Hewlett Packard Company, 2006.
[2] Jamie Twycross, Matthew M. Williamson - Implementing and testing a virus throttle, Hewlett-Packard Labs, Bristol, U.K., 2003.
[3] W32/Nimda-D Virus - Sophos Security Analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/w32nimdad.html
[4] M. M. Williamson, J. Twycross, J. Griffin, and A. Norman - Virus throttling. In Virus Bulletin, U.K., 2003.
[5] Matthew M. Williamson - Design, Implementation and Test of an Email Virus Throttle, HP Laboratories Bristol, 2003.
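Returning to the THROTWALL design of Section 5, the following Python sketch is an added illustration (written for this edit, not the authors' implementation) of the gateway's two halves: the guideline checks that flag a process, and the decision steps i-v applied to the flagged process. The thresholds for "multiple", the event vocabulary, the process names and the signature matcher are all constructed assumptions; the paper gives none of them.

```python
from collections import defaultdict

COUNTED_RULES = {                # action: (threshold, guideline) - thresholds are assumptions
    "spawn": (3, "multiple child processes"),
    "file_write": (5, "change to multiple files"),
    "file_create": (5, "multiple files created"),
}
SINGLE_EVENT_RULES = {           # guidelines that one event trips on its own
    "registry_write": "change to the registry",
    "boot_sector_write": "change to the boot sector",
    "patch_running_program": "change to a running program",
    "system_dir_write": "file in the system directory changed",
    "users_groups_change": "change to system users and groups",
}


class Throtwall:
    def __init__(self, trusted, signature_match):
        self.trusted = set(trusted)              # the scanner's trusted processes list
        self.signature_match = signature_match   # callable(name) -> bool, stands in for the scan
        self.parent = {}                         # child pid -> parent pid
        self.seen = defaultdict(set)             # (pid, action) -> distinct targets
        self.blocked = set()                     # pids denied the restricted resource

    def observe(self, pid, action, target):
        """Record one process event; return the guideline it trips, or None."""
        if action == "spawn":
            self.parent[target] = pid
        if action in COUNTED_RULES:
            limit, rule = COUNTED_RULES[action]
            self.seen[pid, action].add(target)
            return rule if len(self.seen[pid, action]) >= limit else None
        return SINGLE_EVENT_RULES.get(action)

    def decide(self, pid, name):
        """Steps i-v of Section 5 for a process that tripped a guideline."""
        self.blocked.add(pid)                                 # i) block the restricted resource
        tree = {pid} | self.seen[pid, "spawn"]                # ii) the process and its children
        if pid in self.parent:
            tree.add(self.parent[pid])                        #     ... and its parent
        if name in self.trusted:                              # iii) trusted: permit access
            self.blocked.discard(pid)
            return "allow", set()
        if self.signature_match(name):                        # iv) confirmed virus: kill tree
            self.blocked -= tree
            return "kill", tree
        return "suspend_and_prompt", {pid}                    # v) unknown: hold, ask the user


def run_events(events, names, trusted, signature_match):
    """Feed (pid, action, target) events through the gateway; return {pid: (rule, verdict, pids)}."""
    gw, verdicts = Throtwall(trusted, signature_match), {}
    for pid, action, target in events:
        rule = gw.observe(pid, action, target)
        if rule and pid not in verdicts:
            verdicts[pid] = (rule,) + gw.decide(pid, names[pid])
    return verdicts


# Constructed sample: pid 10 is a trusted installer, pid 20 matches a known signature
# and copies itself to several shares (as the paper says Nimda does), pid 30 is unknown.
NAMES = {10: "setup.exe", 20: "worm.exe", 21: "worm.exe", 30: "tool.exe"}
EVENTS = [(10, "system_dir_write", "system32/lib.dll"), (20, "spawn", 21)]
EVENTS += [(20, "file_create", f"//share{i}/worm.exe") for i in range(5)]
EVENTS += [(30, "registry_write", "HKLM/(constructed key)")]


def demo():
    return run_events(EVENTS, NAMES, trusted={"setup.exe"},
                      signature_match=lambda name: name == "worm.exe")
```

Only the three processes that trip a guideline are ever handed to the scanner, which is the saving in scanning work that Sections 5 and 6 claim for the gateway.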