Enhancing Antivirus for Network Traffic Scanning
Discover how to extend antivirus capabilities to scan network traffic effectively and enhance cybersecurity against malware threats. Explore solutions, challenges, and the basic idea behind integrating network traffic scanning into antivirus systems.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Towards Extending the Antivirus Capability to Scan Network Traffic Mohammed I. Al-Saleh Jordan University of Science and Technology
Outline Problem and Background Threat Model System Architecture Conclusions and Future work
Antivirus Virus Signatures
Antivirus (cont.) On-access Scanner Scan on file system operations Open, read, write, close, etc. On-demand Scan on user request
Problem in Scanning Network Traffic Al-Saleh et al., Investigating the detection capabilities of antiviruses under concurrent attacks . IET IFS Journal, 2014. Antivirus Detect? Kaspersky Anti-Virus 6.0 No Symantec Endpoint Protection 11.0 No Sophos Endpoint Security, and Control 10.0 No Panda Internet Security 2014 No Avg Internet Security 2014 No BitDefender Internet Security 2014 No Avast Internet Security 2014 No TotalDefense Internet Security No
Problem (cont.) Most malware infect victims through networks Worm Adware Trojan Horse Spam Botnet Etc.
Why? Is it hard to scan network traffic? How hard is it? Drop security for performance? How much performance degradation when scanning network traffic? Still speculation! Exact reason is NOT known
Solution Very simple It is a MUST to scan network traffic How? Hmmmm, needs more thinking
Basic Idea Simply, we need a way to tell the AV to scan network data. Discrete packets (IP level) ineffective scanner; Malware spans different packets Out of order Higher level (TCP) Builds state machine Maintains order Separates connections Separates inbound from outbound traffic
Packet Capturing (pcap) Kernel modules passively capture network traffic and pass them to user space processes through a well-defined Application Programming Interface (API) Examples: Tcpdump and Wireshark Use such libraries to build a state machine for TCP connections
ClamAV The most popular open-source AV www.clamav.net Allows agents to make use of it programmatically Link to the ClamAV shared library ClamAV daemon along with the database of virus signatures are loaded once and shared with the user agents.
Conclusion and Future Work Antivirus software MUST scan network traffic The proposed system will be implemented Performance impact should be studied
Acknowledgements Jordan University of Science and Technology for the financial support
