Antivirus performance characterisation: system‐wide view
It is well accepted that basic protection against common cyber threats is important, so it is recommended to have antivirus (AV). However, what price do users pay in terms of performance and other usability factors? Although it is important for security researchers and system developers to understand how exactly the AV impacts the whole system, in this study the authors take the approach of tracing operating system (OS) events. The authors’ goal is to shed some light on this. To the best of the authors’ knowledge, this study is the first to present an OS‐aware approach to analyse and reason about AV performance impact. The authors’ results show that the main reason for performance degradation in the tasks the authors tested with AV software is that they mainly spend the extra time waiting on events. Sometimes AV does cause some central processing unit overhead, but events such as hard page faults (i.e. those that require disk accesses) are the main contributing factor to AV overhead. Owing to the AV's intrusive behaviour, the tasks in the authors’ experiments are caused to create more file input/output operations, page faults, system calls and threads than they normally do without AV installed.
- Conference Article
3
- 10.1145/3180155.3182518
- May 27, 2018
The Linux kernel provides its services to the application layer using so-called system calls. All system calls combined form the Application Programming Interface (API) of the kernel. Hence, system calls provide us with a window into the development process and design decisions that are made for the Linux kernel. Our paper [1] presents the result of an empirical study of the changes (8,770) that were made to the system calls during the last decade (i.e., from April 2005 to December 2014). The main contributions and most important findings of our study are:
- Research Article
2
- 10.1145/3494535
- Mar 4, 2022
- ACM Transactions on Privacy and Security
AntiViruses (AVs) are essential to face the myriad of malware threatening Internet users. AVs operate in two modes: on-demand checks and real-time verification. Software-based real-time AVs intercept system and function calls to execute the AV's inspection routines, resulting in significant performance penalties as the monitoring code runs among the suspicious code. Simultaneously, dark silicon problems push the industry to add more specialized accelerators inside the processor to mitigate these integration problems. In this article, we propose Terminator, an AV-specific coprocessor to assist software AVs by outsourcing their matching procedures to the hardware, thus saving CPU cycles and mitigating performance degradation. We designed Terminator to be flexible and compatible with existing AVs by using YARA and ClamAV rules. Our experiments show that our approach can save up to 70 million CPU cycles per rule when outsourcing on-demand checks for matching typical, unmodified YARA rules against a dataset of 30 thousand in-the-wild malware samples. Our proposal eliminates the AV's need for blocking the CPU to perform full system checks, which can now occur in parallel. We also designed a new inspection breakpoint mechanism that signals to the coprocessor the beginning of a monitored region, allowing it to scan the regions in parallel with their execution. Overall, our mechanism mitigated up to 44% of the overhead imposed to execute and monitor the SPEC benchmark applications in the most challenging scenario.
- Research Article
4
- 10.1016/j.jpdc.2017.01.002
- Jan 16, 2017
- Journal of Parallel and Distributed Computing
Enhancing scalability in best-effort hardware transactional memory systems
- Research Article
61
- 10.1504/ijsn.2007.012824
- Jan 1, 2007
- International Journal of Security and Networks
Fast virus scanning is becoming increasingly important in today's internet. While Moore's law continues to double CPU cycle speed, virus scanning applications fail to ride on the performance wave due to their frequent random memory accesses. This paper proposes Hash-AV, a virus scanning 'booster' technique that aims to take advantage of improvements in CPU performance. Using a set of hash functions and a Bloom filter array that fits in CPU second-level (L2) caches, Hash-AV determines the majority of 'no-match' cases without accesses to main memory. Experiments show that Hash-AV improves the performance of the open-source virus scanner Clam-AV by a factor of 2–10. The key to Hash-AV's success lies in a set of 'bad but cheap' hash functions that are used as initial hashes. The speed of Hash-AV makes it well suited for 'on-access' virus scanning, providing greater protections to the user. Through intercepting system calls and wrapping glibc libraries, we have implemented an 'on-access' version for Hash-AV+Clam-AV. The on-access scanner can examine input data at a throughput of over 200 Mb/s, making it suitable for network-based virus scanning.
- Conference Article
3
- 10.1109/sere.2013.19
- Jun 1, 2013
Attackers like to install trojans in a target system to control it. However, it becomes more and more difficult to deceive a user into installing such trojans. One reason is that antivirus software uses more strict policies on the first run of unknown software. The other reason is that users also become more cautious. Some attackers try to find system vulnerabilities to evade the antivirus software and users. But it is not easy to find suitable vulnerabilities because they are usually patched in a short time. In this paper, we present a new type of threat called vulnerability-based backdoor (VBB). It is a two-step trojan. In the first step, attackers deceive users into installing an application. This application is transformed from the original one such as “Adobe PDF Reader” by only creating one or more vulnerabilities in it. It runs as a normal one without any malicious code. So it can escape the detection of antivirus software and users. In the second step, attackers can make use of the vulnerability and control the target system just as they use a pre-existing vulnerability. We present a method to automatically create a VBB in several minutes. In this process, no source code is needed. VBB is stable enough to reside in a system for a long time since it does not conflict with operating systems, antivirus software, other backdoors or even other VBBs. We also show how to prevent VBBs.
- Book Chapter
- 10.1007/978-3-642-22418-8_28
- Jan 1, 2011
Entering the command to see system information is rather inconvenient in Linux. Hence, this paper developed a graphical task manager based on monitoring page faults. Firstly, it introduced the implementation principle of a task manager based on the gtk programming style. Secondly, it analyzed why page faults are crucial to monitoring memory. Finally, it discussed the defect of the traditional method of obtaining page faults and presented a new method of getting page fault information by modifying the Linux kernel, compiling after reconfiguration and adding new system calls. The results show that the new method can improve the accuracy and performance a lot in monitoring memory. Keywords: memory shortage page, Linux kernel, task manager, page fault monitor, memory allocation
- Conference Article
205
- 10.5555/1298455.1298482
- Nov 6, 2006
In current commodity systems, applications have no way of limiting their trust in the underlying operating system (OS), leaving them at the complete mercy of an attacker who gains control over the OS. In this work, we describe the design and implementation of Proxos, a system that allows applications to configure their trust in the OS by partitioning the system call interface into trusted and untrusted components. System call routing rules that indicate which system calls are to be handled by the untrusted commodity OS, and which are to be handled by a trusted private OS, are specified by the application developer. We find that rather than defining a new system call interface, routing system calls of an existing interface allows applications currently targeted towards commodity operating systems to isolate their most sensitive components from the commodity OS with only minor source code modifications. We have built a prototype of our system on top of the Xen Virtual Machine Monitor with Linux as the commodity OS. In practice, we find that the system call routing rules are short and simple -- on the order of tens of lines of code. In addition, applications in Proxos incur only modest performance overhead, with most of the cost resulting from inter-VM context switches.
- Research Article
3
- 10.28945/1101
- Jan 1, 2009
- Issues in Informing Science and Information Technology
- Research Article
1
- 10.1109/jetcas.2024.3481273
- Dec 1, 2024
- IEEE Journal on Emerging and Selected Topics in Circuits and Systems
In recent years, domestic Linux operating systems have developed rapidly, but the threat of ELF viruses has become increasingly prominent. Currently, domestic antivirus software for information technology application innovation (ITAI) operating systems shows insufficient capability in detecting ELF viruses. At the same time, research on generating malicious samples in ELF format is scarce. In order to fill this gap at home and abroad and meet the growing application needs of domestic antivirus software companies, this paper proposes an automatic ELF adversarial malicious sample generation technique based on reinforcement learning. Based on a reinforcement learning framework, after being processed by cycles of feature extraction, malicious detection, agent decision-making, and evade-detection operation, the sample can evade the detection of antivirus engines. Specifically, nine feature extractor subclasses are used to extract features in multiple aspects. The PPO algorithm is used as the agent algorithm. The action table in the evade-detection module contains 11 evade-detection operations for ELF malicious samples. This method is experimentally verified on the ITAI operating system, and the ELF malicious sample set on the Linux x86 platform is used as the original sample set. The detection rate of this sample set by ClamAV before processing is 98%, and the detection rate drops to 25% after processing. The detection rate of this sample set by 360 Security before processing is 4%, and the detection rate drops to 1% after processing. Furthermore, after processing, the average number of engines on VirusTotal that could detect the maliciousness of the samples decreases from 39 to 15. Many malicious samples were detected by 41 to 43 engines on VirusTotal before processing, while after the evade-detection processing, only 8 to 9 engines on VirusTotal can detect the malware. In terms of executability and malicious function consistency, the processed samples can still run normally and the malicious functions remain consistent with those before processing. Overall, the proposed method in this paper can effectively generate adversarial ELF malware samples. Using this method to generate malicious samples to test and train anti-virus software can promote and improve anti-virus software's detection and defense capability against malware.
- Conference Article
1
- 10.1109/nca.2017.8171379
- Oct 1, 2017
We present AVAMAT: AntiVirus and Malware Analysis Tool — a tool for analysing the malware detection capabilities of AntiVirus (AV) products running on different operating system (OS) platforms. Even though similar tools are available, such as VirusTotal and MetaDefender, they have several limitations, which motivated the creation of our own tool. With AVAMAT we are able to analyse not only whether an AV detects malware, but also at what stage of inspection it detects it and on what OS. AVAMAT enables experimental campaigns to answer various research questions, ranging from the detection capabilities of AVs on OSs, to optimal ways in which AVs could be combined to improve malware detection capabilities.
- Book Chapter
24
- 10.1007/978-981-19-6880-8_1
- Jan 1, 2023
Though computer malicious software can be referred to by different names such as virus, worm, Trojan, spam, and botnet, their ultimate goal is to cause damage to the end-computer or end-user. The progression in computer technology allows a malware writer to integrate obfuscation techniques to evade detection, specifically API hooking in Windows. Unfortunately, signature-based detection approaches such as anti-virus software at the end-computer are not effective against system call reordering. To overcome this shortcoming, many different behavior-based approaches have been offered. However, these approaches bear limitations such as false positives, detecting zero-day attacks, and improving the detection accuracy rate from past experience. In this article, an application programming interface (API)-based call graph model is put forward which captures API system calls during malicious rootkit execution on the Windows platform. As a graph model can be effectively applied to replicate complicated relations between entities, we opt to use it to visualize malicious rootkit behavior activities by monitoring system API calls. This will help the defender to optimally distinguish malicious system calls from benign calls. Our simulated experiment analysis proves that our method achieves a higher detection rate and accuracy with fewer false positives compared to existing techniques.
- Conference Article
40
- 10.1109/glocom.2005.1577953
- Jan 1, 2005
Fast virus scanning is becoming increasingly important in today's Internet. While Moore's law continues to double CPU cycle speed, virus scanning applications fail to ride on the performance wave due to their frequent random memory accesses. This paper proposes Hash-AV, a virus scanning "booster" technique that aims to take advantage of improvements in CPU performance. Using a set of hash functions and a bloom filter array that fits in CPU second-level (L2) caches, Hash-AV determines the majority of "no-match" cases without accesses to main memory. Experiments show that Hash-AV improves the performance of the open-source virus scanner Clam-AV by a factor of 2.5 to 10. The key to Hash-AV's success lies in a set of "bad but cheap" hash functions that are used as initial hashes. The speed of Hash-AV makes it well suited for "on-access" virus scanning, providing greater protections to the user. Through intercepting system calls and wrapping glibc libraries, we have implemented an "on-access" version for Hash-AV+Clam-AV. The on-access scanner can examine input data at a throughput of over 200 Mb/s, making it suitable for network-based virus scanning.
- Conference Article
11
- 10.1109/pccc.1996.493607
- Mar 27, 1996
We study characteristics of the page fault behavior of programs under a demand paging system and propose two prepaging schemes: page premapping and page prefetching. Our studies on page fault behavior show that a large number of page faults occur in the shared library or in the dynamic heap of programs and can be handled without disk access. For those page faults, we propose page premapping, which tries to reduce page fault overhead by mapping in advance the page(s) which will be referenced shortly. Premapping is performed by the page fault handler whenever a page fault occurs and can save many page faults otherwise needed to execute programs. When a process starts to run, the pages of the text and the initialized data segments must be read from disk at every page fault. In that case the process must wait for a faulted page while it is being read. So the page faults that occur at process start time exert a strong influence on its response time. For those page faults, we propose page prefetching, which tries to reduce page-in delay by prefetching page(s) to be referenced shortly. Prefetching is effective in reducing the sleep times of processes due to disk access. Prefetching is performed asynchronously by a low priority kernel level process. Our prepaging schemes use hints that reflect the sequence of page references and the page fault behavior of the program. Experimental results show that our prepaging schemes induce little overhead and can improve the performance of several programs significantly.
- Conference Article
16
- 10.1109/ias.2009.32
- Jan 1, 2009
There are two main approaches for implementing an IDS: host based and network based. While the former is implemented in the form of software deployed on a host, the latter is usually built as a hardware product with its own hardware platform (IDS appliance). In this paper, a host based intrusion detection system that uses the idea of tracing system calls is introduced. As a program runs, it uses the services of the underlying operating system by making system calls. This system does not need to know the program code of each process. Normal and intrusive behaviors are collected by gathering the sequences of system calls for each process. Analysis of the data is done via data mining and fuzzy techniques. Data mining is used to extract the normal behavior. The proposed system is shown to improve the performance, and decrease the size of the database, the time complexity, and the rate of false alarms.
- Conference Article
- 10.1109/ccst.2015.7389676
- Sep 1, 2015
According to statistics, there are currently over a million website which provides knowledge of how to code a computer virus and how to be a cyber cracker. Coding malware and computer virus is different from traditional weapon system research and development, the high investment is not needed and there is also no policy-related constrain, people can launch cyber attack all the time. Due to hacking techniques renovates constantly, since from Distribute Denial of Service (DDoS), Session Hijacking, to Advance Persistent Threat (APT) that lead to paralysis of six corporations. In addition to protection of firewall, anti-virus software, and packet-filtering devices, it is more effective to isolate internal network from web to form several heterogeneous networks in a corporation. To satisfy exchange or transmission requirements between heterogeneous networks, it is described in this paper on how to design and construct Heterogeneous Network System of Data transmission and based on requirements. The security of transmission is designed based on cyber security requirements; transmitted from network A to network B should be inspected through multiple specific areas which are equipped with different anti-virus software and information security policy, abnormal will be blocked and logged. In order to isolate heterogeneous network A from network B, the Enable/Disable is utilized on switches of the first and the last inspection area to control transmission. The switches are also ruled by tens of policies to assure one and only control system (ex. Access Control List). The whole process of transmission is conducted automatically and single event and transmission result will be logged in the supervisory control apparatus for administrators. The security system is developed based on labor-cost effective, high-security assurance, highly hardware compatible, and data transmission inspected.