Detection of Virus Patterns in Emails
Description of Problem Statement
The detection of unknown viruses is beyond the capability of many existing virus detection approaches. The objective of the project is to develop a prototype system that detects viruses spreading via email which have no signature yet, i.e. viruses that are new and lethal to today's internet community, by proactively customizing system behaviour at the email server. The project also aims to find the signature of each newly found virus (a virus having no signature) to help curb its spread in its juvenile phase.
Scope of Definition
The damage caused by computer viruses is more serious than ever in today's society, where personal communication, corporate business, and social infrastructures heavily depend on computer networks.
Unfortunately, email attachments have become a popular method of spreading malicious code over the network. This has led to the rise of the anti-virus industry, and it is now almost obligatory to have anti-virus programs on personal computers and/or email servers. Yet we keep hearing reports of new viruses and warnings that we must update pattern files to avoid infection and further spread.
The main reason is that current anti-virus programs rely on byte-by-byte comparison of files against binary strings taken from previously captured viruses, which serve as unique signatures. Since a file is recognized as a virus only if it contains a signature present in the pattern file, previously unknown viruses cannot be detected.
This project tackles the problem by running suspicious programs in a virtual, isolated and monitored computer environment. The monitored resources in the environment are those that viruses commonly use to spread themselves (such as the address book). The project goes further and extracts the signature of each newly found virus to help the internet community curb it.
Architecture Of Our Proposed Solution
Detection of Virus Patterns Implementation
The prototype prevents e-mail containing new and unknown outbreak viruses from spreading to unsuspecting users, working with an SMTP-based e-mail server to:
- Intercept e-mail at the network edge.
- Execute and monitor the e-mail in a secure, virtual environment, and
- Quarantine any e-mail exhibiting malicious behavior before delivery to the target user.
The above mentioned steps are implemented as follows:
When an email with attachments arrives at the e-mail server, it is handed to the mail content filtering tool, which extracts the attachments and transports them to the virtual machine.
The attachment is executed and monitored in the secure, isolated environment of a virtual machine running on the same host. Malicious activity is intercepted by hooking the various resources that a virus may infect or use to spread its effect.
Once malicious activity is detected in the virtual machine, it is reported back to the mail server, which quarantines the e-mail containing the attachment concerned and then tries to extract a signature for the scanning antivirus, so that next time the virus can be caught without having to check its behaviour.
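The three steps above, and the signature-matching limitation described under the scope, as an added example that is not part of the original project: a Python model of the mail-server side of the pipeline. The MIME parsing uses the standard library; the sandbox run is represented by a callback (`analyse`), and the resource names in `MALICIOUS_BEHAVIOURS`, the sample attachments and the sandbox report are all constructed for this example. The signature extracted here is a SHA-256 of the attachment, a stand-in for the byte strings the text describes.

```python
"""Model of the edge filter: intercept, extract attachments, check known
signatures, run unknown attachments through a (simulated) sandbox, quarantine
on malicious behaviour and record a new signature for the scanner."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Monitored resources whose use by an attachment counts as malicious behaviour.
# The names are assumed for this example; the text itself names the address book.
MALICIOUS_BEHAVIOURS = {"read_address_book", "open_smtp_connection", "modify_autostart"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class SignatureStore:
    """The scanner's pattern file: signatures of previously captured viruses."""

    def __init__(self):
        self.hashes = set()

    def matches(self, data):
        return sha256(data) in self.hashes

    def add(self, data):
        sig = sha256(data)
        self.hashes.add(sig)
        return sig


def extract_attachments(raw):
    """Content-filter step: return (filename, bytes) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "unnamed", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def filter_message(raw, store, analyse):
    """Return the server's decision for one message.

    `analyse(data)` stands in for the virtual-machine run and returns the
    set of monitored resources the attachment touched while executing.
    """
    for name, data in extract_attachments(raw):
        if store.matches(data):
            # Known signature: no need to observe behaviour again.
            return {"action": "quarantine", "reason": f"known signature in {name}"}
        hits = analyse(data) & MALICIOUS_BEHAVIOURS
        if hits:
            sig = store.add(data)  # record a signature so the scanner catches it next time
            return {"action": "quarantine",
                    "reason": f"{name} touched {sorted(hits)}",
                    "signature": sig}
    return {"action": "deliver"}


def build_sample_message(attachment_name, payload):
    """Constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed attachment contents (not real programs) and a constructed sandbox
# report keyed by their hash, standing in for what the resource hooks would observe.
WORM_PAYLOAD = b"MZ\x90\x00 constructed sample payload for the example"
BENIGN_PAYLOAD = b"Quarterly figures: revenue up 3%."
SAMPLE_REPORTS = {
    sha256(WORM_PAYLOAD): {"read_address_book", "open_smtp_connection", "write_temp_file"},
    sha256(BENIGN_PAYLOAD): {"write_temp_file"},
}
SANDBOX_RUNS = []  # records which attachments were actually sent to the sandbox


def sample_sandbox(data):
    """Simulated virtual-machine run: look up the constructed report."""
    SANDBOX_RUNS.append(sha256(data))
    return SAMPLE_REPORTS.get(sha256(data), set())


if __name__ == "__main__":
    store = SignatureStore()
    for name, payload in (("report.exe", WORM_PAYLOAD), ("report.exe", WORM_PAYLOAD),
                          ("figures.txt", BENIGN_PAYLOAD)):
        print(filter_message(build_sample_message(name, payload), store, sample_sandbox))
```

Running the block shows the three outcomes in order: the first copy of the suspicious attachment is quarantined on behaviour and a signature is stored, the second copy is quarantined on the signature without another sandbox run, and the benign attachment is delivered.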
Key benefits are as follows:
- Executes e-mail and attachments in a virtual environment at the network edge, before reaching the target user.
- Observes the attempted behavior of suspect e-mail to determine its intent.
- Quarantines e-mail demonstrating suspicious or malicious behavior.
- Enables quarantined e-mails to be analyzed and cleaned by an administrator for future delivery.
Linux 9 host with a minimum configuration as follows:
- Processor : P IV 1.5 GHz
- RAM : 256 MB
- Hard disk : 40 GB
- Monitor : 14 inch SVGA color
- Peripherals : Mouse, 101-key keyboard, 3.5 inch floppy drive, 32X CD-ROM drive.
- Utilities : SMTP.
Workstations with a minimum configuration as follows:
- Processor : P III – 800 MHz or equivalent
- RAM : 128 MB
- Hard disk : 10 GB
- Monitor : 14 inch SVGA color
- Peripherals : Mouse, 101-key keyboard
- OS : Linux (9 or above), Windows XP.