Abstract:
Sophisticated malware is designed to spread over the network
and infect as many connected client machines as possible before being
detected. Network security engineers have always been challenged to detect
and track down such malware before it infects new client machines.
Consequently, they proposed several techniques that are deployed at different
network boundaries, such as network-based intrusion detection systems (IDS)
and proxy-based solutions. However, recent malware has been successfully
able to bypass security protocols and anti-malware shields deployed at the
network level, leaving the client machines at high risk of infection. The
client antivirus (AV) software is considered the last line of defense against
attacks that bypass network-based protection systems. If the AV is also
bypassed, the client is infected and compromised. In this paper,
we propose an improvement to the client-based AV software to complement
the network-based anti-malware software. We propose an AV add-on feature
that enhances the capability of existing AV software to scan network data. We
show that our solution is capable of detecting malware spread over the network
upon arrival at the client machine and before it starts to behave maliciously. In
addition, we show that our solution imposes no significant overhead on the system
under normal network traffic.