End of Studies project: Malware Repsonse Center
4 likes1,188 views
The document outlines a project aimed at building a national malware response center to automate malware analysis and assist users in Tunisia with malware-related issues. It highlights the shortcomings of existing anti-malware products and proposes an online solution that includes a scanner, ticketing system, and database management for better cybersecurity. Future enhancements include scalability improvements, automation through AI, and expanded device support.
![Database 15
Report{
Created At :
TICKET_ID :
OS_VERSION :
MACHINE_UNIQUE_ID :
PROCESSES : [
{
PROCESS_ID :
EXE_FILE :
PRIORITY_BASE :
MODULES : [
{
MODULE_NAME :
HASH :
SIZE :
}
]
}
]
}
Ticket_Status
•Id
•Label
Ticket
•Id
•Created At
•Status_Id
•Agent_Id
•Citizen_Id
•Description
Agent
•Id
•Name
•Firstname
•Email
•Password
•Mobile
Schema-less data
Different Workload
NOSQL+NOSQL OR SQL+NOSQL](https://image.slidesharecdn.com/esp-malwareresponsecenterv0-141004024038-conversion-gate01/85/End-of-Studies-project-Malware-Repsonse-Center-15-320.jpg)
End of Studies project: Malware Repsonse Center
- 1. Malware ResponseCenter MrRAOUFLAMARI PrivateHigherSchoolof Computer Science and Technologies End of StudiesProject National Agency for Computer Security ABDESSABOUR AROUS MrFOUEDZGHIDI
- 2. 2
- 3. Motivation Anti malware products can’t handle all infections (specially new ones) 200,000 newly unique malicious artifacts are collected per day (*) Getting infected is a matter of time Formatting the system disk is not always possible (production server) We need a complete checkup of the system * Source: http://www.sophos.com/en-us/support/knowledgebase/119112.aspx 3
- 4. Motivation 4 Microsoft Security Intelligence Report: Trends for the five locations with the highest malware infection rates in 2H13, by CCM (100,000 MSRT executions minimum) Tunisia is the second !!!
- 5. CurrentWorkflow (1/2) Security Analyst Email: assistance@ansi.tn Phone: 71 843 200 On site assistance: 94 Jughurtaavenue, MutuelleVille, Tunis, Tunisia “My device performance is slowing down” “My AV has detected a malware called WIN32.X but he was unable to remove it !” “I have a window telling me that I need to pay some money to unlock my Computer” NACS Assistance activity Requests Citizen/Company 5
- 6. Current Workflow (2/2) Email On site Phone Ask user to download and run an external tool User send tool report by email Usually no precise result Ask user to run a bootable AV solution Citizen Company 1 2 3 4 5 Askfor help via 6
- 7. Goals & Objectives 7 Build a system that provides all the facilities that the manual service already provides. Automate the hole process. Build a national capability in malware analysis field. Online, Easy to use, efficient, …
- 8. Proposedsolution 8 Login/Register Download the scanner Upload the report Device Scan Generate a report Download a dedicated script Create a ticket Analyze the report Check externals resources Run the removal kit
- 9. Methodology 9 SPRINT 0 SPRINT 1 SPRINT 2 SPRINT 3 SPRINT 4 Project Start Modeling Architecture and Graphical User Interface Web App: Back Office Web App: Front Office Client: Windows Application We are AGILE SCRUM Based
- 10. Overallarchitecture 10 Collect running applications Users management Tickets management Artifacts management Modules management Security Analysts management www Device Specific Code Web Application
- 11. Solution comparison 11 Collect running applications Blacklist database Whitelist database Real time scanner System Scanner tools Antivirus Malware Response Center Ticketing system Malware Removal tools Cloud Analysis Remove Malicious codes
- 12. Why a new Cleaner/Scanner? 12 Why building our own tank? National Information Security is like National territorial security! The improvement of non proprietary tool is not in your hand!
- 13. Overallarchitecture 13 User Security Analyst Web Server Front End DB Back End DB External Resources Internals Resources Modules Remote Storage
- 14. External & Internal resources Online Malware database Sandboxes Local Malware database 14 MD5 : 5f62962605b4858e20bfaf6edc8eb521
- 15. Database 15 Report{ Created At : TICKET_ID : OS_VERSION : MACHINE_UNIQUE_ID : PROCESSES : [ { PROCESS_ID : EXE_FILE : PRIORITY_BASE : MODULES : [ { MODULE_NAME : HASH : SIZE : } ] } ] } Ticket_Status •Id •Label Ticket •Id •Created At •Status_Id •Agent_Id •Citizen_Id •Description Agent •Id •Name •Firstname •Email •Password •Mobile Schema-less data Different Workload NOSQL+NOSQL OR SQL+NOSQL
- 16. Database 16 Object Document mapper Doctrine Object Relational mapper class Ticket { /** * @varinteger * * @ORMId */ private $id; } Report{ Created At : TICKET_ID : OS_VERSION : MACHINE_UNIQUE_ID : } Class Report { /** * @MongoDBId */ protected $id; } Agent •Id •Name •Firstname •Email
- 17. Overallarchitecture (Client side) 17 Processes Threads Loaded modules Device Drivers Graphical User Interface Dynamic Link Libraries Low level programming = C But C is not the reference in UI
- 18. Technologies used Client side: C# WPF UI C/C++/Assemblymodules (DLL) Server side: Nginxweb server Symfony2 framework Python MySQL front database MongoDB+ GridFsas backenddatabase Microsoft Azure Storage 18
- 19. Source code management Gitkey features Distributed Speed Data integrity Gitlabkey features Free and open source Ticket management Request management Repositories, Users management 19
- 20. Testing Unit testing(whateverrelevant) Client side( .NET ): Visual Studio Unit test framework Server side( PHP SYMFONY ): Symfony2 unit test BDD for acceptancetest Behat(PHP) Specflow(C#) 20
- 21. Security OWASP TOP 10 Security flaws: Input sanitazing Anti CSRF token Confidentiality: SSL Vulnerabilityassesment Via automatedscanner 21
- 22. Deploiement Currently in beta test version Looking to work with pioneer partners: To try the scanner and the online portal Features improvement Estimate system workload 22
- 25. At the end We succeed to: Develop a solution that covers the assistance workflow (from the client to the ticketing system) More accurate Data about Tunisian Cyberspace: Operating systems distribution Infection distribution Device use evolution 25 Operating Systems Windows 7 Windows XP Android Linux 0 2 4 6 First Quarter SecondQuarter Third Quarter FourthQuarter Top malwares Windows Linux Android
- 26. Future works More scalable: Message Queuing Databasereplicationand clustering More automated: Learning mode: ArtificialIntelligence, Expert System More defensein depth: More granularsecurity MandatoryAccess Controleimplementation Support more devices: iOS –Mac OS –etc… Feedback system and Social media integration. 26
- 27. 27
- 28. 28 Question