Article: Enhancing malware detection: clients deserve more protection Journal: International Journal of Electronic Security and Digital Forensics (IJESDF) 2016 Vol.8 No.1 pp.1 - 16 Abstract: Sophisticated malware is designed to spread over the network and infect as many connected client machines as possible before being detected. Network security engineers have always been challenged to detect and track down such malware before infecting new client machines. Consequently, they proposed several techniques that are deployed at different network boundaries, such as network-based intrusion detection systems (IDS) and proxy-based solutions. However, recent malware has been successfully able to bypass security protocols and anti-malware shields deployed at the network level, leaving the client machines at high risk of infection. The client antivirus (AV) software is considered the last line of defense against attacks that bypass network-based protection systems. Had the AV also been bypassed, the client would have been infected and compromised. In this paper, we propose an improvement to the client-based AV software to complement the network-based anti-malware software. We propose an AV add-on feature that enhances the capability of existing AV software to scan network data. We show that our solution is capable of detecting malware spread over the network upon arrival to the client machine and before it starts to behave maliciously. In addition, our solution shows that it has no significant overhead on the system under normal network traffic. Inderscience Publishers - linking academia, business and industry through research

Title: Enhancing malware detection: clients deserve more protection

Authors: Mohammed I. Al-Saleh; Bilal Shebaro

Addresses: Computer Science Department, Jordan University of Science and Technology, Irbid, 22110, Jordan ' Computer Sciences Department, St. Edward's University, Austin, TX 78704, USA

Abstract: Sophisticated malware is designed to spread over the network and infect as many connected client machines as possible before being detected. Network security engineers have always been challenged to detect and track down such malware before infecting new client machines. Consequently, they proposed several techniques that are deployed at different network boundaries, such as network-based intrusion detection systems (IDS) and proxy-based solutions. However, recent malware has been successfully able to bypass security protocols and anti-malware shields deployed at the network level, leaving the client machines at high risk of infection. The client antivirus (AV) software is considered the last line of defense against attacks that bypass network-based protection systems. Had the AV also been bypassed, the client would have been infected and compromised. In this paper, we propose an improvement to the client-based AV software to complement the network-based anti-malware software. We propose an AV add-on feature that enhances the capability of existing AV software to scan network data. We show that our solution is capable of detecting malware spread over the network upon arrival to the client machine and before it starts to behave maliciously. In addition, our solution shows that it has no significant overhead on the system under normal network traffic.

Keywords: malware detection; client protection; antivirus software; network security; intrusion detection systems; IDS; network-based anti-malware tools; network data scanning; network packet capture; UnixBench; malicious software; vulnerability discovery; security barriers; denial-of-service attacks; DoS attacks; TCP protocol; malware infection.

DOI: 10.1504/IJESDF.2016.073728

International Journal of Electronic Security and Digital Forensics, 2016 Vol.8 No.1, pp.1 - 16

Received: 25 May 2015
Accepted: 21 Jul 2015
Published online: 16 Dec 2015 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: Enhancing malware detection: clients deserve more protection

Keep up-to-date