Virtual/Cloud malware based detection

Data centers today manage hundreds of virtual machines and virtual networks. In the following example we configure the engine to monitor DNS requests for malware domains across different virtual networks, so that a hit can be attributed to the network it came from. Let's see how it works:

import pyaiengine
Define a callback function for detection. This callback is similar to the one in the Mobile malware example; on a virtual stack, flow.tag carries the identifier of the virtual network the DNS request was seen on, so the alert says which network is affected.
def callback(flow):

    # Only DNS flows carry dns_info; the domain name is a string (%s), the
    # virtual network identifier in flow.tag is an integer (%d)
    d = flow.dns_info
    if d:
        print("Malware on ip %s domain %s network id %d" % (flow.src_ip, d.domain_name, flow.tag))
We use an external list of malware domains and add them to a DomainNameManager in the same way as the Mobile malware example; that is where the loadBadDomains function used below comes from. We also build a second list of common domains that we do not want to track, so their DNS flows are left alone.
def loadUnwantedDomains():

    dm = pyaiengine.DomainNameManager()

    dom = pyaiengine.DomainName("Facebook",".facebook.com")
    dm.add_domain_name(dom)
    dom = pyaiengine.DomainName("Google",".google.com")
    dm.add_domain_name(dom)
    # Add more common domains

    return dm
In the main program, create a virtual stack; a PacketDispatcher is created further down and connected to it.
if __name__ == '__main__':

    st = pyaiengine.StackVirtual()
Allocate a large number of flows on the UDP stack; DNS runs over UDP, so this table has to hold the DNS flows of every virtual network being monitored.
    st.udp_flows = 1638400
Load the malware domains and the unwanted domains and assign them to the stack. Both managers are attached to the DNS protocol; the third argument False on the second call marks the unwanted list as domains to exclude from tracking, while the malware list is the one whose matches are reported.
    st.set_domain_name_manager(loadBadDomains(), "DNSProtocol")
    st.set_domain_name_manager(loadUnwantedDomains(), "DNSProtocol", False)
Open the network device (eth0 here), attach the stack and run the engine
    with pyaiengine.PacketDispatcher("eth0") as pd:
        pd.stack = st
        pd.run()

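Putting the steps above together as an added, runnable example (this is not code from the aiengine project or from the original page): the sample feed and its one-domain-per-line format with '#' comments, the helper names, the pure-Python suffix matcher and the use of a callback attribute on DomainName are assumptions of this example. It turns a messy external blocklist into the leading-dot suffix form the page's DomainName expressions use, drops entries that the unwanted list already covers so the two managers never disagree about a name, and produces the alert message with the corrected format string. The pyaiengine wiring at the bottom only runs where the engine is installed; the list handling runs anywhere.

```python
# Added example, not part of the original page or of aiengine itself.
# Assumed here: the feed format, the helper names, the pure-Python suffix
# matcher and the DomainName.callback attribute.
try:
    import pyaiengine          # present only where aiengine is installed
except ImportError:            # the list handling below still runs without it
    pyaiengine = None

# Constructed sample feed standing in for the "external list of malware domains".
# Deliberately messy: a comment, a blank line, mixed case, a trailing dot, a
# leading dot, a duplicate, and one entry already covered by the unwanted list.
SAMPLE_FEED = """\
# constructed sample feed, not a real blocklist
evil-cdn.example
.badupdate.test

WWW.Tracker.Example.   # trailing dot as written in zone files
badupdate.test
cdn.facebook.com       # facebook is on the unwanted list, must not be tracked
"""

UNWANTED_SUFFIXES = [".facebook.com", ".google.com"]


def normalize_suffix(line):
    """Turn one feed line into the leading-dot suffix form the page's DomainName
    expressions use (".badupdate.test"); return None for comments and blanks."""
    entry = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not entry:
        return None
    return entry if entry.startswith(".") else "." + entry


def matches(domain, suffixes):
    """Leading-dot suffix match: ".evil.example" covers "evil.example" and
    "a.evil.example" but not "notevil.example". This models the intent of the
    page's expressions; it is not pyaiengine's own matcher."""
    d = "." + domain.lower().rstrip(".")
    return any(d.endswith(s) for s in suffixes)


def load_bad_domains_from_text(text, unwanted=UNWANTED_SUFFIXES):
    """Parse the feed, dedupe, and drop anything the unwanted list already
    covers, so a name is never both alerted on and excluded from tracking."""
    suffixes = []
    for line in text.splitlines():
        s = normalize_suffix(line)
        if s is None or s in suffixes or matches(s[1:], unwanted):
            continue
        suffixes.append(s)
    return suffixes


def classify(domain, bad, unwanted=UNWANTED_SUFFIXES):
    """What the configured stack should do with a queried name: 'unwanted'
    names are not tracked, 'malware' names raise the alert, the rest is 'clean'."""
    if matches(domain, unwanted):
        return "unwanted"
    if matches(domain, bad):
        return "malware"
    return "clean"


def format_alert(src_ip, domain, tag):
    """The callback's message: the domain is a string (%s), the virtual network
    identifier carried in flow.tag is an integer (%d)."""
    return "Malware on ip %s domain %s network id %d" % (src_ip, domain, tag)


def callback(flow):
    d = flow.dns_info
    if d:
        print(format_alert(flow.src_ip, d.domain_name, flow.tag))


def build_domain_manager(suffixes, cb=None):
    """Wrap the suffixes in a DomainNameManager, attaching cb to each entry
    (assumed DomainName.callback attribute) so any hit fires it."""
    dm = pyaiengine.DomainNameManager()
    for i, suffix in enumerate(suffixes):
        dom = pyaiengine.DomainName("entry %d" % i, suffix)
        if cb is not None:
            dom.callback = cb
        dm.add_domain_name(dom)
    return dm


if __name__ == "__main__" and pyaiengine is not None:
    bad = load_bad_domains_from_text(SAMPLE_FEED)
    st = pyaiengine.StackVirtual()
    st.udp_flows = 1638400
    st.set_domain_name_manager(build_domain_manager(bad, callback), "DNSProtocol")
    st.set_domain_name_manager(build_domain_manager(UNWANTED_SUFFIXES), "DNSProtocol", False)
    with pyaiengine.PacketDispatcher("eth0") as pd:
        pd.stack = st
        pd.run()
```

Feeding the real blocklist is a matter of replacing SAMPLE_FEED with the file contents; the overlap check matters because a popular domain that ends up on a malware feed would otherwise be registered in both managers, and which of the two the engine honours is not something this page states.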