
INTEGRATION OF ANTIVIRUS WITH VIRTUAL PRIVATE

NETWORK FOR PERSONAL SYSTEMS SECURITY


Index:
SNO. TITLE
Abstract
1. Introduction
1.1 Objectives
1.2 Problem Statement
1.3 Scope
2. Virtual Private Network
2.1 What exactly is a VPN?
2.2 Why develop a VPN?
2.3 History of VPN
2.4 Desired features of a VPN
3. Types of Virtual Private Network
3.1 Remote Access VPN
3.2 Site-To-Site VPN
3.3 Threats in Networks
4. Encryption
4.1 Symmetric Key Encryption
4.2 Asymmetric Key Encryption
5. IPsec
6. Tunneling
6.1 Tunneling: Site-To-Site
6.2 Tunneling: Remote Access
6.3 Layer 2 Tunneling Protocol
6.4 PPTP (Point-To-Point Tunneling Protocol)
7. Antivirus
7.1 What exactly is an antivirus?
7.2 Features of Antivirus
7.3 How Antivirus Works
7.3.1 Virus Dictionary Approach
7.3.2 Suspicious Behaviour Approach
7.3.3 Other ways to detect viruses
7.4 Detecting known viruses
7.5 Preventing known viruses
7.6 Detecting unknown viruses
7.7 Preventing unknown viruses
8. Different Virus Types in the Test Bed
8.1 File Virus
8.2 Boot Sector Virus
8.3 Macro Virus
8.4 Script Virus
8.5 Multi Partition Virus
8.6 Polymorphic Virus
8.7 Companion Virus
8.8 Stealth Virus
8.9 Linking Virus
8.10 Memory Resident Virus
8.11 Self-distributing Virus
9. Proposed System
10. Results Analysis
11. Conclusion and Future Enhancement
12. References
Abstract:

Virtual private networks were developed to help users protect and better control their Internet
connections. However, a VPN by itself cannot protect users from viruses, hacking attempts or
other malicious activity on the endpoint. Other techniques have been proposed, such as antivirus
software, which is designed to detect and remove viruses and other malicious software such as
worms and Trojans. But antivirus alone does not protect users from intruders on the network. In
this research we propose an integrated security system for home users. Using this system,
protection is provided at both the internal layer, i.e. the antivirus, and the external layer, i.e.
the virtual private network. The aim of this research is to provide an integrated system that
protects home users from both intruders and viruses.
Key Terms: Antivirus, VPN, Tunneling, Personal System Security, Encryption.
Introduction:

The Internet has become an essential part of everyone's daily life. It also attracts intruders and
attackers whenever users are online. As more applications become interconnected through the
Internet, greater attention is being paid to the effectiveness of network security. Network
security focuses on protecting computers, networks, programs and data from unintended or
unauthorized access, change or destruction. Security is one of the biggest challenges in
today's interconnected world. As soon as a PC is connected to the Internet it is exposed to a
vast number of malicious programs, viruses, hackers and new threats that appear every day [1].
Not only that, the information you send and receive might be intercepted, read and even
altered.

The field of network security is very dynamic and highly technical, dealing with all aspects of
scanning, attacking and securing systems against intrusion. Since their invention, computer
networks have brought tremendous efficiency to every aspect of life; at the same time, users
face all kinds of attacks from hackers [8]. Network security includes protection methods for all
information that is stored in and transferred through a network. It is a special field of interest
and, at the same time, a difficult and complex area of work. In the information age, attackers
develop their techniques faster than ever on every scale.

Despite the widespread use of antivirus software, malware remains pervasive. The question that
comes to mind is whether home users can fully rely on antivirus software for protection.
Antivirus protection cannot effectively detect all current forms of attack. Traditional antivirus
works on a very basic principle: it scans a file and matches its signature against a database of
known malware. If the signature matches an entry in the database, the program reports,
deletes or disinfects the file, depending on its configuration. A further question is whether the
existing approach has an inherent drawback: whenever new malware is found, it takes time
before the antivirus database can be updated, and during this period the malware may already
have taken complete control of the computer.
1.1 Objectives:
The growth of computers and networks has also highlighted the security threats faced by
home users. The core objectives of this research are therefore as follows:
1. To provide an integrated system that gives home users an encrypted connection over a less
secure network, such as the Internet.
2. To secure users from external threats such as spying and intrusion.
3. To secure users from viruses and other infected files by using both behaviour-based and
signature-based detection methods.

1.2 Problem Statement:

The systems currently available to home users have the following limitations:
1. They do not provide home users with an integrated system.
2. They do not provide protection from external threats such as spying and
intrusion.
3. They do not provide both detection methods; they rely on signature-based detection
alone.

1.3 Scope:
The scope of the proposed system is broad when it comes to the system security of home
users, as it can be deployed by any home user, for whom security is a major concern.
Personal System Security Essentials (PSSE) is proposed as the first hybrid security system for
the Windows platform aimed at the security of home users. PSSE integrates antivirus (AV) with a
virtual private network. The antivirus acts as the inner security layer, while the VPN acts as the
outer security layer. It provides anti-malware protection together with an encrypted virtual
private network, creating a safe and encrypted connection over a less secure network.
2. Virtual Private Network

2.1 What Exactly Is A VPN?

A VPN supplies network connectivity over a possibly long physical distance. In this respect, a
VPN is a form of Wide Area Network (WAN). The key feature of a VPN, however, is its ability
to use public networks like the Internet rather than rely on private leased lines. VPN
technologies implement restricted-access networks that utilize the same cabling and routers as
a public network, and they do so without sacrificing features or basic security.

“An Internet-based virtual private network (VPN) uses the open, distributed
infrastructure of the Internet to transmit data between corporate sites.”

Fig: Virtual Private Network(1)


A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs
at remote offices or facilities, and individual users connecting from out in the field.

Basically, a VPN is a private network that uses a public network (usually the Internet) to
connect remote sites or users together. Instead of using a dedicated, real-world connection such
as leased line, a VPN uses "virtual" connections routed through the Internet from the company's
private network to the remote site or employee.

VPN technology can also be used for site-to-site connectivity, which would allow a branch
office with multiple access lines to retire its dedicated data line and move that traffic over its
existing Internet access connection. Since many sites use multiple lines, this can be a very
useful application, and it can often be deployed without adding equipment or software.

2.2 Why to develop VPN?


Businesses today are faced with supporting a broader variety of communications among a
wider range of sites even as they seek to reduce the cost of their communications infrastructure.
Employees are looking to access the resources of their corporate intranets as they take to the
road, telecommute, or dial in from customer sites. Plus, business partners are joining together
in extranets to share business information, either for a joint project of a few months' duration
or for long-term strategic advantage. At the same time, businesses are finding that past
solutions to wide area networking between the main corporate network and branch offices,
such as dedicated leased lines or frame-relay circuits, do not provide the flexibility required for
quickly creating new partner links or supporting project teams in the field. Meanwhile, the
growth of the number of telecommuters and an increasingly mobile sales force is eating up
resources as more money is spent on modem banks, remote-access servers, and phone charges.
The trend toward mobile connectivity shows no sign of abating; Forrester Research estimated
that more than 80 percent of the corporate workforce would have at least one mobile computing
device by 2017.
A well-designed VPN can greatly benefit a company. For example, it can:
• Extend geographic connectivity
• Improve security
• Reduce operational costs versus traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
A well-designed VPN should incorporate:
• Security
• Reliability
• Scalability
• Network management
• Policy management
2.3 History
Until the end of the 1990s, computers in networks were connected through very expensive
leased lines and/or dial-up phone lines. It could cost thousands of dollars for 56 kbps lines or
tens of thousands for T1 lines, depending on the distance between the sites. Virtual private
networks reduce network costs because they avoid the need for many leased lines: each site
needs only its own connection to the Internet.

Users can exchange private data securely, making the expensive leased lines redundant. The
term VPN was in the past associated with remote connectivity services such as the public
telephone network and Frame Relay PVCs, but has finally settled in as being synonymous with
packet data networking. Before this concept surfaced, large corporations had expended
considerable resources to set up complex private networks, now commonly called intranets.
These networks were installed using costly leased line services, Frame Relay and ATM to
incorporate remote users. For the smaller sites and mobile workers on the remote end,
companies supplemented their networks with remote access servers or ISDN. At the same time,
small- to medium-sized enterprises (SMEs), which could not afford dedicated leased lines, were
relegated to low-speed switched services. As the Internet became more and more accessible
and bandwidth capacities grew, companies began to move their intranets to the web and create
what are now known as extranets to link internal and external users. However, as cost-effective
and quick to deploy as the Internet is, there is one fundamental problem: security.

Today's VPN solutions address that security problem. Using tunneling protocols and
encryption, data integrity and privacy are achieved in what appears, for the most part, to be a
dedicated point-to-point connection. And, because these operations occur over a public
network, VPNs can cost significantly less to implement than privately owned or leased
services.

Although early VPNs required extensive expertise to implement, the technology has matured
to a level that makes deployment a simple and affordable solution for businesses of all sizes,
including SMEs that were previously left out. Using the Internet, companies can connect their
remote branch offices, project teams, business partners and e-customers into the main
corporate network. Mobile workers and telecommuters can get secure connectivity by dialling
into the POP (Point-of-Presence) of a local ISP (Internet Service Provider). With a VPN,
corporations see immediate cost reduction opportunities in their long distance charges
(especially important to global companies), leased line fees, equipment inventories (such as
large banks of modems) and network support requirements. VPN technologies are defined by
a myriad of protocols, terminologies and marketing influences. For example, VPN technologies
can differ in:

1. The protocols they use to tunnel the traffic
2. The tunnel's termination point, i.e., customer edge or network provider edge
3. Whether they offer site-to-site or remote access connectivity
4. The levels of security provided
5. The OSI layer they present to the connecting network, such as Layer 2 circuits or
Layer 3 network connectivity.

2.4 Desired VPN Features:

The workgroup found that the following characteristics are necessary for a successful UC Davis
VPN implementation:

1. Available to all Cyber Safe remote computers. Every vendor-supported end-user platform
should be able to use the VPN service, but VPN access from computing systems that are or can
be compromised should be denied.

2. Easily supportable. The VPN implementation must not substantially increase help desk
utilization or costs.

3. Integrate with existing authentication/authorization infrastructure. The log-in
procedure should be simpler and less confusing than the current proxy login.

4. Security that is not "one size fits all". The ability to assign remote users to security zones
based on authorization groups is highly desirable in many circumstances. For example, SSL
VPN technology could be used to enhance campus wireless security through the assignment of
users to trusted and untrusted zones depending on their affiliation.

5. Granular administration. A VPN implementation that permits administrative delegation
in an environment of central control would be highly desirable. A vendor solution that permits
departmental participation through independent purchase of compatible equipment
may also be acceptable.

6. Split tunnel services. Split tunnel services should be supported by a campus VPN
implementation. Note that with split tunneling only campus-bound traffic passes through the
tunnel, so the remote computer remains directly exposed to the Internet and endpoint
protection becomes more important.

7. Browser support. The SSL VPN solution must be compatible with current web browsers,
including Internet Explorer, Safari, Netscape, Opera and Firefox.

8. Monitoring and logging. Monitoring should go beyond the indispensable network
utilization and error reporting level. Any VPN solution has to provide logging that is integrated
with syslog services. In the case of DMCA violations, the University must be able to remove
access to infringing files upon notification.

9. Scalability. It should be possible to begin small and economically increase capacity without
degrading performance. Technical details relating to interoperation with the existing VLAN
infrastructure may contribute significantly in this respect.

10. Hardened. The VPN platform should run a hardened operating system and firmware that
expose as little attack surface as possible and are kept patched.

11. Operation 24x7x365. Every hour of the night and day, some UC Davis affiliate uses
campus resources remotely, so a high availability platform is required. An active/passive
configuration would provide fail-safe operation if a load balancing active/active configuration
was unaffordable.

12. Supported. As a core service, the VPN would require 24x7 vendor telephone support and
24x7 hardware maintenance availability.

The workgroup identified one further feature, endpoint security integration, which will require
further analysis. While endpoint security is a highly desirable function for entry to the campus
network, the ability to check an operating system version, the application of security patches
or the currency of anti-virus detection files would likely benefit the campus as part of a broader
offering, integrated into network access for wired, wireless and VPN services.
3. Types of Virtual Private Networks:

3.1 Remote-Access VPN:

A remote-access VPN, also called a virtual private dial-up network (VPDN), is a user-to-LAN
connection used by a company whose employees need to connect to the private network
from various remote locations. Traditionally, a company that wishes to set up a large
remote-access VPN outsources it to an enterprise service provider (ESP). The ESP sets up a
network access server (NAS) and provides the remote users with client software for their
computers. The telecommuters can then dial a low-cost or free number (0800, 0500 etc.) to
reach the NAS and use their VPN client software to access the corporate network. A good
example of a company that needs a remote-access VPN would be one with many sales people
in the field. Remote-access VPNs permit secure, encrypted connections between a company's
private network and remote users through a third-party service provider.

Fig: Remote Access VPN(3.1)

The other required component of a remote-access VPN is client software. In other words,
employees who want to use the VPN from their computers require software on those computers
that can establish and maintain a connection to the VPN. Most operating systems today have
built-in software that can connect to remote-access VPNs, though some VPNs require users to
install a specific application instead. The client software sets up the tunnelled connection to a
NAS, which the user identifies by its Internet address. The software also manages the
encryption required to keep the connection secure. Tunneling and encryption are described in
later sections of this report.
3.2 Site-to-Site VPN:

Site-to-site VPNs are an alternative WAN infrastructure used to connect branch offices, home
offices or business partners' sites to all or portions of a company's network. VPNs do not
inherently change private WAN requirements, such as support for multiple protocols, high
reliability and extensive scalability, but instead meet these requirements more cost-effectively
and with greater flexibility.

A company can connect multiple fixed sites over a public network such as the Internet through
the use of dedicated equipment and large-scale encryption. Site-to-site VPNs can be one of two
types:

1). Intranet-based - If a company has one or more remote locations that they wish to join in a
single private network, they can create an intranet VPN to connect LAN to LAN.

2). Extranet-based - When a company has a close relationship with another company (for
example, a partner, supplier or customer), they can build an extranet VPN that connects LAN
to LAN, and that allows all of the various companies to work in a shared environment.

Fig: Site-To-Site VPN(3.2)


Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN,
it can use some of the same software and equipment. Ideally, though, a site-to-site VPN
should eliminate the need for each computer to run VPN client software as if it were on a
remote-access VPN. Dedicated VPN gateway equipment at each site accomplishes this goal
in a site-to-site VPN.
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections
with each other over a public network such as the Internet. Site-to-site VPN extends the
company's network, making computer resources from one location available to employees at
other locations. An example of a company that needs a site-to-site VPN is a growing
corporation with dozens of branch offices around the world.
3.3 THREATS IN NETWORKS:

Network security has become important due to the inter-connection of computers and the rise
of the internet. This section describes some of the popular network threats.

a) Spoofing: By obtaining the network authentication credentials of an entity (such as a user
or a process), an attacker can carry out a full communication under that entity's identity.
Examples of spoofing are masquerading and man-in-the-middle attacks.

b) Masquerade: In a masquerade, a user who is not authorized to use a computer pretends to
be a legitimate user. A common example is URL confusion: abc.com, abc.org and abc.net
might be three different organizations, or one legitimate organization and two masquerade
attempts by someone who registered similar names.

c) Phishing Attacks: These attacks have become common with the proliferation of web
sites. In a phishing scam, an attacker sets up a web site that masquerades as a legitimate site.
By tricking the user, the phishing site obtains the user's cleartext password for the legitimate
site. Phishing has proven to be very effective in stealing user passwords.

d) Session Hijacking: This is intercepting and taking over a session begun by another entity.
Suppose two parties have entered into a session and a third party intercepts the traffic and
continues the session in the name of one of them; this is called session hijacking. For example,
if a rogue merchant could wiretap the packets between you and Amazon.com, it could monitor
the flow of packets, intercept the "Ready to check out" message once the user has completed
the order, and finish the order itself, obtaining the shipping address, credit card details and
other information. In this case we say the rogue merchant has hijacked the session.

e) Man-in-the-Middle Attack: In this type of attack, too, one entity intrudes between two
others. The difference between man-in-the-middle and hijacking is that a man-in-the-middle
usually participates from the start of the session, whereas session hijacking occurs after a
session has been established. This kind of attack is frequently described in protocols. For
example, suppose two parties want to exchange encrypted information. One party contacts the
key server to get a secret key that will be used in the communication. The key server responds
by sending the session key to both parties. A malicious middleman intercepts the response,
learns the key and can then eavesdrop on the communication between the two parties.

f) Web Site Defacement: One of the most widely known attacks is web site defacement.
Since it can have a wide impact, such attacks are often reported in the popular press. Web sites
are designed so that their code can be easily downloaded, enabling an attacker to obtain the
full hypertext document. One of the popular attacks against a web server is the buffer overflow.
In this kind of attack, the attacker feeds a program more data than it expects; the buffer size is
exceeded and the excess data spills over into adjoining code and data locations.

g) Message Confidentiality Threats: Sometimes messages are misdelivered because of
some flaw in the network hardware or software, and mechanisms are needed to prevent this.
1. Exposure: To protect the confidentiality of a message, we must track it all the way
from its creation to its disposal.
2. Traffic Flow Analysis: Consider the case during wartime: if the enemy sees a large
amount of traffic between the headquarters and a particular unit, the enemy will be
able to infer that a significant action is being planned at that unit. In these situations,
there is a need to protect not only the contents of the messages but also the pattern of
how they flow through the network.
4. Encryption:

Encryption is the process of taking the data that one computer is sending to another and
encoding it into a form that only the intended receiving computer will be able to decode. Most
computer encryption systems belong to one of two categories:

• Symmetric-key encryption
• Public-key encryption
4.1 Symmetric-key encryption:
Each computer has a secret key (code) that it can use to encrypt a packet of information
before it is sent over the network to another computer. One must know in advance which
computers will be talking to each other so that the key can be installed on each of them.
Symmetric-key encryption is essentially a secret code that both computers must know in order
to decode the information; the same key encrypts and decrypts the message.

Fig: symmetric-key encryption(4.1)

4.2 Public-key encryption:

It uses a pair of keys, a private key and a public key. The private key is known only to our
computer, while the public key is given by our computer to any computer that wants to
communicate securely with it. A sender encrypts a message with the recipient's public key,
and only the recipient's matching private key can decrypt it; the public key alone cannot
reverse the operation.

Fig: public-key encryption(4.2)
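The following is an added worked example, not code from the original report: textbook RSA with tiny constructed parameters (p=61, q=53, e=17), used to show which key encrypts and which key decrypts. The gateway/client roles, the key exchange function and the session key value are assumptions for the example; real deployments use 2048-bit moduli and padding such as OAEP, and a byte-at-a-time cipher like this one is insecure.

```python
"""Toy public-key encryption (textbook RSA with tiny primes).

Added example, not part of the original report. The parameters are
constructed for illustration and are far too small to be secure.
"""


def make_keypair(p=61, q=53, e=17):
    """Return (public_key, private_key) derived from the primes p and q.

    p=61, q=53 and e=17 are the classic textbook values (constructed example);
    a real key uses two primes of about 1024 bits each.
    """
    n = p * q                      # modulus, shared by both keys
    phi = (p - 1) * (q - 1)        # Euler's totient of n
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)          # public = (e, n), private = (d, n)


def encrypt(key, message: bytes):
    """Encrypt each byte m as m**k mod n (every byte is < n, so one block per byte)."""
    k, n = key
    return [pow(m, k, n) for m in message]


def decrypt(key, blocks):
    """Apply the key's exponent to each block; yields the plaintext only with the matching private key."""
    k, n = key
    return [pow(c, k, n) for c in blocks]


def exchange_session_key(session_key: bytes):
    """Model a VPN client sending a symmetric session key to a gateway (assumed scenario).

    The gateway owns the key pair. The client encrypts with the gateway's
    public key; only the gateway's private key recovers the session key.
    Returns (recovered_by_gateway, result_with_public_key_only).
    """
    gateway_public, gateway_private = make_keypair()
    wrapped = encrypt(gateway_public, session_key)          # done by the client
    at_gateway = bytes(decrypt(gateway_private, wrapped))    # done by the gateway
    eavesdropper = decrypt(gateway_public, wrapped)          # someone holding only the public key
    return at_gateway, eavesdropper


if __name__ == "__main__":
    recovered, guess = exchange_session_key(b"VPN key")
    print("gateway recovered :", recovered)
    print("public key only   :", guess)
```

The second value returned by exchange_session_key is a list of numbers that bears no relation to the session key, which is the point of the section: possession of the public key lets anyone encrypt to the gateway, but not read what others sent it.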


5. IPsec:
Internet Protocol Security (IPsec) is a suite of protocols that provides authentication, integrity
and confidentiality for IP packets, using standard encryption algorithms and strong, key-based
authentication.

Fig: connection for IPsec (5.1)


IPsec has two modes: tunnel and transport. Tunnel mode protects the entire original IP packet,
header and payload, and wraps it in a new outer IP header; transport mode protects only the
payload and leaves the original IP header in place. Only systems that are IPsec compliant can
take advantage of this protocol. The two peers must share the same keys (normally negotiated
with IKE rather than configured by hand), and the firewalls of each network must have
compatible security policies. IPsec can encrypt data between various devices, such as:
• Router to router
• Firewall to router
• PC to router
• PC to server
Fig :IPsec (5.2)

The address space of the Internet is running out as more machines and domain names are
added to it. A new structure called IPv6 solves this problem by providing 128-bit addresses.
Alongside IPv6, the Internet Engineering Task Force (IETF) adopted an IP Security Protocol
(IPsec) suite that addresses problems such as spoofing, eavesdropping and session hijacking.
IPsec is implemented at the IP layer, so it protects all layers above it. IPsec is somewhat similar
to SSL in that it supports authentication and confidentiality without requiring significant
changes either above it (in applications and transport protocols such as TCP) or below it (in
the link layer). Just like SSL, it was designed to be independent of the cryptographic
algorithms and to allow the two communicating parties to agree on a mutually supported set.
The basis of IPsec is the security association (SA), a set of security parameters that are
required to establish a secured communication. Examples of these parameters are:
• Encryption algorithm and mode
• Encryption key
• Authentication protocol and key
• Lifespan of the association, so that long-running sessions select a new key
• Address of the opposite end of the association
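The following is an added worked example, not code from the original report, serving both section 4.1 (symmetric-key encryption with a shared secret) and the security association described just above. It models one SA per direction holding the parameters listed (SPI, encryption key, authentication key, lifetime, peer address) and builds ESP-like packets: a header with SPI and sequence number, an encrypted payload, and an integrity check value that the receiver verifies before decrypting, together with an anti-replay window. Assumptions: the cipher is a counter-mode keystream derived from HMAC-SHA256 (a stand-in for AES-CTR, since the Python standard library has no AES), the packet layout is simplified from ESP, the keys are constructed constants standing in for keys that IKE would negotiate, and the window and lifetime values are illustrative.

```python
"""IPsec-style security association with ESP-like packets.

Added example, not part of the original report. One SA per direction:
SPI, encryption key, authentication key, peer, lifetime, sequence counter
and anti-replay window. The cipher is an HMAC-SHA256 counter-mode
keystream standing in for AES-CTR; the packet layout is a simplified ESP.
"""
import hashlib
import hmac
import os
import struct

HEADER_FMT = ">II"   # SPI, sequence number (network byte order)
IV_LEN = 16
ICV_LEN = 16


class SecurityAssociation:
    """Parameters shared by the two ends for one direction of traffic."""

    def __init__(self, spi, enc_key, auth_key, peer="", lifetime=1000, window=64):
        self.spi = spi              # identifies this SA at the receiver
        self.enc_key = enc_key      # confidentiality key
        self.auth_key = auth_key    # integrity key
        self.peer = peer            # address of the opposite end (informational here)
        self.lifetime = lifetime    # packets allowed before a rekey is required (assumed value)
        self.window = window        # anti-replay window size (assumed value)
        self.seq = 0                # last sequence number sent
        self.highest = 0            # highest sequence number accepted
        self.seen = set()           # accepted sequence numbers inside the window


def _keystream(key, iv, length):
    """Counter-mode keystream: HMAC(key, iv || counter) blocks (stand-in PRF, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa, payload):
    """Outbound: SPI || seq || IV || ciphertext || ICV (encrypt-then-MAC)."""
    if sa.seq >= sa.lifetime:
        raise RuntimeError("SA lifetime exhausted: negotiate a new key")
    sa.seq += 1
    iv = os.urandom(IV_LEN)
    header = struct.pack(HEADER_FMT, sa.spi, sa.seq)
    ciphertext = _xor(payload, _keystream(sa.enc_key, iv, len(payload)))
    icv = hmac.new(sa.auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv


def esp_decapsulate(sa, packet):
    """Inbound: check SPI, replay window and ICV before decrypting."""
    if len(packet) < 8 + IV_LEN + ICV_LEN:
        raise ValueError("packet too short")
    header, iv = packet[:8], packet[8:8 + IV_LEN]
    ciphertext, icv = packet[8 + IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack(HEADER_FMT, header)
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if seq == 0 or seq in sa.seen or seq + sa.window <= sa.highest:
        raise ValueError("replayed or stale sequence number")
    expected = hmac.new(sa.auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    # Only a packet that passed the ICV check may advance the replay window.
    sa.seen.add(seq)
    sa.highest = max(sa.highest, seq)
    sa.seen = {s for s in sa.seen if s + sa.window > sa.highest}
    return _xor(ciphertext, _keystream(sa.enc_key, iv, len(ciphertext)))


def try_decapsulate(sa, packet):
    """Return the payload, or the rejection reason as a string."""
    try:
        return esp_decapsulate(sa, packet)
    except ValueError as exc:
        return str(exc)


def make_pair(spi=0x1001, enc_key=b"e" * 32, auth_key=b"a" * 32):
    """Outbound SA at the sender and the matching inbound SA at the receiver.

    The constant keys are constructed for the example; IKE would negotiate them.
    """
    return (SecurityAssociation(spi, enc_key, auth_key, peer="receiver"),
            SecurityAssociation(spi, enc_key, auth_key, peer="sender"))


if __name__ == "__main__":
    out_sa, in_sa = make_pair()
    pkt = esp_encapsulate(out_sa, b"GET / HTTP/1.0")
    print(try_decapsulate(in_sa, pkt))                    # the payload
    print(try_decapsulate(in_sa, pkt))                    # same packet again: replay rejected
    pkt2 = esp_encapsulate(out_sa, b"second")
    print(try_decapsulate(in_sa, pkt2[:-1] + bytes([pkt2[-1] ^ 0xFF])))  # tampered: ICV fails
```

The order of checks matters: a forged or replayed packet is dropped before any decryption happens, and the replay window is advanced only after the integrity check succeeds, so an attacker cannot use bogus packets to push the window past sequence numbers that are still in flight.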
6. Tunneling:

Most VPNs rely on tunneling to create a private network that reaches across the Internet.
Essentially, tunneling is the process of placing an entire packet within another packet and
sending it over a network. The protocol of the outer packet is understood by the network and
both points, called tunnel interfaces, where the packet enters and exits the network.
Tunneling requires three different protocols:
1. Carrier protocol: The protocol used by the network that the information is traveling
over
2. Encapsulating protocol: The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is
wrapped around the original data
3. Passenger protocol: The original data (IPX, NetBEUI, IP) being carried.
6.1 Tunnelling: Site-to-Site
In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating
protocol that provides the framework for how to package the passenger protocol for transport
over the carrier protocol, which is typically IP-based. This includes information on what type
of packet is being encapsulated and information about the connection between the client and
server. Instead of GRE, IPsec in tunnel mode is sometimes used as the encapsulating protocol.
IPsec works well on both remote-access and site-to-site VPNs, but it must be supported at both
tunnel interfaces to be used.

6.2 Tunnelling: Remote-Access

In a remote-access VPN, tunneling normally takes place using PPP. PPP carries IP and other
network-layer protocols between the host computer and the remote system, and the PPP frames
are in turn wrapped by the encapsulating protocol (PPTP or L2TP). Remote-access VPN
tunneling therefore relies on PPP.
6.3 Layer 2 Tunneling Protocol:

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to
support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does
not provide any encryption or confidentiality by itself. Rather, it relies on an encryption
protocol that it passes within the tunnel, or that is applied around it, to provide privacy.

Description:

 The entire L2TP packet, including payload and L2TP header, is sent within a User
Datagram Protocol (UDP) datagram. A virtue of transmission over UDP (rather than
TCP; cf. SSTP) is that it avoids the "TCP meltdown problem". It is common to
carry PPP sessions within an L2TP tunnel. L2TP does not provide confidentiality or
strong authentication by itself. IPsec is often used to secure L2TP packets by providing
confidentiality, authentication and integrity. The combination of these two protocols is
generally known as L2TP/IPsec (discussed below).

 The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator)
and the LNS (L2TP Network Server). The LNS waits for new tunnels. Once a tunnel is
established, the network traffic between the peers is bidirectional. To be useful for
networking, higher-level protocols are then run through the L2TP tunnel. To facilitate
this, an L2TP session (or 'call') is established within the tunnel for each higher-level
protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each
session is isolated by L2TP, so it is possible to set up multiple virtual networks across
a single tunnel. MTU should be considered when implementing L2TP.

 The packets exchanged within an L2TP tunnel are categorized as either control
packets or data packets. L2TP provides reliability features for the control packets, but
no reliability for data packets. Reliability, if desired, must be provided by the nested
protocols running within each session of the L2TP tunnel.
The L2TP header consists of the following fields:

Flags and version: control flags indicating data/control packet and the presence of the
length, sequence and offset fields, plus the protocol version.

Length (optional): Total length of the message in bytes, present only when the length flag is
set.

Tunnel ID: Indicates the identifier for the control connection.

Session ID: Indicates the identifier for a session within a tunnel.

Ns (optional): sequence number for this data or control message, beginning at zero and
incrementing by one (modulo 2^16) for each message sent. Present only when the sequence
flag is set.

Nr (optional): sequence number of the next message expected to be received. Nr is set to the
Ns of the last in-order message received plus one (modulo 2^16). In data messages, Nr is
reserved and, if present (as indicated by the S bit), MUST be ignored upon receipt.

Offset Size (optional): Specifies where payload data is located past the L2TP header. If
the offset field is present, the L2TP header ends after the last byte of the offset padding.
This field exists only if the offset flag is set.

Offset Pad (optional): Variable length, as specified by the offset size. Contents of this
field are undefined.

Payload data: Variable length (max payload size = max size of UDP packet minus size of
L2TP header).
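The following is an added worked example, not code from the original report: it builds and parses L2TPv2 headers with exactly the fields listed above, for both data and control messages, and demonstrates the point made at the start of this section, namely that the tunnelled PPP payload travels in the clear unless IPsec is added. The bit positions follow RFC 2661 (T, L, S, O and P flags in the first 16-bit word, version 2 in the low four bits); the tunnel and session identifiers and the sample PPP frame are constructed for the example.

```python
"""Build and parse L2TPv2 (RFC 2661) headers carried inside UDP.

Added example, not part of the original report. The field layout follows
the list in the text; the identifiers and the PPP payload are constructed.
"""
import struct

VERSION = 2          # L2TPv2
T_BIT = 0x8000       # 1 = control message, 0 = data message
L_BIT = 0x4000       # Length field present
S_BIT = 0x0800       # Ns/Nr sequence fields present
O_BIT = 0x0200       # Offset Size (and pad) present
P_BIT = 0x0100       # priority (data messages only)


def build_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=None, offset=0):
    """Return an L2TP message. Control messages always carry Length and Ns/Nr."""
    flags = VERSION
    if control:
        flags |= T_BIT | L_BIT | S_BIT        # RFC 2661: T, L and S are mandatory for control
        ns, nr = ns or 0, nr or 0
    elif ns is not None:
        flags |= S_BIT                        # sequencing is optional on data messages
        nr = nr or 0
    if offset and not control:                # O must be zero on control messages
        flags |= O_BIT
    fields = struct.pack(">HH", tunnel_id, session_id)
    if flags & S_BIT:
        fields += struct.pack(">HH", ns % 2**16, nr % 2**16)   # sequence numbers wrap modulo 2^16
    if flags & O_BIT:
        fields += struct.pack(">H", offset) + b"\x00" * offset   # Offset Size, then undefined pad
    header = struct.pack(">H", flags)
    if flags & L_BIT:
        header += struct.pack(">H", 2 + 2 + len(fields) + len(payload))  # whole message length
    return header + fields + payload


def parse_l2tp(datagram):
    """Decode the header; returns a dict of the fields present plus the payload."""
    (flags,) = struct.unpack_from(">H", datagram, 0)
    if (flags & 0x000F) != VERSION:
        raise ValueError("not L2TPv2")
    if flags & T_BIT and not (flags & L_BIT and flags & S_BIT):
        raise ValueError("control message without Length or Ns/Nr")
    pos = 2
    msg = {"control": bool(flags & T_BIT), "priority": bool(flags & P_BIT)}
    if flags & L_BIT:
        (msg["length"],) = struct.unpack_from(">H", datagram, pos)
        pos += 2
    msg["tunnel_id"], msg["session_id"] = struct.unpack_from(">HH", datagram, pos)
    pos += 4
    if flags & S_BIT:
        msg["ns"], msg["nr"] = struct.unpack_from(">HH", datagram, pos)
        pos += 4
    if flags & O_BIT:
        (offset,) = struct.unpack_from(">H", datagram, pos)
        pos += 2 + offset                     # header ends after the last byte of the pad
    end = msg.get("length", len(datagram))
    if end > len(datagram) or end < pos:
        raise ValueError("Length field inconsistent with datagram")
    msg["payload"] = datagram[pos:end]        # for a data message: the PPP frame, in the clear
    return msg


if __name__ == "__main__":
    # Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IP), then a stand-in IP packet.
    ppp = b"\xff\x03\x00\x21" + b"IP-packet"
    data_msg = build_l2tp(7, 3, ppp, ns=5, nr=2, offset=4)
    print(parse_l2tp(data_msg))               # payload readable: L2TP alone gives no confidentiality
    ctrl_msg = build_l2tp(7, 0, b"\x80\x08\x00\x00", control=True, ns=0, nr=1)
    print(parse_l2tp(ctrl_msg))
```

A parser like this is also what an inspection device sees on UDP port 1701: with plain L2TP the PPP protocol field and the inner IP packet are fully visible, whereas with L2TP/IPsec the whole UDP datagram is inside ESP and only the SPI and sequence number remain in the clear.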
6.4 PPTP (Point-to-Point Tunnelling Protocol):
Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual
private networks. PPTP has many well-known security issues.

PPTP uses a TCP control channel and a Generic Routing Encapsulation tunnel to
encapsulate PPP packets. Many modern VPNs use various forms of UDP for this same
functionality.

The PPTP specification does not describe encryption or authentication features and relies on
the Point-to-Point Protocol being tunnelled to implement any and all security functionality.

The PPTP implementation that ships with the Microsoft Windows product families implements
various levels of authentication and encryption natively as standard features of the Windows
PPTP stack. The intended use of this protocol is to provide security levels and remote access
levels comparable with typical VPN products.

Description:
· A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This
TCP connection is then used to initiate and manage a GRE tunnel to the same peer. The
PPTP GRE packet format is non-standard, including a new acknowledgement
number field replacing the typical routing field in the GRE header. However, as in a
normal GRE connection, those modified GRE packets are directly encapsulated into IP
packets, and seen as IP protocol number 47. The GRE tunnel is used to carry
encapsulated PPP packets, allowing the tunnelling of any protocols that can be carried
within PPP, including IP, NetBEUI and IPX.
· Today, PPTP is still widely used in corporate VPNs. A big reason for this is the fact it
comes built-in on pretty much any platform. This also makes it very easy to set up,
since it doesn’t require any additional software.
· PPTP was created by a consortium led by Microsoft. It utilizes Microsoft Point-to-Point
Encryption (MPPE), along with MS-CHAP v2 authentication. While these days you’ll
rarely find anything other than 128-bit encryption with this protocol, it still suffers from
alarming security risks.
· In the past, it was demonstrated that PPTP could be cracked in just two days – a problem
that has since been patched by Microsoft. But even Microsoft itself recommends using
SSTP or L2TP/IPsec, which says enough about how reliable PPTP is nowadays.
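Because PPTP is obsolete yet still built into most platforms, a practical follow-up to this section is finding where it is still in use. The following added example (not part of the paper) applies the two observable markers described above, a TCP/1723 control connection and GRE (IP protocol 47) to the same peer, to a list of flow records. The record layout and the addresses are constructed assumptions; a GRE flow without an accompanying control connection is reported separately, since GRE is also used by non-PPTP tunnels.

```python
from typing import Dict, List, Optional, Tuple

PPTP_CONTROL_PORT = 1723   # TCP control channel
GRE_PROTOCOL = 47          # IP protocol number carrying the PPP frames
TCP_PROTOCOL = 6

# Constructed flow records (RFC 5737 documentation addresses, not real hosts).
FLOWS: List[Dict[str, Optional[object]]] = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": 6, "dport": 1723},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": 47, "dport": None},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "proto": 47, "dport": None},
    {"src": "10.0.0.9", "dst": "203.0.113.30", "proto": 6, "dport": 443},
]


def classify_pptp(flows) -> List[Tuple[str, str, str]]:
    """Group flows by (src, dst) and label each pair by which PPTP markers were seen."""
    by_pair: Dict[Tuple[str, str], Dict[str, bool]] = {}
    for f in flows:
        key = (f["src"], f["dst"])
        entry = by_pair.setdefault(key, {"control": False, "gre": False})
        if f["proto"] == TCP_PROTOCOL and f["dport"] == PPTP_CONTROL_PORT:
            entry["control"] = True
        elif f["proto"] == GRE_PROTOCOL:
            entry["gre"] = True
    findings = []
    for (src, dst), seen in sorted(by_pair.items()):
        if seen["control"] and seen["gre"]:
            verdict = "pptp-tunnel"          # both markers: an established PPTP session
        elif seen["control"]:
            verdict = "pptp-control-only"    # control channel without a GRE tunnel yet
        elif seen["gre"]:
            verdict = "gre-only"             # GRE alone: may be another GRE tunnel type
        else:
            continue                         # unrelated traffic
        findings.append((src, dst, verdict))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in classify_pptp(FLOWS):
        print(f"{src} -> {dst}: {verdict}")
```

The same two-marker rule translates directly into a firewall or IDS policy: blocking TCP/1723 alone breaks new PPTP sessions, while an inventory like this one shows which clients would be affected before the block is put in place.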
7. Anti-Virus
7.1 What exactly is an Antivirus?

Antivirus software is a computer program that identifies and removes computer viruses and other
malicious software like worms and Trojans from an infected computer. Not only this, an
antivirus software also protects the computer from further virus attacks. An anti-virus system
detects viruses in the system such as vchost.exe, servicemgr.exe, lsass.exe and the tore virus generated by
autorun.info. Generally, the antivirus first checks the file size; if the size matches an entry in
its database, it then looks for that entry's pattern in the file and, if found, deletes the file.

7.2 FEATURES OF ANTIVIRUS:

1. Antivirus system is a dedicated, system-specific program.
2. It provides full protection against the standard PC types of virus for files
and programs stored on the system.
3. In antivirus there is automatic virus signature update via the internet.
4. Proactive virus signature updates via the network for internet-isolated servers.
5. Antivirus can scan entire libraries.
6. Antivirus supports the definition of automatic, pre-scheduled periodic scans.

7.3 HOW ANTIVIRUS WORKS:

An anti-virus software program is a computer program that can be used to scan files to identify and
eliminate computer viruses and other malicious software (malware). Anti-virus software
typically uses two different techniques to accomplish this:
· Examining files to look for known viruses by means of a virus dictionary
· Identifying suspicious behaviour from any computer program which might indicate
infection
7.3.1 Virus dictionary approach:

In the virus dictionary approach, when the anti-virus software examines a file, it refers to a
dictionary of known viruses that have been identified by the author of the anti-virus software.
If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus
software can then either delete the file, quarantine it so that the file is inaccessible to other
programs and its virus is unable to spread, or attempt to repair the file by removing the virus
itself from the file.

To be successful in the medium and long term, the virus dictionary approach requires periodic
online downloads of updated virus dictionary entries. As new viruses are identified "in the
wild", civically minded and technically inclined users can send their infected files to the authors
of antivirus software, who then include information about the new viruses in their dictionaries.

7.3.2 Suspicious behaviour approach:

The suspicious behaviour approach, by contrast, doesn't attempt to identify known viruses, but
instead monitors the behaviour of all programs. If one program tries to write data to an
executable program, for example, this is flagged as suspicious behaviour and the user is alerted
to this, and asked what to do.
Unlike the dictionary approach, the suspicious behaviour approach therefore provides
protection against brand-new viruses that do not yet exist in any virus dictionaries. However,
it also raises a large number of false positives, and users probably become desensitized to all
the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is
obviously useless to that user. This problem has especially been made worse over the past 7
years, since many more non-malicious programs have been designed to modify other .exe files without
regard to this false positive issue. Thus, most modern anti-virus software uses this technique
less and less.

7.3.3 Other ways to detect viruses:

Some antivirus software will try to emulate the beginning of the code of each new executable
that is being executed before transferring control to the executable. If the program seems to be
using self-modifying code or otherwise behaves like a virus (it immediately tries to find other
executables), one could assume that the executable has been infected with a virus.
However, this method results in a lot of false positives. Yet another detection method is using
a sandbox. A sandbox emulates the operating system and runs the executable in this simulation.
After the program has terminated, the sandbox is analysed for changes which might indicate a
virus. Because of performance issues this type of detection is normally only performed during
on-demand scans.
The dictionary approach to detecting viruses is often insufficient due to the continual creation of
new viruses, yet the suspicious behaviour approach is ineffective due to its false positive
alarms. Hence, with the current understanding of anti-virus software, it will never conquer computer
viruses.
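The behaviour rules described in 7.3.2 and 7.3.3 (a program writing to an executable; a program that immediately goes looking for other executables) can be expressed as a small monitor over a process event stream. The following is an added example, not code from the paper: it flags writes to executable files, suppresses them for an allowlist of known installers and updaters (the mitigation for the false positive problem the text describes), and escalates any process that has modified several distinct executables, which is the mass-infector pattern the emulation heuristic looks for. The event records, process names and allowlist are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".com", ".sys", ".drv")

# Constructed allowlist of programs legitimately expected to write executables.
ALLOWLIST = {"msiexec.exe", "updater.exe"}

# Constructed event stream: (process name, file action, target path).
EVENTS: List[Tuple[str, str, str]] = [
    ("winword.exe", "write", r"C:\Users\alice\report.docx"),
    ("unknown.exe", "write", r"C:\Program Files\App\app.exe"),
    ("updater.exe", "write", r"C:\Program Files\App\app.exe"),
    ("game.exe", "write", r"C:\Windows\System32\a.dll"),
    ("game.exe", "write", r"C:\Windows\System32\b.dll"),
    ("game.exe", "write", r"C:\Program Files\Other\c.exe"),
    ("setup.exe", "create", r"C:\temp\notes.txt"),
]


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)


def monitor(events, allowlist=ALLOWLIST, mass_threshold: int = 3) -> Dict[str, list]:
    """Apply the behaviour rules to an event stream and return alerts, suppressions, escalations."""
    alerts: List[Tuple[str, str, str]] = []
    suppressed: List[Tuple[str, str]] = []
    touched: Dict[str, set] = defaultdict(set)   # process -> distinct executables it modified
    for proc, action, target in events:
        if action not in ("write", "create") or not is_executable(target):
            continue  # only modification of executables is suspicious under this rule
        if proc.lower() in allowlist:
            suppressed.append((proc, target))   # known updater: do not bother the user
            continue
        alerts.append((proc, action, target))
        touched[proc].add(target.lower())
    # A single process rewriting many executables is escalated rather than asked about each time.
    escalated = sorted(p for p, files in touched.items() if len(files) >= mass_threshold)
    return {"alerts": alerts, "suppressed": suppressed, "escalated": escalated}


if __name__ == "__main__":
    report = monitor(EVENTS)
    for proc, action, target in report["alerts"]:
        print(f"ALERT: {proc} {action} {target}")
    for proc in report["escalated"]:
        print(f"ESCALATED: {proc} modified {len({t for _, _, t in report['alerts'] if _ == proc})}+ executables")
```

The allowlist is the trade-off the text points at: every entry removes a class of false positives but also a class of detections, so in practice such lists are keyed on code-signing identity rather than on the file name alone, which any program can choose.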

7.4. Detecting known viruses

A well maintained virus test bed, which contains viruses known to computer antivirus
researchers, can be used for evaluating products which will detect known viruses. The virus
detection analysis can be carried out by scanning the contents of the test bed and drawing
conclusions from the scanning reports. Unfortunately, some products may crash during the scanning;
in such cases the files causing the crashes need to be traced, and files resulting in crashes should be
treated as unidentified by the product.
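To make the dictionary approach of 7.3.1 and the test-bed evaluation of 7.4 concrete, the following added example (not the paper's own code) implements the scan order given in 7.1, a file-size check followed by a byte-pattern match, and then runs a scanner over a small test bed, counting each sample as detected, missed, clean or crashed. A product crash on a sample is treated as "unidentified", as the text requires. The dictionary entries, the samples and the deliberately crashing scanner wrapper are all constructed; the byte patterns are placeholders, not real malware signatures.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    size: int        # expected infected-file size, checked first because it is cheap
    pattern: bytes   # byte string expected somewhere inside the file


# Constructed dictionary (placeholder markers, not real signatures).
DICTIONARY: List[Signature] = [
    Signature("Test.Alpha", 64, b"ALPHA-MARKER"),
    Signature("Test.Beta", 128, b"BETA-MARKER"),
]


def scan_bytes(data: bytes, dictionary: List[Signature] = DICTIONARY) -> Optional[str]:
    """Dictionary scan: size pre-filter, then pattern search among the matching entries."""
    for sig in (s for s in dictionary if s.size == len(data)):
        if sig.pattern in data:
            return sig.name
    return None


def make_sample(marker: bytes, size: int) -> bytes:
    """Constructed sample file: marker followed by zero padding up to the requested size."""
    if len(marker) > size:
        raise ValueError("marker longer than requested size")
    return marker + b"\x00" * (size - len(marker))


# Constructed test bed: (label, contents, expected verdict; None means clean).
TEST_BED: List[Tuple[str, bytes, Optional[str]]] = [
    ("alpha.bin", make_sample(b"ALPHA-MARKER", 64), "Test.Alpha"),
    ("beta.bin", make_sample(b"BETA-MARKER", 128), "Test.Beta"),
    ("alpha_padded.bin", make_sample(b"ALPHA-MARKER", 65), "Test.Alpha"),  # exact-size filter misses it
    ("clean.bin", make_sample(b"hello world", 64), None),
    ("crash.bin", make_sample(b"CRASHME", 32), "Test.Crash"),
]


def crashy_scanner(data: bytes) -> Optional[str]:
    """Constructed wrapper simulating a product that crashes on one particular sample."""
    if data.startswith(b"CRASHME"):
        raise RuntimeError("scanner crashed while parsing sample")
    return scan_bytes(data)


def evaluate(test_bed, scanner: Callable[[bytes], Optional[str]]) -> Dict[str, List[str]]:
    """Run the scanner over the test bed and bucket every sample by outcome."""
    report: Dict[str, List[str]] = {"detected": [], "missed": [], "false_positive": [],
                                    "clean_ok": [], "crashed": []}
    for label, data, expected in test_bed:
        try:
            verdict = scanner(data)
        except Exception:
            report["crashed"].append(label)   # crash == unidentified by the product
            continue
        if expected is None:
            report["false_positive" if verdict else "clean_ok"].append(label)
        elif verdict == expected:
            report["detected"].append(label)
        else:
            report["missed"].append(label)
    return report


def detection_rate(report: Dict[str, List[str]]) -> float:
    """Share of known-infected samples detected; crashes count against the product."""
    known = len(report["detected"]) + len(report["missed"]) + len(report["crashed"])
    return len(report["detected"]) / known if known else 0.0


if __name__ == "__main__":
    r = evaluate(TEST_BED, crashy_scanner)
    print(r, "rate=%.2f" % detection_rate(r))
```

The padded sample shows why an exact size check is only a pre-filter and not part of the identification: one extra byte appended to the file defeats it, so real scanners key on the pattern (or a hash of a fixed region) and use size at most to narrow the candidate list.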

7.5 Preventing Known virus

A well maintained virus test bed containing viruses known to computer antivirus researchers
can be used for evaluating products preventing known viruses. The difference is that
the product is working in the background and this requires more complicated evaluation
methods, but the same virus test bed can be used with products which will prevent known
viruses.
7.6 Detecting Unknown viruses

A virus test bed can also be used as a basis for the analysis of products which detect unknown
viruses. Often products detecting unknown viruses are combined with products which will
detect known viruses. If possible, the product's known virus detection capability should be
disabled. Known virus detection may be detached by removing virus database files, by using
old database files or by using a specific operation mode of the product. Unfortunately, the known
virus detection may be an inseparable part of a product, and in this case the test bed should be
limited to viruses not known to the product and a vulnerability analysis may be necessary.
7.7 Preventing Unknown viruses

A virus test bed can also be used for evaluating products which will prevent unknown viruses.
The difference is that the product is working in the background and this requires special
evaluation methods, but the same virus test bed can be used with products which will prevent
unknown viruses. This is demonstrated in the Virus Research Unit’s behaviour blocker analysis.
With products preventing unknown viruses, virus attack emulation and vulnerability analysis
are also required.

8. Different virus types in the test bed

8.1File viruses

Some programs are viruses in disguise: when executed they load the virus into memory along
with the program, perform the predefined steps and infect the system. They infect program
files, such as files with the extensions .EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just
replicate while others destroy the program being used at that time. Such viruses start replicating
as soon as they are loaded into memory. As file viruses also destroy the program
currently being used, after removing the virus or disinfecting the system, the program that got
corrupted by the file virus has to be repaired or reinstalled as well.

8.2 Boot sector viruses

The boot sector virus can be the simplest or the most sophisticated of all computer viruses.
Since the boot sector is the first code to gain control after the ROM start up code, it is very
difficult to stop before it loads. If one writes a boot sector virus with sufficiently sophisticated
anti-detection routines, it can also be very difficult to detect after it loads, making the virus
nearly invincible. Specifically, let’s look at a virus which will carefully hide itself on both
floppy disks and hard disks, and will infect new disks very efficiently, rather than just at boot
time. Such a virus will require more than one sector of code, so we will be faced with hiding
multiple sectors on disk and loading them at boot time. Additionally, if the virus is to infect
other disks after boot-up, it must leave at least a portion of itself memory-resident. The
mechanism for making the virus memory resident cannot take advantage of the DOS Keep
function (Function 31H) like typical TSR programs.
8.3 Macro viruses

In essence, a macro is an executable program embedded in a word processing document or
other type of file. Typically, users employ macros to automate repetitive tasks and thereby
save keystrokes. The macro language is some type of BASIC programming language. A user
might define a sequence of keystrokes in a macro and set it up so that the macro is invoked when
a function key is pressed. Common auto-executing events are opening a file, closing a file, etc.
Once a macro is running it can copy itself to other documents, delete files, etc.
How does a Macro Virus strike?
1. The user gets an infected Office Document by email or by any other medium.
2. The infected document is opened by the user.
3. The evil Macro code looks for the event to occur which is set as the event
handler at which the Virus is set off or starts infecting other files. Macro viruses include
“Concept,” “Melissa,” and “Have a Nice Day.”
8.4 Script viruses

Script viruses should be replicated by using the environment needed for replication. For
example, viruses using the MS-DOS batch language should be replicated using batch files as goat
files, and viruses using Visual Basic Scripting should be replicated using Windows Scripting
Host.

8.5 Multi-partition viruses

Multipartite viruses are the hybrid variety; they can be best described as a cross between
boot viruses and file viruses. They not only infect files but also infect the boot sector. They
are more destructive and more difficult to remove. First of all, they infect program files and
when the infected program is launched or run, the multipartite viruses start infecting the boot
sector too. Now the interesting thing about these viruses is the fact that they do not stop once
the boot sector is infected. After the boot sector is infected, when the system is booted,
they load into memory and start infecting other program files. Some well-known examples
are Invader and Flip.

8.6 Polymorphic viruses

They are the most difficult viruses to detect. They have the ability to mutate: this means that
they change the viral code known as the signature each time they spread or infect. Thus
antiviruses which look for specific virus codes are not able to detect such viruses. Now what
exactly is a viral signature? Basically the signature can be defined as the specific fingerprint
of a particular virus, which is a string of bytes taken from the code of the virus. Antivirus
software maintains a database of known virus signatures and looks for a match each time it
scans for viruses. As we see a new virus almost every day, this database of virus signatures has
to be kept updated. This is the reason why the antivirus vendors provide updates.
How does a Polymorphic Virus Strike?
1. The user copies an infected file to the disk.
2. When the infected file is run, it loads the virus into memory (RAM).
3. The new virus looks for a host and starts infecting other files on the disk.
4. The virus makes copies of itself on the disk.
5. The mutation engine on each new copy generates a new, unique encrypted code, produced by
a new unique algorithm. Thus it avoids detection by checksummers.

8.7 Companion viruses

Companion viruses retaining a known executable appearance do not pose much difficulty for
scanners, because they can be simply detected by normally scanning executable files.
Companion viruses, however, may mislead non-identifying products, like integrity checkers, if
the possibility of a companion-virus type of attack has not been taken into account while
implementing the product.
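An integrity checker is the natural defensive counterpart to the file viruses of 8.1 and the companion viruses of 8.7, so the following added example (not code from the paper) implements one that takes the caveat above into account. It records the size and SHA-256 digest of every file under a directory, reports modified, added and removed files on a later check, and additionally flags a newly added executable whose base name matches an already baselined executable, which is the companion pattern that a plain hash comparison would report only as an unremarkable new file. The demo directory and its contents are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Extensions considered executable for the companion check (DOS-style; constructed assumption).
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat")


def file_digest(path: str) -> str:
    """SHA-256 over the bytes actually read from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> Dict[str, Tuple[int, str]]:
    """Record (size, digest) for every file under root, keyed by path relative to root."""
    base: Dict[str, Tuple[int, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            base[rel] = (os.path.getsize(full), file_digest(full))
    return base


def is_executable(rel: str) -> bool:
    return os.path.splitext(rel)[1].lower() in EXECUTABLE_EXTENSIONS


def check_integrity(root: str, base: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Compare the directory against a baseline; also detect companion-style additions."""
    current = take_baseline(root)
    modified = sorted(n for n in base if n in current and current[n] != base[n])
    removed = sorted(n for n in base if n not in current)
    added = sorted(n for n in current if n not in base)
    # Companion check: a new executable sharing its stem with a baselined executable
    # (e.g. app.com appearing next to app.exe) is suspicious even though app.exe is unchanged.
    baselined_stems = {os.path.splitext(n)[0].lower() for n in base if is_executable(n)}
    companions = [n for n in added
                  if is_executable(n) and os.path.splitext(n)[0].lower() in baselined_stems]
    return {"modified": modified, "removed": removed, "added": added, "companions": companions}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a folder, then grow app.exe and drop app.com beside it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 100)          # placeholder program bytes
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"documentation")
        base = take_baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"\x00" * 16)                   # file grew, as a file virus would cause
        with open(os.path.join(root, "app.com"), "wb") as fh:
            fh.write(b"placeholder companion")      # new executable with the same stem
        return check_integrity(root, base)


if __name__ == "__main__":
    print(demo())
```

Two limits follow from the text: a stealth virus of the Whale kind (8.8) that hooks directory and read calls can feed the checker the original bytes, so the baseline and the check should be run from a clean boot medium rather than inside the possibly infected system; and a checker only knows what changed, not whether the change was legitimate, so its value is as the second opinion that a dictionary scanner cannot give for unknown viruses.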

8.8 Stealth viruses

These viruses are stealthy in nature and use various methods to hide themselves and to avoid
detection. They sometimes remove themselves from memory temporarily to avoid detection
and to hide from virus scanners. Some can also redirect the disk head to read another sector
instead of the sector in which they reside. Some stealth viruses like the Whale conceal the
increase in the length of the infected file and display the original length by reducing the size
by the same amount as that of the increase, so as to avoid detection by scanners. For example,
the Whale virus adds 9216 bytes to an infected file and then subtracts the same number of bytes,
i.e. 9216, from the size given in the directory. They are somewhat difficult to detect.
8.9 Linking viruses

Linking viruses may require that the system is first infected with the virus in order to construct
the linkage. However, scanners typically detect the virus even when the linkage does not exist
and this can be utilised in virus detection analysis. Furthermore, a linkage virus may be capable
of replicating even without establishing the linkage, but if this is not the case, then the linkage
should be created before analysis. Otherwise we are not analysing true working viruses,
because the virus is not capable of replicating without the linkage.

8.10 Memory resident viruses

As demonstrated with the definition of stealth viruses, memory resident viruses may be able
to deceive antivirus products if the memory scanning does not work correctly for some reason
and the virus active in central memory is not found. In such a case it is possible that an
antivirus scanner is actually replicating a virus, because the virus may infect each file the
scanner opens for reading. Therefore, one phase of antivirus product evaluation could be
evaluating products’ capabilities to detect viruses in central memory.

8.11 Self-distributing viruses

Self-distributing viruses have at least one special replication channel from a local system to a
remote system. The replication should be performed by using the replication channels.
However, the replication environment should be an isolated environment in order to prevent
the virus accidentally spreading to external systems. Preventing antivirus products should be
analysed based on the prevention mechanism. This may require that the replication channel is
used or that the virus is activated while the antivirus product is actively preventing viruses.
9. Proposed System:

Our proposed system provides both a virtual private network and an antivirus. This integrated
system can be observed as a process flow in Figure (4.1), clarifying the storing point of view
as well as the retrieving point of view. It can be observed in Figure (4.1) that the personal system “User”
is protected by an antivirus, which is the inner layer. On the other hand, the virtual private network
is the outer layer. In fig 4.1, the user is connected to the virtual private network and requests are
sent and received over an encrypted tunnel. The proposed system makes it more difficult
for intruders or hackers to target a home user.
The proposed system scans all incoming and outgoing data. The proposed system also detects
malicious files and links. It also warns against opening malicious websites based on the
behaviour technique. The proposed system also encrypts the connection over a less secure network,
such as the internet, as the data flows through a virtual private network. The proposed system transmits the data
between the remote user and the company network in an encrypted tunnel, which gives a secure
connection to home users. The proposed system also allows the users to set parameters as per
need to control the system usage.
In the below diagram (fig 4.1) the author focuses on computer and network security. The data
passes through an encrypted tunnel to the VPN server, so the transmission of data is secured with
encryption. From the VPN server the request is sent to the internet. This whole process is secured
with the VPN. The system has the antivirus to detect viruses and malware.

Fig: Proposed system(9)


10. Result Analysis:
In order to establish a secure connection, a username, password, and server address are required.
In figure 10.1, the username and password have been entered along with the server address. The data
encryption is done using the Microsoft Point to Point Encryption Protocol and Layer 2
Tunneling Protocol.

Fig: Connection establishment (10.1)

Fig: connecting to server(10.2)


After entering the server address, username and password in the respective fields and
clicking the ‘Connect’ button, figure 10.3 pops up. The following are the
procedures that will take place:

Fig: connection to VPN(10.3)

AV Defence:
Below is the AV design of the proposed system; it scans for malware and infected
programs. As can be seen in the figure below (figure 5.4), the proposed system has a scan mode that
keeps blinking. Below, in the ‘Panel’, a virus has been found.

Fig: Panel for VPN (10.4)


11.Conclusion & Future Enhancement:
Computer and network security has always been an important issue for home users. In this
paper, we have presented an integrated system for home users that will provide them security
from viruses and intruders. We used a VPN as an outer layer that will protect them from intruders
and AV as an inner layer that will protect them from viruses and other infected files. The system
is implemented on the Visual Studio (C-Sharp) platform. The PPTP and L2TP protocols are used
for the outer layer. Results showed that the proposed system is working perfectly. In future this
system can be extended to users of other platforms such as Linux OS, Mac OS and others. This
research can be extended by using a larger data sample set and by going into the depth of remote
access and its security for home users.