Contract No.: 285248 Strategic Objective


Malware Detection Service Open API Specification




26 Malware Detection Service Open API Specification

26.1 Introduction to Malware Detection Service

26.1.1 Malware Detection Service Core

This document describes the interface available for submitting a binary file to the malware detection service.

26.1.2 Intended Audience

This document is addressed both to software developers and to consumers of the malware detection service.

26.1.3 Service Change History

The most recent changes are described in the table below:

Revision Date    Changes Summary
January, 2012    • Initial version
October, 2013    • Web portal version
                 • Dynamic functionality

26.1.4 How to Read This Document

The following list summarizes the special notations used in this document.

  • A bold, mono-spaced font is used to represent code or logical entities, e.g., HTTP methods (GET, PUT, POST, DELETE).

  • An italic font is used to represent document titles or some other kind of special text, e.g., URI.

  • Variables are shown between braces and in italic font, e.g. {id}. The reader replaces them with the actual value.

For a description of some terms used along this document, see the Architecture Description document.

26.1.5 Additional Resources

Additional information about the WSO2 Application Server and Enterprise Service Bus open-source products can be found on the official WSO2 documentation web pages:

  • http://wso2.com/products/application-server/

  • http://wso2.com/products/enterprise-service-bus/

26.2 General Malware Detection Service Information

26.2.1 Resources Summary

The WSDL description file is available at http://av.loria.fr:8280/services/AV?wsdl2; a copy can also be found in the annexes section of the "User and Programmers Guide".

The web portal of the Malware Detection Service is accessible at https://av-portail.loria.fr (152.81.67.99). Once authenticated, you can submit a binary to the service directly from your browser and display the result.


26.2.2 Authentication

Access to the malware detection service is restricted and is based on the WS-Security Username Token specification. To obtain your login/password credentials, send an email to the INRIA Carte team.
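As an added illustration of the WS-Security Username Token scheme named above (example code written for this page, not the service's or Rampart's own implementation): the client builds a digest-type UsernameToken, and a minimal server-side check recomputes the digest, accepts only digest tokens, and refuses stale or replayed nonces. The credentials, nonce and timestamps are constructed values; the namespace and type URIs are those of the OASIS UsernameToken Profile 1.0.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Namespaces and type URIs from the OASIS WS-Security 1.0 UsernameToken profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)): nonce as raw
    bytes, created and password as UTF-8 text (UsernameToken Profile 1.0)."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_security_header(username, password, nonce=None, created=None) -> str:
    """Client side: a wsse:Security header carrying a digest UsernameToken.
    The clear-text password never leaves the client; only the digest does."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=NONCE_ENC).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


class TokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens.
    `credentials` maps username -> password (a constructed in-memory store)."""

    def __init__(self, credentials: dict, max_skew_seconds: int = 300):
        self.credentials = credentials
        self.max_skew = timedelta(seconds=max_skew_seconds)
        self.seen_nonces = set()  # a real deployment would expire entries after max_skew

    def verify(self, header_xml: str, now: datetime) -> bool:
        try:
            tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
            username = tok.findtext(f"{{{WSSE}}}Username")
            pw = tok.find(f"{{{WSSE}}}Password")
            nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
            created = tok.findtext(f"{{{WSU}}}Created")
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except (AttributeError, TypeError, ValueError, ET.ParseError):
            return False                                   # malformed token
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return False                                   # only digest tokens are accepted
        password = self.credentials.get(username)
        if password is None:
            return False                                   # unknown user
        if abs(now - created_dt) > self.max_skew:
            return False                                   # outside the freshness window
        if nonce_b64 in self.seen_nonces:
            return False                                   # replayed token
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False                                   # wrong password
        self.seen_nonces.add(nonce_b64)
        return True


def demo() -> tuple:
    """Constructed scenario: a fresh token, the same token replayed, a check
    against a wrong stored password, and a check with a stale clock."""
    created = "2017-01-28T10:00:00Z"
    now = datetime(2017, 1, 28, 10, 0, 30, tzinfo=timezone.utc)
    hdr = build_security_header("alice", "s3cret", nonce=b"\x01" * 16, created=created)
    server = TokenVerifier({"alice": "s3cret"})
    return (
        server.verify(hdr, now),                                               # True
        server.verify(hdr, now),                                               # False: replay
        TokenVerifier({"alice": "wrong"}).verify(hdr, now),                    # False: bad digest
        TokenVerifier({"alice": "s3cret"}).verify(hdr, now + timedelta(hours=1)),  # False: stale
    )


if __name__ == "__main__":
    print(build_security_header("alice", "s3cret"))
    print(demo())
```

The digest form matters here because the service is reached over HTTP on port 8280 as well as through the portal: a PasswordText token would carry the password in clear in every request, whereas the digest plus nonce and timestamp lets the server authenticate without the password ever being transmitted, provided it enforces the freshness window and nonce uniqueness shown in `verify`.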

26.2.3 Representation Format

The Malware Detection Service supports the SOAP protocol. The request and response formats are XML, as indicated by the Content-Type header.

26.2.4 Representation Transport

The local binary file is transmitted to the server via MTOM (SOAP Message Transmission Optimization Mechanism).

26.2.5 Resource Identification

Integrity and confidentiality of the transported binary and of the response are provided by the Rampart module from the Apache Software Foundation.

26.2.6 Links and References

Refer to "Additional Resources" for references.

26.2.7 Limits

Malware Detection Engine Limits

The Malware Detection engine is software capable of extracting (partially) a morphological signature from executable binary code, which characterizes the behavior of malware.

  • In this release, only executable files for the Windows and Linux operating systems are supported.

Absolute Limits


Under test.

26.2.8 Versions

The current release is V1.0.

26.2.9 Extensions

Two extensions are planned at the moment:

26.2.10 Faults

Faults are saved in log files and are also reported online during execution.

26.3 Malware Detection Service Operations

Scan a binary file

  • SOAP action: urn:Scan

  • Operation type: Request-response

  • Input type: ScanWrapper

The ScanWrapper data type contains a complex type (DataRequest) that itself has 4 parameters:

1- filename: name of the binary file to scan

2- binaryData: body of the binary file, base64-encoded

3- mode: scan mode, either static (default) or dynamic

4- sha256: SHA-256 hash of the binary file

  • Output type: ResponseWrapper

The ResponseWrapper data type has 1 parameter:

1- result: INFECTED for an infected binary file, SANE otherwise

This action submits a binary file to be scanned by Morphus, which answers either 'INFECTED' for an infected binary file or 'SANE' otherwise.


Distance vector of a binary file


  • SOAP action: urn:Distance

  • Operation type: Request-response

  • Input type: DistanceWrapper

The DistanceWrapper data type contains a complex type (DataRequest) that itself has 4 parameters:

1- filename: name of the binary file to scan

2- binaryData: body of the binary file, base64-encoded

3- mode: scan mode, either static (default) or dynamic

4- sha256: SHA-256 hash of the binary file

  • Output type: ResponseWrapper

The ResponseWrapper data type has 1 parameter:

1- result: the distance from the malware samples already in the database

This action also submits a binary to the scanner, but in this case Morphus replies with the distance from the malware samples already in the database.

(example: Backdoor.Win32.Hupigon.bto: 100.00% Backdoor.Win32.Hupigon.bto, 59.33% Backdoor.Win32.Hupigon.bhes, 6.57% Packed.Win32.CPEX-based.e)
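To make the Scan and Distance request and response shapes above concrete, here is an added Python example (written for this page, not code from the service or its WSDL). It builds the four DataRequest fields so that sha256 is always derived from the same bytes that are base64-encoded, checks a received request's hash against its decoded binaryData, wraps the request in a SOAP 1.2 body, and interprets both kinds of result, including the distance vector in the format of the example above. The target namespace urn:example:av and the child element name `request` inside the wrappers are placeholder assumptions; the sample binary and the sample responses are constructed.

```python
import base64
import hashlib
import posixpath
import re
from xml.etree import ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"   # SOAP 1.2 envelope namespace
SERVICE_NS = "urn:example:av"   # ASSUMPTION: placeholder; the real target namespace is in the WSDL
MODES = ("static", "dynamic")
WRAPPERS = {"Scan": "ScanWrapper", "Distance": "DistanceWrapper"}

ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("av", SERVICE_NS)


def make_data_request(filename: str, data: bytes, mode: str = "static") -> dict:
    """The four DataRequest fields. sha256 is computed from the very bytes that
    are base64-encoded, so the declared hash and the payload cannot disagree."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    # Send only the final path component: the service needs a name, not the client's path.
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name:
        raise ValueError("filename must not be empty")
    return {
        "filename": name,
        "binaryData": base64.b64encode(data).decode("ascii"),
        "mode": mode,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_data_request(req: dict) -> bool:
    """Receiver-side check: decode binaryData and compare with the declared
    sha256; a mismatch means corruption or tampering and the request is refused."""
    try:
        raw = base64.b64decode(req["binaryData"], validate=True)
    except (KeyError, ValueError):
        return False
    declared = str(req.get("sha256", "")).lower()
    return req.get("mode") in MODES and hashlib.sha256(raw).hexdigest() == declared


def build_body(operation: str, req: dict) -> str:
    """SOAP 1.2 envelope carrying <ScanWrapper> or <DistanceWrapper>. The child
    element 'request' holding the DataRequest is an assumed name."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    wrapper = ET.SubElement(body, f"{{{SERVICE_NS}}}{WRAPPERS[operation]}")
    dr = ET.SubElement(wrapper, f"{{{SERVICE_NS}}}request")
    for key in ("filename", "binaryData", "mode", "sha256"):
        ET.SubElement(dr, f"{{{SERVICE_NS}}}{key}").text = req[key]
    return ET.tostring(env, encoding="unicode")


def result_text(response_xml: str) -> str:
    """Extract the single <result> field of a ResponseWrapper, whatever prefix
    the server used for its namespace."""
    for el in ET.fromstring(response_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "result":
            return el.text or ""
    raise ValueError("no <result> element in response")


def parse_scan_result(text: str) -> bool:
    """Scan verdict: True for INFECTED, False for SANE. Any other value is an
    error and is never silently treated as clean."""
    verdict = text.strip().upper()
    if verdict == "INFECTED":
        return True
    if verdict == "SANE":
        return False
    raise ValueError(f"unexpected Scan result {text!r}")


ENTRY = re.compile(r"(\d+(?:\.\d+)?)%\s+([^,]+)")


def parse_distance_result(text: str):
    """Distance vector 'name: 100.00% A, 59.33% B, ...' ->
    (name, [(A, 100.0), (B, 59.33), ...]) with the best match first.
    The leading 'name:' part is optional."""
    head, sep, tail = text.partition(":")
    query = head.strip() if sep and "%" not in head else None
    entries = [(name.strip(), float(pct)) for pct, name in ENTRY.findall(tail if query else text)]
    return query, sorted(entries, key=lambda e: e[1], reverse=True)


# Constructed samples: a tiny stand-in "binary" and responses shaped as the spec describes.
SAMPLE_DATA = b"hello"
SAMPLE_SCAN_RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body>'
    '<ns:ResponseWrapper xmlns:ns="urn:example:av"><ns:result>INFECTED</ns:result></ns:ResponseWrapper>'
    '</soapenv:Body></soapenv:Envelope>'
)
SAMPLE_DISTANCE_RESULT = ("Backdoor.Win32.Hupigon.bto: 100.00% Backdoor.Win32.Hupigon.bto, "
                          "59.33% Backdoor.Win32.Hupigon.bhes, 6.57% Packed.Win32.CPEX-based.e")

if __name__ == "__main__":
    request = make_data_request("C:\\samples\\sample.exe", SAMPLE_DATA)
    print(build_body("Scan", request))
    print(parse_scan_result(result_text(SAMPLE_SCAN_RESPONSE)))
    print(parse_distance_result(SAMPLE_DISTANCE_RESULT))
```

The wsse:Security header from the Authentication section is omitted here and would be added to the envelope's Header by the WS-Security layer. Note that `check_data_request` gives the receiver a way to detect a payload that was altered in transit or by a misbehaving client: since the client already declares sha256, the service can verify it before handing the bytes to the engine rather than trusting the declared value.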

List malware database


  • SOAP action: urn:MalwareList

  • Operation type: Request-response

  • Input type: MalwareListRequest

The MalwareListRequest data type has 1 parameter:

1- limit: maximum number of malware names in the list (0 for unlimited)

  • Output type: ResponseWrapper

The ResponseWrapper data type has 1 parameter:

1- result: the list of malware names

This action provides a list of the names of the malware samples in the database.
