
Malware Detection Service Open API Specification

From FIWARE Forge Wiki


Introduction to Malware Detection Service

Malware Detection Service Core

This document describes the interface available for submitting a binary file to the malware detection service.

Intended Audience

This document is addressed both to software developers and to consumers of the malware detection service.

Service Change History

The most recent changes are described in the table below:

Revision Date    Changes Summary
January 2012     Initial version
October 2013     Web portal version; dynamic functionality

How to Read This Document

The following list summarizes the special notations used in this document.

  • A bold, mono-spaced font represents code or logical entities, e.g. HTTP methods (GET, PUT, POST, DELETE).
  • An italic font represents document titles or other special text, e.g. a URI.
  • Variables are written between braces and in italic font, e.g. {id}; where the reader finds one, it can be replaced by any suitable value.

For a description of some terms used along this document, see the Architecture Description document.

Additional Resources

Additional information about the WSO2 Application Server and the WSO2 Enterprise Service Bus open source solutions can be found on the official WSO2 documentation web pages:

General Malware Detection Service Information

Resources Summary

The WSDL description file is available at http://av.loria.fr:8280/services/AV?wsdl2; a copy is also reproduced in the annexes section of the "User and Programmers Guide".

The web portal of the Malware Service is accessible at https://av-portail.loria.fr (152.81.67.99). Once authenticated, you can submit a binary to the Malware Service directly from your browser and display the result.

Authentication

Access to the malware detection service is restricted, and authentication is based on the WS-Security Username Token specification. To obtain a login/password pair, send an email to the INRIA Carte team. Because the token travels in the SOAP header of every request, it should only be sent over the integrity- and confidentiality-protected channel described under Resource Identification.

Representation Format

The Malware Detection Service supports the SOAP protocol. Requests and responses are XML and are identified as such by an XML Content-Type header.

Representation Transport

The local binary file is transmitted to the server via MTOM (SOAP Message Transmission Optimization Mechanism).

Resource Identification

Integrity and confidentiality of the transported binary and of the response are provided by the Rampart module from the Apache Software Foundation, the WS-Security module for Axis2.

Links and References

Refer to "Additional Resources" for references.

Limits

Malware Detection Engine Limits

The malware detection engine is software capable of (partially) extracting a morphological signature from executable binary code; the signature corresponds to the behavior of malware.

  • In this release, only executable files for the Windows and Linux operating systems are supported.

Absolute Limits

Under test.

Versions

This is the V1.0 release.

Extensions

Two extensions are planned at the moment:

  • Apple OS Binary support
  • Android OS Binary support

Faults

Faults are recorded in log files and are also returned to the caller at execution time.

Malware Detection Service Operations

Scan a binary file

  • SOAP action: urn:Scan
  • Operation type: Request-response
  • Input type: ScanWrapper

The ScanWrapper data type wraps a complex type (DataRequest) that itself has 4 parameters:

1- filename: name of the binary file to scan

2- binaryData: body of the binary file, base64-encoded

3- mode: scan mode switch, either static (default) or dynamic

4- sha256: SHA-256 hash of the binary file; compute it over exactly the bytes placed in binaryData, before any transport encoding

 
  <xs:element name="ScanWrapper">
    <xs:complexType>
       <xs:sequence>
          <xs:element minOccurs="0" name="Datas" type="ns1:DataRequest"/>
       </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:complexType name="DataRequest">
    <xs:sequence>
       <xs:element minOccurs="0" name="filename" nillable="true" type="xs:string"/>
       <xs:element maxOccurs="unbounded" minOccurs="0" name="binaryData" nillable="true" type="xmime:base64Binary"/>
       <xs:element minOccurs="0" name="mode" nillable="true" type="xs:string"/>
       <xs:element minOccurs="0" name="sha256" nillable="true" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
  
  • Output type: ResponseWrapper

The ResponseWrapper data type has 1 parameter:

1- result: INFECTED for an infected binary file, SANE otherwise

 
  <xs:element name="ResponseWrapper">
      <xs:complexType>
        <xs:sequence>
           <xs:element minOccurs="0" name="result" nillable="true" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
  </xs:element>
  


This action submits a binary file to be scanned by Morphus, which answers either 'INFECTED' for an infected binary file or 'SANE' otherwise.
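As an added example, not code from this page or from the INRIA service, the following Python builds the Scan request described above with the WS-Security UsernameToken header required under Authentication, checks the request before it is sent, shows the digest recomputation a server performs on the token, and reads the result out of a ResponseWrapper reply. It assumes SOAP 1.1, that the service accepts PasswordDigest tokens, a hypothetical service namespace http://av.loria.fr/, and inline base64 for binaryData instead of an MTOM attachment; the WSDL at http://av.loria.fr:8280/services/AV?wsdl2 is authoritative for the real namespace and password type. The same builder produces a DistanceWrapper request when called with operation="Distance".

```python
"""Added example (not the service's own code): build a urn:Scan request with
a WS-Security UsernameToken header, check it before sending, and read the
ResponseWrapper reply. Assumed, because the page does not say: SOAP 1.1,
PasswordDigest tokens are accepted, the hypothetical service namespace
http://av.loria.fr/, and inline base64 instead of an MTOM attachment."""
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
SVC_NS = "http://av.loria.fr/"       # assumed service namespace
VALID_MODES = ("static", "dynamic")  # the two modes named on the page
for _p, _u in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS), ("av", SVC_NS)):
    ET.register_namespace(_p, _u)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def username_token(user: str, password: str) -> ET.Element:
    """wsse:Security header with a digest token over a fresh nonce and UTC timestamp."""
    nonce = os.urandom(16)
    created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sec = ET.Element(f"{{{WSSE_NS}}}Security", {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    return sec

def build_request(user: str, password: str, filename: str, data: bytes,
                  mode: str = "static", operation: str = "Scan") -> bytes:
    """Envelope for ScanWrapper, or DistanceWrapper with operation="Distance"."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header").append(username_token(user, password))
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    datas = ET.SubElement(ET.SubElement(body, f"{{{SVC_NS}}}{operation}Wrapper"),
                          f"{{{SVC_NS}}}Datas")
    # send the basename only: the scanner has no use for the client's local path
    ET.SubElement(datas, f"{{{SVC_NS}}}filename").text = os.path.basename(filename)
    ET.SubElement(datas, f"{{{SVC_NS}}}binaryData").text = base64.b64encode(data).decode()
    ET.SubElement(datas, f"{{{SVC_NS}}}mode").text = mode
    # hash exactly the bytes placed in binaryData, before any transport encoding
    ET.SubElement(datas, f"{{{SVC_NS}}}sha256").text = hashlib.sha256(data).hexdigest()
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def request_fields(envelope: bytes) -> dict:
    """Read the DataRequest fields back out of an envelope; binaryData is decoded."""
    datas = ET.fromstring(envelope).find(f".//{{{SVC_NS}}}Datas")
    fields = {e.tag.split("}")[1]: (e.text or "") for e in datas}
    fields["binaryData"] = base64.b64decode(fields["binaryData"])
    return fields

def request_is_consistent(envelope: bytes) -> bool:
    """Pre-flight check: the sha256 field must match the decoded binaryData."""
    f = request_fields(envelope)
    return hmac.compare_digest(f["sha256"], hashlib.sha256(f["binaryData"]).hexdigest())

def verify_username_token(envelope: bytes, password_for) -> bool:
    """Server-side view: recompute the digest from Nonce and Created. A real
    verifier must also reject reused nonces and stale Created values, or the
    token can be replayed."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return False
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE_NS}}}Nonce", ""))
    created = tok.findtext(f"{{{WSU_NS}}}Created", "")
    user = tok.findtext(f"{{{WSSE_NS}}}Username", "")
    expected = password_digest(nonce, created, password_for(user))
    return hmac.compare_digest(tok.findtext(f"{{{WSSE_NS}}}Password", ""), expected)

def parse_response(envelope: bytes) -> str:
    """Return ResponseWrapper/result or raise on a SOAP Fault. The reply is
    remote input: use defusedxml instead of plain ElementTree in production."""
    root = ET.fromstring(envelope)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError("SOAP fault: " + (fault.findtext("faultstring") or "unspecified"))
    result = root.findtext(".//{*}ResponseWrapper/{*}result")
    if result is None:
        raise ValueError("response carries no result element")
    return result.strip()

# constructed sample reply in the shape the ResponseWrapper schema describes
SAMPLE_RESPONSE = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><av:ResponseWrapper xmlns:av="http://av.loria.fr/">'
    b'<av:result>SANE</av:result></av:ResponseWrapper></soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    req = build_request("alice", "s3cret", "/tmp/sample.exe", b"MZ" + bytes(62))
    print(req.decode(), request_is_consistent(req), parse_response(SAMPLE_RESPONSE))
```

The bytes returned by build_request are sent in an HTTP POST to the service URL with Content-Type text/xml and the SOAPAction header set to urn:Scan; request_is_consistent is worth running right before the POST, since a sha256 that disagrees with binaryData is the most common client-side mistake with this kind of request.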

Distance vector of a binary file

  • SOAP action: urn:Distance
  • Operation type: Request-response
  • Input type: DistanceWrapper

The DistanceWrapper data type wraps a complex type (DataRequest) that itself has 4 parameters:

1- filename: name of the binary file to scan

2- binaryData: body of the binary file, base64-encoded

3- mode: scan mode switch, either static (default) or dynamic

4- sha256: SHA-256 hash of the binary file; compute it over exactly the bytes placed in binaryData, before any transport encoding

 
  <xs:element name="DistanceWrapper">
    <xs:complexType>
       <xs:sequence>
          <xs:element minOccurs="0" name="Datas" type="ns1:DataRequest"/>
       </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:complexType name="DataRequest">
    <xs:sequence>
       <xs:element minOccurs="0" name="filename" nillable="true" type="xs:string"/>
       <xs:element maxOccurs="unbounded" minOccurs="0" name="binaryData" nillable="true" type="xmime:base64Binary"/>
       <xs:element minOccurs="0" name="mode" nillable="true" type="xs:string"/>
       <xs:element minOccurs="0" name="sha256" nillable="true" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
  
  • Output type: ResponseWrapper

The ResponseWrapper data type has 1 parameter:

1- result: the distance of the submitted binary from the malware samples already in the database

 
  <xs:element name="ResponseWrapper">
      <xs:complexType>
        <xs:sequence>
           <xs:element minOccurs="0" name="result" nillable="true" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
  </xs:element>
  


This action also submits a binary to the scanner, but in this case Morphus replies with the distance of the binary from the malware already in the database. The reply is a single string whose layout is not defined by the schema, so clients must parse it themselves.

(example: Backdoor.Win32.Hupigon.bto: 100.00% Backdoor.Win32.Hupigon.bto, 59.33% Backdoor.Win32.Hupigon.bhes, 6.57% Packed.Win32.CPEX-based.e)
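As an added example, not code from this page or from the INRIA service, the following Python parses the text the Distance operation returns into ranked (malware name, similarity percentage) pairs and applies a decision threshold to them. The line format is inferred from the single example above, and the 50 % threshold is an illustrative choice, not a value the service defines.

```python
"""Added example, not the service's own code: parse the string returned by
urn:Distance, in the shape shown on the page, into ranked (name, %) pairs
and apply a decision threshold. The format is inferred from the page's one
example; the threshold is illustrative, not something the service defines."""
import re
from typing import List, Optional, Tuple

# "<pct>% <name>" pairs; names contain no spaces or commas in the page's example
_PAIR = re.compile(r"(\d+(?:\.\d+)?)%\s+([^,\s]+)")

# the page's own example result, used here as constructed test input
SAMPLE = ("Backdoor.Win32.Hupigon.bto: 100.00% Backdoor.Win32.Hupigon.bto, "
          "59.33% Backdoor.Win32.Hupigon.bhes, 6.57% Packed.Win32.CPEX-based.e")


def parse_distance(result: str) -> Tuple[str, List[Tuple[str, float]]]:
    """Split '<label>: p1% n1, p2% n2, ...' into the label and the pairs sorted
    by similarity, highest first. A result with no '%' entries yields []."""
    label, sep, rest = result.partition(": ")
    if not sep:                      # no label prefix: treat the whole string as pairs
        label, rest = "", result
    pairs = [(name, float(pct)) for pct, name in _PAIR.findall(rest)]
    pairs.sort(key=lambda p: p[1], reverse=True)
    return label.strip(), pairs


def family(name: str) -> str:
    """Drop the variant suffix: Backdoor.Win32.Hupigon.bto -> Backdoor.Win32.Hupigon."""
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else name


def nearest(result: str, threshold: float = 50.0) -> Optional[Tuple[str, float]]:
    """Closest known malware at or above the threshold, else None."""
    _, pairs = parse_distance(result)
    return pairs[0] if pairs and pairs[0][1] >= threshold else None


def families_above(result: str, threshold: float = 50.0) -> List[str]:
    """Distinct families among matches at or above the threshold, in rank order."""
    seen: List[str] = []
    for name, pct in parse_distance(result)[1]:
        if pct >= threshold and family(name) not in seen:
            seen.append(family(name))
    return seen


if __name__ == "__main__":
    label, pairs = parse_distance(SAMPLE)
    print(label, pairs, nearest(SAMPLE), families_above(SAMPLE))
```

Keeping the variant-level pairs and the family-level summary separate matters in practice: a 59% match to a sibling variant of the top hit is corroborating evidence, while a low-percentage match to an unrelated packer family is not.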

List malware database

  • SOAP action: urn:MalwareList
  • Operation type: Request-response
  • Input type: MalwareListRequest

The MalwareListRequest data type has 1 parameter:

1- limit: maximum number of malware names in the list (0 for unlimited); note that the schema declares it as xs:string, so the number is sent as text

 
    <xs:element name="MalwareListRequest">
      <xs:complexType>
         <xs:sequence>
             <xs:element minOccurs="0" name="limit" nillable="true" type="xs:string"/>
         </xs:sequence>
      </xs:complexType>
    </xs:element>

  • Output type: ResponseWrapper

The ResponseWrapper data type has 1 parameter:

1- result: the list of malware names

 
  <xs:element name="ResponseWrapper">
      <xs:complexType>
        <xs:sequence>
           <xs:element minOccurs="0" name="result" nillable="true" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
  </xs:element>
  


This action returns a list of the malware names in the database.
